11-29-2007, 09:10 AM

grsec/pax with xen

On 29 Nov 2007 at 11:36, timpoluk@gmx.net wrote:

> There is a lot of documentation about how to set up Xen with Gentoo but
> to use it with grsecurity/pax seems not to be easily achieved. What are
> the pitfalls and drawbacks?

when you speak of virtualization and kernels, you should always specify
whether you're talking about the guest or host kernel (or both) as the
answer varies between them.

on the host side, i think pretty much all of grsec/PaX will work fine
except for KERNEXEC (and even that is not unfixable either, but it needs
a patch in the hypervisor code itself, not PaX).

on the guest side, most things will work except for the old style PAGEEXEC
method (that tweaks the TLBs and is not compatible with a hypervisor
intercepting those attempts) and possibly KERNEXEC/UDEREF if the hypervisor
has assumptions about the guest kernel's segment layout. for example, UDEREF
doesn't work under vmware and i expect it to not work under most non-hw
virtualizations (or at least not without a huge performance impact, but
that'll be quite obvious as soon as you try to boot such a guest kernel).

note also that 2.6.23 has xen domU support already, so you should probably
go with that version (on the guest side, that is) as i tried to make PaX
work with it since then (but couldn't actually test it myself, at least
it should compile ;-).


--
gentoo-hardened@gentoo.org mailing list
 
11-29-2007, 09:36 AM

grsec/pax with xen

I am in the process of setting up a new amd64 server and would like to
use grsecurity/pax together with Xen (Linux vserver could also be an
option). Could someone give me hints on how to integrate Xen into the
hardened setup? I am using the hardened-sources-2.6.22.

There is a lot of documentation about how to set up Xen with Gentoo but
to use it with grsecurity/pax seems not to be easily achieved. What are
the pitfalls and drawbacks?

I also would like to know if KVM/QEMU could be an option with good performance.

Best Regards,

Werner
 
12-08-2007, 10:33 AM

grsec/pax with xen

> From: pageexec@freemail.hu

> when you speak of virtualization and kernels, you should always specify
> whether you're talking about the guest or host kernel (or both) as the
> answer varies between them.

I was thinking about both but at least I want it for the host side.

> on the host side, i think pretty much all of grsec/PaX will work fine
> except for KERNEXEC (and even that is not unfixable either, but it needs
> a patch in the hypervisor code itself, not PaX).

Unfortunately I am not able to do such coding :-/
If you talk about KERNEXEC I guess the kernel option CONFIG_GRKERNSEC_KMEM
has to be disabled. Could I use RBAC to get back anything of the lost
protection?

If I want to try XEN what's the preferred way to implement it? Downloading
a kernel patched with XEN and then patching with grsecurity or reverse?

Best Regards,

Werner
 
12-08-2007, 05:13 PM

grsec/pax with xen

On 8 Dec 2007 at 12:33, timpoluk@gmx.net wrote:
> > on the host side, i think pretty much all of grsec/PaX will work fine
> > except for KERNEXEC (and even that is not unfixable either, but it needs
> > a patch in the hypervisor code itself, not PaX).
>
> Unfortunately I am not able to do such coding :-/ If you talk about
> KERNEXEC I guess the kernel option CONFIG_GRKERNSEC_KMEM has to be
> disabled. Could I use RBAC to get back anything of the lost protection?

KERNEXEC is a PaX feature, independent of grsec's kmem protection.
and no, the kmem protection has nothing to do with virtualization
as everyone has kernel modules to manage host side memory.

> If I want to try XEN what's the preferred way to implement it? Downloading
> a kernel patched with XEN and then patching with grsecurity or reverse?

grsec doesn't support xen's dom0 yet (only when it'll enter mainline),
domU may already work with the latest 2.6.23+ kernels (at least i tried
to make it compatible with PaX), but i have yet to test it myself. in
other words, you can't use grsec on a xen host yet, only in a guest.

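Pulling the two replies above together (which PaX features the thread says to avoid on the host versus in a guest, and that grsec had no dom0 support at the time), here is an added example that is not code from the thread, from grsecurity or from PaX: a POSIX sh script that works out whether the kernel it runs on is a Xen dom0, a Xen domU or bare metal, then audits a kernel .config for the options the thread discusses. The Kconfig symbols (CONFIG_PAX_KERNEXEC, CONFIG_PAX_PAGEEXEC, CONFIG_PAX_MEMORY_UDEREF, CONFIG_GRKERNSEC_KMEM, CONFIG_XEN, CONFIG_X86_64), the "control_d" marker in /proc/xen/capabilities and /sys/hypervisor/type are real interfaces, but treating the "old style PAGEEXEC method" as the 32-bit (non-CONFIG_X86_64) case and the wording of each finding are my own assumptions, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from grsecurity/PaX.
# Decides whether this kernel runs as Xen dom0, Xen domU or bare metal, then
# checks a grsecurity/PaX .config for the options the thread flags as
# problematic in that role.
# Assumptions: real Kconfig symbols CONFIG_PAX_KERNEXEC, CONFIG_PAX_PAGEEXEC,
# CONFIG_PAX_MEMORY_UDEREF, CONFIG_GRKERNSEC_KMEM, CONFIG_XEN, CONFIG_X86_64;
# "control_d" in /proc/xen/capabilities (dom0 only); /sys/hypervisor/type
# reading "xen" in a Xen guest. The mapping to the thread's advice is mine.

# xen_role [ROOT] -> prints dom0, domU or bare-metal.
# ROOT prefixes /proc and /sys so the function can be pointed at a
# constructed tree for testing; defaults to the live system.
xen_role() {
    root=${1:-}
    if [ -r "$root/proc/xen/capabilities" ] &&
       grep -q control_d "$root/proc/xen/capabilities"; then
        echo dom0
    elif [ -r "$root/sys/hypervisor/type" ] &&
         grep -qx xen "$root/sys/hypervisor/type"; then
        echo domU
    elif [ -d "$root/proc/xen" ]; then
        echo domU        # /proc/xen present but no control_d: unprivileged domain
    else
        echo bare-metal
    fi
}

# cfg_is_y CONFIG SYMBOL -> true when the line "SYMBOL=y" is in CONFIG
cfg_is_y() { grep -qx "$2=y" "$1"; }

# audit_pax_config ROLE CONFIG -> one WARN:/NOTE: line per finding, exit 0
audit_pax_config() {
    role=$1 cfg=$2
    if [ ! -r "$cfg" ]; then
        echo "WARN: cannot read $cfg"
        return 0
    fi
    case $role in
    dom0)
        # Thread: grsec has no dom0 support yet; KERNEXEC in particular
        # needs a patch on the hypervisor side, not in PaX.
        echo "NOTE: grsecurity does not support dom0 at this point (thread, Dec 2007)"
        cfg_is_y "$cfg" CONFIG_PAX_KERNEXEC &&
            echo "WARN: CONFIG_PAX_KERNEXEC=y: KERNEXEC on the host needs a hypervisor patch"
        ;;
    domU)
        cfg_is_y "$cfg" CONFIG_XEN ||
            echo "WARN: CONFIG_XEN not set: guest kernel has no domU support (thread: use 2.6.23+)"
        # Old-style PAGEEXEC (32-bit TLB-tweaking emulation) conflicts with a
        # hypervisor intercepting those tweaks; amd64 uses the NX bit instead
        # (assumption: X86_64 means the NX-based path).
        if cfg_is_y "$cfg" CONFIG_PAX_PAGEEXEC && ! cfg_is_y "$cfg" CONFIG_X86_64; then
            echo "WARN: CONFIG_PAX_PAGEEXEC=y on 32-bit: old-style PAGEEXEC is not hypervisor-safe"
        fi
        cfg_is_y "$cfg" CONFIG_PAX_KERNEXEC &&
            echo "WARN: CONFIG_PAX_KERNEXEC=y: may break if the hypervisor assumes a guest segment layout"
        cfg_is_y "$cfg" CONFIG_PAX_MEMORY_UDEREF &&
            echo "WARN: CONFIG_PAX_MEMORY_UDEREF=y: does not work under vmware; expect failure or a large slowdown on non-HW virtualisation"
        ;;
    *)
        echo "NOTE: bare metal: no virtualisation constraints on PaX options"
        ;;
    esac
    # The kmem restriction is a grsec feature, not PaX, and is unrelated to
    # virtualisation, so it can stay on in every role.
    cfg_is_y "$cfg" CONFIG_GRKERNSEC_KMEM &&
        echo "NOTE: CONFIG_GRKERNSEC_KMEM=y is fine to keep: unrelated to KERNEXEC or virtualisation"
    return 0
}

# count_warnings ROLE CONFIG -> number of WARN: lines (always exits 0)
count_warnings() {
    audit_pax_config "$1" "$2" | awk '/^WARN:/ { n++ } END { print n + 0 }'
}

# Usage: sh pax-xen-audit.sh /path/to/.config
if [ -n "${1-}" ]; then
    role=$(xen_role)
    echo "role: $role"
    audit_pax_config "$role" "$1"
fi
```

Run it as `sh pax-xen-audit.sh /usr/src/linux/.config` on the box in question; `count_warnings` exists so the result can be checked from another script. On a dom0 the script can only repeat what the thread says: KERNEXEC needs a hypervisor-side patch and grsec as a whole did not support dom0 at the time, so a clean audit there is not a green light.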
 
