grsecurity-3.1-4.5.7-201606302132 kernel fails to boot


Postby x14sg1 » Sun Jul 03, 2016 9:24 am

Hello,

I have a new laptop (Dell Inspiron 7559 with an I7-6700HQ 2.6G processor) running kernel 4.5.7 w/grsecurity-3.1-4.5.7-201606302132.patch

When I try to boot that kernel, all I see on the screen is:

Booting '4.5.7-grsec'
Loading Linux 4.5.7-grsec ...

It does not get far enough to give me any output using netconsole

Vanilla 4.5.7 and 4.6.3 kernels boot fine

If there is anything you want me to try, please let me know. I will try a few other 4.5.7 patches later today to see if it ever worked along with disabling things like KERNEXEC, UDEREF, etc. also.

Here are the GRKERNSEC/PAX config options from my kernel (I can send the whole thing to whoever wants it)

CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
CONFIG_GRKERNSEC_CONFIG_SERVER=y
# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_EPT is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_KVM is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
CONFIG_GRKERNSEC_PROC_GID=756
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=1005
CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
# CONFIG_PAX_RAP is not set
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_BPF_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_RENAME=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_HARDEN_TTY=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=1005
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_DENYUSB=y
# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: grsecurity-3.1-4.5.7-201606302132 kernel fails to boot

Postby spender » Sun Jul 03, 2016 11:17 am

Are you using UEFI? The PaX Team is currently looking into this.

Thanks,
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: grsecurity-3.1-4.5.7-201606302132 kernel fails to boot

Postby x14sg1 » Sun Jul 03, 2016 4:59 pm

Thanks for the reply.

I am running UEFI and forgot to mention that I disabled Trusted Boot.
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: grsecurity-3.1-4.5.7-201606302132 kernel fails to boot

Postby x14sg1 » Sun Jul 03, 2016 6:45 pm

A quick test of disabling KERNEXEC and UDEREF allows the boot
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: grsecurity-3.1-4.5.7-201606302132 kernel fails to boot

Postby x14sg1 » Sun Jul 03, 2016 8:07 pm

It does not boot with UDEREF OFF and KERNEXEC ON
It boots with UDEREF ON AND KERNEXEC OFF
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: grsecurity-3.1-4.5.7-201606302132 kernel fails to boot

Postby x14sg1 » Sun Jul 03, 2016 8:21 pm

After looking through previous KERNEXEC issues here, I should also point out I am using GRUB2

Also, DEBUG_INFO prints no additional information
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: grsecurity-3.1-4.5.7-201606302132 kernel fails to boot

Postby x14sg1 » Mon Jul 04, 2016 12:53 pm

It boots with KERNEXEC ON if I boot with "efi=old_map"
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: grsecurity-3.1-4.5.7-201606302132 kernel fails to boot

Postby PaX Team » Tue Jul 05, 2016 3:54 am

can you also try the PaX patch alone for 4.6 (not 4.5)? it too has similar changes but with upstream's removal of lots of DEBUG_RODATA conditionals, i'm wondering if that works better.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsecurity-3.1-4.5.7-201606302132 kernel fails to boot

Postby x14sg1 » Tue Jul 05, 2016 10:15 am

4.6.3 with just the pax-linux-4.6.3-test9.patch boots

Any idea when 4.6.3 will be released (I did see you were waiting for some user reports)?
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: grsecurity-3.1-4.5.7-201606302132 kernel fails to boot

Postby x14sg1 » Tue Jul 05, 2016 10:26 pm

It boots with grsecurity-3.1-4.6.3-201607051723.patch and I do not need "efi=old_map"

Thank you
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm
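
Added example, not part of the thread and not grsecurity code: a shell check for the combination the reports above narrow the 4.5.7 failure down to (KERNEXEC enabled, UEFI boot, no "efi=old_map" on the kernel command line). The function names and verdict strings are made up for this example, and the demo inputs are constructed.

```shell
#!/bin/sh
# Hypothetical helpers; verdicts only describe the combination reported in
# this thread for grsecurity-3.1-4.5.7-201606302132, not other patches.

# config_on FILE OPTION: true only for an exact "CONFIG_<OPTION>=y" line.
# "# CONFIG_<OPTION> is not set" and longer names such as
# CONFIG_PAX_KERNEXEC_PLUGIN=y must not count as CONFIG_PAX_KERNEXEC.
config_on() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# has_old_map CMDLINE: true if an efi= parameter lists old_map.
# efi= takes a comma-separated list, so efi=debug,old_map also counts.
has_old_map() {
    for tok in $1; do
        case "$tok" in
            efi=*)
                case ",${tok#efi=}," in
                    *,old_map,*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# triage CONFIG CMDLINE EFI_DIR: print one verdict word.
# EFI_DIR is /sys/firmware/efi on a live system (present only on UEFI boots).
triage() {
    config_on "$1" PAX_KERNEXEC || { echo kernexec-off; return; }
    [ -d "$3" ] || { echo not-uefi; return; }
    if has_old_map "$2"; then echo workaround-present; else echo matches-report; fi
}

# Demo on constructed inputs (a temp dir stands in for /sys/firmware/efi).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_PAX_KERNEXEC_PLUGIN=y' 'CONFIG_PAX_KERNEXEC=y' \
        '# CONFIG_PAX_RAP is not set' > "$d/config"
    mkdir "$d/efi"
    triage "$d/config" "root=/dev/sda2 ro quiet" "$d/efi"
    triage "$d/config" "root=/dev/sda2 ro efi=old_map" "$d/efi"
    rm -rf "$d"
}
demo
```

On a running system the call would be: triage "/boot/config-$(uname -r)" "$(cat /proc/cmdline)" /sys/firmware/efi (the config path is an assumption; distributions differ).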

