Closed conorsch closed 7 years ago
Just to confirm: these are the exact changes we used to build the latest SD kernel we shipped?
Yes! That's the goal of submitting these, and also for isolating the SD-specific vars in a dedicated playbook: so we have clear and transparent documentation of the build process we use for shipping custom kernels for SD instances.
Overhaul of the `build-grsec-metapackage` role. Makes it more generally applicable to reuse, and importantly adds a postinst kernel hook to ensure state of PaX flags on grub binaries (closes #90). These changes recently shipped in the context of SecureDrop, and the config presented here was used for the build.

Also adds a dedicated `grsec-build-securedrop` VM, tracking Trusty and using a dedicated playbook specifically for the SD build process (closes #89).