# Building a grsec-patched Linux kernel for Debian 8 and DigitalOcean

It's possible to run a custom (instead of hypervisor-managed) kernel for use with Debian 8.x on a DigitalOcean droplet. We'll build one with grsecurity, "an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening".

**Note:** The stable patches for Linux 3.14.x and 3.2.x are not publicly available anymore, so we'll be applying the free 4.3.x (test) patch. The URLs and filenames in this document may become outdated, so fetch the latest from [grsecurity.net](https://grsecurity.net) and [kernel.org](https://www.kernel.org/).

Install dependencies:

```
apt-get install libncurses5-dev build-essential fakeroot kernel-package gcc-4.9 gcc-4.9-plugin-dev make
```

Grab Spender's key and verify it:

```
wget https://grsecurity.net/spender-gpg-key.asc
gpg --import spender-gpg-key.asc
gpg --keyserver pool.sks-keyservers.net --recv-key 647F28654894E3BD457199BE38DBBDC86092693E
gpg --with-fingerprint spender-gpg-key.asc
gpg --fingerprint 647F28654894E3BD457199BE38DBBDC86092693E
```

Grab the kernel source and grsecurity patch, plus signatures for each:

```
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.3.3.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.3.3.tar.sign
wget https://grsecurity.net/test/grsecurity-3.1-4.3.3-201601051958.patch
wget https://grsecurity.net/test/grsecurity-3.1-4.3.3-201601051958.patch.sig
```

Decompress the tarball:

```
unxz linux-4.3.3.tar.xz
```

Verify that the signatures are good:

```
gpg --verify grsecurity-3.1-4.3.3-201601051958.patch.sig
gpg --verify linux-4.3.3.tar.sign
```

Extract the kernel source and apply the patch:

```
tar -xf linux-4.3.3.tar
cd linux-4.3.3/
patch -p1 < ../grsecurity-3.1-4.3.3-201601051958.patch
```

Start with the VPS's existing kernel configuration, and then configure the new kernel:

```
cp /boot/config-3.16.0-4-amd64 .config
make menuconfig
```

Under *Security options*, enable Grsecurity (press Y), set *Configuration Method* to **Automatic**, set *Usage Type* to **Server**, set *Virtualization Type* to **Guest**, set *Virtualization Software* to **KVM** and *Required Priorities* to **Security**. Save and exit.

You may want to ensure all CPU cores participate in the build by exporting this environment variable:

```
export CONCURRENCY_LEVEL="$(grep -c '^processor' /proc/cpuinfo)"
```

Now you can compile the kernel. It can take a while to finish, and ideally you shouldn't be doing this as root.

```
fakeroot make-kpkg --initrd kernel_image
```

In the parent directory, you'll have the package `linux-image-4.3.3-grsec_4.3.3-grsec-10.00.Custom_amd64.deb`. Copy it to the target machine and install with `dpkg -i`.

Install some tools to use with [PaX](https://en.wikipedia.org/wiki/PaX) (which hardens userland binaries against common exploitation techniques based on memory corruption):

```
apt-get install paxtest paxctl
```

Grab the kernel version string used in the GRUB bootloader menu:

```
grep menuentry /boot/grub/grub.cfg | cut -d "'" -f2 | grep "grsec$"
```

Set the new kernel to boot by default, and reboot:

```
sed -i "s/^GRUB_DEFAULT=.*$/GRUB_DEFAULT=\"Advanced options for Debian GNU\/Linux>Debian GNU\/Linux, with Linux 4.3.3-grsec\"/" /etc/default/grub
update-grub
grub-reboot "Advanced options for Debian GNU/Linux>Debian GNU/Linux, with Linux 4.3.3-grsec"
shutdown -r now
```

When the machine comes back after rebooting, check `uname -r` to verify that you're running grsec.

Set these sysctl variables (use `sysctl -p` to activate after editing `/etc/sysctl.conf`):

```
kernel.grsecurity.rwxmap_logging = 0
kernel.grsecurity.grsec_lock = 1
```

Set some PaX flags for GRUB:

```
paxctl -Cpm /usr/sbin/grub-probe
paxctl -Cpm /usr/sbin/grub-mkdevicemap
paxctl -Cpm /usr/sbin/grub-install
paxctl -Cpm /usr/bin/grub-script-check
paxctl -Cpm /usr/bin/grub-mount
```

You may find that some software, such as common interpreters for scripting languages, won't work because of memory protection. As an example, you can disable MPROTECT for Python like so:

```
paxctl -c /usr/bin/python2.7
paxctl -m /usr/bin/python2.7
```

Run `paxtest blackhat` and check the output. If PaX is working, you should see something like this:

```
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 33 bits (guessed)
Heap randomisation test (ET_EXEC)        : 23 bits (guessed)
Heap randomisation test (PIE)            : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : 33 bits (guessed)
Main executable randomisation (PIE)      : 33 bits (guessed)
Shared library randomisation test        : 33 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 40 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 40 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 44 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 44 bits (guessed)
Randomization under memory exhaustion @~0: 33 bits (guessed)
Randomization under memory exhaustion @0 : 33 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Killed
```

Congratulations! You're now running [grsecurity](https://grsecurity.net/) on your Debian DigitalOcean droplet.

A similar process should work on a Linode VPS with PV-GRUB enabled — you'd just have to select Xen as the virtualization type instead (unless your Linode is on their brand new, upgraded KVM infrastructure).

At [Freedom of the Press Foundation](https://freedom.press), we've been working on automating this whole process with [Ansible](https://github.com/ansible/ansible). Check out our [GitHub repository](https://github.com/freedomofpress/grsec/)!

See also [paxctld](https://grsecurity.net/paxctld/paxctld_1.0-4_amd64.deb), a daemon for applying PaX flags to binaries persistently across package updates. I also suggest evaluating the grsecurity [RBAC](https://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System) (role-based access control), which is extremely powerful.

Special acknowledgments to [Garrett Robinson](https://twitter.com/garrettr_), James Dolan, [Runa Sandvik](https://twitter.com/runasand), and [Conor Schaefer](https://twitter.com/conorsch) whose work on building kernels for [SecureDrop](https://github.com/freedomofpress/securedrop) informed this guide.
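
A plain `gpg --verify` accepts a good signature from any key in the keyring, so the signature check in the guide is stronger when it is pinned to the fingerprint verified when importing the key. The following is an added example, not part of the original guide: `signed_by` and `verify_pinned` are hypothetical helper names, and the status lines are constructed sample input (only the fingerprint comes from this page).

```sh
#!/bin/sh
# Added example, not from the original guide: pin a signature to a fingerprint.

# signed_by FPR
#   Reads `gpg --status-fd 1 --verify ...` status lines on stdin and succeeds
#   only if a VALIDSIG line names FPR as the signing key or its primary key.
signed_by() {
    # Normalise the expected fingerprint: strip spaces, upper-case hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# verify_pinned FPR SIGFILE DATAFILE  (hypothetical helper; needs gpg installed)
verify_pinned() {
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | signed_by "$1"
}

# Constructed status output (dates and UID are made up for illustration).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Constructed UID
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2016-01-06 1452110000 0 4 0 1 8 00 647F28654894E3BD457199BE38DBBDC86092693E
EOF
}

SPENDER_FPR='647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E'
if sample_status | signed_by "$SPENDER_FPR"; then
    echo "signature made by pinned key"
else
    echo "signature NOT made by pinned key"
fi
```

On a real host this would be called as `verify_pinned "$SPENDER_FPR" grsecurity-3.1-4.3.3-201601051958.patch.sig grsecurity-3.1-4.3.3-201601051958.patch`; the kernel tarball needs the fingerprint of its own signer, which this page does not give.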
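
The `paxtest blackhat` check in the guide can be scripted so that a kernel or configuration regression fails loudly instead of relying on reading the table by eye. This is an added example, not part of the original guide: `paxtest_report` is a hypothetical helper name, the 16-bit entropy threshold and the `Vulnerable` / `No randomisation` result strings are assumptions about paxtest's output, and the sample input is constructed.

```sh
#!/bin/sh
# Added example, not from the original guide: summarise `paxtest blackhat`.
# Usage on a real host:  paxtest blackhat | paxtest_report 16

# paxtest_report MIN_BITS
#   Reads paxtest output on stdin and prints FAIL/SKIP lines. Exit status:
#   0 = every recognised test passed, 1 = at least one failure,
#   2 = no test results recognised (paxtest did not run or output changed).
paxtest_report() {
    awk -v min="${1:-16}" '
    {
        n = index($0, ":")                 # first colon separates name/result
        if (n == 0) next
        name = substr($0, 1, n - 1); sub(/[ \t]+$/, "", name)
        res  = substr($0, n + 1);    sub(/^[ \t]+/, "", res)
        if (res ~ /^Killed/)                   { seen++ }
        else if (res ~ /^Vulnerable/)          { seen++; fail++; print "FAIL " name ": not enforced" }
        else if (res ~ /^No randomi[sz]ation/) { seen++; fail++; print "FAIL " name ": no ASLR" }
        else if (res ~ /^[0-9]+ bits/) {
            seen++
            if (res + 0 < min) { fail++; print "FAIL " name ": only " (res + 0) " bits" }
        }
        else if (res ~ /^paxtest:/)            { print "SKIP " name ": inconclusive" }
        # anything else (banner, "Mode: blackhat", uname line) is ignored
    }
    END { if (seen == 0) exit 2; exit (fail > 0) }'
}

# Constructed sample: one unenforced test and one low-entropy result.
sample_paxtest_output() {
    cat <<'EOF'
Mode: blackhat
Executable heap                          : Killed
Executable stack (mprotect)              : Vulnerable
Stack randomisation test (SEGMEXEC)      : 40 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
EOF
}

sample_paxtest_output | paxtest_report 16 || echo "paxtest_report exit status: $?"
```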