
Update SecureDrop kernels to 4.14 series #4962

Merged on Nov 12, 2019 (4 commits)


emkll
Contributor

@emkll emkll commented Oct 28, 2019

Update strings for 4.14.150-grsec; kernel configuration can be found in freedomofpress/ansible-role-grsecurity-build#51

Status

Order of operations before closing this PR:

Description of Changes

Fixes #4843

Testing

Deployment

New and existing installs will be updated via apt and unattended upgrades via cron-apt

Checklist

If you made changes to the system configuration:

@zenmonkeykstop
Contributor

Setting up a NUC5+NUC7 instance for extended testing now, if anyone else wants to grab the Mac Mini option please feel free.

@redshiftzero
Contributor

Note that before we merge this we have to, in order:

  1. review/merge: Create Debian Buster / Python3 circleci-docker container for CI containers#19
  2. review/merge changes that have CI failing due to 1 being absent (contains config for changes in 3): Update securedrop-workstation and securedrop-core to 4.14.150 ansible-role-grsecurity-build#51
  3. review/merge the kernel package into the lfs repo such that the kernel is deployed to apt-test.freedom.press: Adds 4.14.150 kernel image package and metapackage securedrop-apt-test#21
  4. then review/merge this PR version bumping securedrop core

@emkll
Contributor Author

emkll commented Oct 28, 2019

Some preliminary testing has already been done:
- @rmol reported successful boot and networking on NUC7

Once this is ready for review I will amend the test plan to clarify coverage and provide a matrix. Per the comment above, marking this as pending additional work, until steps 1 and 2 described above are completed.

@zenmonkeykstop
Contributor

NUC5 booted and network up for me, NUC7i5BNH still failing at loading initrd. I'm gonna see if there's a BIOS update or something that I'm missing tomorrow.

@ageis
Contributor

ageis commented Oct 30, 2019

This is a huge milestone for security, as many feature flags relevant to security re: freedomofpress/kernel-builder#28 first appeared in 4.14. I see the config changed a little bit. Can we take care of freedomofpress/kernel-builder#28 with your initial release of 4.14 or should it be addressed in a follow-up? (I am considering submitting a patch to the config)

@emkll
Contributor Author

emkll commented Oct 30, 2019

Thanks @ageis for following up on this ticket, and for your contributions in other related threads. We have tried in the past to address most of the findings by the kconfig_check tool, but unfortunately they result in a non-functional build. There are also some settings that will always fail, as some grsecurity options replace/conflict with mainline kernel configs (CONFIG_PAGE_TABLE_ISOLATION and PAX_UDEREF).

A locked down Kernel configuration provides defense-in-depth should an attacker gain code execution on the system, or exploit a known or unknown vulnerability in the software stack. While we do take every measure to prevent attacker code execution and very carefully update dependencies, it is a bit harder and more time consuming to test and improve the kernel configuration. Breakage can occur, and we have a few hardware targets that we officially support, which requires manual QA/testing on those platforms. For these reasons, I think an iterative approach is best here.

You had opened in the past a PR against our build repo to improve some of those config flags in freedomofpress/ansible-role-grsecurity-build#34. I will be porting those changes into freedomofpress/ansible-role-grsecurity-build#51 as a start.

If these changes are successful, it will result in the following improvements, using https://github.com/a13xp0p0v/kconfig-hardened-check :

  • Workstation: 62/110 to 72/110
  • SecureDrop core (not yet applied): 56/110 to 71/110
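
An added illustration, not part of the thread and not code from kconfig-hardened-check or SecureDrop, of why a checker that only knows mainline option names always reports a failure on a grsecurity kernel: each check accepts a list of alternatives, so a PaX feature can satisfy a mainline requirement. The check list, the sample config, and the use of `CONFIG_PAX_MEMORY_UDEREF` as the Kconfig symbol for what the comment calls PAX_UDEREF are assumptions made for the example.

```python
import re

# Constructed sample of a grsecurity-patched .config (not the project's real config).
SAMPLE_CONFIG = """\
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_PAGE_TABLE_ISOLATION is not set
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_DEVMEM is not set
CONFIG_KEXEC=y
"""

# Hypothetical check list: (description, [alternatives]); an alternative is
# (option, wanted value). "is not set" means disabled or absent.
CHECKS = [
    ("user/kernel address space separation",
     [("CONFIG_PAGE_TABLE_ISOLATION", "y"), ("CONFIG_PAX_MEMORY_UDEREF", "y")]),
    ("kernel text read-only", [("CONFIG_STRICT_KERNEL_RWX", "y")]),
    ("no /dev/mem", [("CONFIG_DEVMEM", "is not set")]),
    ("no kexec", [("CONFIG_KEXEC", "is not set")]),
]

def parse_kconfig(text):
    """Return {option: value}; '# CONFIG_X is not set' maps to 'is not set'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "is not set"
    return opts

def audit(text, checks=CHECKS, allow_alternatives=True):
    """Return (passed, total, descriptions of failed checks)."""
    opts = parse_kconfig(text)
    failed = []
    for desc, alts in checks:
        if not allow_alternatives:
            alts = alts[:1]  # mainline-only view: only the first option counts
        if not any(opts.get(o, "is not set") == want for o, want in alts):
            failed.append(desc)
    return len(checks) - len(failed), len(checks), failed

if __name__ == "__main__":
    print("mainline-only:", audit(SAMPLE_CONFIG, allow_alternatives=False))
    print("with grsec alternatives:", audit(SAMPLE_CONFIG))
```

The mainline-only pass counts the separation check as failed even though the PaX option provides it; the remaining failure (kexec) is a genuine finding in the constructed sample.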

@emkll
Contributor Author

emkll commented Nov 7, 2019

This is now ready for review. As discussed in standup, in order to test this PR, we should:

  1. Review and merge Upgrade SecureDrop grsec kernels to 4.14.154 and tweak EFI kernel config settings ansible-role-grsecurity-build#52
  2. Rebase this on top of the fix for make dev stuck at the beginning on Debian Buster #4972
  3. Review and merge Adds 4.14.150 kernel image package and metapackage securedrop-apt-test#21
  4. Re-run the full CI workflow

Update strings to 4.14.152-grsec and specify the localversion suffix -securedrop
Since we use CONFIG_PAX_KERNEXEC, it is recommended we pass noefi to the commandline as EFI runtime are mapped RWX.
@conorsch
Contributor

freedomofpress/securedrop-apt-test#21 has been merged, and new packages are now served via: https://apt-test.freedom.press/pool/main/l/linux-4.14.152-grsec-securedrop/

Waiting for CI to pass before proceeding with final review.

- localname for kernel image is now <version>-grsec-securedrop, tests should now reflect this change
- linux-firmware-image is no longer necessary, it is included in linux-image
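
An added example, not taken from the SecureDrop test suite, of a post-boot check for two points in the commit messages above: the release name has the form `<version>-grsec-securedrop`, and `noefi` is on the command line whenever `CONFIG_PAX_KERNEXEC` is enabled. The function name and the sample inputs are constructed for illustration.

```python
import re

# Kernel release format from the commit message: <version>-grsec-securedrop.
RELEASE_RE = re.compile(r"^\d+\.\d+\.\d+-grsec-securedrop$")

# Constructed sample inputs. On a host they would come from
# /boot/config-$(uname -r), /proc/cmdline and `uname -r`.
SAMPLE_CONFIG = "CONFIG_PAX=y\nCONFIG_PAX_KERNEXEC=y\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-4.14.152-grsec-securedrop root=/dev/sda1 ro noefi"
SAMPLE_RELEASE = "4.14.152-grsec-securedrop"

def check_boot_state(config_text, cmdline, release):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not RELEASE_RE.match(release):
        findings.append(
            f"kernel release {release!r} does not match <version>-grsec-securedrop")
    kernexec = "CONFIG_PAX_KERNEXEC=y" in config_text.splitlines()
    # Compare whole parameters so 'noefi' inside another token does not count.
    if kernexec and "noefi" not in cmdline.split():
        findings.append(
            "CONFIG_PAX_KERNEXEC=y but 'noefi' is not on the kernel command line")
    return findings

if __name__ == "__main__":
    results = check_boot_state(SAMPLE_CONFIG, SAMPLE_CMDLINE, SAMPLE_RELEASE)
    for line in results or ["all checks passed"]:
        print(line)
```
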
@emkll
Contributor Author

emkll commented Nov 12, 2019

CI is now passing @conorsch, ready for your final review. I have opened #4989 to track mitigations for CVE-2019-11135. I propose we revert/address aa2493d there to ensure CI continues to work smoothly.

Contributor

@conorsch conorsch left a comment


Looks great. With #4989 tracking the small follow-up task, I'm satisfied with these changes going in as they are. Let's also make sure to coordinate additional hardware testing to get freedomofpress/ansible-role-grsecurity-build#52 in.

@conorsch conorsch merged commit 10187b7 into develop Nov 12, 2019
@conorsch conorsch deleted the 4843-linux-4.14.150 branch June 18, 2020 21:55

Successfully merging this pull request may close these issues.

Update SecureDrop grsec kernels to 4.14