On 2017-08-24 4:27 PM, nicholas roveda wrote:
> I think Reg has done a great job and the porting it's a must go path to force
> the developers to throw away all the differences that slow down or prevent
> the development of a secure system.
>

To be fair, I don't forward port anything; it's @minipli on GitHub (https://github.com/minipli/linux-unofficial_grsec/releases) that does the hard work. All I do is make it easy to use the existing Qubes kernel build scripts to include and package it, which was the original intent once the old coldkernel project became more mature, but unfortunately ended when the grsec project stopped releasing patches to the public with 4.9.24 (I do make one change to minipli's patches though, and that's to remove his custom uname patch because a) something like 4.9.45.unofficial-grsec.qubes.pvops is ridiculously long and b) it actually breaks the Qubes build scripts because it results in a version mismatch and thus halts the compile).

But really, that branch is just a proof-of-concept; it really does require the user to customize the kernel config and/or user space to work properly, although it should work for the most part out-of-the-box. I'm not sure yet if it can be completely trusted so I don't actually recommend that people use it per se; for example, the grsec guy included a binary firmware blob in the original grsec patches that was only recently discovered. @minipli has taken it out of future patches, but since the original patch set was never audited, who knows what else might be in there? But for the people who've heavily invested in the old coldkernel or in PAX in their VMs, at least this is a way they can continue using it while still having a somewhat up-to-date kernel.

I'll double check that build script soon; it works on my machine, but maybe what I have in my build VM isn't sync'ed with what I have on my public account for the grsec branch. But I also only build on an FC23 VM; are people using something different (like FC24 or 25) to build on? Because that might be it too.
