Previewing new SecureDrop kernel

Kunal Mehta edited this page Aug 2, 2022 · 5 revisions

This procedure allows for a one-time check of the next SecureDrop kernel, in preview mode. If the kernel fails to load, in most cases the server will fall back to the default kernel, allowing this check to be done remotely.

However, if the kernel does load but networking support is not available, it may be necessary to roll back the kernel version to the default at the console (or wait for the next nightly reboot to revert to the default). This procedure is recommended only for Linux admins familiar with GRUB and the Linux boot process.

Connect to the monitor server

  • connect to mon via ssh from the Admin Workstation
  • run sudo su, or prefix the commands below with sudo:

Install packages

  • edit /etc/apt/sources.list.d/apt_freedom_press.list, adding preview after main, so that it looks as follows:
deb [arch=amd64] https://apt.freedom.press/ focal main preview
  • run apt update
  • run apt install linux-headers-5.15.57-grsec-securedrop linux-image-5.15.57-grsec-securedrop

Configure GRUB to use new kernel for next boot, and fall back if it fails:

  • update Grub defaults with the editor of your choice, e.g. vi /etc/default/grub:

    • change GRUB_DEFAULT value to 'saved'
    • ensure the GRUB_CMDLINE_LINUX value ends with panic=5, inside existing quotation marks. Add a space before panic if there is an existing value.
  • check menuentry options with grep menuentry /boot/grub/grub.cfg | more, and confirm that entries exist for both 5.15.26 and 5.15.57

  • set the default kernel to the entry for 5.15.26: grub-set-default "Advanced options for Ubuntu>Ubuntu, with Linux 5.15.26-grsec-securedrop"

  • set the next reboot kernel to the entry for 5.15.57, e.g.: grub-reboot "Advanced options for Ubuntu>Ubuntu, with Linux 5.15.57-grsec-securedrop"

  • update the grub config with update-grub

  • reboot the server with shutdown -r now
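
Before the final reboot it is worth confirming that the GRUB steps above actually landed as intended, since a wrong saved_entry or a missing panic=5 is what turns a failed preview boot into a console visit. The following preflight script is an added example, not part of the SecureDrop wiki or project; it reads /etc/default/grub, /boot/grub/grub.cfg and /boot/grub/grubenv (the file grub-set-default and grub-reboot write saved_entry and next_entry to) and checks each against the values used on this page.

```sh
#!/bin/sh
# Preflight check for the kernel preview procedure (added example, not
# SecureDrop's own code). Run after update-grub and before shutdown -r now.

# $1: path to /etc/default/grub
check_grub_defaults() {
    def=$(sed -n 's/^GRUB_DEFAULT=//p' "$1" | tr -d "\"'")
    [ "$def" = saved ] || { echo "GRUB_DEFAULT is '$def', expected saved"; return 1; }
    cmd=$(sed -n 's/^GRUB_CMDLINE_LINUX=//p' "$1" | tr -d '"')
    # The page asks for panic=5 as the last option inside the quotes.
    case "$cmd" in
        panic=5|*" panic=5") ;;
        *) echo "GRUB_CMDLINE_LINUX does not end with panic=5: '$cmd'"; return 1 ;;
    esac
}

# $1: path to grub.cfg, $2: fallback version, $3: preview version
check_menuentries() {
    for v in "$2" "$3"; do
        # Matches the non-recovery menuentry generated by update-grub.
        grep -Fq "with Linux $v-grsec-securedrop'" "$1" \
            || { echo "no menuentry for $v in $1"; return 1; }
    done
}

# $1: path to grubenv, $2: fallback version, $3: preview version
check_grubenv() {
    prefix="Advanced options for Ubuntu>Ubuntu, with Linux"
    grep -Fxq "saved_entry=$prefix $2-grsec-securedrop" "$1" \
        || { echo "saved_entry does not point at $2 (grub-set-default)"; return 1; }
    grep -Fxq "next_entry=$prefix $3-grsec-securedrop" "$1" \
        || { echo "next_entry does not point at $3 (grub-reboot)"; return 1; }
}

# Runs all three checks against the live system; versions default to the
# ones used on this page.
run_preflight() {
    old=${1:-5.15.26}; new=${2:-5.15.57}
    check_grub_defaults /etc/default/grub \
    && check_menuentries /boot/grub/grub.cfg "$old" "$new" \
    && check_grubenv /boot/grub/grubenv "$old" "$new" \
    && echo "preflight OK: next boot $new, fallback $old"
}

if [ "${1:-}" = "--run" ]; then run_preflight "$2" "$3"; fi
```

Invoke as `sudo sh preflight.sh --run`; a non-zero exit names the step that still needs fixing. Note that GRUB clears next_entry once the preview kernel has booted, so this check is only meaningful before the reboot.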

The server should come back up with the 5.15.57 kernel. If the kernel panics, the system will reboot after 5 seconds into the 5.15.26 kernel. Wait for the server to be available again, reconnect, and check the kernel version with uname -r. If you experience issues connecting to the server, or are connected locally, you can verify connectivity via a command such as sudo host freedom.press.

To revert to the current non-preview kernel:

  • reboot the monitor server a second time, and confirm that it comes up with the 5.15.26 kernel with uname -r
  • uninstall the 5.15.57 kernel packages with: apt remove linux-headers-5.15.57-grsec-securedrop linux-image-5.15.57-grsec-securedrop
  • remove the preview keyword from /etc/apt/sources.list.d/apt_freedom_press.list and run sudo apt-get update
  • edit /etc/default/grub, removing the panic=5 option from the GRUB_CMDLINE_LINUX value
  • revert remaining GRUB changes by running sudo dpkg-reconfigure securedrop-grsec (this will automatically trigger another update-grub run)