Greetings!
Well, I've been working on this for a while, but I think I finally have grsecurity working with Xen 3.0.2 paravirtualization. I tried this before, but it was nearly impossible because Xen treated the linux kernel like a subsystem of itself. Patching a vanilla kernel with Xen completely replaced several parts of the kernel. To circumvent this we decided to try out Xen's HVM full virtualization. That didn't work out so well. Not only did we have to buy a really expensive server to get Intel VT-x enabled chips, but the performance is horrible. I know the guys over at xensource are working hard on replacing the qemu emulation system with a better and faster system, but there is no way I can deploy the current implementation on production systems. That's when I started thinking.... Xen is trying to merge itself with the mainstream kernel. So in the current release, Xen doesn't become it's own arch and replace large parts of the kernel. Instead it tries to appear more like a driver or a service. As a matter of fact, I think it's offically a subarch of i386 and x86_64 now.
Then I thought If I'm going to be running linux on Xen, why the heck would I ever want to fully virtualize something that should be paravirtualized. All I'm getting out of the deal is a big performance hit.
Anyway, I got cracking on fixing the .rej's that are produced when applying grsecurity-2.1.9-2.6.16.19-200606041421.patch to a Xen patched kernel tree. After the smoke cleared, I fired up Dom0 and lo and behold grsec worked there! Then I fired up a paravirtualized DomU and again grsec worked there too!
I haven't tested everything, just x86_64 Dom0 and DomU's. I'm afraid to try the i386 arch because Xen replaces arch/{i386,x86_64}/mm/fault.c with fault-xen.c. The x86_64 version was almost identical to the kernel.org version, so finding out where the code in the patch should go was easy. The i386 version wasn't so easy, and I'm not sure if I got it right.
I didn't have to change any code at all, I just had to find the proper place to put the code when the patch failed. I'm a lousy programmer, so I'm glad I didn't have to guess. If any real developers out there use Xen, please give this a try and let me know if I screwed anything up.
How to use the patch.
First, get the Xen Source. Then unpack it, chdir into the top level tree and do a make. This will download the vanilla 2.6.16 kernel from kernel.org, patch the hell out of it and build it. Once that's done, cd into linux-2.6.12-xen and make mrproper (I suppose make clean would work as just well), then apply this patch. Then cd back into the Xen source directory and run rm -fR dist/install/* && make linux-2.6-xen-config CONFIGMODE={menuconfig,xconfig} and configure your kenrel and grsec. Next run make linux-2.6-xen-build && make linux-2.6.-xen-install. Then cd dist && ./install.sh.
I tried to create a patch that could just be copied into the xen-3.0.2/patches/linux-2.6.16/ directory and auto-applied but I'm not having any luck there.
I'm hosting this Xen patch from my box at home, so it's availability is really up to Cox Communications and the electric company. If anyone has a place more accessible, please stash it and link to it. If not, I'll try to get it up somewhere on CCBill's network.