Linux kernel maintenance
We build and publish our own Linux kernels with additional grsecurity hardening patches. The kernel-builder repository contains scripts that fetch the upstream kernel tarballs plus the grsecurity patches and produce Debian packages.
Testing a new kernel
The following steps should be performed for all of the recommended hardware:

1. Install the new kernel packages on your Monitor Server using unattended-upgrades, e.g.

       sudo apt update && sudo unattended-upgrades --debug

   or wait for the automatic nightly upgrade.

2. Reboot. Verify with

       uname -r

   that you are using the new kernel. If it doesn't boot, see the Troubleshooting Kernel Updates documentation.

3. Install the paxtest package, run

       sudo paxtest blackhat

   and verify it doesn't return any new errors or warnings.

4. Install spectre-meltdown-checker and the binutils package, run

       sudo ./meltdown-checker

   and verify it doesn't return any errors or warnings.

5. Upgrade your Application Server to the new kernel and reboot.

6. Run basic smoke tests of SecureDrop by verifying you can send a submission and a journalist can reply.
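Step 3 asks for "no new errors or warnings", which only means something relative to the output of the previous kernel. The script below is an added example, not part of the SecureDrop kernel-builder tooling: it diffs the tests that paxtest reports as Vulnerable between a saved baseline log and a fresh run, so a regression introduced by a new kernel stands out. The log files and their contents are constructed samples; the file names are assumptions.

```shell
#!/bin/sh
# Compare a fresh `paxtest blackhat` log against a baseline from the
# previous kernel and list tests that newly report "Vulnerable".

# Print the names of tests that paxtest marks as Vulnerable, sorted.
# paxtest prints one line per test: "<test name>   : <Killed|Vulnerable>".
vulnerable_tests() {
    grep ': Vulnerable' "$1" | sed 's/ *: Vulnerable.*//' | sort
}

# Print tests Vulnerable in the new log but not in the baseline log.
new_regressions() {
    base_list="$(mktemp)"
    vulnerable_tests "$1" > "$base_list"
    # comm -13: lines only in the second (sorted) input, i.e. the new run
    vulnerable_tests "$2" | comm -13 "$base_list" -
    rm -f "$base_list"
}

# Number of new regressions; 0 means the new kernel is no worse.
regression_count() {
    new_regressions "$1" "$2" | grep -c .
}

# Constructed sample logs (not real paxtest output) to exercise the check.
WORK="$(mktemp -d)"
cat > "$WORK/paxtest-baseline.log" <<'EOF'
PaXtest - constructed sample for the previous kernel
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Return to function (strcpy)              : Vulnerable
Writable text segments                   : Killed
EOF
cat > "$WORK/paxtest-new.log" <<'EOF'
PaXtest - constructed sample for the new kernel
Executable anonymous mapping             : Killed
Executable bss                           : Vulnerable
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Writable text segments                   : Killed
EOF

# Usage: the strcpy result is not new, so only two regressions are listed.
new_regressions "$WORK/paxtest-baseline.log" "$WORK/paxtest-new.log"
```

Keep the baseline log from the currently deployed kernel on the Monitor Server and rerun the comparison after each kernel upgrade.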