Previewing new SecureDrop kernel

This procedure allows for a one-time check of the next SecureDrop kernel, in preview mode. If the kernel fails to load, in most cases the server will fall back to the default kernel, allowing this check to be done remotely.

However, if the kernel does load but networking support is not available, it may be necessary to roll back the kernel version to the default at the console (or wait for the next nightly reboot to revert to the default). This procedure is recommended only for Linux admins familiar with GRUB and the Linux boot process.

Connect to the monitor server

connect to mon via ssh from Admin Workstation
sudo su or preface commands below with sudo:

Install packages

edit /etc/apt/sources.list.d/apt_freedom_press.list, adding preview after main, so that it looks as follows:

deb [arch=amd64] https://apt.freedom.press/ focal main preview

run apt update
run apt install linux-headers-5.15.57-grsec-securedrop linux-image-5.15.57-grsec-securedrop

Configure GRUB to use new kernel for next boot, and fall back if it fails:

update Grub defaults with the editor of your choice, e.g. vi /etc/default/grub:
- change GRUB_DEFAULT value to 'saved'
- ensure the GRUB_CMDLINE_LINUX value ends with panic=5, inside existing quotation marks. Add a space before panic if there is an existing value.
check menuentry options with grep menuentry /boot/grub/grub.cfg | more, and confirm that entries exist for both 5.15.26 and 5.15.57
set the default kernel to the entry for 5.15.26: grub-set-default "Advanced options for Ubuntu>Ubuntu, with Linux 5.15.26-grsec-securedrop"
set the next reboot kernel to the entry for 5.15.57, eg: grub-reboot "Advanced options for Ubuntu>Ubuntu, with Linux 5.15.57-grsec-securedrop"
update the grub config with update-grub
reboot the server with shutdown -r now

The server should come back up with the 5.15.57 kernel. If the kernel panics, the system will reboot after 5 seconds into the 5.15.26 kernel. Wait for the server to be available again, reconnect, and check the kernel version with uname -r. If you experience issues connecting to the server, or are connected locally, you can verify connectivity via a command such as sudo host freedom.press.

To revert to the current non-preview kernel:

reboot the monitor server a second time, and confirm that it comes up with the 5.15.26 kernel with uname -r
uninstall the 5.15.57 kernel packages with: apt remove linux-headers-5.15.57-grsec-securedrop linux-image-5.15.57-grsec-securedrop
remove the preview keyword from /etc/apt/sources.list.d/apt_freedom_press.list and run sudo apt-get update
edit /etc/default/grub, removing the panic=5 option from the GRUB_CMDLINE_LINUX value
revert remaining GRUB changes by running sudo dpkg-reconfigure securedrop-grsec (this will automatically trigger another update-grub run)

Previewing new SecureDrop kernel

Connect to the monitor server

Install packages

Configure GRUB to use new kernel for next boot, and fall back if it fails:

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!