Building an RPM package for the latest Linux kernel and grsecurity
What are we building?
We are going to add one set of patches to the Linux kernel:
- grsecurity, a collection of patches to the Linux kernel aimed at hardening it (the set includes PaX, which you choose to enable or not when configuring the kernel)
How to create the custom-configured kernel RPM?
- Download the spec file to /usr/src/redhat/SPECS/
cd /usr/src/redhat/SPECS/ ; wget http://cpc.freeshell.org/linux/kernel-grsec-2.4.21.spec
- Download all the patches and sources named in the spec file (the kernel tarball and the grsecurity patch) to /usr/src/redhat/SOURCES/
wget/lftp/...
- Create an empty kernel config file (you can also copy an existing one to speed up the kernel configuration)
touch /usr/src/redhat/SOURCES/kernel-2.4.21-i686-1grsec.config
- Prepare the kernel (unpacking the sources and applying the patches; on rpm 4.1 and later the build modes live in the separate rpmbuild command, so use rpmbuild -bp)
cd /usr/src/redhat/SPECS ; rpm -bp kernel-grsec-2.4.21.spec
- Tweak the kernel config
cd /usr/src/redhat/BUILD/linux-2.4.21 ; make oldconfig/menuconfig/xconfig
- Copy the resulting config to the sources of the RPM
cp /usr/src/redhat/BUILD/linux-2.4.21/.config /usr/src/redhat/SOURCES/kernel-2.4.21-i686-1grsec.config
- Compile the kernel (binary and source RPM) and have a cup of tea/coffee/...
cd /usr/src/redhat/SPECS ; rpm -ba kernel-grsec-2.4.21.spec
- Done! Easy, wasn't it ?
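The steps above as one script, added here as an example and not part of the original page or of the spec file it links to. It assumes rpm's default top directory /usr/src/redhat with SPECS/SOURCES/BUILD underneath (override with TOPDIR), the spec and config file names used above, and that the kernel tarball and grsecurity patch are already in SOURCES. Before the full build it checks that the saved config really turns grsecurity on (CONFIG_GRKERNSEC=y), since a config that was only "touched" and never tweaked would silently give you a plain 2.4.21 kernel with a grsec name; the PaX options are reported so you can see whether you ended up with PaX or not.

```shell
#!/bin/sh
# Added example wrapper around the build steps on this page (not the page's own script).
# Assumed: rpm default topdir, file names from the page, sources already in SOURCES.

TOPDIR="${TOPDIR:-/usr/src/redhat}"
SPEC_URL="http://cpc.freeshell.org/linux/kernel-grsec-2.4.21.spec"
SPEC="$TOPDIR/SPECS/kernel-grsec-2.4.21.spec"
CONFIG="$TOPDIR/SOURCES/kernel-2.4.21-i686-1grsec.config"
BUILD_TREE="$TOPDIR/BUILD/linux-2.4.21"
KCONFIG_TARGET="${KCONFIG_TARGET:-menuconfig}"   # or oldconfig / xconfig

# check_grsec_config FILE OPTION...
# Prints every OPTION that is not set to "=y" in FILE on stderr.
# Returns 0 when all are on, 1 when at least one is missing.
check_grsec_config() {
    file="$1"; shift
    missing=0
    for opt in "$@"; do
        if ! grep -q "^${opt}=y\$" "$file"; then
            echo "missing: $opt" >&2
            missing=1
        fi
    done
    return $missing
}

# count_enabled FILE PREFIX
# Number of options starting with PREFIX that are "=y" (e.g. PREFIX=CONFIG_PAX_).
count_enabled() {
    grep -c "^${2}[A-Z0-9_]*=y\$" "$1" || true   # grep -c exits 1 on zero matches
}

# rpm_build STAGE SPEC: "p" = %prep only, "a" = full build. Uses rpmbuild when
# present (rpm >= 4.1), otherwise the older "rpm -b" form used on this page.
rpm_build() {
    if command -v rpmbuild >/dev/null 2>&1; then
        rpmbuild "-b$1" "$2"
    else
        rpm "-b$1" "$2"
    fi
}

build_grsec_kernel() {
    mkdir -p "$TOPDIR/SPECS" "$TOPDIR/SOURCES"
    [ -f "$SPEC" ]   || wget -O "$SPEC" "$SPEC_URL"
    [ -f "$CONFIG" ] || touch "$CONFIG"           # empty config, as on the page
    rpm_build p "$SPEC" || return 1               # unpack sources, apply grsecurity patch
    (cd "$BUILD_TREE" && make "$KCONFIG_TARGET") || return 1
    cp "$BUILD_TREE/.config" "$CONFIG"
    # Refuse to build a "grsec" RPM whose config does not enable grsecurity.
    if ! check_grsec_config "$CONFIG" CONFIG_GRKERNSEC; then
        echo "grsecurity is not enabled in $CONFIG, not building" >&2
        return 1
    fi
    echo "PaX options enabled: $(count_enabled "$CONFIG" CONFIG_PAX_)"
    rpm_build a "$SPEC"                           # binary + source RPM
}

case "${1:-}" in
    build) build_grsec_kernel ;;
    check) shift; check_grsec_config "$@" ;;
    *) echo "usage: $0 build | check CONFIGFILE OPTION..." >&2 ;;
esac
```

Usage: `sh build-grsec.sh build` runs the whole procedure; `sh build-grsec.sh check /usr/src/redhat/SOURCES/kernel-2.4.21-i686-1grsec.config CONFIG_GRKERNSEC CONFIG_PAX` checks an existing config without building. The page does everything under /usr/src/redhat as root; pointing TOPDIR at a directory owned by an unprivileged build user (and setting %_topdir in that user's ~/.rpmmacros) keeps the untarring and patching of downloaded sources out of root's hands.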
Why is there no binary RPM to download?
I think it would be a bad idea to offer a binary RPM of this kernel, for the following reasons:
- a secure kernel should be tightened down to your specific needs
- a lot of people won't be happy if they end up with PaX
- you should not trust strangers ;-)
Why isn't there the O(1)/low latency/... patch included?
What I am looking for is a stable kernel, so I prefer to limit the amount of patching, as I don't have an unlimited number of QA testers to test it.
Nicolas Lidzborski (cpc at freeshell.org) on August 14 2003
Previous version: kernel-grsec.2.4.20.html