On 12/11/2016 11:16 PM, Reg Tiangha wrote:
> On 12/11/2016 06:01 PM, [email protected] wrote:
>
>> Thanks for all your info.
>>
> A few last observations:
>
> - If you run coldkernel on a NetVM or ProxyVM, *nothing* will be able to connect behind it (which kind of sucks).
> - Dropbox no longer launches and it keeps trying to download the daemon every time you start it up. Ironically, there are no issues with SpiderOAK or NextCloud, but those programs don't force you to download a daemon after installation.
> - coldkernel works in a usbVM with USB input proxy, however, it does *not* work with mass storage device pass-through (which also sucks) and it has the added effect of locking up Qubes VM Manager once you try as well.
>
> Note that all of my sysVMs are running Fedora minimal templates; not sure if using a Debian template would make a difference, but I would suspect not. In the meantime, I've reverted all of my service VMs to use normal kernels and am only running coldkernel on AppVMs.
>
> I wonder if properly setting RBAC rules may help with some of the issues? It'd be nice to be able to figure out how to get gradm working in an AppVM. Does anyone know what the /dev/grsec device is or how to create it?
>

Looks like preliminary coldkernel support for Debian templates is now official:
https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html

They fixed the makefile issue so the Debian instructions as written should just work. They even enabled the RBAC driver in the kernel.config file (if any of the coldhak team is out there reading this, thanks so much!). But if you really don't want it in your kernel, you can modify the coldkernel.config file with CONFIG_GRKERNSEC_NO_RBAC=y; and if you really wanted SELinux in your kernel, theoretically you would add the various SELinux kernel config options to this file as well; you can Google for what those are, although I haven't tried it myself.

The Fedora instructions are still pending for the reasons in the blog post, but if people *really* want to try it on a FC template, I'll give you my instructions from start to finish. I'll start with how to compile it on an FC BuildVM, then how to install your rpms on other FC templates without having to reinstall the entire build environment and compiling each time. I used FC 24, but it should still work on FC 23.

First, the Build instructions:

1) On dom0:

   sudo qubes-dom0-update grub2-xen

2) On FC TemplateVM (make sure /home has at least 4GB free):

   a) Install support for booting from pvgrub2 kernels:

      sudo dnf install qubes-kernel-vm-support

   b) Install the dev environment:

      sudo dnf install hmaccalc zlib-devel binutils-devel elfutils-libelf-devel ncurses-devel gcc-plugin-devel wget git gnupg2 bc gcc-c++ rpm-build

   c) Optional: Install bison and flex to compile gradm:

      sudo dnf install bison flex

OPTIONAL: At this point, you can create an AppVM to do the actual compiling, just make sure to save the rpms and u2mfn.ko kernel module that you'll end up making. Otherwise, if this is the TemplateVM you intend to also use later on in a different AppVM, then keep going.
3) Clone coldkernel from github:

   wget "https://coldhak.ca/coldhak/keys/coldhak.asc" -O coldhak.asc
   gpg --import coldhak.asc
   git clone https://github.com/coldhakca/coldkernel
   cd coldkernel
   git verify-tag coldkernel-0.9a-4.8.13
   git checkout tags/coldkernel-0.9a-4.8.13

4) Build coldkernel:

   make qubes-guest

5) Now you'll have made two rpms. Install them:

   sudo dnf install kernel-headers-4.8.13_coldkernel_grsec_1-2.x86_64.rpm kernel-4.8.13_coldkernel_grsec_1-2.x86_64.rpm

Now, this is the tricky part. You'll also need to compile the u2mfn.ko kernel module, which isn't done by default because the coldkernel kernel sources aren't installed by default. BUT a version of the kernel sources still exists in your coldkernel directory, so you can use that instead to build it.

6) Symlink kernel source to where dkms can find it:

   sudo ln -s /home/user/coldkernel/linux-4.8.13 /lib/modules/4.8.13-coldkernel-grsec-1/build

7) Build the u2mfn kernel module and rebuild initramfs:

   sudo dkms autoinstall -k 4.8.13-coldkernel-grsec-1
   sudo dracut --regenerate-all --force

It will compile the u2mfn kernel module and will place it in /lib/modules/4.8.13-coldkernel-grsec-1/extra. IF YOU INTEND TO INSTALL COLDKERNEL ON OTHER FC TEMPLATES, BACK THIS FILE UP!!

7b) Back up the u2mfn kernel module:

   sudo cp /lib/modules/4.8.13-coldkernel-grsec-1/extra/u2mfn.ko /home/user/coldkernel/

Now, you'll have your two rpms and the u2mfn kernel module in your coldkernel directory. Save those elsewhere if you intend on installing coldkernel on other machines (ex. copy to another VM).
Continuing on, you'll want to install grsecurity's paxctld program:

8) Grab paxctld and verify it (the gpg binary might be gpg2 on your system):

   wget https://grsecurity.net/paxctld/paxctld-systemd-1.2.1-1.x86_64.{rpm,rpm.sig}
   gpg --homedir=.gnupg --verify paxctld-systemd-1.2.1-1.x86_64.{rpm.sig,rpm}

9) Install and enable paxctld:

   sudo dnf install paxctld-systemd-1.2.1-1.x86_64.rpm
   sudo cp paxctld.conf /etc/paxctld.conf
   sudo paxctld -d
   sudo systemctl enable paxctld

10) Create grub config file. When you use the pvgrub2 kernel, it'll ignore any qvm-prefs kernelopts you may have set. So you'll need to create a /etc/default/grub file containing your kernelopts (ex. GRUB_CMDLINE_LINUX="nopat"). Once done, run:

   sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Shutdown the VM, and assuming you did this all on a TemplateVM, change its kernel to pvgrub2 and start it up. If you did it on an AppVM, all of the system changes will be erased, making it really important to have backed up that u2mfn file.

If you want to install this on other FC templates without having to recompile, make sure to back up the:

- kernel and kernel-header rpms
- paxctld rpm and conf file

to another machine.

HOW TO INSTALL ON OTHER FC TEMPLATES:

1) Copy the linux and linux-headers rpm files as well as the u2mfn.ko file to the FC template you want to install it on.
2) Install pvgrub2 support (and bison and flex if you'll be compiling gradm on it as well):

   sudo dnf install qubes-kernel-vm-support grub2-tools

3) Install the coldkernel rpms:

   sudo dnf install kernel-headers-4.8.13_coldkernel_grsec_1-2.x86_64.rpm kernel-4.8.13_coldkernel_grsec_1-2.x86_64.rpm

4) Copy the u2mfn kernel module to the kernel module's directory:

   sudo cp u2mfn.ko /lib/modules/4.8.13-coldkernel-grsec-1/extra/

5) Rebuild kernel module map:

   sudo depmod -v 4.8.13-coldkernel-grsec-1

6) Regenerate initramfs:

   sudo dracut --regenerate-all --force

7) Install grub (don't forget to make your /etc/default/grub file if you need to pass additional kernel options):

   sudo grub2-mkconfig -o /boot/grub2/grub.cfg

8) Install paxctld as per the instructions above.

That should do it. Once you boot into the grsecurity environment, you'll then be able to compile gradm and use that to profile your machine. Unfortunately, I was hoping I could do that to profile ServiceVMs, but I still have the same issues as before, mainly any AppVM set to use a coldkernel-enabled Proxy or NetVM refuses to start (libxenlight throws an error), and Qubes VM Manager crashes any time you try to attach a USB device to another VM using a sys-usb VM with coldkernel. I don't know how to fix this; I tried tracing things manually and using paxctl to disable memory protections on various qubes binaries (FYI: running paxctl -cm on the dropbox binary in your home directory allows it to work again), but it was like trying to find a needle in a haystack. I don't know enough about the Qubes architecture to even know where to begin. But hopefully my instructions will allow other people to try it for themselves and help test this stuff out.

Good luck, and thanks again to the coldhak crew for all their hard work!!

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/o2o1n0%244ml%241%40blaine.gmane.org.
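As an added example that is not part of Reg's post or the coldkernel project, the script below runs steps 2 through 7 of the "install on other FC templates" procedure (the same install steps the build walkthrough ends with) and adds the checks the post leaves to the reader: it derives the module directory name from the rpm filename, stops if a file is missing, confirms depmod actually picked up u2mfn, and warns when /etc/default/grub carries no GRUB_CMDLINE_LINUX (which pvgrub2 needs, since qvm-prefs kernelopts are ignored). It assumes the two rpms and u2mfn.ko sit in the current directory; the COLDKERNEL_RUN guard is this script's own convention, and step 8 (paxctld) is left to the post's instructions.

```shell
#!/bin/sh
# Added example (not from the post): install a prebuilt coldkernel on another
# FC template, with the sanity checks the manual steps do not include.
set -eu

# Map the kernel rpm filename to the /lib/modules directory it creates:
# kernel-4.8.13_coldkernel_grsec_1-2.x86_64.rpm -> 4.8.13-coldkernel-grsec-1
kver_from_rpm() {
    v=${1##*/}          # drop any leading path
    v=${v#kernel-}      # drop the package name prefix
    v=${v%%-*}          # drop "-<release>.<arch>.rpm"
    printf '%s\n' "$v" | tr '_' '-'
}

# pvgrub2 ignores qvm-prefs kernelopts, so the options must be in this file.
grub_defaults_ok() {
    grep -q '^GRUB_CMDLINE_LINUX=' "$1"
}

install_coldkernel() {
    krpm=$1; hrpm=$2; mod=$3
    for f in "$krpm" "$hrpm" "$mod"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    kver=$(kver_from_rpm "$krpm")
    sudo dnf install -y qubes-kernel-vm-support grub2-tools         # step 2
    sudo dnf install -y "$hrpm" "$krpm"                             # step 3
    [ -d "/lib/modules/$kver" ] || { echo "no /lib/modules/$kver after install" >&2; return 1; }
    sudo install -D -m 0644 "$mod" "/lib/modules/$kver/extra/u2mfn.ko"   # step 4
    sudo depmod -v "$kver"                                          # step 5
    # Fail early if depmod did not index the module for this kernel.
    sudo modinfo -k "$kver" u2mfn >/dev/null
    sudo dracut --regenerate-all --force                            # step 6
    grub_defaults_ok /etc/default/grub \
        || echo "warning: /etc/default/grub has no GRUB_CMDLINE_LINUX; kernelopts will be lost" >&2
    sudo grub2-mkconfig -o /boot/grub2/grub.cfg                      # step 7
}

# Only run the privileged steps when explicitly asked (script's own guard).
if [ "${COLDKERNEL_RUN:-0}" = 1 ]; then
    install_coldkernel kernel-4.8.13_coldkernel_grsec_1-2.x86_64.rpm \
        kernel-headers-4.8.13_coldkernel_grsec_1-2.x86_64.rpm u2mfn.ko
fi
```

Run it as COLDKERNEL_RUN=1 sh install-coldkernel.sh from the directory holding the files; the paxctld install and the switch of the template's kernel to pvgrub2 still follow as in the post.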
