Prerequisites:
You have installed the following software/commands:
make, gcc, g++, libncurses5, libncurses5-dev, patch, and there's probably more but I can't think of anything right now.
***NOW W/SPARC SUPPORT!!! (see below for details)
This part is for compiling a Debian Linux kernel on x86/amd64 with GRSEC
Step 1:
Download the latest version of Grsecurity and download the latest working stable kernel that goes with it.
(from the 2 links below I put as references)
Step 2:
Move the 2 compressed files to the directory /usr/src/
Uncompress both files using tar -zxvf for the kernel (example: linux-kernel-2.6.24.5.tar.gz)
and gunzip to turn grsecurity-2.1.11-2.4.36.2-200804211830.patch.gz into grsecurity-2.1.11-2.4.36.2-200804211830.patch
Step 3:
Move the grsec code into the directory of the linux kernel source.
Patch the kernel source with the grsec code by executing the command: patch -p1 < grsecurity-2.1.11-2.4.36.2-200804211830.patch
If you want you can add in the grsec iptables patch as well using the same method.
Step 4:
Execute the command make menuconfig.
Choose the drivers, etc. that you wish to be built into your kernel. You can tell what needs to be built into your kernel from a few commands such as lspci, lsmod, etc.
Some of them depend on each other, for instance:
cisc0ninja@testbox:/# lsmod
Module Size Used by
thermal_sys 9378 processor, fan, thermal
cisc0ninja@testbox:/# modinfo thermal
filename: /lib/modules/2.6.32-5-686/kernel/drivers/acpi/thermal.ko
license: GPL
description: ACPI Thermal Zone Driver
author: Paul Diefenbaugh
alias: acpi*:LNXTHERM:*
depends: thermal_sys
vermagic: 2.6.32-5-686 SMP mod_unload modversions 686
parm: act:Disable or override all lowest active trip points. (int)
(etc. Truncated b/c I'm not going to type all this shit out and you guys get the point)
So in this instance you need to select the thermal module to be built in, and also select thermal_sys to be built in.
One may be listed under the ACPI options and the other may be listed under Device Drivers as the generic thermal sysfs driver.
Don't select them to be modules because we're not going to be using an initrd image for this install. If you choose to actually do an initrd image then it's still good to build in the drivers that the system actually needs and just place other drivers as modules. For instance, the system has an Intel NIC but I think I'll be adding another NIC later, probably a 3Com, so I'll build in the Intel NIC and maybe make the 3Com a module since I don't have it now but may later. That is called a modular kernel.
If your shit doesn't boot properly at the end of this it's because you either didn't build in everything you needed or built too much shit in and it's puking on itself. Don't forget to actually configure the options you want in the Grsec and PaX portions of the config (that's the actual security part of it we're aiming for here)
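A check to run on the saved config before Step 5, as an added example that is not part of the original post: modular_options lists anything left as a module, and audit_config confirms CONFIG_GRKERNSEC and CONFIG_PAX are enabled, checks the options you name are built in, and notes whether initrd support is still on. The sample config is constructed, and the driver symbols passed in (thermal, Intel e1000, 3Com) are illustrative stand-ins for whatever lspci and lsmod show on your box.

```shell
#!/bin/sh
# Added example: audit a kernel .config before an initrd-less grsec build.
# sample_config prints a constructed config, not one taken from the page.
sample_config() {
cat <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_THERMAL=y
CONFIG_ACPI_THERMAL=m
CONFIG_E1000=y
CONFIG_VORTEX=m
CONFIG_GRKERNSEC=y
# CONFIG_PAX is not set
EOF
}

# Print every option built as a module (=m). With no initrd, none of these
# can load until the root filesystem is already mounted.
modular_options() {
    sed -n 's/^\(CONFIG_[A-Za-z0-9_]*\)=m$/\1/p' "$1"
}

# Succeed only if option $2 is built in (=y) in config file $1.
is_builtin() {
    grep -q "^$2=y\$" "$1"
}

# $1 = config file, remaining args = options this machine needs at boot.
# Prints one finding per line and returns non-zero if any check failed.
audit_config() {
    cfg=$1; shift
    findings=0
    for opt in CONFIG_GRKERNSEC CONFIG_PAX; do
        is_builtin "$cfg" "$opt" || { echo "MISSING $opt"; findings=$((findings + 1)); }
    done
    for opt in "$@"; do
        is_builtin "$cfg" "$opt" || { echo "NOT-BUILTIN $opt"; findings=$((findings + 1)); }
    done
    is_builtin "$cfg" CONFIG_BLK_DEV_INITRD && echo "NOTE initrd support is still enabled"
    [ "$findings" -eq 0 ]
}

# Demo on the constructed config; on a real tree pass the path to .config.
cfg_demo=$(mktemp)
sample_config > "$cfg_demo"
audit_config "$cfg_demo" CONFIG_THERMAL CONFIG_ACPI_THERMAL CONFIG_E1000 || true
rm -f "$cfg_demo"
```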
Step 5:
Save your config and then type make and press enter.
When that is through type:
make
make modules
make modules_install
make bzImage
and finally make install
***In some cases you may also need to do a make firmware and a make firmware_install
Technically, if you are building a monolithic kernel with all the drivers, etc. built into the kernel and nothing compiled as modules, you can omit the make modules and make modules_install commands, but I think you still need to do:
make
make bzImage
depmod -a
make install
Step 6:
Update grub with the command: update-grub
But watch out! Sometimes grub has a funny way of reading things!
If your previous line in menu.lst or grub.cfg says:
root=UUID=2345o05te4wtftlk43tjg ro quiet
type the command mount in a normal shell like bash.
If mount is showing root as /dev/sda1 then in your menu.lst file you can say root=/dev/sda1 ro quiet instead of the UUID shit.
Sometimes it needs this instead to boot properly. The reason is that you can't use UUIDs without an initrd image (the UUIDs are blkid values that userspace commands like mount resolve, and those only run after the kernel has booted), so you need to specify the drive and partition, such as root=/dev/sda1 or whatever your root partition is. You also need to change your /etc/fstab to show
/dev/sda1 / ext4 defaults 0 1
instead of it saying
UUID=(long number) / ext4 defaults 0 1
This needs to be done for all partitions in /etc/fstab.
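The fstab change described above, as an added example rather than part of the original post: it maps each UUID= entry to the device that blkid reports for it. The blkid output and fstab in the script are constructed samples; on a real system you would feed it saved blkid output and a copy of /etc/fstab, then review the result before replacing anything.

```shell
#!/bin/sh
# Added example: rewrite UUID= entries in an fstab to device paths for a
# kernel booted without an initrd. Both sample inputs are constructed.
sample_blkid() {    # same shape as the output of `blkid`
cat <<'EOF'
/dev/sda1: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4"
/dev/sda5: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" TYPE="swap"
EOF
}

sample_fstab() {
cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=11111111-2222-3333-4444-555555555555 / ext4 defaults 0 1
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none swap sw 0 0
UUID=99999999-0000-0000-0000-000000000000 /data ext4 defaults 0 2
EOF
}

# $1 = file holding blkid output, $2 = fstab. Prints the rewritten fstab on
# stdout (rewritten lines become single-space separated). A UUID that blkid
# did not report is left untouched and named on stderr.
fstab_uuid_to_dev() {
    awk '
        NR == FNR {                       # first file: blkid output
            dev = $1; sub(/:$/, "", dev)
            if (match($0, / UUID="[^"]+"/))
                map[substr($0, RSTART + 7, RLENGTH - 8)] = dev
            next
        }
        /^UUID=/ {                        # second file: fstab
            id = substr($1, 6)
            if (id in map) $1 = map[id]
            else print "unresolved: " id > "/dev/stderr"
        }
        { print }
    ' "$1" "$2"
}

# Demo on the constructed inputs; nothing under /etc is read or written.
blk_demo=$(mktemp); fstab_demo=$(mktemp)
sample_blkid > "$blk_demo"; sample_fstab > "$fstab_demo"
fstab_uuid_to_dev "$blk_demo" "$fstab_demo"
rm -f "$blk_demo" "$fstab_demo"
```

Device names such as /dev/sda1 follow enumeration order, so re-check them after adding or moving disks.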
Step 7:
Reboot into your new Monolithic Debian Linux Kernel complete with Grsec and NO nasty initrd image!!!
Step 8:
If you are having a hard time getting this to work, you may decide to try with an initrd image.
You can do this by issuing the following command:
update-initramfs -c -k <kernel version>
example:
update-initramfs -c -k 2.6.39.2-grsec
Don't forget that if you decide to use an initrd image you need to add support for it back into the kernel when you do your make menuconfig, assuming you took it out earlier.
****************************************************************************************************************
This part is for compiling a Debian Linux kernel on SPARC with GRSEC
Most of the steps are the same, with the exception that when you compile you use this instead:
make clean && make vmlinux image modules modules_install
or
make vmlinux && make image modules modules_install
Then to make it bootable you have to:
cp arch/sparc/boot/image /boot/vmlinuz-2.x.x.x-grsec
cp System.map /boot/System.map-2.x.x.x-grsec
cd /boot
rm -rf vmlinuz (which should be a sym link to your old vmlinuz file)
ln -s vmlinuz-2.x.x.x-grsec vmlinuz
vi silo.conf
remove the line initrd=
example silo.conf file:
partition = 1 # Boot partition (= root partition)
root = /dev/sda1 # Root partition
timeout = 150 # Wait 15 seconds before booting the default section
default=Linux
read-write
image=/boot/vmlinuz
label=Linux
image=/boot/vmlinuz-2.x.x.x-old
label=LinuxOLD
initrd=/boot/initrd32.img
eof
Type the command silo and it will check to make sure your silo.conf file is usable.
Then reboot into your new Linux on SPARC custom kernel!
Thanks to RaT, Spender, and Dave M. for all your assistance and help with this!
-cisc0ninja
Reference: