Update grsecurity kernels for workstation templates #546
Comments
Plan to move to 4.14.179 or get in sync with core (4.14.175)?
The current build logic does not make it easy to build historical versions; we should target whatever the latest version is at the time we build the kernels (currently 4.14.179).
For the 5/20-6/3 sprint, we're aiming to build a workstation kernel and get an LFS PR up (not merged), but our priority is a smooth 0.3.0 release including the fedora-30->31 transition (#544).
PRs required to unlock testing have been submitted as follows:
Some preliminary testing has been done against the kernel by manually installing it in
(Have updated docs while going through the process.)
There's been a relevant CVE and grsec patch while these PRs were in the queue, so they will be closed and replaced with a new kernel build soon.
A new set of PRs required to unlock testing for the 4.14.186 kernel have been submitted as follows:
Some preliminary testing has been done against the kernel by manually installing it in securedrop-workstation-buster and reprovisioning the workstation. Outstanding tasks before the LFS PR can be issued include:
(In light of the number of PRs involved and the need for coordinated review, tracking the issue rather than the individual PRs on the board.)
This was completed, and the new kernel has been released to all workstation users; see https://apt.freedom.press/pool/main/s/securedrop-workstation-grsec/
We are currently on 4.14.169 kernels on the workstation (as of today, 4.14.179 has been released); we should consider upgrading these as part of a regular schedule. There have not been any major vulnerabilities and we do use the grsecurity patchset for additional hardening.
Checklist (based on #546 (comment))