grsecurity forums

[laen]

Good day all,

I've been running all my kernels with plugin method OR (CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR), until building the 3.10 kernel that introduced the SSSE3/AVX/AVX2 improved SHA's (SHA1, SHA256 and SHA512) in the Cryptographic API, resulting in a kernel panic at boot. It's taken a bit to figure out it was the PaX plugin method (or the SSSE3/AVX/AVX2-improved code of course), but everything seems to be pointing at it.

The strangest thing however, is that the only one requiring BTS, is the SHA512 one (CONFIG_CRYPTO_SHA512_SSSE3), and the SHA1 (CONFIG_CRYPTO_SHA1_SSSE3) and SHA256 (CONFIG_CRYPTO_SHA256_SSSE3) don't seem to suffer.

Some things I noticed: building them all as modules, the SSSE3/AVX/AVX2 improved SHA1 and SHA256 can be loaded and used in any order, the kernel will panic if the SHA256 is loaded after the SHA512. The size of the SHA512 assembly code is roughly twice as big as the SHA256 one.

Can anyone confirm these findings, or is there something else going on that might result in the requirement of BTS instead of OR? I personally haven't tested 3.11 yet.

Thanks in advance!

[PaX Team]

you should try 3.11 as we stopped working on 3.10 already and if that still fails then also post the detailed oops message please.

[laen]

you should try 3.11 as we stopped working on 3.10 already and if that still fails then also post the detailed oops message please.

Couldn't modify the post, as it was awaiting approval, but the 3.11 kernel no longer requires plugin method BTS (there were quite some changes in the SSSE3/AVX/AVX2 improved code between 3.10 and 3.11 for the Crypto API). Thanks for the help, though, topic can be closed and archived.