Compile Debian Kernel with GRSEC


You need to have the following software/commands installed:
make, gcc, g++, libncurses5, libncurses5-dev, patch, and there's probably more but I can't think of anything right now.

***NOW W/SPARC SUPPORT!!! (see below for details)

This part is for compiling a Debian Linux kernel on x86/amd64 with GRSEC

Step 1:
Download the latest version of Grsecurity and download the latest working stable kernel that goes with it.
(from the 2 links below I put as references)

Step 2:
Move the 2 compressed files to the directory /usr/src/
Uncompress both files using tar -zxvf for the kernel (example: linux-kernel-
and gunzip to turn grsecurity-2.1.11- into grsecurity-2.1.11-

Step 3:
Move the grsec code into the directory of the linux kernel source.
Patch the kernel source with the grsec code by executing the command: patch -p1 < grsecurity-2.1.11-
If you want you can add in the grsec iptables patch as well using the same method.

Step 4:
Execute the command make menuconfig.
Choose the drivers, etc.. that you wish to be built into your kernel. You can tell what needs to be built in to your kernel based on a few commands such as lspci, lsmod, etc..
There are some that are dependent on each other for instance:
cisc0ninja@testbox:/# lsmod
Module Size Used by
thermal_sys 9378 processor, fan, thermal

cisc0ninja@testbox:/# modinfo thermal
filename: /lib/modules/2.6.32-5-686/kernel/drivers/acpi/thermal.ko
license: GPL
description: ACPI Thermal Zone Driver
author: Paul Diefenbaugh
alias: acpi*:LNXTHERM:*
depends: thermal_sys
vermagic: 2.6.32-5-686 SMP mod_unload modversions 686
parm: act:Disable or override all lowest active trip points. (int)
(etc.. truncated b/c I'm not going to type all this shit out and you guys get the point)

So in this instance you need to select the thermal module to be built in, and also select thermal_sys to be built in.
One may be listed under the ACPI options and the other under Device Drivers, Generic Thermal sysfs driver.

Don't select them to be modules because we're not going to be using an initrd image for this install. If you choose to actually do an initrd image then it's still good to build in the drivers that the system actually needs and just place other drivers as modules. For instance the system has an intel nic but I think I'll be adding another nic later, probably a 3com so I'll build in the intel nic and maybe make the 3com a module since I don't have it now but may later. That is called a modular kernel.
If your shit doesn't boot properly at the end of this it's because you either didn't build in everything you needed or built too much shit in and it's puking on itself. Don't forget to actually configure the options you want in the Grsec and PaX portions of the config (that's the actual security part of it we're aiming for here)
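A quick audit of the .config that menuconfig saves, added here as an example and not part of the original guide: it confirms the Grsec and PaX options are really switched on, that the drivers you name are built in rather than modules, and that initrd support is off. The option names passed at the bottom are assumptions for an ext4 root on a SATA disk plus the thermal drivers from above, and the sample .config is constructed.

```sh
#!/bin/sh
# Added example, not from the original guide: audit a kernel .config before
# running make. The required options are chosen by the caller (assumed names).

# Print y, m or n for one option in a .config file.
opt_state() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-n}"
}

# audit_config FILE OPTION...  -> one finding per line, returns 1 if any.
audit_config() {
    cfg=$1; shift; rc=0
    # Grsec and PaX must be enabled, not merely patched into the tree.
    for o in CONFIG_GRKERNSEC CONFIG_PAX; do
        [ "$(opt_state "$cfg" "$o")" = y ] || { echo "OFF $o"; rc=1; }
    done
    # Boot-critical drivers must be =y because no initrd will load modules.
    for o in "$@"; do
        case $(opt_state "$cfg" "$o") in
            m) echo "MODULE $o"; rc=1 ;;
            n) echo "OFF $o"; rc=1 ;;
        esac
    done
    # Initrd support left on contradicts the no-initrd goal of this guide.
    if [ "$(opt_state "$cfg" CONFIG_BLK_DEV_INITRD)" = y ]; then
        echo "INITRD CONFIG_BLK_DEV_INITRD"; rc=1
    fi
    return $rc
}

# Constructed sample .config (not from a real build).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_GRKERNSEC=y
# CONFIG_PAX is not set
CONFIG_EXT4_FS=m
CONFIG_BLK_DEV_SD=y
CONFIG_THERMAL=y
CONFIG_ACPI_THERMAL=y
CONFIG_BLK_DEV_INITRD=y
EOF
audit_config "$sample" CONFIG_EXT4_FS CONFIG_BLK_DEV_SD CONFIG_ATA \
    CONFIG_THERMAL CONFIG_ACPI_THERMAL || echo "fix the findings above"
```

Point it at the .config in your kernel source directory and list the options for the hardware that lspci and lsmod showed you.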

Step 5:
Save your config and then type make and press enter.
When that is through type:
make modules
make modules_install
make bzImage
and finally make install

***In some cases you may need to also do a make firmware & make firmware_install

Technically if you are building a monolithic kernel and building all the drivers, etc.. into the kernel and not compiling anything as modules you can omit the make modules and make modules_install commands but I think you still need to do....
make bzImage
depmod -a
make install

Step 6:
Update grub with the command: update-grub
But watch out! Sometimes grub has a funny way of reading things!
If your previous line in menu.lst or grub.cfg says:
root=UUID 2345o05te4wtftlk43tjg ro quiet
type the command mount in a normal shell like bash.
If mount is showing root as /dev/sda1 then in your menu.lst file you can say root=/dev/sda1 ro quiet instead of the UUID shit.
Sometimes it needs this instead to boot properly. The reason is that you can't use UUIDs without an initrd image (the UUIDs are blkid's that get taken from commands like mount, which happen after the kernel is booted), so you need to specify the drive and partition, such as root=/dev/sda1 or whatever your root partition is. You also need to change your /etc/fstab to show
/dev/sda1 / ext4 defaults 0 1
instead of it saying
UUID=(long number) / ext4 defaults 0 1

This needs to be done for all partitions in /etc/fstab.
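To find the boot entries that will hit this problem, the added example below (not from the original guide) scans a grub.cfg or menu.lst and prints every entry whose kernel line uses root=UUID= or root=LABEL= but has no initrd line. The function name and the sample entries are made up for the illustration.

```sh
#!/bin/sh
# Added example, not from the original guide: list boot entries that name
# the root filesystem by UUID/LABEL but load no initrd to resolve it.
# Understands GRUB 2 (menuentry/linux) and GRUB legacy (title/kernel).
uuid_entries_without_initrd() {
    awk '
    # Report the entry just finished, then reset the per-entry flags.
    function emit() {
        if (title != "" && byname && !has_initrd) print title
        byname = 0; has_initrd = 0
    }
    /^[ \t]*(menuentry|title)[ \t]/ {
        emit()
        title = $0
        sub(/^[ \t]*(menuentry|title)[ \t]+/, "", title)
        sub(/[ \t]*[{][ \t]*$/, "", title)
        next
    }
    /^[ \t]*(linux|kernel)[ \t]/ { if ($0 ~ /root=(UUID|LABEL)=/) byname = 1 }
    /^[ \t]*initrd[ \t]/         { has_initrd = 1 }
    END { emit() }
    ' "$1"
}

# Constructed sample grub.cfg (the UUID value is a placeholder).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
menuentry 'Debian, Linux 2.6.32-grsec' {
    linux /boot/vmlinuz-2.6.32-grsec root=UUID=1111-constructed ro quiet
}
menuentry 'Debian, Linux 2.6.32-5-686' {
    linux /boot/vmlinuz-2.6.32-5-686 root=UUID=1111-constructed ro quiet
    initrd /boot/initrd.img-2.6.32-5-686
}
menuentry 'Debian, Linux 2.6.32-grsec (device name)' {
    linux /boot/vmlinuz-2.6.32-grsec root=/dev/sda1 ro quiet
}
EOF
uuid_entries_without_initrd "$cfg"
```

Run it against your real menu.lst or grub.cfg after update-grub; any entry it prints needs root= changed to the device name before you reboot.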

Step 7:
Reboot into your new Monolithic Debian Linux Kernel complete with Grsec and NO nasty initrd image!!!

Step 8:
If you are having a hard time getting this to work, you may decide to try with an initrd image.
You can do this by issuing the following command:
update-initramfs -c -k

Don't forget that if you decide to use an initrd image you need to add support for it back in to the kernel when you do your make menuconfig assuming you took it out earlier.


This part is for compiling a Debian Linux kernel on SPARC with GRSEC

Most of the steps are the same, except that when you compile you use this instead:
make clean && make vmlinux image modules modules_install
make vmlinux && make image modules modules_install

Then to make it bootable you have to:
cp arch/sparc/boot/image /boot/vmlinuz-2.x.x.x-grsec
cp /boot/
cd /boot
rm -rf vmlinuz (which should be a sym link to your old vmlinuz file)
ln -s vmlinuz-2.x.x.x-grsec vmlinuz
vi silo.conf
remove the line initrd=

example silo.conf file:
partition = 1 # Boot partition (= root partition)
root = /dev/sda1 # Root partition
timeout = 150 # Wait 15 seconds before booting the default section




Type the command silo and it will check to make sure your silo.conf file is usable.
Then reboot into your new Linux on SPARC custom kernel!

Thanks to RaT, Spender, and Dave M. for all your assistance and help with this!