Problems with 2.6.24.2-grsec

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Problems with 2.6.24.2-grsec

Postby icc » Wed Feb 20, 2008 12:23 pm

Hi, I'm sorry if this problem might not be directly linked to grsec, but it seems to be.

I've installed ubuntu-server distro on a hp proliant ml370 g3, and now I've been trying to compile a 2.6.24.2 kernel with the grsec-patch released on februar 15th. Haven't tried the patch released yesterday(19th) yet thou, maby I'll try tonight. Has the EFI error been fixed? Additonal info: disabled EFI and VSDO.

The problem:
I used the standard .config from the kernel-headers-2.6.22-14-server, applied patch, etc. On first boot I got:
Code: Select all
check root= bootarg cat /proc/cmdline or missing modules, devices cat /proc/modules ls /dev/
ALERT! /dev/disk/by-uuid/a99bdda0-44a3-4811-8cc4-2d315ff97756 does not exist.
Dropping to shell!

I added the cciss module to /etc/modules and that did the trick. Maby I rather should have loaded it in initramfs? Donno how the standard ubuntu-kernel got the module loaded, if it was initramfs or something else. But now the problem is that the kernel hangs on "Loading linux...". If I remove the quiet and splash options the last thing I see is that he finds the cciss0 devies and prints some info, and then it hangs forever. Could it be the modprobe error described in another thread?

I'm no kernel expert, so go easy on me :oops:
Help appreciated, .config

*** SOLVED ***
See post 9 for solution!
Last edited by icc on Sun Apr 27, 2008 9:29 am, edited 1 time in total.
icc
 
Posts: 11
Joined: Thu Nov 08, 2007 12:52 pm

Re: Problems with 2.6.24.2-grsec

Postby xstasi » Wed Feb 20, 2008 12:39 pm

Ubuntu identifies devices with an UUID, and i don't think that vanilla Linux has UUID support.
Try replacing the /dev/by-uuid/blah string with /dev/sdb9 or whatever is your root device
xstasi
 
Posts: 13
Joined: Tue Feb 19, 2008 10:09 am

Re: Problems with 2.6.24.2-grsec

Postby icc » Wed Feb 20, 2008 1:42 pm

I've got a vanilla kernel (2.6.23.1) running with grsec on another ubuntu server, using uuid, so I don't think the problem lies there. But thanks for the input!
icc
 
Posts: 11
Joined: Thu Nov 08, 2007 12:52 pm

Re: Problems with 2.6.24.2-grsec

Postby icc » Thu Feb 21, 2008 4:38 pm

It seems to me that it's an option in grsec that causes trouble for the cciss module, or it's something wrong with the cciss module in 2.4.26.2. I'll try to compile the same kernel without the grsec to see what happens.

Here's the last output before computer hangs:
Code: Select all
...
Ramdisk driver initialized: 16 RAM disks of 65536K size 1024 blocksize
Compaq SMART2 Driver (v 2....)
HP CISS Driver (v 3.6...)
ACPI: PCI Interrupt 0000:02:01.0[A] -> CSI 16 (level, low) -> IRQ 16
cciss0: (0x46) at PCI 0000:02:01.0 IRQ 223 using DAC
      blocks= 35553120 block_size= 512
      heads=255, sectors=32, cylinders=4357
     
      blocks= 213367680 block_size= 512
      heads=255, sectors=32, cylinders=26140

And now nothing happens.
The version numbers isn't there since I couldn't clearly see them on the screenshot.

Is there a way I could turn on more debugging so I can clearly see what happens?
icc
 
Posts: 11
Joined: Thu Nov 08, 2007 12:52 pm

Re: Problems with 2.6.24.2-grsec

Postby PaX Team » Sat Feb 23, 2008 1:54 pm

icc wrote:It seems to me that it's an option in grsec that causes trouble for the cciss module, or it's something wrong with the cciss module in 2.4.26.2. I'll try to compile the same kernel without the grsec to see what happens.
try to disable PaX features and see if anything changes in behaviour (at a guess, KERNEXEC/UDEREF might interfere although that should also be a visible oops). next, can you set up netconsole or serial and get a boot log for both a working and failing boot so that they can be compared?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Problems with 2.6.24.2-grsec

Postby PaX Team » Sat Feb 23, 2008 2:01 pm

PaX Team wrote:try to disable PaX features and see if anything changes in behaviour (at a guess, KERNEXEC/UDEREF might interfere although that should also be a visible oops). next, can you set up netconsole or serial and get a boot log for both a working and failing boot so that they can be compared?
i just remembered that it's KERNEXEC that isn't compatible with a particular cciss driver feature (it calls some Compaq BIOS functions), so you'll have to choose between the two. for a proper fix i'd need documentation on what the requirements for these BIOS calls are but such information doesn't seem to be available.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Problems with 2.6.24.2-grsec

Postby icc » Mon Feb 25, 2008 9:24 am

Here the dmesg of a working system: dmesg

I tried to disable the whole section under:
Security options ---> PaX ---> Non-executable pages ---> [ ] Enforce non-executable pages
Donno if that's what you meant by kernexec.

But the output the same as previously posted, one exeption, I removed the Compaq Smart2 module since it's not needed.

Next I'll just try to disable the whole PaX section :cry:
icc
 
Posts: 11
Joined: Thu Nov 08, 2007 12:52 pm

Re: Problems with 2.6.24.2-grsec

Postby icc » Mon Feb 25, 2008 11:02 am

I disabled grsec and pax and the problem still consists. My guess is either that the grsec patch brakes the cciss module or that the cciss module is broken in 2.6.24.2. The latter makes no sense to me as the cciss version (3.6.14) is the same in 2.6.22.14 and 2.6.24.2.

I guess I'll just have to stick with the default ubuntu-server image :cry:
icc
 
Posts: 11
Joined: Thu Nov 08, 2007 12:52 pm

*** SOLVED ***

Postby icc » Sun Apr 27, 2008 9:27 am

Ok, so the problem did not involve grsec at all. The problem is changes in the 2.6.23/24/25 ++ where some calls or something is made different, I dont know the exact cause, but I have a solution! It's as simple as upgrading the firmware on the HP Smart Array controller. As HP always says, they recommand using the lastest firmware!

And also grsec seems to work perfectly with the cciss module!

Hope this can be helpfull to others with HP Smart Array controllers or HP servers.

Big thanks to you all for letting me waste your time with this :D
icc
 
Posts: 11
Joined: Thu Nov 08, 2007 12:52 pm


Return to grsecurity support

cron