__TOC__
{{title|title=Linux Kernel Runtime Guard (LKRG) in Qubes OS Debian or {{Q project name}} VMs}} {{#seo: |description=HowTo: Install LKRG in Qubes Debian or {{Q project name}} TemplateVM |image=https://www.whonix.org/w/images/thumb/a/a7/P_lkrg2.png/470px-P_lkrg2.png }} {{Header}} [[File:P_lkrg2.png|LKRG logo|100px|link=Linux_Kernel_Runtime_Guard_LKRG]] [[File:Debian.png|30px|link=Linux_Kernel_Runtime_Guard_LKRG]] [[File:{{project_name_short}}_old_logo.png|30px|link=Qubes-Whonix]] [[File:qubes-logo-blue.png|30px]] '''{{free}}'''
Linux Kernel Runtime Guard (LKRG) protects the kernel. It provides security through diversity and has a similar effect to running an uncommon operating system (kernel). https://www.openwall.com/lkrg/ LKRG renders whole classes of kernel exploits ineffective, while making other exploits less reliable and more difficult to write; see [[Linux_Kernel_Runtime_Guard_LKRG#Features|features]] and [[Linux_Kernel_Runtime_Guard_LKRG#Security|security]]. LKRG was developed by a security professional with reviews undertaken by other high profile security professionals; see [[Linux_Kernel_Runtime_Guard_LKRG#Authorship|authorship]]. For further information, refer to the main [[Linux_Kernel_Runtime_Guard_LKRG|LKRG]] entry. The instructions below explain how to install LKRG in [[File:qubes-logo-blue.png|15px]] Qubes Debian-based VMs. Most users will want to apply these instructions in the Qubes Debian TemplateVM. [[File:{{project_name_short}}_old_logo.png|15px|link=Qubes-Whonix]] {{Q project name}} is supported as well, but in that case the steps to add the signing key and repository should be skipped because they are already present in {{Q project name}}. For all other platforms [[File:Tux.png|15px]], see [[Linux_Kernel_Runtime_Guard_LKRG|LKRG]]. = Qubes VM Kernel = Since LKRG is a kernel module, it is required (and advisable) to reconfigure the VM to use a Qubes VM kernel. [https://github.com/QubesOS/qubes-issues/issues/5456 cannot compile LKRG (Linux Kernel Runtime Guard) with Qubes dom0 kernel / broken gcc plugins structleak_plugin.so latent_entropy_plugin.so] This probably occurs due to this recently closed issue which has only filtered through to Qubes OS master branches, but not the stable branches: [https://github.com/QubesOS/qubes-issues/issues/2844 kernel-devel package have broken gcc plugin]. The dom0 kernel compilation bug might be fixed after upgrades. It is unclear if it would then be advisable to use dom0 kernel. Any issues with Qubes VM kernel should not be confused with LKRG. Otherwise, LKRG could be falsely suspected of causing unrelated issues, which wastes time in successfully completing the configuration. {{Qubes VM Kernel}} = Add Signing Key = {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = Skip this step in {{Q project name}}. }} {{Box|text= {{W-APT-Repository-Key}} }} = Add Repository = {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = Skip this step in {{Q project name}}. }} {{Project-APT-Repository-Add}} = Install LKRG = {{testers-only}} {{Box|text= Install LKRG. {{Install Package|package= lkrg-dkms linux-headers-amd64 }} }} The LKRG installation procedure is complete. Interested users can learn more, consider additional hardening and so on; see [[Linux_Kernel_Runtime_Guard_LKRG|here]] for further information. = Credits and Source Code = The [https://www.openwall.com/lkrg/ original] source software is maintained by Adam "pi3" Zabrocki. See also: [[Linux_Kernel_Runtime_Guard_LKRG#Authorship|LKRG authorship]]. [[Linux_Kernel_Runtime_Guard_LKRG/Qubes|This website with Qubes instructions]] and [[Linux_Kernel_Runtime_Guard_LKRG|LKRG Debian Package Website]] is the [https://en.wikipedia.org/wiki/Fork_(software_development) software fork] homepage for LKRG, with a focus on easy installation, added user documentation, and integration with [[Whonix]], [[Kicksecure]], Debian, and other distributions. The software fork source code can be found [https://github.com/Whonix/lkrg here]. = References = Qubes ticket: [https://github.com/QubesOS/qubes-issues/issues/5461 make Linux Kernel Runtime Guard (LKRG) easily avaialble in Qubes] {{reflist|close=1}} {{Footer}} [[Category:Documentation]]