Grsecurity

Discussion about U-Boot and the kernel.

Grsecurity

Postby Semi » Sat Jul 11, 2015 11:28 am

Hello,

I have a question very similar to: viewtopic.php?f=23&t=8227&hilit=grsecurity, on which there wasn't really a satisfying answer.

I would like to use a grsecurity hardened kernel on my raspberry pi 2, on which I plan to run a small webserver with docker. Unfortunately, the grsecurity patched kernel is not available for the ARM-version. So I would need to compile it myself.

However, I don't have any experience with compiling a kernel myself, so I probably need some help. The grsecurity documentation states that the patches they provide can only be applied to the vanilla kernel (https://en.wikibooks.org/wiki/Grsecurit ... nux_Kernel), but as far as I understand, the Archlinux ARM kernel version is based on the build which can be found at: https://github.com/archlinuxarm/PKGBUIL ... aspberrypi. Can I apply the grsecurity patches to the Archlinux ARM kernel build? Or should I start with the vanilla kernel, and if so, what are the differences between them?

Thanks for any pointers.
Semi
Posts: 4
Joined: Sat Jul 11, 2015 10:48 am

Re: Grsecurity

Postby Semi » Mon Jul 13, 2015 7:13 pm

Update: the Archlinux ARM kernel build is obviously not compatible with the grsecurity patches. I tried to solve the rejects, but got a compilation error. Probably I did something wrong, although I have no idea what.

Since the Archlinux build for the Raspberry Pi does not apply a separate patch on top of the vanilla kernel, but instead uses a separate Raspberry Pi version of the Linux kernel, it will be hard to figure out what the differences exactly are and apply the grsecurity patches myself. I therefore second the request of Paradoxon to provide the linux-grsec kernel in the ARM repos, especially because these ARM devices are often used as webservers.

Any pointers which may help to harden the kernel for my raspberry pi 2 are still very welcome!
Semi
Posts: 4
Joined: Sat Jul 11, 2015 10:48 am

Re: Grsecurity

Postby WarheadsSE » Mon Jul 13, 2015 8:59 pm

Someone is going to have to step up and make it themselves. We don't have the time to do this.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: Grsecurity

Postby Semi » Thu Jul 16, 2015 7:31 pm

Ok, maybe this can be the start of something. I succeeded in building a grsecurity hardened kernel for the Raspberry Pi.

What I did:

    1. Generate a 'raspberry pi' patch by diffing the latest version of the vanilla kernel and the Raspberry Pi kernel version (it would be easier if the Raspberry Pi version were provided as a patch on the vanilla kernel)
    2. Apply the grsecurity patch on the vanilla kernel.
    3. Apply the 'raspberry pi' patch on top of the grsecurity-patched kernel.
    4. Solve rejects (these were luckily rather trivial to solve).
    5. Set CONFIG_PAX_KERNEXEC=n in the kernel configuration (and the other GRKERNSEC/PAX config options as you like them).
    6. Apply other patches (the BFQ patches didn't cause any rejects).

I tried to compile with CONFIG_PAX_KERNEXEC=y, but it resulted in some compilation errors of the kind:

    drivers/net/wireless/rtl8192cu/hal/rtl8192c/rtl8192c_hal_init.c:3577:26: error: assignment of member ‘free_hal_data’ in read-only object

This probably makes sense, since this was not patched with grsecurity.

I did not apply the AUFS patches; these could probably be applied too, but may cause a couple more rejects to solve. I guess I will use overlay FS instead, which is in the kernel by default.

As a reference, I uploaded my PKGBUILD to GitHub: https://github.com/semitom/archlinux-grsec-raspberrypi. I'll try to update it every now and then, but I'm afraid I don't have the time either to keep it up to date with the latest kernel. If anyone does, that would be great.
Semi
Posts: 4
Joined: Sat Jul 11, 2015 10:48 am
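The six steps in the post above, replayed as an added example that is not part of the thread and not taken from Semi's PKGBUILD. It builds a constructed miniature "source tree" (a few one-line C files) so that the mechanics of deriving a board patch with diff, stacking it on top of a hardening patch, spotting the .rej files that step 4 has to resolve by hand, and flipping a config option for step 5 can all be run offline in seconds. The tree contents, file names, patch names and .config lines are constructed; the hardening patch is derived from a second toy tree instead of being downloaded; diff, patch and sed are assumed to be installed; and on a real kernel one would flip the option with scripts/config or menuconfig rather than sed.

```shell
#!/bin/sh
# Added example (not code from the forum thread or from Semi's PKGBUILD):
# replays the patch-stacking workflow on a constructed miniature "kernel
# tree" so it runs offline. Tree contents, patch names and the .config are
# constructed; no real kernel source is involved.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Construct three toy trees: vanilla, a "raspberry pi" fork, and a hardened
# fork standing in for vanilla + grsecurity patch. One file (eth.c) is
# changed by both forks so that step 4 (rejects) has something to show.
make_toy_trees() {
    rm -rf "$WORK/vanilla" "$WORK/rpi" "$WORK/grsec" "$WORK/build"
    mkdir -p "$WORK/vanilla/drivers/net" "$WORK/vanilla/mm"
    printf 'int alloc_page(void) { return 1; }\n' > "$WORK/vanilla/mm/page.c"
    printf 'int probe(void) { return 0; }\n' > "$WORK/vanilla/drivers/net/eth.c"
    cp -R "$WORK/vanilla" "$WORK/rpi"
    printf 'int bcm2709_init(void) { return 42; }\n' > "$WORK/rpi/drivers/net/bcm2709.c"
    printf 'int probe(void) { return 2709; }\n' > "$WORK/rpi/drivers/net/eth.c"
    cp -R "$WORK/vanilla" "$WORK/grsec"
    printf 'int alloc_page(void) { return 1; } /* hardened */\n' > "$WORK/grsec/mm/page.c"
    printf 'int probe(void) { return 0; } /* hardened */\n' > "$WORK/grsec/drivers/net/eth.c"
}

# gen_patch OLD NEW OUT: produce a -p1 patch by diffing two trees (step 1).
# diff exits 1 when the trees differ, which is the expected outcome here.
gen_patch() {
    ( cd "$WORK" && { diff -ruN "$1" "$2" > "$3" || [ $? -eq 1 ]; } )
}

# apply_patch TREE PATCH: apply non-interactively with -p1 (steps 2 and 3),
# then print how many .rej files the tree contains; a non-zero count is the
# list of hunks step 4 has to resolve by hand. patch's own messages go to
# stderr so the count stays clean on stdout.
apply_patch() {
    ( cd "$WORK/$1" && patch -p1 -s -f < "$WORK/$2" ) >&2 || true
    find "$WORK/$1" -name '*.rej' | wc -l | tr -d ' '
}

# disable_option CONFIG NAME: rewrite CONFIG_NAME=y into Kconfig's
# "# CONFIG_NAME is not set" form, as step 5 does for PAX_KERNEXEC.
# Written without sed -i so it behaves the same on GNU and BSD sed.
disable_option() {
    sed "s/^CONFIG_$2=.*/# CONFIG_$2 is not set/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# config_line CONFIG NAME: print the line for CONFIG_NAME in either form.
config_line() {
    grep "CONFIG_$2[= ]" "$1"
}

# run_workflow: the whole sequence. Prints "<rejects after hardening patch>
# <rejects after board patch>", which is "0 1" for these toy trees: the
# board patch's eth.c hunk no longer matches the hardened file.
run_workflow() {
    make_toy_trees
    gen_patch vanilla rpi rpi.patch        # step 1: board patch from the fork
    gen_patch vanilla grsec grsec.patch    # stand-in for the downloaded hardening patch
    cp -R "$WORK/vanilla" "$WORK/build"
    grsec_rej=$(apply_patch build grsec.patch)   # step 2: applies cleanly
    rpi_rej=$(apply_patch build rpi.patch)       # step 3: one hunk collides
    printf 'CONFIG_PAX_KERNEXEC=y\nCONFIG_GRKERNSEC=y\n' > "$WORK/build/.config"
    disable_option "$WORK/build/.config" PAX_KERNEXEC   # step 5
    echo "$grsec_rej $rpi_rej"
}

run_workflow
echo "rejects to resolve by hand:"
find "$WORK/build" -name '*.rej'
```

The reject appears because the board patch was generated against vanilla, not against the hardened tree, which is exactly why step 4 exists: every hunk that touches a file the hardening patch also touched has to be re-applied by hand, and each such file is also a candidate for the kind of read-only-object compile error quoted above once KERNEXEC is enabled.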

