grsecurity forums

Dear PaX-Team.

I am currently using grsecurity patchset with kernel 3.6.
Last month i tried to use tboot in combination with grsec, but i had problems with the suspend and tool txt-stat.
After 6 reboots, 1 hour of txt kernel documentation i figured out that tboot needs to execute special shared kernel pages in order to communicate with the tboot hypervisor.
I didn't really go into detail, because i hadn't much time. I guess it makes sense to place a warning message in the Kconfig help section of KERNEXEC.
Maybe it's possible to change the pax patch or the tboot hypervisor, otherwise tboot only can be used witout KERNEXEC.

Example KERNEXEC Kconfig changes:

Code: Select all

This is the kernel land equivalent of PAGEEXEC and MPROTECT,
that is, enabling this option will make it harder to inject
and execute 'foreign' code in kernel memory itself.

Warning !
If you use Intel TXT with tboot it is still incompatible
with KERNEXEC, because of shared memory pages
for kernel<->tboot hypervisor communication.
Also beware the tboot memory logging feature.


Sorry for my poor english.

Regards Zaolin

i've been keeping an eye on tboot for some time now but unfortunately i don't get as far as you do on my test box due to some problem here (the SDXC controller chip keeps trying to access an invalid physical address triggering an endless stream of iommu faults). so yes, i'd like to get tboot to work with all of PaX enabled actually but i need user feedback/reports to know what to fix exactly. any particular details you have on what KERNEXEC triggers, etc would be much appreciated.

First some information about the system itself.

system:

Thinkpad T520
bios_version = 1.38

cpu:

Intel(R) Core(TM) Mobile i7-2620M CPU @ 2.70GHz

memory:

4096 MB Main RAM / 4 MB DPR MEM

kernel:

Linux 3.6.2 with Grsecurity Patchset
feature_exclude = PAX_KERNEXEC, Disable privileged I/O

tboot:

version = 1.7.2
acmodul_version = 51
flags = logging=memory min_ram=0x2000000 pcr_map=da
state = runs well without mem logging.
xen = no

errors with this platform config:

txt-stat - "grsec: denied access of range 60000 -> 68000 in /dev/mem by /usr/sbin/txt-stat"

errors without this platform config:

s2ram - "KERNEXEC failure"

At the moment I am very busy, I will work on it in few weeks. The only way for debugging will be a serial interface to kernel and tboot. I think the suspend error occurs in the hypervisor because
if I try to suspend, the system exists with an sexit_done and reboots.

If someone have questions, post it here or email/jabber me at: zaolin@das-labor.org

See you later, Zaolin.

Zaolin wrote:txt-stat - "grsec: denied access of range 60000 -> 68000 in /dev/mem by /usr/sbin/txt-stat"

this is a grsec restriction, spender can fix it for tboot.

s2ram - "KERNEXEC failure"

for this one i'll need any kernel logs (especially oops info) you can get, that'll help me find out which code is not compatible with KERNEXEC.