Reporting success with Coldkernel on Qubes R3.2 with Debian 8 template.
Followed the steps in
https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html and it worked
first try. I did some further tweaking afterwards to allow me to lock it
down a bit more in the future with TPE and keep my template minimal.

In the linux-4.8.13 directory structure:
Copied u2mfn.c to drivers/misc and set up references in Kconfig and Makefile
make menuconfig

GRKERNSEC_TPE_ALL=y             [kernel.grsecurity.tpe_restrict_all]
GRKERNSEC_TPE_INVERT=y          [kernel.grsecurity.tpe_invert]
PAX_MEMORY_SANITIZE=y           [not sure if Xen sanitizes freed memory within
                                 the VM, appears to only be on shutdown]
PAX_MEMORY_STACKLEAK=y
CONFIG_XEN_BLKDEV_BACKEND=m     [believe this is necessary for the USB VM,
                                 crashed Qubes Manager on attaching USB device
                                 to other VM without it]
CONFIG_XEN_NETDEV_BACKEND=m     [and this for Net VM]
CONFIG_U2MFN=y                  [to let me avoid DKMS]

fakeroot make bindeb-pkg -j 4 LOCALVERSION=-coldkernel-grsec-1
KDEB_PKGVERSION=4.8.13-coldkernel-grsec-1

Then, copied the following to minimal template:
linux-image-4.8.13-coldkernel-grsec-amd64.deb
paxctld_1.2.1-1_amd64.deb
paxctld.conf
/usr/share/initramfs-tools/hooks/qubes_vm
/usr/share/initramfs-tools/scripts/local-top/qubes_cow_setup

Added the following file on minimal:
/etc/sysctl.d/81-grsec.conf
  kernel.grsecurity.deny_new_usb = 0
  kernel.grsecurity.tpe_invert = 1
  kernel.grsecurity.tpe_restrict_all = 1

And ran on it:

sudo dpkg -i paxctld_1.2.1-1_amd64.deb [or use one from testing repository]
sudo apt install grub2-common

sudo groupadd -g 9001 grsecproc
sudo groupadd -g 9002 tpeuntrusted
sudo groupadd -g 9003 denysockets
sudo cp paxctld.conf /etc/paxctld.conf
sudo paxctld -d
sudo systemctl enable paxctld
sudo dpkg -i linux-image-4.8.13-coldkernel-grsec-amd64.deb
sudo mkdir /boot/grub
sudo update-grub2

sudo shutdown -h now

Changed it to use PVGRUB2 and minimal template worked too. Applied it to
sys-net, sys-firewall, sys-usb and all function (after adding some
packages I missed, etc.) except with two issues so far:
1. qvm-copy-to-vm completes successfully but throws an error to the
console at the end about "failed to open /proc: permission denied".
2. On full reboot, all sys-VMs start automatically but networking doesn't
work right until I shut down whonix and firewall, then start them back up
in the proper order. Not sure if it's because they are just booting too
fast or if some trigger isn't getting communicated properly.
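A small verification script, added here as an example and not part of the original post or the Coldkernel project: it checks that the template carries the three sysctl settings and the three helper groups the post sets up, and reports the live TPE values once the grsec kernel is booted. File paths are passed as arguments so the same checks run against /etc/sysctl.d/81-grsec.conf and /etc/group on the template or against constructed copies; the sample sysctl content written by write_sample_sysctl is a constructed copy of the post's file, and the group GIDs (9001-9003) are the ones the post's groupadd commands use.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a Qubes
# template after the grsec/TPE setup described in the message above.

# check_sysctl_file FILE: verify the three settings the post puts in
# /etc/sysctl.d/81-grsec.conf. Returns 0 only if every key has the
# expected value; the last assignment in the file wins, as with sysctl.
check_sysctl_file() {
    file="$1"
    rc=0
    for pair in \
        "kernel.grsecurity.deny_new_usb=0" \
        "kernel.grsecurity.tpe_invert=1" \
        "kernel.grsecurity.tpe_restrict_all=1"
    do
        key="${pair%%=*}"
        want="${pair#*=}"
        # escape the dots so they match literally in the sed pattern
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        got=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$file" | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-unset}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# check_group_file FILE: verify the helper groups exist with the GIDs the
# post's groupadd commands assign (needed so paxctld.conf / TPE refer to
# the right group ids). Pass /etc/group on a real template.
check_group_file() {
    file="$1"
    rc=0
    for pair in "grsecproc:9001" "tpeuntrusted:9002" "denysockets:9003"
    do
        name="${pair%%:*}"
        gid="${pair#*:}"
        if ! grep -q "^${name}:[^:]*:${gid}:" "$file"; then
            echo "MISSING: group $name with gid $gid" >&2
            rc=1
        fi
    done
    return $rc
}

# check_tpe_running: print the live TPE sysctls. Only meaningful inside a
# booted grsec VM; on a stock kernel the keys are absent and that is reported.
check_tpe_running() {
    for key in kernel.grsecurity.tpe_restrict_all kernel.grsecurity.tpe_invert
    do
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            echo "$key = $(cat "$path")"
        else
            echo "$key: not present (grsecurity TPE not built or not booted)"
        fi
    done
}

# write_sample_sysctl FILE: constructed copy of the post's 81-grsec.conf,
# so the checks can be exercised offline without a grsec template.
write_sample_sysctl() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/sysctl.d/81-grsec.conf
kernel.grsecurity.deny_new_usb = 0
kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1
EOF
}

# Usage on the template (run as root or with readable copies):
#   check_sysctl_file /etc/sysctl.d/81-grsec.conf && check_group_file /etc/group && check_tpe_running
```

On a template where the sysctl file or a group is missing the offending key or group name is printed on stderr and the function returns 1, so the line above doubles as a post-install gate before cloning the template to sys-net, sys-firewall or sys-usb.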

