NUC11 hardware: network device unsupported by SecureDrop custom kernel #6170
Comments
|
@zenmonkeykstop @eloquence @conorsch Please let me know if I missed anything that would be useful documenting in this issue! |
|
Looks like grsec's 5.15 series might actually be the way to go. the 5.10 patch is EOL in Q1 2022. |
Agreed, that's what https://grsecurity.net/download/ says. However, the EOL dates there are substantially different from what's on https://www.kernel.org/category/releases.html :
If what we want is long-term support for hardware, tracking the 5.10 series seems like the biggest win for us. The discrepancy is great enough that I suspect the grsec page is perhaps out of date. I suggest we reach out to spender and and ask for clarification. |
|
The kind folks at grsecurity strongly recommended we target 5.15, as @zenmonkeykstop rightly proposed. We'll continue to test patches and revise the build process, if necessary, in freedomofpress/kernel-builder#18 |
|
☝️ I installed the 5.15.18 kernel above on a fresh Ubuntu 20.04.3 installation:
|
Description
On a NUC11i5PAK, the network connectivity is lost during installation after the first reboot.
Steps to Reproduce
I am following the documentation instructions and the issue appeared when running
./securedrop-admin installfrom the Admin workstation. However, I believe that booting the NUC11 using the5.4.136-grsec-securedropkernel may be enough to reproduce the issue.Expected Behavior
After the servers reboot, the installation script resumes normally. Even if it that wasn't the case, I'd expect to be able to connect to both servers via:
ssh [email protected]andssh [email protected].Actual Behavior
There is no route to either
appormon.When logging into the servers directly (physical access) this is what I see:
sudo lshw -class network # prints that the network device is UNCLAIMEDThe (wired) network device of the NUC11i5PAK is:
Ethernet controller [...] Intel CorporationDevice [8086:15f3] (rev 03), which seems to be supported via theigckernel module. (I might be wrong about his, or there might be other ways.)That module seems to be missing from the hardened kernel that SecureDrop uses:
modinfo igc # modinfo: ERROR: Module alias igc not found.Finally, for reference, by default Ubuntu 20.04 allows to use the network device as
enp0s25. (Which is why the installation script behaves as expected until the servers are rebooted with the custom kernel.)Comments
Using the SecureDrop kernel-builder to get a build based on the 5.10 release might be a good starting point.
The text was updated successfully, but these errors were encountered: