Coldhak Blog

Coldkernel on Qubes pt.1

December 12, 2016

We are currently working on supporting both Debian and Fedora TemplateVMs; however, the instructions below assume a Debian 8 TemplateVM.

We suggest creating a dedicated Debian TemplateVM for experimenting with coldkernel. This support is very experimental and may result in broken templates.

Configuring Debian TemplateVM

First, change the TemplateVM's maximum storage size to 10GB (you can likely get away with anything over 4GB; however, running out of disk space at the end of a build can be frustrating).

[Screenshot: Qubes VM Manager]

Fix sources.list

Open /etc/apt/sources.list and uncomment the lines starting with deb-src. It should look something like this:

deb http://httpredir.debian.org/debian jessie main contrib non-free
deb-src http://httpredir.debian.org/debian jessie main contrib non-free

deb http://security.debian.org jessie/updates main contrib non-free
deb-src http://security.debian.org jessie/updates main contrib non-free

Installing dependencies

Run in dom0:

sudo qubes-dom0-update grub2-xen

Run in your Debian TemplateVM:

sudo apt install qubes-kernel-vm-support grub2-common
sudo apt install paxctl bc wget gnupg fakeroot build-essential devscripts libfile-fcntllock-perl git gcc-4.9-plugin-dev
sudo apt-get build-dep linux

Building coldkernel

Cloning and verification

Once dependencies are installed, clone and verify the coldkernel build scripts on your TemplateVM:

wget "https://coldhak.ca/coldhak/keys/coldhak.asc" -O coldhak.asc
gpg --import coldhak.asc
git clone https://github.com/coldhakca/coldkernel
cd coldkernel
git verify-tag coldkernel-0.9a-4.8.13
git checkout tags/coldkernel-0.9a-4.8.13

[Screenshot: coldkernel verify]

Building

Next, begin the coldkernel build. This step may take multiple hours depending on your hardware.

make qubes-guest

[Screenshot: coldkernel build]

Installing coldkernel

Run in your Debian TemplateVM post-build:

wget https://grsecurity.net/paxctld/paxctld_1.2.1-1_amd64.{deb,deb.sig}
gpg --homedir=.gnupg --verify paxctld_1.2.1-1_amd64.{deb.sig,deb}
sudo dpkg -i paxctld_1.2.1-1_amd64.deb
sudo make install-deb
sudo cp paxctld.conf /etc/paxctld.conf
sudo paxctld -d
sudo systemctl enable paxctld
sudo mkdir /boot/grub
sudo update-grub2
sudo shutdown -h now
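
The gpg --verify line above returns success for a good signature made by any key in that keyring. The shell functions below are an added example, not part of the original post or the coldkernel scripts: they pin the check to one expected signer by parsing gpg's --status-fd output. EXPECTED_FPR is a placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: accept a detached signature only if it was made by one
# expected key, instead of by any key that happens to be in the keyring.

# Placeholder (assumption): replace with the primary-key fingerprint you
# obtained out of band. This value is constructed, not a real key.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# from the VALIDSIG line (field 12; field 3 if gpg omitted the primary key).
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print (NF >= 12 ? $12 : $3); exit
         }'
}

# Succeed only if the status output has a VALIDSIG from the expected key.
# gpg still emits VALIDSIG for expired or revoked keys, so those markers
# are rejected explicitly.
signer_is_pinned() {   # usage: signer_is_pinned EXPECTED_FPR < status
    status=$(cat)
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    got=$(printf '%s\n' "$status" | validsig_fpr)
    [ -n "$got" ] && [ "$got" = "$1" ]
}

# Verify FILE against FILE.sig with the given gpg homedir, pinned to EXPECTED_FPR.
verify_pinned() {      # usage: verify_pinned HOMEDIR FILE
    gpg --homedir="$1" --status-fd 1 --verify "$2.sig" "$2" 2>/dev/null |
        signer_is_pinned "$EXPECTED_FPR"
}

# Example use in place of the bare gpg --verify line:
#   verify_pinned .gnupg paxctld_1.2.1-1_amd64.deb && sudo dpkg -i paxctld_1.2.1-1_amd64.deb
```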

Post-install TemplateVM configuration

Once the TemplateVM has been shut down, you can change the kernel in the Qubes VM Manager to pvgrub and start the VM.

[Screenshot: Qubes VM Manager]