Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On Mon, 26 Jun 2017 16:30:41 +0900 Alice Ferrazzi wrote:
> Linus Torvalds on grsecurity:
> https://www.spinics.net/lists/kernel/msg2540934.html

Linus may be responsible for Linux, but also for things like Dirty COW. Not sure how I feel about him and security, given that neglect.

https://dirtycow.ninja/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

--
William L. Thomson Jr.
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On 06/26/2017 09:15, Luis Ressel wrote:
> On Sun, 25 Jun 2017 23:47:48 -0400
> Joshua Kinard wrote:
>
>> Safe for now to just switch to gentoo-sources while retaining hardened
>> toolchain? Or would there be a few additional steps needed? I only
>> use PaX for mprotect() and the ASLR capabilities, though I suspect
>> those might be in the standard sauce by now. As such, I haven't had
>> to deal with userland issues and PaX too much over the years.
>
> A full rebuild shouldn't be necessary after a switch to gentoo-sources
> or vanilla-sources. At least, I can't think of any reason why it would,
> and I haven't encountered any problems after switching on my own hosts.
>
> Just keep in mind that vanilla-sources doesn't support the PaX xattrs
> properly (AFAIR), so if you ever want to switch *back* from vanilla to
> hardened, some pax markings will be missing. This shouldn't be an issue
> for gentoo-sources, though.
>
> Cheers,
> Luis Ressel

The machine needs a full rebuild just to "freshen" it up. The current install is going on 6-7+ years, at least three different motherboard/CPU cycles, and the SATA drives are pushing 8+ years old at this point in that machine. The same drives were previously in my desktop machine between ~2006-2008, so they've had a *great* run for spinning rust. I've got new'ish replacement drives and a new drive bay recently arrived, so the grsecurity mess was the straw that broke the proverbial camel's back. Just a matter of getting the needed downtime to move data off, rebuild/reinstall everything, move stuff back, and check for broken bits.

Until then, I wasn't sure if switching to gentoo-sources would have any side effects with the hardened userland to get to a newer kernel.

--
Joshua Kinard
Gentoo/MIPS
ku...@gentoo.org
6144R/F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us.
And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On Sun, 25 Jun 2017 23:47:48 -0400 Joshua Kinard wrote:
> Safe for now to just switch to gentoo-sources while retaining hardened
> toolchain? Or would there be a few additional steps needed? I only
> use PaX for mprotect() and the ASLR capabilities, though I suspect
> those might be in the standard sauce by now. As such, I haven't had
> to deal with userland issues and PaX too much over the years.

A full rebuild shouldn't be necessary after a switch to gentoo-sources or vanilla-sources. At least, I can't think of any reason why it would, and I haven't encountered any problems after switching on my own hosts.

Just keep in mind that vanilla-sources doesn't support the PaX xattrs properly (AFAIR), so if you ever want to switch *back* from vanilla to hardened, some pax markings will be missing. This shouldn't be an issue for gentoo-sources, though.

Cheers,
Luis Ressel
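Before switching kernels as discussed above, an administrator would want a record of which PaX markings each binary carries, since a marking can live either in the ELF PT_PAX_FLAGS program header or in the user.pax.flags xattr that Luis mentions. The following is an added example, not code from this thread or from Gentoo's pax-utils; it assumes the PT_PAX_FLAGS type value and enable/disable bit pairs as defined in the PaX patch's ELF additions, and the sample ELF image it builds is constructed test data.

```python
import os
import struct

# PT_PAX_FLAGS program-header type and per-feature enable/disable bit pairs, as in the
# PaX patch's ELF additions (values assumed here; they are not stated in the thread).
PT_PAX_FLAGS = 0x65041580
PAX_FEATURES = {  # name: (enable bit, disable bit)
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}

def pax_flags_from_elf(data):
    """Return p_flags of the PT_PAX_FLAGS header in an ELF64 image, or None if unmarked."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(endian + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def decode_pax_flags(p_flags):
    """Map p_flags to {feature: True (forced on) / False (forced off) / None (kernel default)}."""
    state = {}
    for name, (on, off) in PAX_FEATURES.items():
        if p_flags & on and p_flags & off:
            raise ValueError(f"{name}: enable and disable bits both set")
        state[name] = True if p_flags & on else (False if p_flags & off else None)
    return state

def pax_xattr(path):
    """Read Gentoo's user.pax.flags xattr marking; None if the file has none or the fs lacks xattrs."""
    try:
        return os.getxattr(path, "user.pax.flags").decode()
    except OSError:
        return None

def build_sample_elf(p_flags):
    """Constructed test data: minimal little-endian ELF64 with one PT_PAX_FLAGS program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr
```

Running `decode_pax_flags(pax_flags_from_elf(open(path, "rb").read()))` together with `pax_xattr(path)` over the binaries of interest gives a list of markings that can be re-applied after a move back to a PaX-capable kernel.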
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On Mon, Jun 26, 2017 at 9:30 AM, Alice Ferrazzi wrote:
>
> Linus Torvalds on grsecurity:
> https://www.spinics.net/lists/kernel/msg2540934.html

Spender responds:
http://www.openwall.com/lists/oss-security/2017/06/24/1

Popcorn-worthy thread.
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
Linus Torvalds on grsecurity:
https://www.spinics.net/lists/kernel/msg2540934.html

--
Thanks,
Alice Ferrazzi
Gentoo Kernel Project Leader
Mail: Alice Ferrazzi
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On 06/23/2017 12:28, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.

So short-term, what's the next step one can take to hop off the hardened-sources train before it runs out of track, without a full rebuild?

I'm planning on a full rebuild/re-install eventually for my dev box, but it has been stuck on kernel 4.9.x since this shindig went down and I'd like to get ahead to 4.11 or 4.12 instead of using my SGI machines to discover new surprises.

Safe for now to just switch to gentoo-sources while retaining the hardened toolchain? Or would there be a few additional steps needed? I only use PaX for mprotect() and the ASLR capabilities, though I suspect those might be in the standard sauce by now. As such, I haven't had to deal with userland issues and PaX too much over the years.

--
Joshua Kinard
Gentoo/MIPS
ku...@gentoo.org
6144R/F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us.
And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On 6/24/17 6:04 AM, Alexis Ballier wrote:
> On Fri, 23 Jun 2017 12:28:27 -0400
> "Anthony G. Basile" wrote:
>
>> Hardened Gentoo has two sides to it, kernel hardening (done via
>> hardened-sources) and toolchain/executable hardening. The two are
>> interrelated but independent enough that toolchain hardening can
>> continue on its own. The hardened kernel, however, provided PaX
>> protection for executables and this will be lost. We did a lot of
>> work to properly maintain PaX markings in our package management
>> system and there was no part of Gentoo that wasn't touched by issues
>> stemming from PaX support.
>
> Good luck to them at providing a complete userland ecosystem for using
> pax protection. Good luck at getting people to accept and review their
> often crashing asm patches at upstream projects that won't even be able
> to test their benefits.
>
> Maybe we should start a business for this? :)
> http://static.sstic.org/videos2015/SSTIC_2015-06-03_P08_CLIP.mp4
> (This is for Patrice)

Correct. Zorry, myself and others on the hardened team did a lot to make userland play nice with the hardened kernel. It represents most of my effort in Gentoo.

> We'll need to decide what to do with things like USE=pic. For media
> packages this is not something you usually want to enable as you can
> bear the 10Mb relocations at startup to have 10% or more performance
> improvement when reading your 2-hour-long movie.

It will be a mess going forward. We will necessarily have to start dropping pax-related stuff, if for no other reason than that we can't support making a package work under pax if we have no pax-enabled kernel to test on. Once this is gone, such bugs will float upstream to pipacs and spender. "Good luck" is right.

> Alexis.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On Fri, 23 Jun 2017 12:28:27 -0400 "Anthony G. Basile" wrote:
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of
> work to properly maintain PaX markings in our package management
> system and there was no part of Gentoo that wasn't touched by issues
> stemming from PaX support.

Good luck to them at providing a complete userland ecosystem for using pax protection. Good luck at getting people to accept and review their often crashing asm patches at upstream projects that won't even be able to test their benefits.

Maybe we should start a business for this? :)
http://static.sstic.org/videos2015/SSTIC_2015-06-03_P08_CLIP.mp4
(This is for Patrice)

We'll need to decide what to do with things like USE=pic. For media packages this is not something you usually want to enable, as you can bear the 10Mb relocations at startup to have 10% or more performance improvement when reading your 2-hour-long movie.

Alexis.
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On 06/23/2017 09:28 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.

Thanks for taking the time to let the greater Gentoo community know. It's a shame things took this turn... Is there any hope of a fork emerging from the drama?

Why would a security-conscious group take their toys and go home? Regardless, this is a loss for Linux as a whole. I hope something springs up in its place.

--
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
> I welcome feedback.

And how about KSPP and other similar projects that try to continue the idea of community-friendly development based on the latest release available to the wide public (or maybe some other project that was grown in parallel with PaX)?

[OFFTOP]
I personally very much dislike Brad's behaviour. Not only closing the source from the public. Not only the blackmail of banning from updates customers that publish the patches. But also his trolling against KSPP: first he cried that they steal his work (yup, steal. Open source. Lol). Then he stated that he wants KSPP to state *both* that their work is based on grsec *and* that they have no connection with grsecurity, at the *same time*. So, it looks like he does not really care about Linux security. He only cares about his business. Which is against my vision of open-source community principles. So, since that time I have no non-offensive words to describe him anymore.

So, I previously decided to take the latest available hardened-sources patchset and maintain it (mostly fixes for new kernel releases) locally for my needs, until Gentoo Hardened migrates to KSPP, or KSPP merges all of the work into "vanilla" Linux. But since I read this notice, I'm very sad about the destiny of Gentoo Hardened. It was the best solution for production servers, imho. But news like that makes people think that it (Hardened Gentoo) is starting its pre-death agony. And that's very, very sad :'(
[/OFFTOP]
[gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
Hi everyone,

Since late April, grsecurity upstream has stopped making their patches available publicly. Without going into details, the reason for their decision revolves around disputes about how their patches were being (ab)used.

Since the grsecurity patch formed the main core of our hardened-sources kernel, their decision has serious repercussions for the Hardened Gentoo project. I will no longer be able to support hardened-sources and will have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via hardened-sources) and toolchain/executable hardening. The two are interrelated but independent enough that toolchain hardening can continue on its own. The hardened kernel, however, provided PaX protection for executables and this will be lost. We did a lot of work to properly maintain PaX markings in our package management system and there was no part of Gentoo that wasn't touched by issues stemming from PaX support.

I waited two months before saying anything because the reasons were more of a political nature than some technical issue. At this point, I think it's time to let the community know about the state of affairs with hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal, they kicked everyone), and so I have not spoken to spengler or pipacs. I don't know if they will ever release grsecurity patches again.

My plan then is as follows. I'll wait one more month and then send out a news item and later mask hardened-sources for removal. I don't recommend we remove any of the machinery from Gentoo that deals with PaX markings.

I welcome feedback.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA