Grsecurity/Obtaining grsecurity
The following instructions will lead you through the process of downloading all the components necessary for using grsecurity on your system. Download each component to the same directory on your computer.
You need:
- The latest stable version of grsecurity.
- A matching version of gradm, the administration utility for grsecurity.
- Full source code of the Linux kernel.
You also need to have necessary programs for building, configuring and installing a custom kernel for your system. The preferred way, and required tools, to do the installation depend on the Linux distribution you are using. If you encounter problems with configuring or installing the kernel, please consult your distribution’s documentation.
Downloading grsecurity
Point your browser to http://grsecurity.net/. Click on the "Download" link and then "Stable". For the purposes of this document, we will be installing the latest stable grsecurity for kernel 3.2.21. Therefore the patch file will be called grsecurity-2.9.1-3.2.21-201206201812.patch.
Note: All grsecurity packages have a version string in their names. It contains both the version of the release itself and the kernel version it is meant for. For example, the version string 2.9.1-3.2.21-201206201812 tells us that the version of this grsecurity release is 2.9.1 and it is meant for kernel version 3.2.21. The last section of the version is a timestamp.
In our case we downloaded the following files:
- grsecurity-2.9.1-3.2.21-201206201812.patch
- grsecurity-2.9.1-3.2.21-201206201812.patch.sig - This is the digital signature of this release.
Downloading gradm
When downloading gradm, the administration utility for grsecurity’s role-based access control system, you must download the version that matches the version of the grsecurity patch you downloaded. Gradm is located on the same download page as grsecurity.
In our case we downloaded the following files:
- gradm-2.9.1-201206091838.tar.gz
- gradm-2.9.1-201206091838.tar.gz.sig - This is the digital signature of this release.
Downloading the Linux Kernel
The grsecurity patches can only be applied to a vanilla kernel. Many distributions modify the official kernel with additional patches, which means that any kernel source packages acquired through their package manager are very likely incompatible with grsecurity.
For this reason we will download the official unmodified kernel from http://www.kernel.org/. Download the full kernel source package and its signature (the .sign file), and make sure its version matches the version of the grsecurity patch you downloaded. In this document the version is 3.2.21. The required version is most likely not the latest, so you need to get it from the kernel archives.
If you’ve got a terminal open, you can use the below commands to download both the kernel source and the signature to the current working directory:
$ wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.2.21.tar.bz2
$ wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.2.21.tar.sign
NOTE: The versions of the grsecurity patch and the kernel must match exactly.
Verifying the Downloads
The grsecurity and gradm packages have been cryptographically signed so that users can verify that the source code has not been modified since it was packaged. You can find the public key used to sign them on the same download page as grsecurity. Scroll down the page until you see a heading that says "Verify these downloads with GPG". Below the heading is a link to the public key. Download the key to the directory where you placed grsecurity.
Before you can verify the downloads, you need to import the grsecurity key into your public keyring using GNU Privacy Guard (GPG). If you are unfamiliar with GPG and wish to know more, please refer to The GNU Privacy Handbook.
To import the key, run the following command in the directory where your grsecurity and its key were downloaded.
$ gpg --import spender-gpg-key.asc
gpg: key 4245D46A: public key "Bradley Spengler (spender) <spender@grsecurity.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
After importing the key, verify the downloaded grsecurity and gradm packages by running the below commands in your grsecurity directory:
$ gpg --verify grsecurity-2.9.1-3.2.21-201206201812.patch.sig
gpg: Signature made Wed 20 Jun 2012 03:14:19 PM PDT using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500 E778 9879 B649 4245 D46A
$ gpg --verify gradm-2.9.1-201206091838.tar.gz.sig
gpg: Signature made Sat 09 Jun 2012 03:39:23 PM PDT using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500 E778 9879 B649 4245 D46A
As long as GPG reports the signature is good, you do not need to worry about the warning. If you signed the grsecurity key with your own key, you will not get the warning. If the verification of either file failed, re-download the file in question and try again.
The Linux kernel source packages have been signed as well. The latest public key used to sign all kernel packages and revocation certificates can be found at http://www.kernel.org/signature.html. You can import the public key directly from a key server (the servers use port 11371):
$ gpg --recv-keys 6092693E
gpg: requesting key 6092693E from hkp server keys.gnupg.net
gpg: key 6092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
NOTE: Before you download the key, visit http://www.kernel.org/signature.html and make sure the key ID (in this example "6092693E") is the latest valid key.
There are many public key servers to choose from for fetching the key (for example, --keyserver wwwkeys.pgp.net can be placed between gpg and --recv-keys on the command line) if no default key server is configured. Some of them are listed on Wikipedia.
Before you verify the Linux kernel archive, you have to decompress it, because kernel.org now signs the uncompressed .tar file rather than each compressed archive, to reduce the number of signature files it has to maintain. Run:
# bzip2 -d linux-3.2.21.tar.bz2
Now to verify the kernel package, run:
$ gpg --verify linux-3.2.21.tar.sign
gpg: Signature made Tue 19 Jun 2012 05:40:25 PM PDT using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
If GPG reports that the signature is good, you are good to go. If the verification failed, re-download the kernel source and its signature, and try again. Although not shown in this example, you will get the same warning from GPG as with the other packages, unless you signed the kernel archive key with your own key.
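As an added example (not from the grsecurity wiki), the following POSIX shell helpers tie the steps above together: they check that the three file names agree on version before anything is verified, and they require each signature's primary key fingerprint to match the fingerprints printed in the gpg output above, since a "Good signature" line alone only says the signature matches some key in your keyring. Assumed: gpg is in PATH and the downloads are in the current directory; the parsing of gpg's --status-fd output is this example's addition, not a step from the page.

```shell
#!/bin/sh
# Added example, not from the grsecurity wiki. Fingerprints are the two
# primary key fingerprints printed by the gpg runs shown on this page.
GRSEC_FPR="9F74393D7E7FFF3C6500E7789879B6494245D46A"    # Bradley Spengler
KERNEL_FPR="647F28654894E3BD457199BE38DBBDC86092693E"   # Greg Kroah-Hartman

# grsecurity-<grsec>-<kernel>-<timestamp>.patch  ->  "<grsec> <kernel>"
parse_grsec_patch() {
    printf '%s\n' "$1" | sed -n \
        's/^grsecurity-\([0-9.]*\)-\([0-9.]*\)-[0-9]\{12\}\.patch$/\1 \2/p'
}

# gradm-<grsec>-<timestamp>.tar.gz  ->  "<grsec>"
parse_gradm() {
    printf '%s\n' "$1" | sed -n 's/^gradm-\([0-9.]*\)-[0-9]\{12\}\.tar\.gz$/\1/p'
}

# linux-<kernel>.tar or linux-<kernel>.tar.bz2  ->  "<kernel>"
parse_kernel() {
    printf '%s\n' "$1" | sed -n 's/^linux-\([0-9.]*\)\.tar\(\.bz2\)\{0,1\}$/\1/p'
}

# Succeeds only if the patch, gradm and kernel file names agree: gradm must
# carry the same grsecurity version, and the kernel the same kernel version.
check_versions() {  # check_versions <patch> <gradm tarball> <kernel tarball>
    set -- "$(parse_grsec_patch "$1")" "$(parse_gradm "$2")" "$(parse_kernel "$3")"
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 1
    [ "${1% *}" = "$2" ] && [ "${1#* }" = "$3" ]
}

# Verify a detached signature and require the primary key fingerprint on
# gpg's machine-readable VALIDSIG status line to equal the expected one.
# A "Good signature" made by some other key in the keyring is rejected.
verify_sig() {  # verify_sig <.sig/.sign file> <expected fingerprint, no spaces>
    gpg --status-fd 1 --verify "$1" 2>/dev/null \
        | grep -Eq "^\[GNUPG:\] VALIDSIG ($2 |.* $2$)"
}

# Typical use from the download directory, with the file names from this page:
#   check_versions grsecurity-2.9.1-3.2.21-201206201812.patch \
#       gradm-2.9.1-201206091838.tar.gz linux-3.2.21.tar.bz2 &&
#   verify_sig grsecurity-2.9.1-3.2.21-201206201812.patch.sig "$GRSEC_FPR" &&
#   verify_sig gradm-2.9.1-201206091838.tar.gz.sig "$GRSEC_FPR" &&
#   verify_sig linux-3.2.21.tar.sign "$KERNEL_FPR" && echo "all downloads OK"
```

The version check catches the mismatch that the NOTE above warns about before any signature is examined, and the fingerprint check removes the need to interpret the "not certified" warning by hand.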
When you have successfully verified the downloaded files, you are ready to configure grsecurity.