Grsecurity/Obtaining grsecurity

Point your browser to http://grsecurity.net/. Click on the "Download" link and then select a "Stable" or "Test" patch (since September 9th, 2015, stable patches of grsecurity are available to commercial customers only). For the purposes of this document, we will be installing the latest stable grsecurity for kernel 3.2.50. Therefore the patch file will be called "grsecurity-2.9.1-3.2.50-201308052151.patch".

In our case we downloaded the following files

• grsecurity-2.9.1-3.2.50-201308052151.patch
• grsecurity-2.9.1-3.2.50-201308052151.patch.sig - This is the digital signature of this release.

When downloading gradm, the administration utility for grsecurity's role-based access control system, you must download the version that matches the version of the grsecurity patch you downloaded. Gradm is located on the same download page as grsecurity.

In our case we downloaded the following files

• gradm-2.9.1-201308021745.tar.gz
• gradm-2.9.1-201308021745.tar.gz.sig - This is the digital signature of this release.

The grsecurity patches can only be applied to a vanilla kernel. Many distributions modify the official kernel with additional patches, which means that any kernel source packages acquired through their package manager is very likely incompatible with grsecurity.

For this reason we will download the official unmodified kernel from http://www.kernel.org/. Download the full kernel source package and its signature (the ".sign" file), and make sure its version matches the version of the grsecurity patch you downloaded. In this document the version is 3.2.50. The required version is most likely not the latest, so you need to get it from the kernel archives.

If you've got a terminal open, you can use the below commands to download both the kernel source and the signature to the current working directory:

$ wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.50.tar.bz2
$ wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.50.tar.sign

NOTE: The versions of the grsecurity patch and the kernel must match exactly.

The grsecurity and gradm packages have been cryptographically signed so that users can verify that the source code has not been modified since it was packaged. You can find the public key used to sign them from the same download page as grsecurity. Scroll down the page until you see a heading that says "Verify these downloads with GPG". Below the heading is a link to the public key. Download the key to the directory where you placed grsecurity.

Before you can verify the downloads, you need to import the grsecurity key to your public keyring using Gnu Privacy Guard (GPG). If you are unfamiliar with GPG and wish to know more, please refer to The GNU Privacy Handbook.

To import the key, run the following command in the directory where your grsecurity and its key were downloaded.

$ gpg --import spender-gpg-key.asc
gpg: key 4245D46A: public key "Bradley Spengler (spender) <spender@grsecurity.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1

After importing the key, verify the downloaded grsecurity and gradm packages by running the below commands in your grsecurity directory:

$ gpg --verify grsecurity-2.9.1-3.2.50-201308052151.patch.sig
gpg: Signature made Mon 05 Aug 2013 06:55:44 PM PDT using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A

$ gpg --verify gradm-2.9.1-201308021745.tar.gz.sig
gpg: Signature made Fri 02 Aug 2013 02:45:37 PM PDT using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A

Below is an example of a failed signature verification. The patch file was modified on purpose to make the verification fail.

$ gpg --verify grsecurity-2.9.1-3.2.50-201308052151.patch.sig
gpg: Signature made Mon 05 Aug 2013 06:55:44 PM PDT using DSA key ID 4245D46A
gpg: BAD signature from "Bradley Spengler (spender) <spender@grsecurity.net>"

As long as GPG reports the signature is good, you do not need to worry about the warning about the key not being certified with a trusted signature. If you signed the grsecurity key with your own key, you will not get the warning. If the verification of either file failed (i.e. if you get the "BAD signature" message), re-download the file in question and try again.

The Linux kernel source packages have been signed as well. Please follow the instructions on the Linux kernel website to verify the kernel source package.

When you have successfully verified the downloaded files, you are ready to configure grsecurity.