• Questions regarding the installation of a hardened kernel on Antergos


    Ok, so the original goal was to get apparmor running on my Antergos system, as per this post.

    To achieve this I needed to install a kernel that had the appropriate modules needed to run apparmor.

    To achieve this I installed Linux hardened kernel via pacman using:

    sudo pacman -S linux-hardened linux-hardened-headers

    Then I selected the hardened kernel at boot, and I added the necessary boot parameters apparmor=1 security=apparmor

    Once the system is up and running, apparmor indeed appears to be running. However, during the system startup process I am now confronted with:

    [FAILED] Failed to start Load Kernel Modules.

    Having searched around online I think the main issue is the discrepancy that has formed between:

    uname -a
    Linux AntWorld 4.17.15.a-1-hardened

    And:

    pacman -Q linux
    linux 4.17.14.arch1-1

    On the arch forum I came across a post by someone facing a similar problem when installing linux-lts kernel on arch.

    Someone answering the question said:

    Probably your boot partition was not mounted when you did the upgrade of the kernel. Mount the boot partition on /boot and reinstall the linux package. Fix your /etc/fstab to ensure it is mounted for future updates. Unmount the boot partition and look in /boot; there are probably a kernel file and an initrd file in there that do not belong. Unless you are not using a boot partition, the /boot directory, when not used as a mount point, should be empty. Updating the kernel with nothing mounted on /boot causes the files to appear.

    My questions now are:

    Mount the boot partition on /boot and reinstall the linux package. --> Does that mean I need to start up, select the regular kernel in the grub menu and then apply sudo pacman -Rns linux-hardened linux-hardened-headers, then manually mount the boot partition, and then install the packages again? (NOTE: I activated full-disk encryption during the Antergos installation; does that change the ways in which I am (un-)able to mount the boot partition in any way?)

    Fix your /etc/fstab to ensure it is mounted for future updates -> Mine currently reads:

    UUID=98dc5531-3348-4adf-8b64-c27db3f02012 /boot ext4 defaults,relatime,data=ord$
    UUID=ba501b15-3a41-404b-8b5b-670a3a03372c / ext4 defaults,relatime,data=ordered$
    UUID=ccd878da-d45e-4a68-8cc9-1a2f61f4ccc2 /home ext4 defaults,relatime,data=ord$
    UUID=4760b469-17a6-4c21-abc7-e18fedc3f2b7 swap swap defaults 0 0

    yet I am not quite sure how I should update it to ensure the boot partition gets mounted?

    Unmount the boot partition and look in /boot; there are probably a kernel file and an initrd file in there that do not belong. Unless you are not using a boot partition, the /boot directory, when not used as a mount point, should be empty. -> When I apply ls -la in /boot I currently get:

    drwxr-xr-x  5 root root     1024 Aug 16 18:55 .
    drwxr-xr-x 17 root root     4096 Apr 14 09:18 ..
    drwxr-xr-x  6 root root     1024 Aug 18 10:33 grub
    -rw-r--r--  1 root root 36946612 Aug 16 18:57 initramfs-linux-fallback.img
    -rw-r--r--  1 root root 36937914 Aug 16 18:57 initramfs-linux-hardened-fallback.img
    -rw-r--r--  1 root root 16981351 Aug 16 18:57 initramfs-linux-hardened.img
    -rw-r--r--  1 root root 16966319 Aug 16 18:57 initramfs-linux.img
    -rw-r--r--  1 root root  1747456 Aug  8 09:47 intel-ucode.img
    drwx------  2 root root    12288 Dec  7  2017 lost+found
    drwxr-xr-x  2 root root     1024 Aug  9 20:48 syslinux
    -rw-r--r--  1 root root  5330896 Aug  9 13:56 vmlinuz-linux
    -rw-r--r--  1 root root  5380048 Aug 15 18:41 vmlinuz-linux-hardened

    Does "Unless you are not using a boot partition, the /boot directory, when not used as a mount point, should be empty." mean that after properly installing the kernel I could remove all these files & directories?

  • @exploring_ant said in Questions regarding the installation of a hardened kernel on Antergos:

    pacman -Q linux
    linux 4.17.14.arch1-1

    uname -a is showing the currently running kernel…
    pacman -Q linux is not showing the same thing; it should be pacman -Qs linux, which would show all locally installed packages with the string linux inside…

    And you have different kernels installed: the hardened one and the standard (main) one… but as your version is showing 4.17.14 it would be interesting to see the output of pacman -Qs linux
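The reply above boils down to comparing what is running (uname -r) with what pacman has installed, and the quoted advice to checking that /boot is really a mount point. The script below is an added example (not from the thread, Antergos or Arch) that does both on constructed input; it assumes Arch's kernel naming, where uname -r ends in -ARCH, -hardened or -lts and the main kernel's package version writes the release with a dot where uname uses a hyphen.

```shell
#!/bin/sh
# Added example: diagnose "running kernel vs installed package" and "/boot"
# mount state. Assumes Arch-style kernel release suffixes (see lead-in).

# kernel_to_pkg RUNNING -> "pkgname version" the running kernel should come from
#   4.17.15.a-1-hardened -> linux-hardened 4.17.15.a-1
#   4.17.14-arch1-1-ARCH -> linux 4.17.14.arch1-1
kernel_to_pkg() {
  case "$1" in
    *-ARCH)     printf 'linux %s\n' "$(printf '%s' "${1%-ARCH}" | sed 's/-/./')" ;;
    *-hardened) printf 'linux-hardened %s\n' "${1%-hardened}" ;;
    *-lts)      printf 'linux-lts %s\n' "${1%-lts}" ;;
    *)          return 1 ;;
  esac
}

# kernel_pkg_status RUNNING PACMAN_Q_TEXT
# PACMAN_Q_TEXT is the output of `pacman -Q` (one "name version" per line).
# Prints: ok | version-mismatch <installed> | not-installed | unknown-flavour
kernel_pkg_status() {
  expected=$(kernel_to_pkg "$1") || { echo unknown-flavour; return 1; }
  pkg=${expected%% *}; ver=${expected#* }
  installed=$(printf '%s\n' "$2" | awk -v p="$pkg" '$1 == p { print $2 }')
  if [ -z "$installed" ]; then echo not-installed; return 1
  elif [ "$installed" != "$ver" ]; then echo "version-mismatch $installed"; return 1
  fi
  echo ok
}

# boot_listed_in TEXT: succeeds if a non-comment line has /boot as its mount
# point. Works on /etc/fstab (is it configured?) and /proc/mounts (is it mounted?).
boot_listed_in() {
  printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/boot" { f = 1 } END { exit !f }'
}

# Live run on the machine itself: sh kcheck.sh --live
if [ "${1:-}" = "--live" ]; then
  running=$(uname -r)
  echo "running kernel: $running -> $(kernel_pkg_status "$running" "$(pacman -Q)")"
  boot_listed_in "$(cat /etc/fstab)"   && echo "/boot in fstab"  || echo "/boot NOT in fstab"
  boot_listed_in "$(cat /proc/mounts)" && echo "/boot mounted"   || echo "/boot NOT mounted"
fi
```

A "version-mismatch" for the flavour you booted, or "/boot NOT mounted" while fstab lists it, is the situation the quoted Arch forum answer describes.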
