Just because the baton was dropped doesn't mean that others weren't
willing to pick it up.

There are a few groups now that are forward porting the last grsecurity
release (4.9.24) to work with newer kernels in the 4.9 branch. This is
the one that the Hardened Kernel Community Project links to:

https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec

And the Dapper Linux project is trying to forward-port the patches to
4.11 (but it still doesn't compile properly; trust me, I've tried):

https://github.com/dapperlinux/dapper-secure-kernel-patchset


I've taken their work and created a test 4.9 Qubes grsec kernel branch
merging their patches with the Qubes/Xen patches here (the only one that
wouldn't merge was the mcelog patch so I commented it out; I'm too newb
to figure out how to adjust it to account for the changes that the grsec
patches make), if people wanted to play around with it:

https://github.com/rtiangha/qubes-linux-kernel/tree/devel-4.9-grsec


Some Notes:

- The resulting kernel-qubes-vm package as a VM kernel works *exactly*
the same as a coldkernel. So if you were running coldkernel in your VMs
before, you can save yourself a lot of time using this instead because
instead of installing a grsec kernel on each VM, all you have to do now
is install it once in dom0 and point only the VMs you want to use it at it.

- I haven't played with it too much yet, but the standard dom0 kernel
package boots, though you'll need to run paxctl to soften the protections
on various binaries and libraries for it to work 100% (paxctl -cm
/usr/bin/pulseaudio is definitely one of them), and maybe do some other
things as well. The problem is, Fedora doesn't have pax-tools in its
repository (I think; Debian definitely does), so you'll have to compile
those utilities yourself. The Dapper Linux project has a branch and
compile instructions on GitHub, but it's up to you to figure out how to
use them (there's lots of documentation on the web; the Arch and Gentoo
Linux grsecurity wikis are probably a good place to start):

https://github.com/dapperlinux/pax-tools


There's probably a risk in continuing to use a stale patch set as time
goes by, but if you're the type that believes a stale grsecurity patch
set is still better than the stock kernel configuration, there are
groups out there trying to keep it alive for as long as possible.


As for getting as many of those grsec patches merged upstream as
possible, that's where the Hardened Kernel Community Project comes in
and they're primarily concentrating on 4.11 for now. Their work is here:

https://github.com/thestinger/linux-hardened/


And I've created a 4.11 branch that merges in those patches (it's what
I'm currently running in dom0 on my personal machines at the moment, and
it seems to work fine) here:

https://github.com/rtiangha/qubes-linux-kernel/tree/devel-4.11-hard


If you just want a stock 4.11 experience, I've also created a branch
without the hardened stuff here:

https://github.com/rtiangha/qubes-linux-kernel/tree/devel-4.11


So for those who are bored with the stock kernels and want to try
something new (or need better hardware support than what 4.9 has), there
are a few more choices now.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/og4hqk%2410t%241%40blaine.gmane.org.
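The post above recommends softening PaX protections on specific binaries with `paxctl -cm`, which leaves a permanent record in the binary's PT_PAX_FLAGS program header. An administrator of a hardened dom0 will want to audit which binaries have had which protections disabled, and Fedora has no packaged paxctl to do that with. The following is an added example, not code from the post, from grsecurity, or from any of the linked projects: a small ELF program-header reader that re-implements the read side of `paxctl -v` in Python and reports the protections a binary explicitly disables. The PT_PAX_FLAGS type value and the flag bit positions are those from PaX's elf.h additions; the sample ELF image is constructed inline so the script runs offline, and the `PAXCTL_CM` constant models the bit that `paxctl -m` sets (MPROTECT disabled), which is my reading of the tool, not something the post states.

```python
"""Audit the PT_PAX_FLAGS header of ELF binaries (added example, not from the post).

Reports which PaX protections a binary has explicitly softened, e.g. after
`paxctl -cm /usr/bin/pulseaudio`. Handles ELF32/ELF64, either endianness.
"""
import struct
import sys

PT_PAX_FLAGS = 0x65041580   # p_type PaX uses for its per-binary flags
PT_GNU_STACK = 0x6474E551   # header that `paxctl -c` converts into PT_PAX_FLAGS

# (name, "enable" bit, "disable" bit) as defined by PaX's elf.h additions.
PAX_FLAG_BITS = [
    ("PAGEEXEC", 1 << 4,  1 << 5),
    ("SEGMEXEC", 1 << 6,  1 << 7),
    ("MPROTECT", 1 << 8,  1 << 9),
    ("RANDEXEC", 1 << 10, 1 << 11),
    ("EMUTRAMP", 1 << 12, 1 << 13),
    ("RANDMMAP", 1 << 14, 1 << 15),
]

# Assumption: the flag bit `paxctl -m` sets (PF_NOMPROTECT); used for the sample below.
PAXCTL_CM = 1 << 9


def pax_flags_from_elf(data: bytes):
    """Return raw p_flags of the PT_PAX_FLAGS entry, or None if the binary has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                             # Elf64_Phdr: p_type, p_flags, ...
            p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        else:                                # Elf32_Phdr: p_flags sits at +24
            (p_type,) = struct.unpack_from(endian + "I", data, off)
            (p_flags,) = struct.unpack_from(endian + "I", data, off + 24)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def decode_pax_flags(p_flags: int) -> dict:
    """Map raw bits to per-protection state; neither bit set means kernel default."""
    state = {}
    for name, on, off in PAX_FLAG_BITS:
        if p_flags & on and p_flags & off:
            state[name] = "conflict"         # both bits set; the kernel rejects this
        elif p_flags & off:
            state[name] = "disabled"
        elif p_flags & on:
            state[name] = "enabled"
        else:
            state[name] = "default"
    return state


def softened_protections(data: bytes) -> list:
    """Names of protections the binary explicitly disables (what an auditor wants)."""
    raw = pax_flags_from_elf(data)
    if raw is None:
        return []
    return [name for name, s in decode_pax_flags(raw).items() if s == "disabled"]


def build_sample_elf64(pax_flags=None) -> bytes:
    """Constructed minimal x86-64 ELF: header + PT_GNU_STACK [+ PT_PAX_FLAGS]."""
    phdrs = [(PT_GNU_STACK, 0x6)]            # PF_R | PF_W: non-executable stack
    if pax_flags is not None:
        phdrs.append((PT_PAX_FLAGS, pax_flags))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0x400000,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000)
                    for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:                                # e.g. python pax_audit.py /usr/bin/*
        for path in paths:
            with open(path, "rb") as fh:
                print(path, softened_protections(fh.read()))
    else:
        print("constructed sample:", softened_protections(build_sample_elf64(PAXCTL_CM)))
```

Run it over `/usr/bin/*` and `/usr/lib64/*.so*` on a dom0 where you have been softening binaries and it produces an inventory of every exception you have made, which is the list to revisit when a newer hardened kernel (or a fixed pulseaudio) no longer needs them. A binary that reports `[]` either has no PT_PAX_FLAGS header at all or has one that only enables protections, so it still gets the kernel's defaults.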