Build a monolithic kernel

[legoktm]

At #45 (comment) @thedeadliestcatch wrote:

I would strongly suggest considering building monolithic kernels with a minimal config. If you transition away from HVM to pvgrub, and even if you don't, it will be a good idea. Removing LKM support has several benefits in terms of reducing attack surface in the kernel for ROP and code injection scenarios (after all, LKM support comes with the implicit need for a dynamic linker in kernel space).

I replied:

This is a good point and something I started wondering about mid-last week, whether there was any benefit to building individual modules. I'll look into doing a monolithic build.

From what I can tell we just need to change all the m settings to y and then turn off CONFIG_MODULES. We should make sure that the blacklisted modules (see freedomofpress/securedrop#1886) are disabled at build-time as well.

[legoktm]

Oh heh, we already have an open issue about needing at least 1G memory: freedomofpress/securedrop-workstation#838. I never got around to digging into it further, are you saying it's just a requirement of the grsec patches?

[zenmonkeykstop]

That shouldn't be a problem to set up, we can set the initial memory when we clone the templates used for sd-* app/dispvms.