
Grsecurity beaglebone black gentoo hardened

Posted: Thu Jan 22, 2015 7:00 pm
by revskills
Hi there,

Just to share some notes, as I've seen people interested in this but nothing specific to the beaglebone black am335x.
The Gentoo documentation is fairly complete, and the procedure is basically the same for hardened sources. You can do the same with grsec patches and the official bbb kernel (which of course is a better option). Feel free to fix/update/whatever these notes in https://github.com/revskills/am335x_boneblack_grsec .

Grsecurity on Beaglebone Black Rev. C

#toolchain & overlay
emerge dev-vcs/git sys-devel/crossdev sys-fs/dosfstools app-arch/lzop
mkdir -p /usr/local/portage/{metadata,profiles}
echo "local_overlay" > /usr/local/portage/profiles/repo_name #repo_name
echo "masters = gentoo" > /usr/local/portage/metadata/layout.conf
chown -R portage:portage /usr/local/portage
echo "PORTDIR_OVERLAY=\"/usr/local/portage\"" >>/etc/portage/make.conf

#crossdev
crossdev -S -P -v -t armv7a-hardfloat-linux-gnueabihf
## -C uninstalls the cross toolchain; only run it when you no longer need it
## crossdev -C armv7a-hardfloat-linux-gnueabihf

#u-boot
wget ftp://ftp.denx.de/pub/u-boot/u-boot-2015.01.tar.bz2
tar xvjf u-boot-2015.01.tar.bz2
cd u-boot-2015.01
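make ARCH=arm CROSS_COMPILE=armv7a-hardfloat-linux-gnueabihf- am335x_boneblack_config
## build MLO, u-boot.img and tools/mkimage
make ARCH=arm CROSS_COMPILE=armv7a-hardfloat-linux-gnueabihf-
install tools/mkimage /usr/local/bin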
##scp/cp to microSD or eMMC first partition (I used the microSD to store logs)
cp {MLO,u-boot.img} p1/

#You have two options: hardened-sources, or the official beaglebone linux kernel with patches/firmware/config (probably the better option) with the grsec patch applied
emerge hardened-sources
cd /usr/src/linux
make distclean
## download firmware needed
wget http://arago-project.org/git/projects/?p=am33x-cm3.git\;a=blob_plain\;f=bin/am335x-pm-firmware.bin\;hb=HEAD -O firmware/am335x-pm-firmware.bin
wget https://raw.githubusercontent.com/beagl ... _defconfig -O .config ## CONFIG_EXTRA_FIRMWARE="am335x-pm-firmware.bin"
## set up your custom grsec options or use mine (grsec-bbb), LOCALVERSION=-grsec
make ARCH=arm CROSS_COMPILE=armv7a-hardfloat-linux-gnueabihf- menuconfig
make ARCH=arm CROSS_COMPILE=armv7a-hardfloat-linux-gnueabihf- -j`getconf _NPROCESSORS_ONLN`
make ARCH=arm CROSS_COMPILE=armv7a-hardfloat-linux-gnueabihf- -j`getconf _NPROCESSORS_ONLN` uImage dtbs LOADADDR=0x82000000
make ARCH=arm CROSS_COMPILE=armv7a-hardfloat-linux-gnueabihf- -j`getconf _NPROCESSORS_ONLN` modules
make ARCH=arm CROSS_COMPILE=armv7a-hardfloat-linux-gnueabihf- INSTALL_MOD_PATH=../linux_modules -j`getconf _NPROCESSORS_ONLN` modules_install

##scp/cp files to bbb
linux/arch/arm/boot/{uImage,zImage,/dts/am335x-boneblack.dtb} /boot
linux_modules/lib/{modules,firmware} /lib

#boot
Linux bblack 3.17.7-grsec #1 SMP PREEMPT Thu Jan 22 13:21:20 UTC 2015 armv7l Generic AM33XX (Flattened Device Tree) GNU/Linux

References:
http://wiki.gentoo.org/wiki/BeagleBone_Black
http://www.crashcourse.ca/wiki/index.ph ... on_the_BBB
https://bugs.gentoo.org/show_bug.cgi?id=460356
http://dev.gentoo.org/~armin76/arm/beag ... l_emmc.xml
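
A pre-build check for the `.config` step in the post above, added here as an example (it is not part of the original post or the linked repository). It assumes grsecurity's top-level Kconfig symbols `CONFIG_GRKERNSEC` and `CONFIG_PAX`; the firmware and LOCALVERSION values are the ones quoted in the post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. CONFIG_GRKERNSEC and CONFIG_PAX are
# grsecurity's top-level Kconfig symbols; the other two values are quoted from the post.
REQUIRED='CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_EXTRA_FIRMWARE="am335x-pm-firmware.bin"
CONFIG_LOCALVERSION="-grsec"'

# kconfig_value FILE SYMBOL: print the symbol's value, "n" for "is not set",
# or nothing when the symbol does not appear at all.
kconfig_value() {
    awk -v sym="$2" '
        index($0, sym "=") == 1      { print substr($0, length(sym) + 2); exit }
        $0 == "# " sym " is not set" { print "n"; exit }
    ' "$1"
}

# check_config FILE: report each required setting; return the number of mismatches.
check_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 255; }
    bad=0
    while IFS= read -r want; do
        sym=${want%%=*}
        got=$(kconfig_value "$1" "$sym")
        if [ "$got" = "${want#*=}" ]; then
            echo "ok    $sym=$got"
        else
            echo "FAIL  $sym: want ${want#*=}, got ${got:-<absent>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$REQUIRED
EOF
    return "$bad"
}

# Constructed sample .config fragment: PaX left disabled on purpose.
sample_config() {
    cat <<'EOF'
CONFIG_LOCALVERSION="-grsec"
CONFIG_EXTRA_FIRMWARE="am335x-pm-firmware.bin"
CONFIG_GRKERNSEC=y
# CONFIG_PAX is not set
EOF
}

# Usage: sh check.sh /usr/src/linux/.config
if [ "$#" -gt 0 ]; then check_config "$1"; fi
```

Run it after `menuconfig` and before the `make` steps; a non-zero exit status is the count of settings that do not match.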

Re: Grsecurity beaglebone black gentoo hardened

Posted: Fri Jan 23, 2015 7:46 pm
by revskills
Note: I updated the latest 3.14.29 grsecurity patch with some minimal fixes (fbdev paths, ln, etc) for the official beaglebone kernel 3.14 branch.

https://raw.githubusercontent.com/revsk ... -bbb.patch