For those of you who are fresh like myself, Im going to compile some 
information Ive found on Qubes Kernel hardening. And for the tech savvy Qubes 
junkies, also like myself, lets have another discussion! Of course 
anyones welcome to add their 2 cents or drop a dime. 

     ~Things that I think are facts but might not be as of early 2018~

1. Qubes does not incorporate kernel hardening. 
2. GrSecurity is really great security? (Discussion/opinion below)
3. The Coldkernel Team is working on Qubes kernel hardening.
4. GrSecurity is working close with PaX.

   Q - Why should you care? 
   A - Kernel Hardening protects against many forms of L337 H4X0R5 and monsters.

     ~More pseudo-phacts~
5. "PaX is maintained by The PaX Team, whose principal coder is anonymous"

6. GrSecurity is really great security but very few distros use it. 
     -Why? An extrapolation on this below.

7. Q - Why is Qubes not integrated with GrSecurity/PaX?
   A - "Grsec is dead (at least as an open source project), so it doesn't apply 
anymore." -marmarek (dev)

8. Q - How can we easily incorporate kernel hardening into our Qubes?
   A - Directly into your qubes just like this:

     ~On GrSecurity/PaX~ 

GrSecurity, allegedly, is a really great form of kernel hardening. A 
brief look at their page tells you that they have done 
their homework. Notably, there are features that Qubes users would 
find very appealing. Upon further investigation, it seems as though
this is not an open source project, meaning that only the inner core 
of developers works on maintaining and updating the code, but the 
source is still free to distribute so long as its not changed, from 
my understanding. (cont. below)


GrSec doesnt keep their docs well maintained and the setup uses lots of 
jargon/acronyms that are not for modest users. -misquote, Qubes user, April 2017
   -drawbacks to GrSec: 
     -you have to pay for support to keep up-to-date with patches
     -the likely-hood of users scrutinizing the code is much smaller than 
open-source development

GrSec, while it sounds good, is aimed at a different breed of user-base. 
I really like the idea of (excuse my lack of proper technical terms) 
a non-profit that still gets paid. I have no idea how it actually works, 
but I assume that people that believe in a presented idea donate and 
developers get paid to preform a civil service. That is a really sound 
business plan. Sure, lots of people do not donate. Alternately, lots of
people DO donate. 

For instance, Kali Linux. They offer a free to the public open source 
service: the hacking distro, originally Backtrack Linux. They needed
more money, so instead of living off of donations, they created the 
OffSec brand training and certifications. OffSec and Kali: two mostly 
different products that do not solely rely on each other. Or I should 
say, Kali does not rely on OffSec. 

The difference that Im hinting at is that GrSec does not support this 
freedom. Its subtly obvious that between not keeping the documentation 
up-to-date and the software itself being hard to understand, they have 
made the open source 'project' extremely difficult for the end user. It
is only really feasible for enterprises. 

To reiterate in a somewhat prejudice, unprofessional manner: Theyre not
open source because they believe in open source. Their heart isnt in it. 

Back to business. 

"In late June, noted open-source programmer Bruce Perens warned that using 
Grsecurity's Linux kernel security could invite legal trouble."

Bruce Perens posted a blog article in late June of 2017 that concluded that 
anyone who compiled their kernel using GrSec was subject to "contributory 
infringement and breach of contract" due to the GNU policy declining the 
modification of code. At first glance, it would seem that Perens did slander 
this company and some would argue that this accusation would be a far-fetched 
plausability for a company that is only insuring themselves. But as the 
security community well knows and lawsuits have well-documented, corporations 
often blur the lines between property dispute. 

The month after Perens posted his blog, the stated company lashed back 
as would a person deeply hurt by critique. I wouldnt think that slander 
would warrant a lawsuit, but a lawsuit it was accusing Bruce, his webhost 
and others of defamation and business interference. This does not make them 
stand out from other companies. After all, Cisco sued DefCon in 2005 for 
similar reasons of exposing vulnerabilities in their routers. But this is 
the nature of what makes security SECURE. Exposing loopholes and plugging 
them. And this company acted with a most unbecoming maturity. 


The software is licensed under the GNU GPL version 2 meaning the software 
is free to distribute as is. The cited article also declares that Perens 
accuses the company of over-ruling the license agreement by stating that 
customers who distribute the subscription patches will forfeit their 
customer rights. 

GNU GPL v2 section 6: You may not impose any further restrictions on the 
recipients' exercise of the rights granted herein. You are not responsible for 
enforcing compliance by third parties to this License.

If youre still thinking about using this obviously robust software, I 
will conclude by restating that GrSec does not have the consumers best
interests in mind. And this the the most important consideration when 
deciding whether to use a product. It should also be well noted that 
when googling 'GrSec', there are many concerns.

 Hardened Linux stalwarts Grsecurity pull the pin after legal fight

 Linux kernel security gurus Grsecurity oust freeloaders from castle

 Linus Torvalds slams 'pure garbage' from 'clowns' at Grsecurity

 My mail to the grsecurity team to expose their FUD

 Beyond #Grsecurity: The Future of Linux security is Brighter than Ever

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
To view this discussion on the web visit
For more options, visit

Reply via email to