grsecurity forums

Skip to content

Tboot and PAX KERNEXEC

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

Tboot and PAX KERNEXEC

Postby Zaolin » Wed Nov 07, 2012 7:59 am

Dear PaX-Team.

I am currently using grsecurity patchset with kernel 3.6.
Last month i tried to use tboot in combination with grsec, but i had problems with the suspend and tool txt-stat.
After 6 reboots, 1 hour of txt kernel documentation i figured out that tboot needs to execute special shared kernel pages in order to communicate with the tboot hypervisor.
I didn't really go into detail, because i hadn't much time. I guess it makes sense to place a warning message in the Kconfig help section of KERNEXEC.
Maybe it's possible to change the pax patch or the tboot hypervisor, otherwise tboot only can be used witout KERNEXEC.

Example KERNEXEC Kconfig changes:

Code: Select all
This is the kernel land equivalent of PAGEEXEC and MPROTECT,
that is, enabling this option will make it harder to inject
and execute 'foreign' code in kernel memory itself.

Warning !
If you use Intel TXT with tboot it is still incompatible
with KERNEXEC, because of shared memory pages
for kernel<->tboot hypervisor communication.
Also beware the tboot memory logging feature.


Sorry for my poor english.

Regards Zaolin
Zaolin
 
Posts: 3
Joined: Wed Nov 07, 2012 7:34 am
Top

Re: Tboot and PAX KERNEXEC

Postby PaX Team » Wed Nov 07, 2012 10:03 am

i've been keeping an eye on tboot for some time now but unfortunately i don't get as far as you do on my test box due to some problem here (the SDXC controller chip keeps trying to access an invalid physical address triggering an endless stream of iommu faults). so yes, i'd like to get tboot to work with all of PaX enabled actually but i need user feedback/reports to know what to fix exactly. any particular details you have on what KERNEXEC triggers, etc would be much appreciated.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Re: Tboot and PAX KERNEXEC

Postby Zaolin » Wed Nov 07, 2012 1:18 pm

First some information about the system itself.

system:
    Thinkpad T520
    bios_version = 1.38
cpu:
    Intel(R) Core(TM) Mobile i7-2620M CPU @ 2.70GHz
memory:
    4096 MB Main RAM / 4 MB DPR MEM
kernel:
    Linux 3.6.2 with Grsecurity Patchset
    feature_exclude = PAX_KERNEXEC, Disable privileged I/O
tboot:
    version = 1.7.2
    acmodul_version = 51
    flags = logging=memory min_ram=0x2000000 pcr_map=da
    state = runs well without mem logging.
    xen = no
errors with this platform config:
    txt-stat - "grsec: denied access of range 60000 -> 68000 in /dev/mem by /usr/sbin/txt-stat"
errors without this platform config:
    s2ram - "KERNEXEC failure"

At the moment I am very busy, I will work on it in few weeks. The only way for debugging will be a serial interface to kernel and tboot. I think the suspend error occurs in the hypervisor because
if I try to suspend, the system exists with an sexit_done and reboots.

If someone have questions, post it here or email/jabber me at: zaolin@das-labor.org

See you later, Zaolin.
Zaolin
 
Posts: 3
Joined: Wed Nov 07, 2012 7:34 am
Top

Re: Tboot and PAX KERNEXEC

Postby PaX Team » Wed Nov 07, 2012 7:07 pm

Zaolin wrote:txt-stat - "grsec: denied access of range 60000 -> 68000 in /dev/mem by /usr/sbin/txt-stat"
this is a grsec restriction, spender can fix it for tboot.
s2ram - "KERNEXEC failure"
for this one i'll need any kernel logs (especially oops info) you can get, that'll help me find out which code is not compatible with KERNEXEC.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group
cron