Help
Add this page to your collection
Show collection (0 pages)
Suggest pagesGrsecurity/Obtaining grsecurity
The
Contents |
The following instructions will lead you through the process of downloading all the components necessary for using grsecurity on your system. Download each component to the same directory on your computer.
You need:
- The latest stable version of grsecurity.
- A matching version of gradm, the administration utility for grsecurity.
- Full source code of the Linux kernel.
You also need to have necessary programs for building, configuring and installing a custom kernel for your system. The preferred way, and required tools, to do the installation depend on the Linux distribution you are using. If you encounter problems with configuring or installing the kernel, please consult your distribution's documentation.
[edit] Downloading grsecurity
Point your browser to http://grsecurity.net/. Click on the "Download" link and then "Stable". For the purposes of this document, we will be installing the latest stable grsecurity for kernel 2.6.32.45. Therefore the patch file will be called grsecurity-2.2.2-2.6.32.45-201108262310.patch.
 |
All grsecurity packages have a version string in their names. It contains both the version of the release itself and the kernel version it is meant for. For example, the version string 2.2.2-2.6.32.45-201108262310 tells us that the version of this grsecurity release is 2.2.2 and it is meant for kernel version 2.6.32.45. The last section of the version is a timestamp. |
In our case we downloaded the following files
- grsecurity-2.2.2-2.6.32.45-201108262310.patch
- grsecurity-2.2.2-2.6.32.45-201108262310.patch.sig - This is the digital signature of this release.
[edit] Downloading gradm
When downloading gradm, the administration utility for grsecurity's role-based access control system, you must download the version that matches the version of the grsecurity patch you downloaded. Gradm is located on the same download page as grsecurity.
In our case we downloaded the following files
- gradm-2.2.2-201108142019.tar.gz
- gradm-2.2.2-201108142019.tar.gz.sig - This is the digital signature of this release.
[edit] Downloading the Linux Kernel
The grsecurity patches can only be applied to a vanilla kernel. Many distributions modify the official kernel with additional patches, which means that any kernel source packages acquired through their package manager is very likely incompatible with grsecurity.
For this reason we will download the official unmodified kernel from http://www.kernel.org/. Download the full kernel source package and its signature (the .sign file), and make sure its version matches the version of the grsecurity patch you downloaded. In this document the version is 2.6.32.45. The required version is most likely not the latest, so you need to get it from the kernel archives.
If you've got a terminal open, you can use the below commands to download both the kernel source and the signature to the current working directory:
$ wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/linux-2.6.32.45.tar.bz2 $ wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/linux-2.6.32.45.tar.sign
NOTE: The versions of the grsecurity patch and the kernel must match exactly.
[edit] Verifying the Downloads
The grsecurity and gradm packages have been cryptographically signed so that users can verify that the source code has not been modified since it was packaged. You can find the public key used to sign them from the same download page as grsecurity. Scroll down the page until you see a heading that says "Verify these downloads with GPG". Below the heading is a link to the public key. Download the key to your grsecurity directory.
Before you can verify the downloads, you need to import the grsecurity key to your public keyring using Gnu Privacy Guard (GPG). If you are unfamiliar with GPG and wish to know more, please refer to The GNU Privacy Handbook.
To import the key, run the following command in your grsecurity directory.
$ gpg --import spender-gpg-key.asc gpg: key 4245D46A: public key "Bradley Spengler (spender) <spender@grsecurity.net>" imported gpg: Total number processed: 1 gpg: imported: 1
After importing the key, verify the downloaded grsecurity and gradm packages by running the below commands in your grsecurity directory:
$ gpg --verify grsecurity-2.2.2-2.6.32.45-201108262310.patch.sig gpg: Signature made Fri 26 Aug 2011 11:26:59 PM EDT using DSA key ID 4245D46A gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9F74 393D 7E7F FF3C 6500 E778 9879 B649 4245 D46A $ gpg --verify gradm-2.2.2-201108142019.tar.gz.sig gpg: Signature made Sun 14 Aug 2011 08:18:57 PM EDT using DSA key ID 4245D46A gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9F74 393D 7E7F FF3C 6500 E778 9879 B649 4245 D46A
As long as GPG reports the signature is good, you do not need to worry about the warning. If you signed the grsecurity key with your own key, you will not get the warning. If the verification of either file failed, re-download the file in question and try again.
The Linux kernel source packages have been signed as well. The latest public key used to sign all kernel packages and revocation certificates can be found at http://www.kernel.org/signature.html. You can import the public key directly from a key server (the servers use port 11371):
$ gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E gpg: requesting key 517D0F0E from hkp server wwwkeys.pgp.net gpg: key 517D0F0E: public key "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1
NOTE: Before you download the key, visit http://www.kernel.org/signature.html and make sure the key ID (in this example "517D0F0E") is the latest valid key.
There are many other public key servers to choose from. Some of them are listed on Wikipedia.
Now to verify the kernel package, run:
$ gpg --verify linux-2.6.32.45.tar.bz2.sign gpg: Signature made Tue 16 Aug 2011 07:43:30 PM EDT using DSA key ID 517D0F0E gpg: Good signature from "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E
If GPG reports that the signature is good, you are good to go. If the verification failed, re-download the kernel source and its signature, and try again. Although not shown in this example, you will get the same warning from GPG as with the other packages, unless you signed the kernel archive key with your own key.
When you have successfully verified the downloaded files, you are ready to configure grsecurity.
