Hardened KVM Guests cannot auto-adjust screen resolution

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Hardened KVM Guests cannot auto-adjust screen resolution

Postby bancfc » Fri Apr 15, 2016 4:04 pm

Running a Debian guest with a custom built kernel (sid Grsec not maintained with virtualization capabilities)

The VM's QXL driver can no longer automatically adjust the screen resolution when resizing the graphical display. The screen still responds to xrandr command: "xrandr --output Virtual-0 --auto" however but "scale display: always" option in virt-manager doesn't work as it used to with a non-hardened kernel.
bancfc
 
Posts: 9
Joined: Fri Apr 15, 2016 3:55 pm

Re: Hardened KVM Guests cannot auto-adjust screen resolution

Postby PaX Team » Fri Apr 15, 2016 4:21 pm

are there any related messages in the guest dmesg? does the guest kernel configuration matter?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Hardened KVM Guests cannot auto-adjust screen resolution

Postby bancfc » Fri Apr 15, 2016 11:04 pm

Unfortunately there are no tell-tale signs in dmesg output. The relevant part:

Code: Select all
[   17.186471] [drm] qxl: 16M of VRAM memory size
[   17.186471] [drm] qxl: 255M of IO pages memory ready (VRAM domain)
[   17.186471] [drm] qxl: 256M of Surface memory size
[   17.316115] [drm] main mem slot 1 [d0000000,fffe000]
[   17.316115] [drm] surface mem slot 2 [e0000000,10000000]
[   17.316182] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[   17.316182] [drm] No driver support for vblank timestamp query.
[   17.319554] [drm] fb mappable at 0xD0000000, size 3145728
[   17.319554] [drm] fb: depth 24, pitch 4096, width 1024, height 768
[   17.319554] checking generic (d0000000 300000) vs hw (d0000000 1000000)
[   17.319554] fb: switching to qxldrmfb from simple
[   18.298229] Console: switching to colour dummy device 80x25
[   18.308228] fbcon: qxldrmfb (fb0) is primary device
[   18.324303] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input4
[   18.329986] grsec: denied use of iopl() by /bin/vmmouse_detect[vmmouse_detect:323] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd-udevd[systemd-udevd:204] uid/euid:0/0 gid/egid:0/0
[   18.344108] Console: switching to colour frame buffer device 128x48
[   18.352257] qxl 0000:00:02.0: fb0: qxldrmfb frame buffer device
[   18.524246] [drm] Initialized qxl 0.1.0 20120117 for 0000:00:02.0 on minor 0



I tried allowing privileged IO in Grsec settings before but effect was the same.
bancfc
 
Posts: 9
Joined: Fri Apr 15, 2016 3:55 pm

Re: Hardened KVM Guests cannot auto-adjust screen resolution

Postby PaX Team » Sat Apr 16, 2016 3:13 am

are there any suspicious messages around the time you tried to resize the screen? as for grsec options, perhaps post the ones you enabled and we'll see what you can try to disable.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Hardened KVM Guests cannot auto-adjust screen resolution

Postby bancfc » Sat Apr 16, 2016 3:04 pm

I found differences in other log files:


Grsec:


Xorg.0.log

Code: Select all
No mention of "vgahw" submodule.


Code: Select all
Monitor referred to as Virtual-0



kdm.log

Code: Select all
xf86EnableIOPorts: failed to set IOPL for I/O (No such device)
(II) [KMS] Kernel modesetting enabled.
resizing primary to 1024x768
primary is
(EE) Server terminated successfully (0). Closing log file.




Vanilla:

Xorg.0.log

Code: Select all
[    35.291] (II) Loading sub module "vgahw"
[    35.291] (II) LoadModule: "vgahw"
[    35.291] (II) Loading /usr/lib/xorg/modules/libvgahw.so
[    35.360] (II) Module vgahw: vendor="X.Org Foundation"
[    35.360]    compiled for 1.16.4, module version = 0.1.0
[    35.360]    ABI class: X.Org Video Driver, version 18.



Code: Select all
Monitor name: qxl-0




kdm.log

Code: Select all
(II) [KMS] drm report modesetting isn't supported.
resizing surface0 to YYYYYYYYY
memory space from  to
memory space from  to
skipping mode ------ not fitting in surface0skipping mode ------- not fitting in surface0resizing surface0 to YYYYYYYYY
memory space from  to
memory space from  to
slots start: 1, slots end: 7
done reset
resizing primary to XXXXXXX
primary is
resizing primary to XXXXXXX
primary is






Relevant Grsec Settings:

Code: Select all
#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_VM86=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_BPF_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set
CONFIG_GRKERNSEC_KERN_LOCKOUT=y

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
bancfc
 
Posts: 9
Joined: Fri Apr 15, 2016 3:55 pm

Re: Hardened KVM Guests cannot auto-adjust screen resolution

Postby bancfc » Tue Apr 19, 2016 12:25 pm

I'm guessing my logs were not that helpful :( Can you please test this in KVM, its easily reproducible. I'm not good at looking into complex problems.
bancfc
 
Posts: 9
Joined: Fri Apr 15, 2016 3:55 pm

Re: Hardened KVM Guests cannot auto-adjust screen resolution

Postby bancfc » Thu Apr 28, 2016 10:58 pm

I tested a vanilla build and it has this bug. It has nothing to do with the Grsec patch set so excuse the report.
bancfc
 
Posts: 9
Joined: Fri Apr 15, 2016 3:55 pm

Re: Hardened KVM Guests cannot auto-adjust screen resolution

Postby bancfc » Thu Apr 28, 2016 11:09 pm

Thank you for developing Grsecurity and keeping it free software. You are doing the world a great service.
bancfc
 
Posts: 9
Joined: Fri Apr 15, 2016 3:55 pm

Re: Hardened KVM Guests cannot auto-adjust screen resolution

Postby scratchingpost » Tue Sep 06, 2016 9:46 pm

I've had this problem for ages! at first it DID look like it was a grsec problem, it's not, but the workaround does need grsec setting:

The way I've found around it is to disable KMS for qxl:
/etc/default/grub:
Code: Select all
GRUB_CMDLINE_LINUX=" qxl.modeset=0"

then update grub.

then edit /etc/sysctl.d/grsec.conf:
Code: Select all
kernel.grsecurity.disable_priv_io = 0
...
kernel.grsecurity.grsec_lock = 1

needed otherwise non-KMS mode of QXL doesn't boot under grsec.

for this to work the kernel has to be compiled with
Code: Select all
GRKERNSEC_SYSCTL_DISTRO=y


I'm waiting for the day when auto-resize will work with QXL in KMS mode again. I fight with QXL more than any other package.
scratchingpost
 
Posts: 2
Joined: Tue Sep 06, 2016 9:36 pm

Re: Hardened KVM Guests cannot auto-adjust screen resolution

Postby bancfc » Wed Oct 19, 2016 5:50 pm

UPDATE:

Turns out this was caused by a bug in KDE (for KVM hosts). I reported it upstream and a fix is in progress.
bancfc
 
Posts: 9
Joined: Fri Apr 15, 2016 3:55 pm


Return to grsecurity support