* custom compil
@ 2023-01-22 22:26 A.Péré
2023-01-22 22:52 ` Paulo Miguel Almeida
0 siblings, 1 reply; 7+ messages in thread
From: A.Péré @ 2023-01-22 22:26 UTC (permalink / raw)
To: kernelnewbies
Hi,
I would like to compile a kernel for fedora following this security
guide ( https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
v2)
I have some parameters that I have put using an ansible role
(https://github.com/robertdebock/ansible-role-kernel).
The compilation works but when I reboot I get a black screen so I
guess I am not doing it the right way.
Ideally I would like to be able to compile new kernel on the fly with
my custom .config file for almalinux server and my fedora workstation
home pc.
I have seen this fedora doc
(https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/)
but at the paragraph "Building a Kernel from the Fedora dist-git" it
states 3. Make whatever changes or customizations you need, but no
information is provided on how to do that.
Could you help me in doing this?
Thank you
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
* Re: custom compil
2023-01-22 22:26 custom compil A.Péré
@ 2023-01-22 22:52 ` Paulo Miguel Almeida
2023-01-25 21:55 ` aurel.pere
0 siblings, 1 reply; 7+ messages in thread
From: Paulo Miguel Almeida @ 2023-01-22 22:52 UTC (permalink / raw)
To: A.Péré; +Cc: kernelnewbies
On Sun, Jan 22, 2023 at 11:26:40PM +0100, A.Péré wrote:
> Hi,
> I would like to compile a kernel for fedora following this security
> guide ( https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
> v2)
Hi Aurel, Fedora maintains its own kernel and while it tries to follow
the kernel upstream, it has minor differences. They do have a mailing
list for fedora kernels that can be found at https://docs.fedoraproject.org/en-US/quick-docs/kernel/overview/
should you have specific questions about it.
> I have some parameters that i have put using an ansible role
> (https://github.com/robertdebock/ansible-role-kernel).
> The compilation works but when i reboot i get a black screen so i
> guess i am not doing it the right way.
> Ideally I would like to be able to compile new kernel on the fly with
> my custom .config file for almalinux server and my fedora workstation
> home pc.
> I have seen this fedora doc
> (https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/)
> but at the paragraph "Building a Kernel from the Fedora dist-git" it
> states 3. Make whatever changes or customizations you need, but no
> information is provided on how to do that.
> Could you help me in doing this?
> Thank you
I must be honest with you that it's very unlikely that they will
help you if you simply drop ansible playbooks and security best
practices links. So far, the problem that you described is more related
to sysadmin stuff IMO.
My 2 cents for you to do would be:
1) use other mediums such as forums on the internet which are more focused
on that kind of thing.
2) try stuff locally, read up on docs of tools you are not familiar
with yet. With more details like errors I think you will more likely get
across someone that has faced similar problems and can point you to a
solution. So far your problem statement is a bit vague and it would be
hard for anyone willing to help to actually do so.
Good luck :-)
thanks!
- Paulo A.
* Re: custom compil
2023-01-22 22:52 ` Paulo Miguel Almeida
@ 2023-01-25 21:55 ` aurel.pere
2023-01-25 22:22 ` Siddh Raman Pant
[not found] ` <185eb05138c.7a3744fd121427.2057112906350747697@siddh.me>
0 siblings, 2 replies; 7+ messages in thread
From: aurel.pere @ 2023-01-25 21:55 UTC (permalink / raw)
To: Paulo Miguel Almeida; +Cc: kernelnewbies
Hi
I thought it was a mailing list for newbies and I could find answers or at least links...
Let me rephrase the question: is there a distribution with automated tools to compile a kernel with custom config settings that is easier and more accessible, in particular for automated updates with automatic custom compiling config?
Thanks
22 Jan. 2023 23:52:52 Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>:
> On Sun, Jan 22, 2023 at 11:26:40PM +0100, A.Péré wrote:
>> Hi,
>> I would like to compile a kernel for fedora following this security
>> guide ( https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
>> v2)
>
> Hi Aurel, Fedora maintains its own kernel and while it tries to follow
> the kernel upstream, it has minor differences. They do have a mailing
> list for fedora kernels that can be found at https://docs.fedoraproject.org/en-US/quick-docs/kernel/overview/
> should you have specific questions about it.
>
>> I have some parameters that i have put using an ansible role
>> (https://github.com/robertdebock/ansible-role-kernel).
>> The compilation works but when i reboot i get a black screen so i
>> guess i am not doing it the right way.
>> Ideally I would like to be able to compile new kernel on the fly with
>> my custom .config file for almalinux server and my fedora workstation
>> home pc.
>> I have seen this fedora doc
>> (https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/)
>> but at the paragraph "Building a Kernel from the Fedora dist-git" it
>> states 3. Make whatever changes or customizations you need, but no
>> information is provided on how to do that.
>> Could you help me in doing this?
>> Thank you
>
> I must be honest with you that it's very unlikely that they will
> help you if you simply drop ansible playbooks and security best
> practices links. So far, the problem that you described is more related
> to sysadmin stuff IMO.
>
> My 2 cents for you to do would be:
>
> 1) use other mediums such as forums on the internet which are more focused
> on that kind of thing.
> 2) try stuff locally, read up on docs of tools you are not familiar
> with yet. With more details like errors I think you will more likely get
> across someone that has faced similar problems and can point you to a
> solution. So far your problem statement is a bit vague and it would be
> hard for anyone willing to help to actually do so.
>
> Good luck :-)
>
> thanks!
>
> - Paulo A.
>
* Re: custom compil
2023-01-25 21:55 ` aurel.pere
@ 2023-01-25 22:22 ` Siddh Raman Pant
[not found] ` <185eb05138c.7a3744fd121427.2057112906350747697@siddh.me>
1 sibling, 0 replies; 7+ messages in thread
From: Siddh Raman Pant @ 2023-01-25 22:22 UTC (permalink / raw)
To: aurelpere; +Cc: paulo miguel almeida, kernelnewbies
On Thu, 26 Jan 2023 at 03:25:08 +0530, A.Péré wrote:
> Is there a distribution with automated tools to compile a kernel
> with custom config settings
Yes, it is your favourite distro, whichever that may be. You just
need the tools to build, which you may already have, but can be seen
in docs: https://www.kernel.org/doc/html/latest/process/changes.html
> that is easier and more accessible
If you want a GUI, use `make xconfig`.
> in particular for automated updates with automatic custom compiling config?
Have your custom config options in a separate file somewhere, and use
scripts/kconfig/merge_config.sh to merge. Example in a script:
    make defconfig
    ./scripts/kconfig/merge_config.sh .config common.config
The script will take care of requisite stuff, which additional options
to enable, etc.
Or you can have your entire config saved in .config, and just run
merge_config.sh every time you pull newer kernel code.
Thanks,
Siddh
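
A check that fits right after the merge_config.sh step described above, as an added example that is not part of the original thread: Kconfig dependency resolution can drop an option requested in the fragment, so the final .config is compared against the fragment before building. The function names `verify_fragment` and `make_sample` and the sample option list are assumptions constructed for illustration; `common.config` is the fragment name used in the message.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that every option requested in
# a config fragment survived the merge and Kconfig dependency resolution.

# verify_fragment FRAGMENT CONFIG
# Prints one MISMATCH line per option whose final value differs from the
# request; returns 0 when every request was honoured, 1 otherwise.
verify_fragment() {
    fragment=$1; config=$2; rc=0
    # Option names come from "CONFIG_X=val" and "# CONFIG_X is not set" lines.
    for opt in $(sed -n -e 's/^\(CONFIG_[A-Za-z0-9_]*\)=.*/\1/p' \
                     -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1/p' \
                     "$fragment" | sort -u); do
        # If an option is listed twice, compare against its last occurrence.
        want=$(grep -E "^(# )?${opt}(=| is not set)" "$fragment" | tail -n 1)
        have=$(grep -E "^(# )?${opt}(=| is not set)" "$config" | tail -n 1)
        # An option missing from .config is equivalent to "is not set".
        [ -n "$have" ] || have="# ${opt} is not set"
        if [ "$want" != "$have" ]; then
            echo "MISMATCH ${opt}: requested '${want}', final '${have}'"
            rc=1
        fi
    done
    return "$rc"
}

# make_sample DIR: write a constructed fragment and a constructed final
# .config in which one requested option was dropped.
make_sample() {
    cat > "$1/common.config" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_DEVMEM is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
EOF
    cat > "$1/.config" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
# In a real build this runs right after merge_config.sh, before `make`.
verify_fragment "$demo/common.config" "$demo/.config" \
    || echo "fragment not fully applied; fix dependencies before building"
rm -rf "$demo"
```

In an unattended rebuild job, a non-zero return from `verify_fragment` is the point to stop and keep the currently installed kernel rather than booting one that lacks the requested hardening options.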
* Re: custom compil
[not found] ` <185eb05138c.7a3744fd121427.2057112906350747697@siddh.me>
@ 2023-01-26 0:13 ` aurel.pere
2023-01-26 12:28 ` Siddh Raman Pant
0 siblings, 1 reply; 7+ messages in thread
From: aurel.pere @ 2023-01-26 0:13 UTC (permalink / raw)
To: Siddh Raman Pant; +Cc: paulo miguel almeida, kernelnewbies
OK, thanks for this info, I will check it out
When saying automatic I was referring to kernel updates in package repositories (with apt or dnf) where auto download and install can be configured for security updates... I was thinking about applying config options but I guess they are already compiled?
Isn't there a tool that would download new kernel based on repository security updates and that would compile it with a provided config file?
I can use a bash script or ansible role but I don't see how to keep close to the official kernel distribution updates automatically...
Thanks
25 Jan. 2023 23:21:15 Siddh Raman Pant <code@siddh.me>:
> On Thu, 26 Jan 2023 at 03:25:08 +0530, A.Péré wrote:
>> Is there a distribution with automated tools to compile a kernel
>> with custom config settings
>
> Yes, it is your favourite distro, whichever that may be. You just
> need the tools to build, which you may already have, but can be seen
> in docs: https://www.kernel.org/doc/html/latest/process/changes.html
>
>> that is easier and more accessible
>
> If you want a GUI, use `make xconfig`.
>
>> in particular for automated updates with automatic custom compiling config?
>
> Have your custom config options in a separate file somewhere, and use
> scripts/kconfig/merge_config.sh to merge. Example in a script:
>
> make defconfig
> ./scripts/kconfig/merge_config.sh .config common.config
>
> The script will take care of requisite stuff, which additional options
> to enable, etc.
>
> Or you can have your entire config saved in .config, and just run
> merge_config.sh every time you pull newer kernel code.
>
> Thanks,
> Siddh
* Re: custom compil
2023-01-26 0:13 ` aurel.pere
@ 2023-01-26 12:28 ` Siddh Raman Pant
2023-01-26 20:49 ` aurel.pere
0 siblings, 1 reply; 7+ messages in thread
From: Siddh Raman Pant @ 2023-01-26 12:28 UTC (permalink / raw)
To: aurelpere; +Cc: paulo miguel almeida, kernelnewbies
Please use plain text email and top-posting.
Quoting Greg KH:
A: http://en.wikipedia.org/wiki/Top_post
Q: Where do I find info about this thing called top-posting?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
A: No.
Q: Should I include quotations after my reply?
http://daringfireball.net/2007/07/on_top
---------------------------------------------------------------------
On Thu, 26 Jan 2023 at 05:43:42 +0530, Aurel Pere wrote:
> Ok thanks for these infos i will check it out
>
> When saying automatic i was referring to kernel updates in
> package repositories (with apt or dnf) where auto download
> and install can be configured for security updates...i was
> thinking about applying config options but i guess they are
> already compiled?
Yes, those are already compiled. That's why the process is so
quick!
> Isnt there a tool that would download new kernel based on
> repository security updates and that would compile it with a
> provided config file?
>
> I can use a bash script or ansible role but i dont see how to
> keep close to the official kernel distribution updates
> automatically...
Make a cron job to pull from the kernel repo automatically, either
the stable kernel.org or Fedora's official repo. Then you can run
the merge_config script, and then build the kernel. Then, you can
run `update-grub` or whatever is the process.
Unless for learning, why do this? Fedora maintainers do know their
stuff, so you can trust them. You are not going to audit changes
anyways, so this exercise is futile as you are basically doing the
same thing as `sudo dnf update` (or whatever the dnf command is),
but without the testing from maintainers and other people. Not to
mention the Fedora specific quirks which won't be there upstream.
Better to have your stuff up-to-date using dnf-automatic.
https://docs.fedoraproject.org/en-US/quick-docs/securing-the-system-by-keeping-it-up-to-date/
Thanks,
Siddh
* Re: custom compil
2023-01-26 12:28 ` Siddh Raman Pant
@ 2023-01-26 20:49 ` aurel.pere
0 siblings, 0 replies; 7+ messages in thread
From: aurel.pere @ 2023-01-26 20:49 UTC (permalink / raw)
To: Siddh Raman Pant; +Cc: paulo miguel almeida, kernelnewbies
>
> 'Make a cron job to pull from the kernel repo automatically, either
> the stable kernel.org or Fedora's official repo. Then you can run
> the merge_config script, and then build the kernel. Then, you can
> run `update-grub` or whatever is the process.'
>
>> I was hoping a security tool existed for that purpose. I will do with make then
>
> 'Unless for learning, why do this? Fedora maintainers do know their
> stuff, so you can trust them. You are not going to audit changes
> anyways, so this exercise is futile as you are basically doing the
> same thing as `sudo dnf update` (or whatever the dnf command is),
> but without the testing from maintainers and other people. Not to
> mention the Fedora specific quirks which won't be there upstream.'
>
>> I have chosen fedora for the relative pre built security guarantee it brings but I have reasons to believe the default quirks don't provide enough hardening for my situation. So I am now trying my best to follow and apply an official hardening guide and the kernel compiling is a part of it. For me this is a philosophical stake as much as a technical issue and an experiment: in 2023, can someone targeted who is only a geek be sovereign on a relatively trusted computer (ie relative free hardware from purism and free software)