Celebrating 100 Releases of Dapper Secure Kernel Patchset

03 September 2018| Category: Thoughts|

Dapper Secure Kernel Patchset Stable has reached a major milestone, which is 100 releases! What an achievement! Dapper Secure Kernel Patchset Stable has been keeping the community secure since 4.9.24, all the way to 4.9.124.

It has been slightly under one year since I announced my intentions to maintain the final public release of the grsecurity patchset, as Dapper Secure Kernel Patchset. While I had grand intentions to forward port the patchset from 4.9 to the latest release, it turned out that was more difficult than I could have ever imagined, and while I did do my best to port the patchset from 4.9 to 4.10, and then to 4.11, and then to 4.12, 4.13 and finally 4.14 I have now decided it to be a fools errand. It takes around 70+ hours to resolve merge conflicts from one major release (such as 4.10) to the next major release (such as 4.11), and then even more time to fix compile errors. The last release that I fixed all compile errors for was 4.11, and the last time I resolved all merge conflicts was 4.13, and I am about 80% off of 4.14.

The whole process of doing those forward ports taught me that maintaining a 200,000 LOC patchset is no easy task, and is nothing but hard work. It made me realise how much I took Open Source Security's Grsecurity patchset release schedule for granted. Regardless, that doesn't change anything now.

While I was doing my best to forward port the patchset to the latest kernel releases, I was also maintaining a "stable" branch that follows 4.9 LTS, which was going rather successfully, and even managed to continue onward after some difficulty with Meltdown and Spectre vulnerabilities at around 4.9.75. Today, we celebrate one hundred releases of this stable branch, as I have managed to maintain it from 4.9.24, all the way to 4.9.124. May we hope there will be many more releases to come.

One hundred releases in, and while there has been some bumps along the way, Dapper Secure Kernel Patchset Stable ensures that there is a up to date, public, kernel hardening patchset available for security fans. I will continue to maintain and provide free access to this patchset for as long as I can. - Matthew Ruffell, Founder.

There will be many more releases to come, be sure of that. Originally, 4.9 LTS was meant to have upstream support until Jan 2019, and just recently, it has been announced that support has been extended until Jan 2023. Linux 4.9 was released in late 2016, and support until 2023 means that it will have a six year lifespan. That is one long lifespan, if you ask me. When doing the forward ports from 4.9 -> 4.10 -> 4.11 -> 4.12 -> 4.13 -> 4.14, I had first hand experience at seeing the rate of change that the kernel undergoes with every single release. Four years from now, the latest Linux release will probably not even resemble Linux 4.9 in the slightest. I wonder how upstream will cope maintaining the kernel for so long.

This begs the question. How long will I support Dapper Secure Kernel Patchset Stable for? I'm not sure about the answer. The longer we use older kernels, the more we miss out on new features and enhancements, found in the latest upstream kernels. Things like 5th level paging, Wireguard and hardware support are things that I am interested in. At the same time, by using Dapper Secure Kernel Patchset Stable, we remain vulnerable to Meltdown and Spectre, since their mitigations of PTI / KAISER and Retpoline are not compatible with the current UDEREF and KERNEXEC implementations found in the patchset.

I currently believe that UDEREF and KERNEXEC serve more of a purpose for my users and their threat models than PTI / KAISER and Retpoline do, although this may soon change in the future. I will have to make a decision at some point to whether I remove UDEREF and KERNEXEC to enable KAISER / PTI and Retpoline to be merged. I was planning to leave UDEREF and KERNEXEC active, since upstream support was to be dropped in Jan 2019, but the change to Jab 2023 has made me rethink the way I maintain this patchset.

For now though, I will maintain the patchset for as long as I can.


Tilix

Having a look at Github, we can see interest in the patchset over the last month or so. There are about 15 regular users of the patchset, looking at download counts supplied by Github. There are a few interested people who have a look around the repository too. If you are a user, thanks for being a user! It is great to receive emails from you and read issues that get opened on Github.

The current plans for Dapper Secure Kernel Patchset Stable is to finish GCC 8 support, and to think about removing UDEREF and KERNEXEC and replacing it with KAISER / PTI and Retpoline. All will happen in good time, since I need to start putting some serious time into my PhD.

That's all for now, feel free to email me or open an issue on Github if you want to discuss anything.

Ready To Try Out Dapper Linux?

Let's get you secured. We will have you up and running in no time.

Download Now