[Gentoo] Testing the Ragnarok Kernel (-bin ebuild)
Adventurous and security-minded Gentoo users (or future Gentoo users) may be interested in testing the Ragnarok project's kernel build.
This is a pre-built kernel, built with LLVM/Clang and ThinLTO, that enables multiple hardening options (some of which most distributions refuse to enable for one reason or another), including Control Flow Integrity. It uses the sys-kernel/gentoo-sources package as its source and gets updated as soon as possible after it (usually within a few hours).
Mind you, I've been running this kernel on three machines ever since I moved to Gentoo (and before that, the same basic config with a custom kernel on Debian) and have yet to encounter an issue. However, there are so many different computers/hardware configurations out there that it can't be guaranteed to work absolutely everywhere. So if you're interested in helping out, you can report any issue in the kernel-build repository issue tracker.
One caveat: this kernel enforces module signing. This means that out-of-tree modules (e.g. NVIDIA), which aren't signed at build time, won't load. This can be remedied by compiling the kernel from source and using your own certificate to sign these modules (more details later on).
Prerequisites
First things first, the ebuild depends on the classic /boot partition and won't work if you use /efi instead. If you think that the /efi directory should be supported, open an issue in the kernel-build repository and I will gladly oblige if enough people ask for it. The same applies to supporting setups that don't have /boot as a separate partition.
Next, ensure that the following packages are installed:
- app-eselect/eselect-repository
- dev-vcs/git
- app-crypt/signify
More details as to why signify(1) will be needed will be given in a future post.
Also ensure that you have a means to create an initramfs. While dracut is the recommended tool (and automatic initramfs generation using it will soon be possible by enabling the dracut USE flag), any other method will also work.
Add the PGP Key
Grab my public OpenPGP key and place it in /usr/share/openpgp-keys/ (the repository configuration below expects it as /usr/share/openpgp-keys/lecorbeau.asc).
Add Ragnarok's ebuild Repo
Add Ragnarok's ebuild repository to /etc/portage/repos.conf/eselect-repo.conf:
[ragnarok]
location = /var/db/repos/ragnarok
auto-sync = yes
sync-type = git
sync-uri = https://github.com/RagnarokOS/pkgs.git
sync-depth = 1
sync-git-verify-commit-signature = true
sync-openpgp-key-path = /usr/share/openpgp-keys/lecorbeau.asc
sync-openpgp-key-refresh = false
Run the following commands to enable and sync the repo:
# eselect-repository enable ragnarok
# emaint sync -r ragnarok
Note: when syncing the repo, you will get a warning related to key-refresh being set to false in eselect-repo.conf. I cannot set up WKD yet, and considering that I prefer Signify, I'm not sold on using WKD so far.
Afterwards, emerge the ragnarok-keys package, which will ensure that new PGP/signify keys get updated and old ones removed:
# emerge -av sec-keys/ragnarok-keys
Portage will warn you that the key you copied in the earlier step will be overwritten; you may safely ignore the warning.
Install
Ensure that /boot is mounted, then:
# emerge -av sys-kernel/linux-ragnarok-bin
Afterwards, generate a new initramfs, e.g.:
# dracut --kver=${PVR}-ragnarok
Replace ${PVR} with the ebuild version.
Then update your bootloader config, e.g.:
# grub-mkconfig -o /boot/grub/grub.cfg
Afterwards, reboot, and enjoy.
Compiling the kernel
Of course, it's possible to compile the kernel yourself, either because you'd like to use the .config file as a base for a minimal kernel tailored to your own computer, or because you need to sign out-of-tree modules yourself.
This kernel ebuild will fetch gentoo-sources as a dependency and copy Ragnarok's config file to the kernel source directory in /usr/src, which makes the process a bit more convenient.
If you choose to compile a minimal kernel based on Ragnarok's config and encounter any issue, be sure to mention it when opening a bug report, and paste the content of your .config file along with it. More importantly, I cannot offer support for minimal kernel configs which disable the default hardening options, for obvious reasons.
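As an added check (my own example, not part of the Ragnarok project or its ebuild), the following POSIX sh script verifies that a trimmed .config still enables the hardening features described above before you build from it, so you know whether the result is one that can be supported. Which Kconfig symbols stand for those features is my assumption, and the two .config fragments are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Ragnarok project: confirm that a trimmed
# .config still carries the hardening features the post relies on before
# building (and before filing a bug against the result).
# Assumption: these Kconfig symbols stand for "built with Clang", "ThinLTO",
# "Control Flow Integrity" and "enforced module signing" respectively.
HARDENING_OPTS="CONFIG_CC_IS_CLANG CONFIG_LTO_CLANG_THIN CONFIG_CFI_CLANG CONFIG_MODULE_SIG CONFIG_MODULE_SIG_FORCE"

# check_hardening_config FILE
# Reports every required option that is not set to =y and returns 1 if any
# is missing; returns 0 when the config keeps all of them enabled.
check_hardening_config() {
    config="$1"
    missing=0
    for opt in $HARDENING_OPTS; do
        if ! grep -q "^${opt}=y\$" "$config"; then
            # Show how the option actually appears (e.g. "# ... is not set").
            found=$(grep -m1 -E "^(# )?${opt}([= ]|\$)" "$config" || true)
            echo "${opt} not enabled: ${found:-absent from file}" >&2
            missing=1
        fi
    done
    return $missing
}

# Demo on two constructed .config fragments (not real Ragnarok configs).
demo_dir=$(mktemp -d)
cat > "$demo_dir/ragnarok.config" <<'EOF'
CONFIG_CC_IS_CLANG=y
CONFIG_LTO_CLANG_THIN=y
CONFIG_CFI_CLANG=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
EOF
cat > "$demo_dir/trimmed.config" <<'EOF'
CONFIG_CC_IS_CLANG=y
CONFIG_LTO_CLANG_THIN=y
# CONFIG_CFI_CLANG is not set
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
EOF
check_hardening_config "$demo_dir/ragnarok.config" && echo "ragnarok.config: hardening intact"
check_hardening_config "$demo_dir/trimmed.config" || echo "trimmed.config: hardening disabled, unsupported"
rm -rf "$demo_dir"
```

Run it against /usr/src/linux/.config after saving your changes in nconfig; a non-zero exit means the config has dropped something the pre-built kernel enables.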
Compiling Steps
As with any kernel update, be sure to run:
# eselect kernel list
# eselect kernel set num
Replace num with the latest version.
Edit EXTRAVERSION inside the Makefile:
# sed -i -e '/EXTRAVERSION = -gentoo/c\EXTRAVERSION = -ragnarok-custom' Makefile
Next, cd into /usr/src/linux, then:
# make CC=clang LLVM=1 nconfig
Make your changes and save the config. You now have two choices:
- Create a tarball to install this kernel on multiple machines.
- Install only on the same computer you built the kernel on.
If you choose option 1, run:
# make CC=clang LLVM=1 -j# dir-pkg
# cd tar-install
# tar czvf ../linux-VERSION-ragnarok-custom.tgz \
--exclude=build/ --owner=root --sort=name *
# cd ..
Replace -j# with the desired number of CPUs to use (or $(nproc)), and VERSION with the kernel version (e.g. 6.12.31).
Installing the kernel then merely requires you to copy the contents of boot to /boot/ and lib/modules to /usr/lib/modules/.
If you choose option 2:
# make CC=clang LLVM=1 -j#
# make modules_install
Then copy config-*.*.*-ragnarok-custom, System.map-*.*.*-ragnarok-custom and vmlinuz-*.*.*-ragnarok-custom to /boot.
No matter which route you took, remember to generate an initramfs and update your bootloader config.