Update grsecurity kernels for workstation templates

[emkll]

We are currently 4.14.169 kernels on the workstation (as of today, 4.14.179 has been released), we should consider upgrading these as part of a regular schedule. There have not been any major vulnerabilities and we do we the grsecurity patchset for additional hardening.

Checklist (based on #546 (comment))

• Review/merge Updated securedrop-workstation kernel config for 4.14.186 ansible-role-grsecurity-build#59
• Review/merge Bumped workstation kernel metapackage version to 4.14.186 securedrop-builder#176
• Review/merge Added 4.14.186 workstation kernel image, header, and metadata packages securedrop-apt-test#46
• Wait for packages to be uploaded, make clean/make all and review/merge updated expected kernel version test value to 4.14.186 #582
• Test in dev/staging
• Review/merde PR to prod LFS repository - https://github.com/freedomofpress/securedrop-debian-packages-lfs/pull/29
• Upload source tarball to s3

[zenmonkeykstop]

Plan to move to 4.14.179 or get in sync with core (4.14.175)?

[emkll]

The current build logic does not make it easy to build historical versions, we should target whatever the latest version is at the time we build the kernels (currently 4.14.179)

[eloquence]

For the 5/20-6/3 sprint, we're aiming to build a workstation kernel and get an LFS PR up (not merged), but our priority is a smooth 0.3.0 release including the fedora-30->31 transition (#544).

[zenmonkeykstop]

PRs required to unlock testing have been submitted as follows:

• updated securedrop-workstation config for 4.14.182 build ansible-role-grsecurity-build#58
• Bumped workstation-grsec kernel version to 4.14.182 securedrop-builder#174
• added 4.14.182 workstation kernel packages securedrop-apt-test#42
• Updated expected kernel version in workstation tests #565

Some preliminary testing has been done against the kernel by manually installing it in securedrop-workstation-buster and reprovisioning the workstation. Outstanding tasks before the LFS PR can be issued include:

• More testing, including apt upgrade scenarios
• Uploading the source offer tarball to S3 (I need to verify/acquire credentials or delegate this)

(Have updated docs while going through the process.)

[zenmonkeykstop]

There's been a relevant CVE and grsec patch while these PRs were in the queue, so they will be closed and replaced with a new kernel build soon.

[zenmonkeykstop]

A new set of PRs required to unlock testing for the 4.14.186 kernel have been submitted as follows:

• Updated securedrop-workstation kernel config for 4.14.186 ansible-role-grsecurity-build#59
• Bumped workstation kernel metapackage version to 4.14.186 securedrop-builder#176
• Added 4.14.186 workstation kernel image, header, and metadata packages securedrop-apt-test#46
• updated expected kernel version test value to 4.14.186 #582

Some preliminary testing has been done against the kernel by manually installing it in securedrop-workstation-buster and reprovisioning the workstation. Outstanding tasks before the LFS PR can be issued include:

• More testing, including apt upgrade scenarios
• Uploading the source offer tarball to S3

[eloquence]

(In light of the number of PRs involved and the need for coordinated review, tracking the issue rather than the individual PRs on the board.)

[eloquence]

This was completed, and the new kernel has been released to all workstation users, see https://apt.freedom.press/pool/main/s/securedrop-workstation-grsec/