When you use the standard Debian kernel, you get the security support from the Debian project. I think this is really important. But if you are running Debian on a system that really needs a few patches to function well, you'll have to somehow take the fully patched Debian kernel and add a few of your own. I could find guides on how to do this, but I had another complication: I wanted to cross-compile as well, and build an armhf kernel on an amd64 system. In the end, this post provided the information I needed.
It took me a bit of time to figure it out. I hope that I can save some people this time and effort by describing how I got it working in the end.
To install a cross-compilation toolchain, just install crossbuild-essential-armhf. Neat!
You also need to install the build requirements. I had to fiddle with this a bit: you really need gcc-6-arm-linux-gnueabihf, but this conflicts with gcc-multilib. I tried to use mk-build-deps to install the build dependencies, but it insisted on including gcc-multilib; I don't know why. In the end, I just assumed I had the important dependencies already installed.
Every time Debian releases a security update for the kernel, you'll need to apply your own patches and build your own. The following incantation worked for me:
apt-get source linux=4.9.30-2+deb9u5 cd linux-4.9.30/ export $(dpkg-architecture -aarmhf) export CROSS_COMPILE=arm-linux-gnueabihf- export TMPDIR=~/tmp quilt import ../0001-usb-dwc3-core-setup-phy-before-trying-to-read-from-i.patch quilt import ../2166ffd004e04a61887eb2a39f8639dc12140c58-updated.diff quilt push -a fakeroot debian/rules source fakeroot make -j4 -f debian/rules.gen binary-arch_armhf_none_armmp-lpae
The latest security update when I did this was 4.9.30-2+deb9u5; obviously, you'll have to change the version number accordingly every time a new update is released. I had to set the TMPDIR because my /tmp was too small for building the package with the debug symbols. The two patches I need to apply to the kernel to have it work correctly on my Odroid XU4 were saved in the parent directory, and they are added to the patches managed by quilt. The patches are subsequently applied (pushed). The last two lines will build you a nice Linux image, linux-image-4.9.0-3-armmp-lpae_4.9.30-2+deb9u5_armhf.deb. The format in the last line is target_arch_featureset_flavour. It changes with the exact kernel binary package you need for your system.
I also tried to set APPEND_TO_VERSION and CONCURRENCY_LEVEL, but they unfortunately had no effect when building like this. If you know how to do the APPEND_TO_VERSION bit, I'd really appreciate it if you mailed me to tell me how.