Compile latest kernel on Debian and Ubuntu

linux kernel compile

Here are my notes on how to compile and install the latest version of the Linux kernel, at this moment version 5.9.1, on Debian 10 ‘Buster’ and Ubuntu 20.04 LTS from source code. Procedure should be similar for other flavours of linux. Remember to change versions and/or paths to match your preferences if necessary.

First, we will download and verify the source code, install necessary packages and copy our current configuration, therefore we will have it as our starting config. See below the commands for this part.

## Download the source code and pgp signature from https://www.kernel.org/
## to a directory of your choice
mkdir -p /usr/src/
cd /usr/src/
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.9.1.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.9.1.tar.sign
## Install necessary packages
apt-get install gnupg2 build-essential libncurses-dev bison flex libssl-dev libelf-dev bc
## Uncompress the source code
xz -d -v linux-5.9.1.tar.xz
## Import keys belonging to kernel developers and check signatures
gpg2 --locate-keys torvalds@kernel.org gregkh@kernel.org
gpg --verify linux-5.9.1.tar.sign
## Untar the source code and cd into the directory
tar xf linux-5.9.1.tar
cd linux-5.9.1/
## Copy over actual kernel config file
cp -v /boot/config-$(uname -r) .config

Next we have to take decision whether we want to sign the kernel modules or not. To clarify, the kernel module signing facility cryptographically signs modules during installation and then checks the signature upon loading the module, what increases security by making it harder to load a malicious module into the kernel.

Procedures for both cases are explained below, so choose the one that best suits your needs.

Module signing configuration

In order to sign our modules we need to go through some configuration steps.

Firstly, we will create the signing key that we will use to sign the modules. To do this we should go to ‘/usr/src/linux-5.9.1/certs’ an create a file named ‘x509.genkey’ with this content.

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

Then we will execute the following command to create the key:

openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 -config x509.genkey -outform PEM -out kernel_key.pem -keyout kernel_key.pem

Finally we need configure module signing and the key we will use in the kernel configuration options. To do so we will execute the ncurses-based pseudo-graphical menu and adjust some options:

  • cd into ‘/usr/src/linux-5.9.1’ and type ‘make menuconfig’
  • Go to ‘Enable loadable module support’ and select/activate the option ‘Automatically sign all modules’. This option comes activated in Ubuntu (remember we are using our current config as base) and deactivated in Debian by default.
  • Go back to the first menu and then navigate to ‘Cryptographic API’ —> ‘Certificates for signature checking’ —> ‘File name or PKCS#11 URI of module signing key’ and put the path of our previously created key relative to the source code directory, in our case ‘certs/kernel_key.pem’ in place.
  • In the same menu, leave the entry ‘Additional X.509 keys for default system keyring’ blank if not already blank.

Important note: If you want to fully harden your installation, don’t forget to take the generated key (kernel_key.pem) out of the box and keep it in a safe place for future signing.

That’s all, you can exit the configuration menu saving changes and move on to compile the kernel.

Module unsigning configuration

To disable module signing, we should do it in kernel configuration:

  • cd into ‘/usr/src/linux-5.9.1’ and type ‘make menuconfig’
  • Go to ‘Enable loadable module support’ and unselect/deactivate the option ‘Automatically sign all modules’. This option comes activated in Ubuntu, as we are using our current config as base, and deactivated in Debian by default.
  • Go back to the first menu and then navigate to ‘Cryptographic API’ —> ‘Certificates for signature checking’ and make sure that options ‘File name or PKCS#11 URI of module signing key’ and ‘Additional X.509 keys for default system keyring’ are blank if not already blank.

This is all we need to compile our kernel without module signing feature. Exit the configuration menu saving changes and move on to the next section.

Compile linux kernel

Finally we can compile and install our new kernel and its modules. These are the commands that you need to finish this procedure.

## Compile using make or make -j n where n is the number of processors to use
make -j 2
## Install kernel modules
make modules_install
## Optimize and install new kernel
cd /lib/modules/5.9.1/
find . -name *.ko -exec strip --strip-unneeded {} +
cd /usr/src/linux-5.9.1/
make install
reboot

After rebooting, your new kernel will be running and fully operational, check it with ‘uname -a’.

It is recommended to execute ‘make clean’ from the source directory of the kernel in order to free some space from files generated during compilation. With this you can easily free between 10 and 20 GB space.

We have seen how to compile and install the latest linux kernel on Debian and Ubuntu. Comments are welcome.

Leave a Reply

Your email address will not be published.