grsecurity forums

Skip to content

cryptomgr_test vs RAP

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

cryptomgr_test vs RAP

Postby Dwokfur » Sun May 08, 2016 12:13 pm

I've just tried out a new kernel with RAP enabled. The stuff boots flawlessly on a laptop. However it crashes early during boot on a server.
According to the logs cryptomgr_test pulls the trigger. Unfortunately due to technical reasons, I could not capture all lines of the log messages. Since the machine is in production I have limited resources to further investigate the problem. Fortunately, enabling CONFIG_CRYPTO_MANAGER_DISABLE_TESTS (which implies disabling CONFIG_CRYPTO_FIPS) is an easy workaround of the problem - unless a system must be FIPS 200 compliant.

Beginning of the trace:
Image
End of trace:
Image

I can try out something once every week on the system.

For future perspectives: I don't mind if a browser's JIT code is not protected. I'm compiling browsers with JIT disabled. It's more important to spread the technique all over the userland.

Respect for the work made RAP possible:
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am
Top

Re: cryptomgr_test vs RAP

Postby PaX Team » Sun May 08, 2016 1:09 pm

this is probably some crypto function written in asm that i have yet to mark with the RAP hash. can you decode the reported RIP address via addr2line -fip and also send me your vmlinux/config?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Re: cryptomgr_test vs RAP

Postby minipli » Mon May 09, 2016 3:56 pm

The following patch should fix the issue. Can you please apply it on top of the grsec patch and test it?: http://r00tworld.net/~minipli/grsec/pax-4.5.3-aesni_fix.diff
minipli
 
Posts: 21
Joined: Mon Jan 03, 2011 6:39 pm
Top

Re: cryptomgr_test vs RAP

Postby PaX Team » Tue May 10, 2016 8:21 pm

the next patch should fix all the x86 asm crypto functions that are called indirectly.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Re: cryptomgr_test vs RAP

Postby Dwokfur » Wed May 11, 2016 6:27 am

minipli wrote:The following patch should fix the issue. Can you please apply it on top of the grsec patch and test it?: http://r00tworld.net/~minipli/grsec/pax-4.5.3-aesni_fix.diff


I confirm, that the patch fixes the issue. Thanks: Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am
Top

Re: cryptomgr_test vs RAP

Postby Dwokfur » Wed May 11, 2016 7:53 am

PaX Team wrote:the next patch should fix all the x86 asm crypto functions that are called indirectly.


BTW there's a difference between the unaffected laptop and the affected server, which can be relevant here: the laptop has AVX extensions, while the server has no AVX. Therefore the crpyto config differs a little bit because of that.

After applying the patch I experienced some IO stalls hunging tasks during kernel compile after reboot with the patch. I incremented grsec patch from 201605080858 to the latest available for download: 201605102138. Booting the latest kernel I can compile kernel source without stalls.

Sending you an email as well: Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group
cron