On 12/12/2016 10:41 PM, Reg Tiangha wrote:
> On 12/11/2016 11:16 PM, Reg Tiangha wrote:
>> On 12/11/2016 06:01 PM, raahe...@gmail.com wrote:
>>
>>> Thanks for all your info.
>>>
>> A few last observations:
>>
>> - If you run coldkernel on a NetVM or ProxyVM, *nothing* will be able to
>> connect behind it (which kind of sucks).
>> - Dropbox no longer launches and it keeps trying to download the daemon
>> every time you start it up. Ironically, there are no issues with
>> SpiderOAK or NextCloud, but those programs don't force you to download a
>> daemon after installation.
>> - coldkernel works in a usbVM with USB input proxy, however, it does
>> *not* work with mass storage device pass-through (which also sucks) and
>> it has the added effect of locking up Qubes VM Manager once you try as well.
>>
>> Note that all of my sysVMs are running Fedora minimal templates; not
>> sure if using a Debian template would make a difference, but I would
>> suspect not. In the meantime, I've reverted all of my service VMs to use
>> normal kernels and am only running coldkernel on AppVMs.
>>
>> I wonder if properly setting RBAC rules may help with some of the
>> issues? It'd be nice to be able to figure out how to get gradm working
>> in an AppVM. Does anyone know what the /dev/grsec device is or how to
>> create it?
>>
> Looks like preliminary coldkernel support for Debian templates is now
> official:
>
> https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html
>
> They fixed the makefile issue so the Debian instructions as written
> should just work. They even enabled the RBAC driver in the kernel.config
> file (if any of the coldhak team is out there reading this, thanks so
> much! But if you really don't want it in your kernel, you can modify the
> coldkernel.config file with CONFIG_GRKERNSEC_NO_RBAC=y ; and if you
> really wanted SELinux in your kernel, theoretically you would add the
> various SELinux kernel config options to this file as well; you can
> Google for what those are although I haven't tried it myself).
>
> The Fedora instructions are still pending for the reasons in the blog
> post, but if people *really* want to try it on a FC template, I'll give
> you my instructions from start to finish. I'll start with how to compile
> it on an FC BuildVM, then how to install your rpms on other FC templates
> without having to reinstall the entire build environment and compiling
> each time. I used FC 24, but it should still work on FC 23.
>
> First, the Build instructions:
>
> 1) On dom0:
>
>    sudo qubes-dom0-update grub2-xen
>
> 2) On FC TemplateVM (make sure /home has at least 4GB free):
>
>   a) Install support for booting from pvgrub2 kernels:
>
>      sudo dnf install qubes-kernel-vm-support
>
>   b) Install the dev environment:
>
>      sudo dnf install hmaccalc zlib-devel binutils-devel elfutils-libelf-devel ncurses-devel gcc-plugin-devel wget git gnupg2 bc gcc-c++ rpm-build
>
>   c) Optional:  Install bison and flex to compile gradm:
>
>      sudo dnf install bison flex
>
>
> OPTIONAL:  At this point, you can create an AppVM to do the actual
> compiling, just make sure to save the rpms and u2mfn.ko kernel module
> that you'll end up making. Otherwise, if this is the TemplateVM you
> intend to also use later on in a different AppVM, then keep going.
>
>
> 3)  Clone coldkernel from github:
>
>      wget "https://coldhak.ca/coldhak/keys/coldhak.asc" -O coldhak.asc
>
>      gpg --import coldhak.asc
>
>      git clone https://github.com/coldhakca/coldkernel
>
>      cd coldkernel
>
>      git verify-tag coldkernel-0.9a-4.8.13
>
>      git checkout tags/coldkernel-0.9a-4.8.13
>
> 4) Build coldkernel:
>
>      make qubes-guest
>
> 5) Now you'll have made two rpms. Install them:
>
>     sudo dnf install kernel-headers-4.8.13_coldkernel_grsec_1-2.x86_64.rpm kernel-4.8.13_coldkernel_grsec_1-2.x86_64.rpm
>
>
> Now, this is the tricky part. You'll also need to compile the u2mfn.ko
> kernel module, which isn't done by default because the coldkernel kernel
> sources aren't installed by default. BUT a version of the kernel sources
> still exists in your coldkernel directory so you can use that instead to
> build it.
>
>
> 6) Symlink kernel source to where dkms can find it:
>
>      sudo ln -s /home/user/coldkernel/linux-4.8.13 /lib/modules/4.8.13-coldkernel-grsec-1/build
>
> 7) Build the u2mfn kernel module and rebuild initramfs:
>
>      sudo dkms autoinstall -k 4.8.13-coldkernel-grsec-1
>
>      sudo dracut --regenerate-all --force
>
>
> It will compile the u2mfn kernel module and will place it in
> /lib/modules/4.8.13-coldkernel-grsec-1/extra. IF YOU INTEND TO INSTALL
> COLDKERNEL ON OTHER FC TEMPLATES, BACK THIS FILE UP!!
>
> 7b) Back up the u2mfn kernel module:
>
>      sudo cp /lib/modules/4.8.13-coldkernel-grsec-1/extra/u2mfn.ko
> /home/user/coldkernel/
>
>
> Now, you'll have your two rpms and the u2mfn kernel module in your
> coldkernel directory. Save those elsewhere if you intend on installing
> coldkernel on other machines (ex. Copy to another VM).
>
>
> Continuing on, you'll want to install grsecurity's paxctld program:
>
> 8) Grab paxctld and verify it:
>
>      wget https://grsecurity.net/paxctld/paxctld-systemd-1.2.1-1.x86_64.{rpm,rpm.sig}
>
>      gpg (or it might be gpg2) --homedir=.gnupg --verify
> paxctld-systemd-1.2.1-1.x86_64.{rpm.sig,rpm}
>
> 9) Install and enable paxctld:
>
>      sudo dnf install paxctld-systemd-1.2.1-1.x86_64.rpm
>
>      sudo cp paxctld.conf /etc/paxctld.conf
>
>      sudo paxctld -d
>
>      sudo systemctl enable paxctld
>
> 10) Create grub config file. When you use the pvgrub2 kernel, it'll
> ignore any qvm-prefs kernelopts you may have set. So you'll need to
> create a /etc/default/grub file containing your kernelopts (ex.
> GRUB_CMDLINE_LINUX="nopat"). Once done, run:
>
>      sudo grub2-mkconfig -o /boot/grub2/grub.cfg
>
>
> Shutdown the VM, and assuming you did this all on a Template VM, change
> its kernel to pvgrub2 and start it up. If you did it on an AppVM, all of
> the system changes will be erased, making it really important to have
> backed up that u2mfn file.
>
> If you want to install this on other FC templates without having to
> recompile, make sure to back up the:
>
>      - kernel and kernel-header rpms
>
>      - the paxctld rpm and conf file
>
> to another machine.
>
>
> HOW TO INSTALL ON OTHER FC TEMPLATES:
>
> 1) Copy the linux and linux-headers rpm files as well as the u2mfn.ko
> file to the FC template you want to install it on.
>
> 2) Install pvgrub2 support:
>
>      sudo dnf install qubes-kernel-vm-support grub2-tools (and bison and
> flex if you'll be compiling gradm on it as well)
>
> 3) Install the coldkernel rpms:
>
>      sudo dnf install kernel-headers-4.8.13_coldkernel_grsec_1-2.x86_64.rpm kernel-4.8.13_coldkernel_grsec_1-2.x86_64.rpm
>
> 4) Copy the u2mfn kernel module to the kernel module's directory:
>
>      sudo cp u2mfn.ko /lib/modules/4.8.13-coldkernel-grsec-1/extra/
>
> 5) Rebuild kernel module map:
>
>      sudo depmod -v 4.8.13-coldkernel-grsec-1
>
> 6) Regenerate initramfs:
>
>      sudo dracut --regenerate-all --force
>
> 7)  Install grub (don't forget to make your /etc/default/grub file if
> you need to pass additional kernel options):
>
>      sudo grub2-mkconfig -o /boot/grub2/grub.cfg
>
> 8)  Install paxctld as per the instructions above.
>
>
> That should do it. Once you boot into the grsecurity environment,
> you'll then be able to compile gradm and use that to profile your machine.
>
> Unfortunately, I was hoping I could do that to profile ServiceVMs, but I
> still have the same issues as before, mainly any AppVM set to use a
> coldkernel-enabled Proxy or NetVM refuses to start (libxenlight throws
> an error), and Qubes VM Manager crashes any time you try to attach a USB
> device to another VM using a sys-usb VM with coldkernel. I don't know
> how to fix this; I tried tracing things manually and using paxctl to
> disable memory protections on various qubes binaries (FYI: running
> paxctl -cm on the dropbox binary in your home directory allows it to
> work again), but it was like trying to find a needle in a haystack. I
> don't know enough about the Qubes architecture to even know where to begin.
>
> But hopefully my instructions will allow other people to try it for
> themselves and help test this stuff out. Good luck, and thanks again to
> the coldhak crew for all their hard work!!
>
>
Ah crap. Step 2 should read:

   sudo dnf install qubes-kernel-vm-support grub2-common

Otherwise, you won't be able to install grub on the vm. Don't forget it!


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/o2o1rs%244ml%242%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.
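The "install on other FC templates" steps quoted above, together with the grub2-common correction, as one script with preflight checks. This is an added example, not code from the thread, from coldhak or from Qubes. It assumes the two kernel rpms, u2mfn.ko, the paxctld rpm with its .sig, and paxctld.conf were all copied into a single directory, and it takes the kernel release string (the /lib/modules directory name) as its first argument. DRY_RUN=1 prints every privileged command instead of running it, so the sequence can be reviewed before it touches a template.

```shell
#!/bin/sh
# Added example (not from the thread, coldhak or Qubes): replay steps 2-8 of
# "HOW TO INSTALL ON OTHER FC TEMPLATES" with the grub2-common correction
# applied and with preflight checks. Assumed layout: kernel rpms, u2mfn.ko,
# paxctld rpm + .sig and paxctld.conf all in one directory (second argument).
# DRY_RUN=1 prints each privileged command instead of executing it.
set -eu

# Run a privileged command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'sudo %s\n' "$*"
    else
        sudo "$@"
    fi
}

# Module directory name "4.8.13-coldkernel-grsec-1" -> "4.8.13_coldkernel_grsec_1",
# the version string embedded in the coldkernel rpm file names.
rpm_version_of() {
    printf '%s' "$1" | tr '-' '_'
}

# first_match DIR PATTERN: print the first file matching DIR/PATTERN, or fail.
first_match() {
    for f in "$1"/$2; do
        if [ -e "$f" ]; then printf '%s' "$f"; return 0; fi
    done
    return 1
}

# preflight KREL DIR: fail before touching the system if any input is missing.
preflight() {
    krel="$1"; dir="$2"; ver="$(rpm_version_of "$krel")"
    for pat in "kernel-$ver-*.x86_64.rpm" "kernel-headers-$ver-*.x86_64.rpm" u2mfn.ko \
               "paxctld-systemd-*.x86_64.rpm" "paxctld-systemd-*.x86_64.rpm.sig" paxctld.conf; do
        if ! first_match "$dir" "$pat" >/dev/null; then
            echo "preflight: missing $dir/$pat" >&2
            return 1
        fi
    done
    # pvgrub2 ignores qvm-prefs kernelopts; they must live in /etc/default/grub.
    [ -f /etc/default/grub ] || echo "note: no /etc/default/grub; kernelopts will not be applied" >&2
    return 0
}

# install_coldkernel KREL DIR: steps 2-8 from the mail, in order.
install_coldkernel() {
    krel="$1"; dir="$2"; ver="$(rpm_version_of "$krel")"
    preflight "$krel" "$dir" || return 1
    khdr="$(first_match "$dir" "kernel-headers-$ver-*.x86_64.rpm")"
    kimg="$(first_match "$dir" "kernel-$ver-*.x86_64.rpm")"
    pax="$(first_match "$dir" "paxctld-systemd-*.x86_64.rpm")"
    # 2) pvgrub2 support; grub2-common (not grub2-tools) provides grub2-mkconfig
    run dnf install -y qubes-kernel-vm-support grub2-common
    if [ "${DRY_RUN:-0}" != "1" ] && ! command -v grub2-mkconfig >/dev/null 2>&1; then
        echo "grub2-mkconfig still missing after installing grub2-common" >&2
        return 1
    fi
    # 3) the coldkernel rpms
    run dnf install -y "$khdr" "$kimg"
    # 4)-6) module, module map, initramfs
    run mkdir -p "/lib/modules/$krel/extra"
    run cp "$dir/u2mfn.ko" "/lib/modules/$krel/extra/"
    run depmod -v "$krel"
    run dracut --regenerate-all --force
    # 7) grub config (reads /etc/default/grub if present)
    run grub2-mkconfig -o /boot/grub2/grub.cfg
    # 8) paxctld: install only after the detached signature verifies (set -e aborts otherwise)
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "gpg --verify $pax.sig $pax"
    else
        gpg --verify "$pax.sig" "$pax"
    fi
    run dnf install -y "$pax"
    run cp "$dir/paxctld.conf" /etc/paxctld.conf
    run paxctld -d
    run systemctl enable paxctld
}

# Usage: RUN_INSTALL=1 DRY_RUN=1 sh install-coldkernel.sh 4.8.13-coldkernel-grsec-1 ~/coldkernel
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_coldkernel "$1" "$2"
fi
```

Run it first with DRY_RUN=1 and read the printed command list; only then rerun without DRY_RUN inside the TemplateVM. The preflight deliberately stops before the first dnf call, so a template is never left with the kernel rpms installed but no u2mfn.ko to go with them.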
