Kernel can't find encrypted drive,panics,Vanilla kernel can.

Post by NoMenu » Tue Jun 01, 2010 4:58 pm

I made an initrd grsec kernel for my Toshiba Satellite L505d-gs6000
(4GB ram, AMD Turion Dual-Core Mobile Processor M500,
http://laptops.toshiba.com/laptops/sate ... 05D-GS6000 )

I am using an intel 80GB SSD with 79.7 GB as an encrypted drive, and /boot as unencrypted.
This worked fine with debian's kernel and was able to boot with no problem other than having to set acpi=off (I heard also, one could try less extreme measures, some other level of acpi and thusly not have an only 30 min battery?)

I compiled linux-2.6.33.5 patched with grsecurity-2.1.14-2.6.33.5-201005311127.patch
When I tried the grsec kernel this time (I've used many grsec kernels, each time I seem to have a problem with configuring it, I'm sorry for being a dunce :( ) first it complained of the PnP bios and suggested I turn that off (pnpbios=off) then it couldn't find the VFS and kernel panicked.

So I rebooted the system, the SSD wouldn't boot, so I had to go into the bios and re-do the SSD harddrive password, then it was able to boot again, this time I edited pnpbios=off into the boot command line, but still the virtual filesystem couldn't be found:
http://pics.nexuizninjaz.com/images/plb ... d6es11.jpg

The vanilla not-compiled-by-me kernel worked:
(2.6.32.3-686)
http://pics.nexuizninjaz.com/images/908 ... yvzkye.jpg

Here is my config: http://omploader.org/vNGgyOQ/.config
I have 4GB of ram expandable to 8GB so I set the max ram in the kernel config to 64GB rather than the 4GB it was on.
This laptop is new and has a dual core 2.2Ghz AMD processor, so I set the kernel to be compiled for OPTERON/AMD64/K8 processors.
I pretty much set most extra stuff up as modules (sound cards, vidcards) except for the radeon driver which I set as compiled in.

This is my boot/grub/grub.cfg as generated by update-grub on debian testing (stable wouldn't even install on the laptop)
Code:
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by /usr/sbin/grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  load_env
fi
set default="0"
if [ ${prev_saved_entry} ]; then
  set saved_entry=${prev_saved_entry}
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z ${boot_once} ]; then
    saved_entry=${chosen}
    save_env saved_entry
  fi
}
insmod ext2
set root='(hd0,1)'
search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
set locale_dir=($root)/grub/locale
set lang=en
insmod gettext
set timeout=5
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
menuentry "Debian GNU/Linux, with Linux 2.6.33.5-grsec" --class debian --class gnu-linux --class gnu --class os {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
        echo    Loading Linux 2.6.33.5-grsec ...
        linux   /vmlinuz-2.6.33.5-grsec root=/dev/mapper/sda5_crypt ro acpi=off quiet
}
menuentry "Debian GNU/Linux, with Linux 2.6.33.5-grsec (recovery mode)" --class debian --class gnu-linux --class gnu --class os {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
        echo    Loading Linux 2.6.33.5-grsec ...
        linux   /vmlinuz-2.6.33.5-grsec root=/dev/mapper/sda5_crypt ro single acpi=off
}
menuentry "Debian GNU/Linux, with Linux 2.6.32-3-686" --class debian --class gnu-linux --class gnu --class os {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
        echo    Loading Linux 2.6.32-3-686 ...
        linux   /vmlinuz-2.6.32-3-686 root=/dev/mapper/sda5_crypt ro acpi=off quiet
        echo    Loading initial ramdisk ...
        initrd  /initrd.img-2.6.32-3-686
}
menuentry "Debian GNU/Linux, with Linux 2.6.32-3-686 (recovery mode)" --class debian --class gnu-linux --class gnu --class os {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
        echo    Loading Linux 2.6.32-3-686 ...
        linux   /vmlinuz-2.6.32-3-686 root=/dev/mapper/sda5_crypt ro single acpi=off
        echo    Loading initial ramdisk ...
        initrd  /initrd.img-2.6.32-3-686
}
### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###


Here is the /etc/default/grub which is what debian wants me to edit
Code:
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="acpi=off"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_LINUX_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"


(I don't see how I can edit individual entries there though?)
Both the working and non-working kernels use the same device as the root mount, but the grsec (newer) kernel can't find it.

Also the grsec kernel is initrd while the other kernels ... I don't know if they are or not, I don't know how to make a non-initrd image, and I recall non-initrd images didn't work so well in the past when I tried grsec plus encrypted drive.

Code:
/boot$ ls
config-2.6.32-3-686  config-2.6.33.5-grsec  grub  initrd-2.6.33.5.img  initrd.img-2.6.32-3-686  lost+found  System.map-2.6.32-3-686  System.map-2.6.33.5-grsec  vmlinuz-2.6.32-3-686  vmlinuz-2.6.33.5-grsec


Code:
/$ ls
atcacl  bin  boot  dev  etc  home  initrd.img  lib  lost+found  media  mnt  mozilla  opt  proc  root  sbin  selinux  srv  sys  tmp  usr  var  vmlinuz

ls -lah vmlinuz
lrwxrwxrwx 1 root root 25 May 31 03:14 vmlinuz -> boot/vmlinuz-2.6.32-3-686

ls -lah initrd.img
lrwxrwxrwx 1 root root 28 May 31 03:14 initrd.img -> boot/initrd.img-2.6.32-3-686


Can you help me? How can this be made to boot?
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by spender » Tue Jun 01, 2010 5:47 pm

You've booted a vanilla kernel which seems to be the distro's kernel. Have you tried booting a vanilla kernel compiled by you with the same .config you used for grsecurity? I don't think this is a grsecurity problem. If you don't build a kernel with the code built in needed to recognize the drive and the boot filesystem contained on it (and you don't have an initrd image configured with the modules needed to do the same) then you'll get the error you described. There are many resources elsewhere on how to properly build a custom kernel.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
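
The built-in-or-initrd rule from spender's reply above, as an added example that is not part of the thread: a shell check of a kernel .config for an encrypted root. The option list is an assumed minimal set for a dm-crypt root on an sd-type disk, and the sample .config is constructed.

```sh
#!/bin/sh
# Added example, not code from the thread.
# Assumed minimal option set for a dm-crypt root on an sd-type disk; a real
# check would also list the disk controller, cipher and root filesystem.
ROOT_OPTS="CONFIG_BLK_DEV_SD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT"

# check_root_config CONFIG_FILE HAVE_INITRD   (HAVE_INITRD is "yes" or "no")
# Prints one line per problem; returns 0 when none are found, 1 otherwise.
check_root_config() {
    cfg=$1
    have_initrd=$2
    problems=0
    # An initrd is only usable when the kernel itself can unpack one.
    if [ "$have_initrd" = yes ] && ! grep -q '^CONFIG_BLK_DEV_INITRD=y$' "$cfg"; then
        echo "CONFIG_BLK_DEV_INITRD must be =y to boot with an initrd"
        problems=1
    fi
    for opt in $ROOT_OPTS; do
        val=$(sed -n "s/^$opt=//p" "$cfg")
        case "$val" in
            y) ;;   # built in: available before the root filesystem is mounted
            m)      # module: only reachable at boot if an initrd carries it
                if [ "$have_initrd" != yes ]; then
                    echo "$opt=m but there is no initrd to load it from"
                    problems=1
                fi ;;
            *)
                echo "$opt is not enabled"
                problems=1 ;;
        esac
    done
    return $problems
}

# Constructed sample: device-mapper and dm-crypt built as modules.
sample_config() {
    cat <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_BLK_DEV_SD=y
CONFIG_BLK_DEV_DM=m
CONFIG_DM_CRYPT=m
# CONFIG_DM_SNAPSHOT is not set
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
echo "with initrd:";    check_root_config "$tmp" yes || true
echo "without initrd:"; check_root_config "$tmp" no  || true
rm -f "$tmp"
```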

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Tue Jun 01, 2010 10:37 pm

I'm using the crypt stuff (encrypted hdd)
I don't know what to do, all the initrd how-tos just give examples like this:

make menuconfig
make modules
make modules install
make install
mkinitramfs -o /boot/initrd-2.6.26.6.img 2.6.26.6-grsec


as to what to do. They don't say how you get it to load modules or anything. I can't do this, it just won't work, please point me to something that troubleshoots.
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by spender » Tue Jun 01, 2010 11:01 pm

that mkinitramfs command is wrong, it should be:
mkinitramfs -o /boot/initrd-2.6.32.14-grsec.img 2.6.32.14-grsec

The last argument needs to be the version of the kernel you're building. The grub entry also needs to be updated to reference the initrd image you created.

the "make modules install" line should be:
make modules_install

and there's no need to type "make modules", just type "make" (with -j<num cpus + 1> for multithreading)

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
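
The grub-entry point in spender's reply above, checked mechanically (an added example, not part of the thread): a shell/awk function that lists grub.cfg menu entries which boot a /dev/mapper root without any initrd line. The sample grub.cfg is constructed from two shortened entries of the first post.

```sh
#!/bin/sh
# Added example, not code from the thread.
# check_grub_initrd GRUB_CFG
# Prints the title of every menuentry whose "linux" line uses a /dev/mapper
# root but which has no "initrd" line. Returns 1 if any such entry exists.
check_grub_initrd() {
    awk '
        /^[ \t]*menuentry[ \t]/ {
            title = $0
            sub(/^[^"]*"/, "", title)   # drop everything up to the opening quote
            sub(/".*$/, "", title)      # drop the closing quote and the rest
            mapper = 0; initrd = 0; inside = 1
            next
        }
        inside && /^[ \t]*linux[ \t]/ && /root=\/dev\/mapper\// { mapper = 1 }
        inside && /^[ \t]*initrd[ \t]/ { initrd = 1 }
        inside && /^[ \t]*[}]/ {
            if (mapper && !initrd) { print title; bad = 1 }
            inside = 0
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample, shortened from the grub.cfg in the first post.
sample_grub_cfg() {
    cat <<'EOF'
menuentry "Debian GNU/Linux, with Linux 2.6.33.5-grsec" --class debian {
        insmod ext2
        set root='(hd0,1)'
        linux   /vmlinuz-2.6.33.5-grsec root=/dev/mapper/sda5_crypt ro acpi=off quiet
}
menuentry "Debian GNU/Linux, with Linux 2.6.32-3-686" --class debian {
        insmod ext2
        set root='(hd0,1)'
        linux   /vmlinuz-2.6.32-3-686 root=/dev/mapper/sda5_crypt ro acpi=off quiet
        initrd  /initrd.img-2.6.32-3-686
}
EOF
}

tmp=$(mktemp)
sample_grub_cfg > "$tmp"
check_grub_initrd "$tmp" || true
rm -f "$tmp"
```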

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Wed Jun 02, 2010 12:16 am

spender wrote: that mkinitramfs command is wrong, it should be:
mkinitramfs -o /boot/initrd-2.6.32.14-grsec.img 2.6.32.14-grsec

The last argument needs to be the version of the kernel you're building. The grub entry also needs to be updated to reference the initrd image you created.

the "make modules install" line should be:
make modules_install

and there's no need to type "make modules", just type "make" (with -j<num cpus + 1> for multithreading)

-Brad


Yes, I used that version number in the command. My grub entry is wrong (it was made by Debian's update script)? What should I set it as, Debian's grub.cfg says not to touch it and do stuff in /etc/defaults/grub instead and then update.

I went through my config and enabled more things as compiled in, recompiling.
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Wed Jun 02, 2010 1:23 am

Compile fails now:
Code:
  CC [M]  drivers/video/cirrusfb.o
  CC [M]  drivers/video/s1d13xxxfb.o
  CC [M]  drivers/video/sis/initextlfb.o
drivers/video/s1d13xxxfb.c:420: warning: ‘bltbit_wait_bitset’ defined but not used
drivers/video/s1d13xxxfb.c:463: warning: ‘bltbit_fifo_status’ defined but not used
  LD [M]  drivers/video/sis/sisfb.o
  CC [M]  drivers/video/sm501fb.o
  CC [M]  drivers/video/vga16fb.o
  CC [M]  drivers/video/vfb.o
  LD      drivers/video/fb.o
  LD      drivers/video/built-in.o
make: *** [drivers] Error 2
debian:/usr/src/linux-2.6.33.5$
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Wed Jun 02, 2010 1:28 am

should I just give up, the freaking kernel won't even compile now.
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Wed Jun 02, 2010 1:44 am

Also I saw this:
make[1]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
make[1]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
grsec: protected kernel image paths

Is that bad?

Code:
make[1]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
make[1]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
  grsec: protected kernel image paths
  LD      vmlinux.o
  MODPOST vmlinux.o
WARNING: modpost: Found 23077 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'
  GEN     .version
  CHK     include/generated/compile.h
  UPD     include/generated/compile.h
  CC      init/version.o
  LD      init/built-in.o
  LD      .tmp_vmlinux1
  KSYM    .tmp_kallsyms1.S
  AS      .tmp_kallsyms1.o
  LD      .tmp_vmlinux2
  KSYM    .tmp_kallsyms2.S
  AS      .tmp_kallsyms2.o
  LD      vmlinux
  SYSMAP  System.map
  SYSMAP  .tmp_System.map
  Building modules, stage 2.
  VOFFSET arch/x86/boot/voffset.h
  OBJCOPY arch/x86/boot/compressed/vmlinux.bin
  RELOCS  arch/x86/boot/compressed/vmlinux.relocs
  GZIP    arch/x86/boot/compressed/vmlinux.bin.gz
  CC      arch/x86/boot/version.o
  MODPOST 1193 modules
  MKPIGGY arch/x86/boot/compressed/piggy.S
  AS      arch/x86/boot/compressed/piggy.o
  LD      arch/x86/boot/compressed/vmlinux
  ZOFFSET arch/x86/boot/zoffset.h
  OBJCOPY arch/x86/boot/vmlinux.bin
  AS      arch/x86/boot/header.o
  LD      arch/x86/boot/setup.elf
  OBJCOPY arch/x86/boot/setup.bin
  BUILD   arch/x86/boot/bzImage
Root device is (254, 0)
Setup is 13708 bytes (padded to 13824 bytes).
System is 11831 kB
CRC e2329774
Kernel: arch/x86/boot/bzImage is ready  (#3)
WARNING: modpost: Found 13512 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'
Last edited by NoMenu on Wed Jun 02, 2010 2:06 am, edited 1 time in total.
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by specs » Wed Jun 02, 2010 1:54 am

Install "script" (apt-get install script) and before unpacking the sources do:
Code:
script compiling-messages.txt

After you do the usual:
Code:
tar xjf linux-2.6.33.tar.bz2
cd linux-2.6.33
bzip2 -cd ../patch-2.6.33.bz2 | patch -p1
bzip2 -cd ../grsecurity-2.1.14-2.6.33.5-201005311127.patch.bz2 | patch -p1
cp ../config-2.6.33.5 .config
make oldconfig
..
exit


Big advantage is you don't need to think if you typed anything wrong. It will be all logged in the "compiling-messages.txt". (Use "more" here rather than "less".) You could even send the txt if there is a discussion about what you did.

I always begin with a clean tar and a copy of an existing kernel-configuration. If I compare with a vanilla kernel I only leave out the grsec-patch.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Wed Jun 02, 2010 2:17 am

ok trying again:
Code:
root@debian:/usr/src/linux-2.6.33.5# make install
sh /usr/src/linux-2.6.33.5/arch/x86/boot/install.sh 2.6.33.5-grsec arch/x86/boot/bzImage \
                System.map "/boot"
root@debian:/usr/src/linux-2.6.33.5# cd /boot
root@debian:/boot# mkinitramfs -o /boot/initrd-2.6.33.5-grsec.img 2.6.33.5-grsec
root@debian:/boot# update-grub
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-2.6.33.5-grsec
Found initrd image: /boot/initrd-2.6.33.5-grsec.img
Found linux image: /boot/vmlinuz-2.6.33.5-grsec.old
Found initrd image: /boot/initrd-2.6.33.5-grsec.img
Found linux image: /boot/vmlinuz-2.6.32-3-686
Found initrd image: /boot/initrd.img-2.6.32-3-686
done



Code:
menuentry "Debian GNU/Linux, with Linux 2.6.33.5-grsec" --class debian --class gnu-linux --class gnu --class os {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
        echo    Loading Linux 2.6.33.5-grsec ...
        linux   /vmlinuz-2.6.33.5-grsec root=/dev/mapper/sda5_crypt ro acpi=off pnpbios=off quiet
        echo    Loading initial ramdisk ...
        initrd  /initrd-2.6.33.5-grsec.img
}
menuentry "Debian GNU/Linux, with Linux 2.6.33.5-grsec (recovery mode)" --class debian --class gnu-linux --class gnu --class os {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
        echo    Loading Linux 2.6.33.5-grsec ...
        linux   /vmlinuz-2.6.33.5-grsec root=/dev/mapper/sda5_crypt ro single acpi=off pnpbios=off
        echo    Loading initial ramdisk ...
        initrd  /initrd-2.6.33.5-grsec.img
}
menuentry "Debian GNU/Linux, with Linux 2.6.33.5-grsec.old" --class debian --class gnu-linux --class gnu --class os {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
        echo    Loading Linux 2.6.33.5-grsec.old ...
        linux   /vmlinuz-2.6.33.5-grsec.old root=/dev/mapper/sda5_crypt ro acpi=off pnpbios=off quiet
        echo    Loading initial ramdisk ...
        initrd  /initrd-2.6.33.5-grsec.img
}
menuentry "Debian GNU/Linux, with Linux 2.6.33.5-grsec.old (recovery mode)" --class debian --class gnu-linux --class gnu --class os {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
        echo    Loading Linux 2.6.33.5-grsec.old ...
        linux   /vmlinuz-2.6.33.5-grsec.old root=/dev/mapper/sda5_crypt ro single acpi=off pnpbios=off
        echo    Loading initial ramdisk ...
        initrd  /initrd-2.6.33.5-grsec.img
}
menuentry "Debian GNU/Linux, with Linux 2.6.32-3-686" --class debian --class gnu-linux --class gnu --class os {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 3b884165-d988-4429-b10a-9b8f65bafb60
        echo    Loading Linux 2.6.32-3-686 ...
        linux   /vmlinuz-2.6.32-3-686 root=/dev/mapper/sda5_crypt ro acpi=off pnpbios=off quiet
        echo    Loading initial ramdisk ...
        initrd  /initrd.img-2.6.32-3-686
}
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Wed Jun 02, 2010 2:33 am

Didn't work.

The kernel didn't even panic, it just fucking CRASHED on boot. Piece of shit.
Loading initial ramdisk...
pci 0000:83:00.0: an compatible bridge window for [mem 0xfffe???? shit
[shit]
[shit]
[shit]
[shit]
[shit]
[shit]
[shit]

Had to use a vid cam to find out what it said.

Wtf
WTF
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Wed Jun 02, 2010 2:50 am

pci 000:03:00.0: no compatible bridge window for [mem0xfffe0000-0xffffff]

Where do I get debian's kernel .config?
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Wed Jun 02, 2010 4:30 am

Compiling using this + grsec stuff now:
http://merkel.debian.org/~jurij/2.6.33- ... al.5/i386/

I hope it works. The changes I made were: set the system timer hz from 250 to 1000hz (for midi work)
Selected the Realtek RTL8187SE as a module in the staging-drivers area (it's the wireless card for Toshiba Satellite L505D-GS6000 )
Configured grsec.
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by specs » Wed Jun 02, 2010 1:10 pm

You want a secure kernel?
Then you should make the .config yourself.

Or rather run "make menuconfig" and look with each option whether you need it.
After you configured the kernel make a backup of your .config. Then you can start using "make oldconfig".

If you start compiling a kernel first ensure that you have a clean archive. The easiest way to do that is by removing the old archive and unpack the archive, apply the patches and test if the patches have been applied correctly (find . -iname "*.rej").

First you start with the sources from kernel.org without the grsecurity patch. If you can build a working kernel with those sources you start again, now with the grsecurity patch. Each new kernel you start again looking if the sources are patched correctly and clean.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: Kernel can't find encrypted drive,panics,Vanilla kernel

Post by NoMenu » Wed Jun 02, 2010 2:31 pm

Using the debian .cfg as a base and then editing it for grsec worked.
I forgot to disable firewire though, but I don't have a firewire port.
NoMenu
 
Posts: 11
Joined: Tue Jun 01, 2010 3:03 am
