dapperlinux/dapper-secure-kernel

Dapper Secure Kernel

Dapper Linux Hardened Kernel with Fedora Patches and Dapper Secure Kernel Patches

Introduction

This repository contains the current Linux kernel used by Dapper Linux. The build process is heavily based on the Fedora Linux kernel build process, and should be familiar to those who build their own kernels.

Current supported versions by Dapper Linux:

Dapper Linux   Linux Version   Dapper Secure Kernel Patch
26             4.13.7          4.13.7-2017-10-15

Packaging and Building a Source RPM for COPR

This section should serve as a step-by-step guide to how Dapper Linux readies kernels for building. It is an updated version of a guide found on thiébaud.fr, which was extremely useful.

We need to install a RPM development toolchain:

$ sudo dnf group install c-development
$ sudo dnf install rpmdevtools yum-utils gcc-plugin-devel
$ rpmdev-setuptree

rpmdev-setuptree creates an rpmbuild directory in your $HOME folder. If you'd rather use another path, you can put %_topdir %{getenv:HOME}/my_path in ~/.rpmmacros.

Next, we get the current kernel source RPM, install it into the rpmbuild directory and fetch the kernel's build dependencies:

$ dnf download --source kernel
$ rpm -Uvh kernel-4.13.5-200.fc26.src.rpm
$ sudo dnf builddep kernel
$ sudo dnf install numactl-devel pesign

Now we fetch the latest patch from Dapper Secure Kernel Patchset and place it in the SOURCES directory.

$ cd ~/rpmbuild/SOURCES
$ wget https://dapperlinux.com/downloads/dapper-secure-kernel-patches-4.13.7-2017-10-15.patch
$ wget https://dapperlinux.com/downloads/dapper-secure-kernel-patches-4.13.7-2017-10-15.patch.sig

Now we verify the detached signature against the patch (you might have to import the signing key first). Ensure the signature is good before going any further:

$ gpg --verify dapper-secure-kernel-patches-4.13.7-2017-10-15.patch.sig dapper-secure-kernel-patches-4.13.7-2017-10-15.patch
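The verify step above is only as strong as the key it is checked against: a good signature from any key that happens to be in the keyring passes. The shell functions below are an added example, not part of this repository, that pin the expected signing-key fingerprint and check gpg's machine-readable --status-fd output for a VALIDSIG line carrying that fingerprint. The fingerprint value is a placeholder to be replaced with the real one obtained out of band; the file names follow the wget step above.

```shell
#!/bin/sh
# Added example (not from dapper-secure-kernel): verify a detached signature
# and accept it only if it was made by a pinned signing key.
# PLACEHOLDER fingerprint: replace with the Dapper Linux signing key's
# fingerprint, obtained out of band (keyserver listings are not enough).
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Read gpg --status-fd output on stdin and succeed only if a VALIDSIG line
# names the fingerprint given as $1.  The VALIDSIG record is
# "[GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...", so the
# fingerprint is field 3.  GOODSIG alone is not enough: it names a key id,
# and any key in the keyring would satisfy it.
validsig_matches() {
    expected="$1"
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($3) == toupper(want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Verify detached signature $1 over data file $2 with gpg, then apply the
# fingerprint pin.  --status-fd 1 puts the machine-readable records on
# stdout so the check does not depend on gpg's human-readable wording.
verify_patch() {
    sig="$1"; data="$2"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    printf '%s\n' "$status" | validsig_matches "$EXPECTED_FPR"
}

# Usage (assumed file names from the wget step):
#   verify_patch dapper-secure-kernel-patches-4.13.7-2017-10-15.patch.sig \
#                dapper-secure-kernel-patches-4.13.7-2017-10-15.patch \
#       && echo "signature good and from the pinned key"
```

Because the check is on the full fingerprint rather than on a short key id or a user id string, a second key imported with the same name or colliding short id does not pass.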

Now we start integrating the dapper-secure-kernel-patchset patch into the kernel.spec file. In the SPECS directory, edit kernel.spec and change

# define buildid .local

to:

%define buildid .dappersec

Since Dapper Linux is only interested in supporting x86_64 at this point in time, remove the other architectures by adding them to the nobuildarches define:

Change

%define nobuildarches i386

to:

# We only build kernel-headers on the following...
%define nobuildarches i386 s390 ppc64 ppc64p7 s390 s390x %{arm} aarch64 ppc64le

We also do not want particular packages to be built, since skipping them saves a lot of time and effort and they will never be used. So we disable the debug, perf, tools and debuginfo packages.

Change

# kernel-debug
%define with_debug     %{?_without_debug:     0} %{?!_without_debug:     1}
# kernel-headers
%define with_headers   %{?_without_headers:   0} %{?!_without_headers:   1}
%define with_cross_headers   %{?_without_cross_headers:   0} %{?!_without_cross_headers:   1}
# perf
%define with_perf      %{?_without_perf:      0} %{?!_without_perf:      1}
# tools
%define with_tools     %{?_without_tools:     0} %{?!_without_tools:     1}
# kernel-debuginfo
%define with_debuginfo %{?_without_debuginfo: 0} %{?!_without_debuginfo: 1}

to

# kernel-debug
%define with_debug     %{?_without_debug:     0} %{?!_without_debug:     0}
# kernel-headers
%define with_headers   %{?_without_headers:   0} %{?!_without_headers:   1}
%define with_cross_headers   %{?_without_cross_headers:   0} %{?!_without_cross_headers:   1}
# perf
%define with_perf      %{?_without_perf:      0} %{?!_without_perf:      0}
# tools
%define with_tools     %{?_without_tools:     0} %{?!_without_tools:     0}
# kernel-debuginfo
%define with_debuginfo %{?_without_debuginfo: 0} %{?!_without_debuginfo: 0}

Note that we do wish to keep building the headers (with_headers and with_cross_headers stay at 1) for cross-compilation compatibility.

Now we need to add the patch. So before:

# END OF PATCH DEFINITIONS

add:

Patch26000: dapper-secure-kernel-patchset-4.13.7-2017-10-15.patch

Then try to apply the patch. Note that the -bp flag on rpmbuild runs only the %prep section of the .spec file, which does the uncompressing and patching.

$ cd ~/rpmbuild/SPECS
$ rpmbuild -bp kernel.spec
[...]
error: patch failed: arch/x86/entry/vdso/Makefile:170
error: arch/x86/entry/vdso/Makefile: patch does not apply
error: patch failed: arch/x86/kernel/ioport.c:32
error: arch/x86/kernel/ioport.c: patch does not apply
error: patch failed: drivers/acpi/custom_method.c:29
error: drivers/acpi/custom_method.c: patch does not apply
error: patch failed: drivers/platform/x86/asus-wmi.c:1905
error: drivers/platform/x86/asus-wmi.c: patch does not apply
error: patch failed: init/Kconfig:879
error: init/Kconfig: patch does not apply
Patch failed at 0107 Dapper Secure Kernel Patchset 4.13.7
[...]

It is completely normal to fail at this stage. Most of these patches fail because Fedora ships a patch that already exists in the Dapper Secure Kernel patchset, causing a collision, or because a particular Fedora patch has changes that conflict with what is found in the Dapper Secure Kernel patchset. We can find the reason behind each failure by running a quick grep for the offending files over the SOURCES directory.

$ cd ~/rpmbuild/SOURCES
$ grep -Rin ioport\.c .
./dapper-secure-kernel-patchset-4.13.7-2017-10-15.patch:281: arch/x86/kernel/ioport.c                           |    17 +-
./dapper-secure-kernel-patchset-4.13.7-2017-10-15.patch:21391:diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
./dapper-secure-kernel-patchset-4.13.7-2017-10-15.patch:21393:--- a/arch/x86/kernel/ioport.c
./dapper-secure-kernel-patchset-4.13.7-2017-10-15.patch:21394:+++ b/arch/x86/kernel/ioport.c
./efi-lockdown.patch:888: arch/x86/kernel/ioport.c | 4 ++--
./efi-lockdown.patch:892:diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
./efi-lockdown.patch:894:--- a/arch/x86/kernel/ioport.c
./efi-lockdown.patch:895:+++ b/arch/x86/kernel/ioport.c

We can see that efi-lockdown.patch also touches ioport.c and is causing the problem, so we comment the corresponding Patch line out in the kernel.spec file.

# Fails to patch with Dapper Secure Kernel Patches
#Patch475: x86-Lock-down-IO-port-access-when-module-security-is.patch
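The grep-and-comment loop above can be automated. The script below is an added example, not anything shipped by Dapper Linux: it reads the rpmbuild -bp output, collects every file reported as "patch does not apply", and lists which other patch files in SOURCES carry a diff --git header for that file. The SOURCES directory and the name of our own patch are passed as arguments; nothing is hard-coded to the project.

```shell
#!/bin/sh
# Added example (not from dapper-secure-kernel): find which Fedora patches
# collide with our patch on the files rpmbuild -bp could not patch.

# Read rpmbuild output on stdin and print the unique list of files from
# "error: <path>: patch does not apply" lines.
failed_files() {
    sed -n 's/^error: \(.*\): patch does not apply$/\1/p' | sort -u
}

# Print the base names of patches under directory $1 whose diff headers
# touch file $2, skipping the patch named in $3 (our own patch).  The
# trailing space in the pattern stops "ioport.c" matching "ioport.c.orig".
patches_touching() {
    dir="$1"; file="$2"; skip="$3"
    grep -l -F -- "diff --git a/$file " "$dir"/*.patch 2>/dev/null \
        | while IFS= read -r p; do
            base=$(basename "$p")
            [ "$base" = "$skip" ] || printf '%s\n' "$base"
          done
}

# For each failed file print "<file>: <patch> [<patch>...]".  A file no
# other patch touches means the conflict is with the base tree itself,
# not with a Fedora patch, which needs a different fix than commenting out.
# $1 = SOURCES directory, $2 = our patch's file name, rpmbuild log on stdin.
collision_report() {
    dir="$1"; ours="$2"
    failed_files | while IFS= read -r f; do
        others=$(patches_touching "$dir" "$f" "$ours" | tr '\n' ' ' | sed 's/ $//')
        printf '%s: %s\n' "$f" "${others:-(no other patch; conflict is with the base tree)}"
    done
}

# Usage (assumed paths from this guide):
#   rpmbuild -bp ~/rpmbuild/SPECS/kernel.spec 2>&1 \
#     | collision_report ~/rpmbuild/SOURCES \
#         dapper-secure-kernel-patchset-4.13.7-2017-10-15.patch
```

The report tells you which Patch lines to comment out, and, just as usefully, which failures are not collisions at all and need the Dapper patch itself rebased.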

You can continue to find all of the other collisions. Here is the list that Dapper Linux comments out (as of Linux 4.9.8):

# Fails to patch with Dapper Secure Kernel Patches
#Patch119: criu-no-expert.patch
#Patch201: efi-lockdown.patch
#Patch210: disable-i8042-check-on-apple-mac.patch

Now when we run the patch command we just find:

$ rpmbuild -bp kernel.spec
[...]
error: patch failed: arch/x86/entry/vdso/Makefile:170
error: arch/x86/entry/vdso/Makefile: patch does not apply
Patch failed at 0082 Dapper Secure Kernel Patchset 4.13.7
[...]

Now, both Fedora and the Dapper Secure Kernel patches patch the vdso Makefile and the Kconfig with their own values. Let's fix the vdso Makefile first.

We need to find which patch file is in disagreement with the Dapper Secure Kernel patch, and then decide which patch we want to ship. So we will do a grep over the source files like so:

$ grep -Rin "a/arch/x86/entry/vdso/Makefile" .
./kbuild-AFTER_LINK.patch:93:diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
./kbuild-AFTER_LINK.patch:95:--- a/arch/x86/entry/vdso/Makefile
./dapper-secure-kernel-patchset-4.13.7-2017-10-15.patch:10706:diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
./dapper-secure-kernel-patchset-4.13.7-2017-10-15.patch:10708:--- a/arch/x86/entry/vdso/Makefile

Since the Dapper Secure Kernel patches' version is much more in depth than the simple changes to provide some compiler warning from Fedora, we will remove the vdso hunk from the Fedora patch. Take note of the line number reported by grep, since it tells you where to start editing. I recommend using vim, and using the dd command to delete a line at a time.

You want to remove the following hunk from the Fedora patch:

$ vim kbuild-AFTER_LINK.patch +93
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index d540966..eeb47b6 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -167,8 +167,9 @@ $(obj)/vdso32.so.dbg: FORCE \
 quiet_cmd_vdso = VDSO    $@
       cmd_vdso = $(CC) -nostdlib -o $@ \
                       $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
-                      -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
-                sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
+                      -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) \
+               $(if $(AFTER_LINK),; $(AFTER_LINK)) && \
+               sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
 
 VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \
        $(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
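Review bot: The text above calls this Fedora change "simple changes to provide some compiler warning", but the hunk actually inserts a post-link hook: `$(if $(AFTER_LINK),; $(AFTER_LINK))` runs whatever command the AFTER_LINK variable holds after the vDSO is linked and before checkundef.sh is run. Deleting these lines only removes that hook for the vDSO; the earlier part of kbuild-AFTER_LINK.patch (the grep shows this hunk starts at line 93 of the patch) is left in place. The comment you put next to the edited patch in kernel.spec should record that the vDSO hunk was dropped in favour of the Dapper Secure Kernel version of arch/x86/entry/vdso/Makefile, so the next rebase does not reintroduce it.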

There is also a bug in the kernel.spec file: it tries to merge and then run newoptions over build configs for architectures that we aren't even going to build, which prevents us from continuing. We can fix it by changing:

# now run oldconfig over all the config files
for i in *.config

to:

# now run oldconfig over all the config files
for i in %{all_arch_configs}

Now, the Dapper Secure Kernel patches require that we add an extra build dependency, gcc-plugin-devel, since many security features are added at compile time by GCC plugins. So add this just below the BuildRequires section, and just above the Sources section:

#Required for Dapper Secure Kernel Patches
BuildRequires: gcc-plugin-devel

Now we can try to patch again. The patches now apply, but we have more errors:

$ rpmbuild -bp kernel.spec 
[...]
warning: squelched 110 whitespace errors
warning: 115 lines add whitespace errors.
+ chmod +x scripts/checkpatch.pl
[...]
+ grep -E '^CONFIG_'
+ '[' -s .newoptions ']'
+ cat .newoptions
CONFIG_GCC_PLUGINS
CONFIG_GRKERNSEC
error: Bad exit status from /var/tmp/rpm-tmp.ioWAuT (%prep)

This just means that there are options that must be configured in the kernel but haven't been configured yet. Namely, the Dapper Secure Kernel options haven't been configured yet. So, we go to the build directory and run make menuconfig to select the Dapper Secure Kernel options we require. Dapper Secure Kernel options live in Security -> Grsecurity.

$ cd ~/rpmbuild/BUILD/kernel-4.13.fc26/linux-4.13.7-200.dappersec.fc26.x86_64/
$ make menuconfig

Once you have set your options, save them, and copy all custom options, which will include all CONFIG_GRKERNSEC and CONFIG_PAX options, into SOURCES/kernel-local (the file the commands below append to). You can find Dapper Linux's options here

$ grep "CONFIG_GRKERNSEC*" .config >> ~/rpmbuild/SOURCES/kernel-local
$ grep "CONFIG_PAX*" .config >> ~/rpmbuild/SOURCES/kernel-local

The Dapper Secure Kernel patches also add some new miscellaneous options, which we must address too:

$ cat >> ~/rpmbuild/SOURCES/kernel-local << EOF
# CONFIG_NETFILTER_XT_MATCH_GRADM is not set
CONFIG_GCC_PLUGINS=y
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
# CONFIG_KMEMCHECK is not set
# CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set
# CONFIG_STACKTRACE is not set
CONFIG_MODVERSIONS=y
EOF
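Appending with >> as above works once, but a second run of the same commands duplicates every line in kernel-local, and nothing checks that every symbol listed in .newoptions was actually covered. The functions below are an added example, not part of this repository: they do the same extraction for the CONFIG_GRKERNSEC and CONFIG_PAX prefixes without duplicating lines, and report any symbol from a .newoptions list that kernel-local still does not set. The file names are assumed to be the ones used in this guide.

```shell
#!/bin/sh
# Added example (not from dapper-secure-kernel): kernel-local bookkeeping
# with a check for options %prep would still complain about.

# Print every CONFIG_ symbol named in a .newoptions-style list ($1) that has
# no setting in kernel-local ($2).  A setting is either "CONFIG_X=..." or the
# "# CONFIG_X is not set" form, both of which the newoptions check accepts.
unaddressed_options() {
    new="$1"; local_cfg="$2"
    while IFS= read -r opt; do
        [ -n "$opt" ] || continue
        if ! grep -q -E "^(${opt}=|# ${opt} is not set$)" "$local_cfg"; then
            printf '%s\n' "$opt"
        fi
    done < "$new"
}

# Copy the GRKERNSEC and PAX settings (set and "is not set" lines alike)
# from a .config ($1) into kernel-local ($2), skipping lines already there
# so the function is safe to run repeatedly after menuconfig changes.
merge_local_config() {
    cfg="$1"; local_cfg="$2"
    touch "$local_cfg"
    grep -E '^(CONFIG_(GRKERNSEC|PAX)[A-Z0-9_]*=|# CONFIG_(GRKERNSEC|PAX)[A-Z0-9_]* is not set$)' "$cfg" \
        | while IFS= read -r line; do
            grep -q -F -x -- "$line" "$local_cfg" || printf '%s\n' "$line" >> "$local_cfg"
          done
}

# Usage (assumed paths from this guide, run from the kernel build directory):
#   merge_local_config .config ~/rpmbuild/SOURCES/kernel-local
#   unaddressed_options .newoptions ~/rpmbuild/SOURCES/kernel-local
# An empty second output means %prep's newoptions check should pass.
```

Running the unaddressed_options check before rpmbuild -bp saves a full %prep cycle per forgotten symbol, and keeps kernel-local free of the repeated lines that make later diffs of it hard to read.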

You can view your final config here:

$ most ~/rpmbuild/SOURCES/kernel-local

Hopefully that's all we need to do, so change back to the SPECS directory and do a test patch to see that everything goes smoothly:

$ cd ~/rpmbuild/SPECS
$ rpmbuild -bp kernel.spec 

And finally, we can generate a source RPM for the COPR or Koji build system:

$ rpmbuild -bs kernel.spec
Wrote: ~/rpmbuild/SRPMS/dapper-secure-kernel-4.13.7-200.dappersec.fc26.src.rpm

It's probably worth doing a test build before submitting it to a build server, so we can weed out any last-minute compilation bugs. The following builds just the dapper-secure-kernel, dapper-secure-kernel-core, dapper-secure-kernel-modules and dapper-secure-kernel-modules-extra packages:

$ rpmbuild -bb --without debug --without debuginfo --without extra --without perf --without tools kernel.spec

About

The secure kernel used in Dapper Linux
