[qubes-users] coldkernel status update

2017-04-08 Thread Colin Childs
Hi everyone,

It has been some time since we posted on this list, so here is a brief
update:

1. We have recently pushed 0.9a-4.9.20

2. An issue with switching from 4.8.x to 4.9.x was identified and fixed
upstream (https://github.com/coldhakca/coldkernel/issues/55)

3. The blog post for Fedora support is currently being written

4. Final tests for Whonix support are underway

5. 0.9b will be released soon, with support for Fedora and 0.9c will
follow soon after with full Whonix support (and a blog post, again.)

6. Once 0.9c is out, we will direct our efforts towards providing
binaries for Qubes users (and potentially our other supported platforms)

7. After all above steps are complete, we will evaluate what the next
steps should be. This may include attempting to provide a kernel for Dom0.

If anyone has questions / comments, please feel free to contact me directly.

Thanks!

-- 
Colin Childs
Coldhak
https://coldhak.ca
Twitter: @coldhakca

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/559bb54c-c791-b56e-a89c-0fd12acaf0ae%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: FYI: Experimental Qubes coldkernel support now available

2017-01-13 Thread Colin Childs
On 13/01/17 11:52 AM, Colin Childs wrote:
> On 13/01/17 11:21 AM, Marek Marczykowski-Górecki wrote:
>> On Thu, Dec 15, 2016 at 03:11:29PM -0600, Colin Childs wrote:
>>> Hi everyone,
>>
>>> Sorry for not getting on this list sooner, however it looks like testing
>>> of coldkernel on Debian is largely going well! I see the most recent
>>> issue from foppe, and will be attempting to reproduce later this evening.
>>
>>> If you run into issues that require coldhak attention, please do not
>>> hesitate to open tickets at
>>> https://github.com/coldhakca/coldkernel/issues, or email us directly at
>>> cont...@coldhak.ca.
>>
>>> Thanks, and happy testing!
>>
>> What are the plans for next stages here? I guess fixing Fedora support,
>> right?
>>
>> What about binary packages in general: I've heard there are some
>> benefits from compiling the grsec-enabled kernel yourself, as some parts
>> are randomized compile-time. Is that true? How much benefit it gives?
>>
>> Anyway, I think in the end we need some packages in the repository for
>> this. 
>>
>>
> Hi,
> 
> Please see
> https://github.com/coldhakca/coldkernel/issues?q=is%3Aissue+is%3Aopen+label%3Aqubes
> for the next steps along, with their planned release versions. We are
> currently planning to shit 0.9b within the next week.
> 
> 0.9a (the current release) was not released with Fedora support, and
> this was pulled from the README before the release was cut. The 0.9b
> release will be focused on Whonix as well as Fedora, however Whonix is
> currently taking priority. The goal is to push out both Whonix and
> Fedora support with 0.9b, however if Fedora support looks like it will
> take considerably longer, it will be bumped to 0.9c.
> 
> For providing binary packages, our goal is to offer grsec enabled
> binaries for Debian. Offering pre-built Fedora binaries is not currently
> in the roadmap, however it could potentially be added down the line.
> 
> There are some protections that come with compiling the kernel by hand,
> such as an actually random/functional GRKERNSEC_RANDSTRUCT[1].
> 
> [1]:
> https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options
> 
Hi everyone,

Sorry about the really unfortunate typo/correction in the first
paragraph of my previous email.

I hope you all have a nice weekend!

-- 
Colin Childs
Coldhak
https://coldhak.ca
Twitter: @coldhakca



Re: [qubes-users] Re: FYI: Experimental Qubes coldkernel support now available

2017-01-13 Thread Colin Childs
On 13/01/17 11:21 AM, Marek Marczykowski-Górecki wrote:
> On Thu, Dec 15, 2016 at 03:11:29PM -0600, Colin Childs wrote:
>> Hi everyone,
> 
>> Sorry for not getting on this list sooner, however it looks like testing
>> of coldkernel on Debian is largely going well! I see the most recent
>> issue from foppe, and will be attempting to reproduce later this evening.
> 
>> If you run into issues that require coldhak attention, please do not
>> hesitate to open tickets at
>> https://github.com/coldhakca/coldkernel/issues, or email us directly at
>> cont...@coldhak.ca.
> 
>> Thanks, and happy testing!
> 
> What are the plans for next stages here? I guess fixing Fedora support,
> right?
> 
> What about binary packages in general: I've heard there are some
> benefits from compiling the grsec-enabled kernel yourself, as some parts
> are randomized compile-time. Is that true? How much benefit it gives?
> 
> Anyway, I think in the end we need some packages in the repository for
> this. 
> 
> 
Hi,

Please see
https://github.com/coldhakca/coldkernel/issues?q=is%3Aissue+is%3Aopen+label%3Aqubes
for the next steps along, with their planned release versions. We are
currently planning to shit 0.9b within the next week.

0.9a (the current release) was not released with Fedora support, and
this was pulled from the README before the release was cut. The 0.9b
release will be focused on Whonix as well as Fedora, however Whonix is
currently taking priority. The goal is to push out both Whonix and
Fedora support with 0.9b, however if Fedora support looks like it will
take considerably longer, it will be bumped to 0.9c.

For providing binary packages, our goal is to offer grsec enabled
binaries for Debian. Offering pre-built Fedora binaries is not currently
in the roadmap, however it could potentially be added down the line.

There are some protections that come with compiling the kernel by hand,
such as an actually random/functional GRKERNSEC_RANDSTRUCT[1].

[1]:
https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options

-- 
Colin Childs
Coldhak
https://coldhak.ca
Twitter: @coldhakca
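
To illustrate the point above about GRKERNSEC_RANDSTRUCT and prebuilt binaries, here is an added example (not from this thread or from the coldkernel project) that models structure-layout randomization as a shuffle driven by a build-time seed. The struct, the seeds and the shuffle are constructed for illustration and are not the plugin's actual algorithm.

```python
import hashlib
import random

# Constructed sample struct: (field name, size in bytes). Every field is
# 8 bytes so the model can ignore alignment padding.
CRED_LIKE = [("usage", 8), ("uid", 8), ("gid", 8), ("euid", 8),
             ("securebits", 8), ("cap_effective", 8), ("user_ns", 8)]


def layout(fields, build_seed: bytes, struct_name: str):
    """Return {field: offset} after a seed-driven shuffle of the fields."""
    # One build seed determines the layout of every randomized struct.
    digest = hashlib.sha256(build_seed + struct_name.encode()).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    order = list(fields)
    rng.shuffle(order)
    offsets, cursor = {}, 0
    for name, size in order:
        offsets[name] = cursor
        cursor += size
    return offsets


def offsets_seen(field, seeds):
    """Distinct offsets of one field across a set of kernel builds."""
    return {layout(CRED_LIKE, s, "cred_like")[field] for s in seeds}


# Case 1: one prebuilt package installed on 100 machines, so one shared seed.
PACKAGE_SEED = b"constructed-seed-baked-into-binary-package"
fleet_binary = [PACKAGE_SEED] * 100
# Case 2: each machine compiles locally, so each build draws its own seed.
fleet_local = [f"constructed-local-seed-{i}".encode() for i in range(100)]


def summary():
    """Number of distinct 'euid' offsets across each fleet."""
    return {
        "binary": len(offsets_seen("euid", fleet_binary)),
        "local": len(offsets_seen("euid", fleet_local)),
    }


if __name__ == "__main__":
    # The binary fleet shares a single layout that anyone can read from the
    # published package; the locally built fleet does not.
    print(summary())
```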



Re: [qubes-users] Re: FYI: Experimental Qubes coldkernel support now available

2016-12-17 Thread Colin Childs
On 17/12/16 01:42 PM, Reg Tiangha wrote:
> On 12/17/2016 11:47 AM, Foppe de Haan wrote:
>> On Saturday, December 17, 2016 at 7:40:25 PM UTC+1, Reg Tiangha wrote:
>>> On 12/17/2016 10:36 AM, Foppe de Haan wrote:
>>>> I also built the fedora kernel according to Reg's recipe, same issue.
>>>> Comparing boot logs, the problem seems to start here:
>>>>
>>>> [0.765662] BUG: unable to handle kernel paging request at 
>>>> 87ff95a17300
>>>> [0.765671] IP: [] delay_mwaitx+0x49/0x90
>>>> [0.765682] PGD 0 
>>>> [0.765688] Oops:  [#1] SMP
>>>> [0.765693] Modules linked in:
>>>> [0.765701] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 
>>>> 4.8.13-coldkernel-grsec-1 #1
>>>> [0.765709] task: 8800136bf540 task.stack: c9e38000
>>>> [0.765714] RIP: e030:[]  [] 
>>>> delay_mwaitx+0x49/0x90
>>>> [0.765724] RSP: e02b:c9e3be50  EFLAGS: 00010087
>>>> [0.765729] RAX: 87ff95a17300 RBX: 0001 RCX: 
>>>> 
>>>> [0.765735] RDX:  RSI: 00039262adda8fdb RDI: 
>>>> 0002a4e4
>>>> [0.765740] RBP: 81c17300 R08:  R09: 
>>>> 
>>>> [0.765745] R10: 0002 R11: 000f R12: 
>>>> 0200
>>>> [0.765749] R13: c9e3bea7 R14: 824055e8 R15: 
>>>> 607e4ce58fa6249c
>>>> [0.765758] FS:  () GS:880013e0() 
>>>> knlGS:
>>>> [0.765765] CS:  e033 DS:  ES:  CR0: 80050033
>>>> [0.765770] CR2: 87ff95a17300 CR3: 020c2000 CR4: 
>>>> 00040660
>>>> [0.765775] Stack:
>>>> [0.765779]  0001 10d1 814956a5 
>>>> 95fa1589597478a1
>>>> [0.765788]  814960d0 95fa1589597478a1 c9e3bec8 
>>>> 06937a89d974aa7d
>>>> [0.765797]  ffed 8236af42 df7e4ce58fa6249c 
>>>> 
>>>> [0.765807] Call Trace:
>>>> [0.765815]  [] ? i8042_wait_write+0x25/0x70
>>>> [0.765822]  [] ? i8042_command+0x30/0x80
>>>> [0.765829]  [] ? i8042_init+0x606/0x6f8
>>>> [0.765835]  [] ? i8042_probe+0xa41/0xa41
>>>> [0.765842]  [] ? do_one_initcall+0x4d/0x170
>>>> [0.765849]  [] ? kernel_init_freeable+0x202/0x2ff
>>>> [0.765856]  [] ? kernel_init+0x5/0x118
>>>> [0.765861]  [] ? ret_from_fork+0x1e/0x40
>>>> [0.765867]  [] ? rest_init+0x88/0x88
>>>> [0.765871] Code: 41 b8 ff ff ff ff 48 09 c6 41 ba 02 00 00 00 eb 09 48 
>>>> 29 c6 48 01 f7 48 89 c6 48 89 e8 65 48 03 05 25 25 cf 7e 4c 89 c9 4c 89 ca 
>>>> <0f> 01 fa 4c 39 c7 4c 89 c3 4c 89 d8 48 0f 46 df 4c 89 d1 0f 01 
>>>> [0.765920] RIP  [] delay_mwaitx+0x49/0x90
>>>> [0.765927]  RSP 
>>>> [0.765931] CR2: 87ff95a17300
>>>> [0.765939] ---[ end trace 84bc057c0ef01aab ]---
>>>> [0.765946] Kernel panic - not syncing: grsec: halting the system due 
>>>> to suspicious kernel crash caused by root
>>>>
>>>> (Same error in both VMs.)
>>>>
>>> Did you try passing along the "nopat" kernel option through grub to see
>>> if that made a difference?
>> Yes, but it didn't make a difference.
>>
> 
> Does it work when the VM has the entire compile environment? As in, if
> you follow the coldhak instructions directly, does it work? Or does it
> never work?
> 
> 
> 
Hi everyone,

Please be aware that there are a number of issues with using coldkernel
in the Fedora templates currently. Our goal is to push out 0.9b over the
holidays to address this.

For the time being, the Fedora instructions have been entirely removed
from the master git branch, and progress will be made on the 0.9b
branch, along with Whonix support.

Happy Holidays!

-- 
Colin Childs
Coldhak
https://coldhak.ca
Twitter: @coldhakca
