Merge pull request #189 from freedomofpress/grsec-metapackage-no-dkms

Checks for u2mfn kernel module in metapackage
freedomofpress · Aug 27, 2020 · 3f33993 · 3f33993
2 parents ca4a647 + a096e8b
commit 3f33993
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 3 deletions.
diff --git a/securedrop-workstation-grsec/debian/changelog-buster b/securedrop-workstation-grsec/debian/changelog-buster
@@ -1,3 +1,9 @@
+securedrop-workstation-grsec (4.14.186+buster2) unstable; urgency=medium
+
+  * Ensures u2mfn module is built via dkms, otherwise fails
+
+ -- SecureDrop Team <[email protected]>  Wed, 26 Aug 2020 15:05:49 -0700
+
 securedrop-workstation-grsec (4.14.186+buster1) unstable; urgency=medium
 
   * Starts paxctld before dkms autoinstall step in postinst

diff --git a/securedrop-workstation-grsec/debian/postinst b/securedrop-workstation-grsec/debian/postinst
@@ -17,7 +17,11 @@ set -e
 # for details, see https://www.debian.org/doc/debian-policy/ or
 # the debian-policy package
 
+
+# When updating the kernel version, also check that the u2mfn version matches:
+# https://github.com/QubesOS/qubes-linux-utils/blob/release4.0/version
 GRSEC_VERSION='4.14.186-grsec-workstation'
+U2MFN_VERSION="4.0.30"
 
 # Sets default grub boot parameter to the kernel version specified
 # by $GRSEC_VERSION. The debian buster default kernel is 4.19, thus
@@ -38,12 +42,34 @@ start_paxctld() {
     fi
 }
 
+# Checks that the u2mfn kernel module was successfully built via dkms.
+verify_u2mfn_exists() {
+    ko_filepath="/usr/lib/modules/${GRSEC_VERSION}/updates/dkms/u2mfn.ko"
+    if ! test -f "$ko_filepath"; then
+        return 1
+    fi
+}
+
+# For reasons unknown, u2mfn may be missing. If not found, try to rebuild it,
+# otherwise we'll fail and require admin intervention.
+ensure_u2mfn_exists() {
+    if ! verify_u2mfn_exists ; then
+        dkms remove u2mfn -v "$U2MFN_VERSION" -k "$GRSEC_VERSION" || true
+        dkms autoinstall -k "$GRSEC_VERSION"
+        if ! verify_u2mfn_exists ; then
+            echo "ERROR: u2mfn kernel object is missing: $ko_filepath"
+            exit 1
+        fi
+    fi
+}
+
 case "$1" in
     configure)
-    # Ensure pax flags are set prior to running dkms & grub
+    # Ensure pax flags are set prior to running grub
     start_paxctld
-    # DKMS autoinstall the qubes kernel modules
-    dkms autoinstall $GRSEC_VERSION
+    # Rebuild u2mfn kernel module if missing
+    ensure_u2mfn_exists
+    # Force latest hardened kernel for next boot
     set_grub_default
     update-grub
     ;;