
Current kernel status
I contacted minipli, and he said that the unofficial grsecurity kernel is
frozen. So we should not wait for him to port KPTI and Meltdown.
Is the hardened toolchain still supported by the community?
I successfully compiled with gcc 7.3.0 on the v17.0 profile with virtualbox 5.2.8
and nvidia-drivers 390.42, but had to update the pax patches for them. Where
should I share these patches?
Re: Current kernel status
Hey Ren,


That’s too bad about minipli, but that’s understandable, especially considering the amount of work.

I can’t comment on the level of support, but Gentoo has always been about providing users with choices, so I don’t think your patches should be rejected. There’s still a pax_kernel use flag in play with several ebuilds, and that’s not been deprecated or masked.

I think the best might be to either open bugs on bugs.gentoo.org or make GitHub PRs with your changes here: https://github.com/gentoo/gentoo/pulls


Cheers,

– Guillaume Ceccarelli

> On Apr 14, 2018, at 02:33, Ren Nyo <rennyonyo@gmail.com> wrote:
>
> I contacted minipli, and he said that the unofficial grsecurity kernel is frozen. So we should not wait for him to port KPTI and Meltdown.
> Is the hardened toolchain still supported by the community?
> I successfully compiled with gcc 7.3.0 on the v17.0 profile with virtualbox 5.2.8 and nvidia-drivers 390.42, but had to update the pax patches for them. Where should I share these patches?
Re: Current kernel status
Hi!

On Sat, Apr 14, 2018 at 12:33:55AM +0000, Ren Nyo wrote:
> I contacted minipli, and he said that the unofficial grsecurity kernel is
> frozen. So we should not wait for him to port KPTI and Meltdown.

Looks like there is no progress so far. :(

Are there any other options for getting a kernel newer than 4.9.74 with
GrSecurity/PaX for personal use, or is it now available only at a high
price, i.e. enterprise-only?

--
WBR, Alex.
Re: Current kernel status
Hey Alex,

As far as I know, official grsecurity is the only game in town now. I can’t comment on their pricing for personal use. You might want to get in touch and ask them if you haven’t done so recently.

– Guillaume Ceccarelli

> On 2 Sep 2018, at 10:42, Alex Efros <powerman@powerman.name> wrote:
>
> Hi!
>
>> On Sat, Apr 14, 2018 at 12:33:55AM +0000, Ren Nyo wrote:
>> I contacted minipli, and he said that the unofficial grsecurity kernel is
>> frozen. So we should not wait for him to port KPTI and Meltdown.
>
> Looks like there is no progress so far. :(
>
> Are there any other options for getting a kernel newer than 4.9.74 with
> GrSecurity/PaX for personal use, or is it now available only at a high
> price, i.e. enterprise-only?
>
> --
> WBR, Alex.
>
Re: Current kernel status
In minipli's GitHub branch, in the issues, someone ported changes up to 4.9.105,
however without the Spectre and Meltdown fixes. You should write to the grsecurity
team about a personal license. If they receive many letters, maybe they will
make such a license available.

Sun, 2 Sep 2018, 11:43 Alex Efros <powerman@powerman.name>:

> Hi!
>
> On Sat, Apr 14, 2018 at 12:33:55AM +0000, Ren Nyo wrote:
> > I contacted minipli, and he said that the unofficial grsecurity kernel is
> > frozen. So we should not wait for him to port KPTI and Meltdown.
>
> Looks like there is no progress so far. :(
>
> Are there any other options for getting a kernel newer than 4.9.74 with
> GrSecurity/PaX for personal use, or is it now available only at a high
> price, i.e. enterprise-only?
>
> --
> WBR, Alex.
>
>
Re: Current kernel status
Hi,

the last publicly available version of PaX / grsecurity will probably
never be ported to work with the Meltdown / Spectre fixes.

The only option is to use minipli's last release (4.9.74) and port all
non-spectre related fixes from upstream's 4.9 branch [1] to it. However
you should only run such a kernel on CPUs not affected by Meltdown /
Spectre, such as the Raspberry Pi or Intel's Atom (the in-order ones
codenamed "Bonnell") [2].

Bear in mind that upstream is porting fixes from PaX to mainline, albeit
at a slow pace. I've rebased the last pax-only patch on 4.9.74 but
decided for myself that it's not worth maintaining a 4.9 fork.

Cheers,
Philipp

[1]
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/?h=linux-4.9.y
[2] https://en.wikipedia.org/wiki/List_of_Intel_Atom_microprocessors

Am 02.09.2018 22:39 schrieb Ren Nyo:
> In minipli's GitHub branch, in the issues, someone ported changes up to
> 4.9.105, however without the Spectre and Meltdown fixes. You should write
> to the grsecurity team about a personal license. If they receive many
> letters, maybe they will make such a license available.
>
> Sun, 2 Sep 2018, 11:43 Alex Efros <powerman@powerman.name>:
>
>> Hi!
>>
>> On Sat, Apr 14, 2018 at 12:33:55AM +0000, Ren Nyo wrote:
>>> I contacted minipli, and he said that the unofficial grsecurity
>>> kernel is
>>> frozen. So we should not wait for him to port KPTI and Meltdown.
>>
>> Looks like there is no progress so far. :(
>>
>> Are there any other options for getting a kernel newer than 4.9.74 with
>> GrSecurity/PaX for personal use, or is it now available only at a
>> high
>> price, i.e. enterprise-only?
>>
>> --
>> WBR, Alex.
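Philipp's advice above hinges on knowing whether the CPU in front of you is actually affected. The following is an added example, not code from any poster, that reads the kernel's sysfs vulnerability reporting (/sys/devices/system/cpu/vulnerabilities/, which recent kernels provide but the 4.9.74 fork itself predates, so run it from a current kernel before deciding to boot the old one) and only returns success when every entry reads "Not affected"; a "Mitigation:" entry means the hardware is affected and the old kernel would leave it exposed. The function name cpu_vuln_status and its directory parameter are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify the running CPU from the
# kernel's sysfs vulnerability files before booting an unmitigated kernel.
# Assumes a kernel that provides /sys/devices/system/cpu/vulnerabilities/.

# cpu_vuln_status [DIR]: print "name: status" per entry and return
#   0  every entry is "Not affected" (unmitigated old kernel is acceptable)
#   1  at least one entry is "Vulnerable" (affected, and currently exposed)
#   2  entries report "Mitigation: ..." or unknown text (affected hardware;
#      an old kernel without the fixes would drop that mitigation)
#   3  DIR is missing (kernel too old to report; cannot decide from here)
cpu_vuln_status() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "no $dir: cannot determine CPU status from this kernel" >&2
        return 3
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        echo "$name: $status"
        case $status in
            "Not affected") ;;
            Vulnerable*) rc=1 ;;
            *) if [ "$rc" -eq 0 ]; then rc=2; fi ;;   # Mitigation/unknown
        esac
    done
    return "$rc"
}
```

Call `cpu_vuln_status` with no argument on the machine in question and act on the return code; pass a directory only when inspecting a copied sysfs tree.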
Re: Current kernel status
On Sun, Sep 2, 2018 at 2:25 PM, Guillaume Ceccarelli
<guillaume@gcs-ventures.com> wrote:
> As far as I know, official grsecurity is the only game in town now. I can’t comment on their pricing for personal use. You might want to get in touch and ask them if you haven’t done so recently.

They currently do not offer a program with "a suitable pricing for
personal use" but also state that they are "exploring alternatives".
(Whatever both those things mean exactly.)

In the meantime they suggest using "minipli's 4.9 unofficial fork",
which is not an attractive option for me.
For the time being I stick with the upstream kernel and hope that they
finally start caring more about security. The Kernel Self Protection
Project might be a start, but I doubt that it will be able to change
the current policy when it comes to features which potentially reduce
the general usability of the kernel.