Gentoo Forums
2.6.22-klight2-grsec aka 'speed meets security'

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Sat Aug 18, 2007 1:49 pm    Post subject: 2.6.22-klight2-grsec aka 'speed meets security' Reply with quote

Hi there,

for those who need a fast kernel but also security-features such as grsecurity / pax, here's the solution:

2.6.22-klight2 kudos to Waninkoko

with adaptive+readahead, ipw2200 powertop from kamikaze5 and newest reiser4 (2.6.22-2) patch from namesys + grsecurity-2.1.11-2.6.22.2-200708101800.patch from www.grsecurity.net

disclaimer: no guarantee that it will work for you - it works fine here with latest ati-drivers (8.40.4 & compiz-fusion, mono)

Links:
(most of those are hosted at waninkoko's server, if you need more info ask him)
2.6.22-klight2-grsec-adaptive_readahead-ipw2200_powertop.tar.bz2
description: this is an all-in-one patch and applies to plain/vanilla 2.6.22
the below links are only provided for your convenience, note that they won't apply cleanly if applied one after another !!

2.6.22-klight2
grsecurity-2.1.11-2.6.22.2-200708101800.patch
adaptive+ondemand-readahead-2.6.22.patch
ipw2200-1.2.2-2.6.22.patch
reiser4-for-2.6.22-2.patch.gz

have a lot of fun :!:

Hotfix #1:

sky2_2.6.22.1-to-2.6.23-rc2-mm2.patch
this should help you guys with a sky2 gigabit ethernet controller sort your problems out; this raises sky2's version from 1.14 to 1.16
disclaimer: since I have no access to my rig I can't say if it helps, there's only evidence that it compiles fine & seems to work, see
so please test and report


Hotfix #2:

cfs v19.1 to v20.2 update
see: http://lkml.org/lkml/2007/8/23/75



WARNING:

don't enable grsecurity or pax with this kernel if you're using the reiser4 filesystem on your /root partition !!
this can and will lead to data corruption (namesys currently is investigating this)
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004 :D


Last edited by kernelOfTruth on Thu Aug 23, 2007 10:10 pm; edited 10 times in total

santaclaws
Apprentice


Joined: 05 Jan 2007
Posts: 161
Location: Deeper Underground

PostPosted: Sat Aug 18, 2007 1:54 pm    Post subject: Reply with quote

What does fast mean?

Do you have any comparisons to other kernels? :?:
_________________
Software is like sex. It is better when it is free.

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Sat Aug 18, 2007 2:12 pm    Post subject: Reply with quote

santaclaws wrote:
What does fast mean?

Do you have any comparisons to other kernels? :?:


err, by "fast" I mean it's purely subjectively faster than e.g. the hardened-sources or gentoo-sources

since they include ck-patchset, adaptive readahead, reiser4, cfs scheduler and so on throughput, latency is somewhat lower than default, copying of files is also faster, launch times for apps, etc etc (just my experience)

so try it out :wink:

as already said it's for those who need additional security to 2.6.22-klight2

santaclaws
Apprentice


Joined: 05 Jan 2007
Posts: 161
Location: Deeper Underground

PostPosted: Sat Aug 18, 2007 2:18 pm    Post subject: Reply with quote

Thanks. :D

I will try out that kernel when I have solved my annoying "expat" problems.

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Sat Aug 18, 2007 2:31 pm    Post subject: Reply with quote

one word of advice:

don't use reiser4 on your root-partition and grsecurity-enabled kernels >=2.6.22 since that will definitely lead to data corruption of libuuid.so* and other files

haven't figured out why that happens, but will report it later to namesys

yay! another bug, soon there will be no more, then reiser4 is ready for primetime :wink:


output of paxtest kiddie

Quote:
Mode: kiddie
Linux cathy 2.6.22-klight2-grsec #5 PREEMPT Sat Aug 18 16:04:22 CEST 2007 i686 Intel(R) Pentium(R) M processor 1.73GHz GenuineIntel GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 17 bits (guessed)
Heap randomisation test (ET_EXEC) : 23 bits (guessed)
Heap randomisation test (ET_DYN) : 23 bits (guessed)
Main executable randomisation (ET_EXEC) : 17 bits (guessed)
Main executable randomisation (ET_DYN) : 17 bits (guessed)
Shared library randomisation test : 17 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : No randomisation
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed


paxtest blackhat doesn't even finish :lol:

dtoo
Tux's lil' helper


Joined: 29 Mar 2004
Posts: 86

PostPosted: Mon Aug 20, 2007 2:19 am    Post subject: Reply with quote

No broken-out?
I'm interested in adaptive+readahead. Which version (V12/V16, ...) are you using?

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Mon Aug 20, 2007 10:29 am    Post subject: Reply with quote

as already said, it's simply 2.6.22-klight2 with additional patches from kamikaze5:

adaptive+ondemand-readahead-2.6.22.patch
ipw2200-1.2.2-2.6.22.patch
reiser4-for-2.6.22-2.patch.gz

grsecurity-patch doesn't apply cleanly so you need to modify several files,

therefore I have provided this all-in-one patch, no time to make clean broken-out patches :(

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Mon Aug 20, 2007 8:16 pm    Post subject: Reply with quote

hotfix #1: is out !

this should help you guys with a marvell gigabit ethernet lan chip

sezaru
n00b


Joined: 10 Aug 2006
Posts: 47

PostPosted: Mon Aug 20, 2007 9:02 pm    Post subject: Reply with quote

How do I apply this patch? I tried patch -p1 < 2.6.22-klight2-grsec-adaptive+readahead-ipw2200_powertop.patch but I get a lot of failures. Is there some other way to apply the patch?
Thanks in advance!

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Mon Aug 20, 2007 9:14 pm    Post subject: Reply with quote

sezaru wrote:
How do I apply this patch? I tried patch -p1 < 2.6.22-klight2-grsec-adaptive+readahead-ipw2200_powertop.patch but I get a lot of failures. Is there some other way to apply the patch?
Thanks in advance!


extract vanilla 2.6.22, then change directory into it

Code:
patch -p1 < 2.6.22-klight2-grsec-adaptive+readahead-ipw2200_powertop.patch
or

Code:
patch -p1 < ../2.6.22-klight2-grsec-adaptive+readahead-ipw2200_powertop.patch


dunno why there's fails for you, I'll try it out myself, *fingers crossed* :roll:

update:

applied fine, please try again

sezaru
n00b


Joined: 10 Aug 2006
Posts: 47

PostPosted: Mon Aug 20, 2007 9:28 pm    Post subject: Reply with quote

Ah, I think I get what I'm doing wrong: I tried to apply this patch to my klight-sources and not to vanilla-sources. I will now try to just extract the vanilla and apply the patch. BTW, is there some way to make an ebuild for the patch?
Thanks!

UPDATE:
Now with just vanilla the patch applies fine, good job :D
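
Added example (not from the thread's authors): the failed hunks reported above came from patching a tree that was not vanilla 2.6.22, which a pre-flight check catches before any file is touched. It assumes GNU patch and the usual VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION lines of a 2.6 top-level Makefile; tree_version and apply_checked are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pre-flight check before applying an all-in-one kernel patch.
# Assumes GNU patch; tree_version and apply_checked are hypothetical helpers.

# Print the version recorded in <tree>/Makefile, e.g. "2.6.22" for a vanilla
# tree or "2.6.22.4" for a stable point release (EXTRAVERSION = .4).
tree_version() {
    awk -F'=' '
        /^(VERSION|PATCHLEVEL|SUBLEVEL|EXTRAVERSION)[ \t]*=/ {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val)
            v[key] = val
        }
        END { print v["VERSION"] "." v["PATCHLEVEL"] "." v["SUBLEVEL"] v["EXTRAVERSION"] }
    ' "$1/Makefile"
}

# Usage: apply_checked <tree> <patchfile> [expected-version]
# Returns 3 on a version mismatch and 4 if any hunk would fail; in both
# cases the tree is left untouched.
apply_checked() {
    tree=$1; patchfile=$2; want=${3:-2.6.22}
    # Make the patch path absolute, because patch runs from inside the tree.
    case $patchfile in /*) ;; *) patchfile=$PWD/$patchfile ;; esac
    have=$(tree_version "$tree") || return 2
    if [ "$have" != "$want" ]; then
        echo "refusing: tree is $have, patch expects vanilla $want" >&2
        return 3
    fi
    # --dry-run tests every hunk without writing; -f never prompts, -s is quiet.
    if ! (cd "$tree" && patch -p1 -f -s --dry-run < "$patchfile" > /dev/null); then
        echo "dry run failed, nothing was modified" >&2
        return 4
    fi
    (cd "$tree" && patch -p1 -f -s < "$patchfile")
}
```

A tree that already carries another patchset can still report 2.6.22 in its Makefile; in that case the dry run is the check that stops the apply.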

sezaru
n00b


Joined: 10 Aug 2006
Posts: 47

PostPosted: Mon Aug 20, 2007 11:35 pm    Post subject: Reply with quote

Compiled and running fine, I need no recompile the nvidia driver to make they run again as usual, but now I'm getting a problem: when I open compiz-fusion the system crashes and I need to reset the system by the power button. Is there someone with the same problem?
Thanks in advance!

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Tue Aug 21, 2007 12:19 am    Post subject: Reply with quote

you compiled in grsecurity-stuff?

Code:
emerge paxtest


and post output here

Code:
paxtest kiddie


== ?


AND: please don't ever again reset your linux-box with power-button, for this you have Magic SysRQ

Who or What is the Magic SysRQ Key ? :wink:

just kill everything, then sync, umount partitions and reboot with Magic SysRQ Key :D

sezaru
n00b


Joined: 10 Aug 2006
Posts: 47

PostPosted: Tue Aug 21, 2007 3:52 am    Post subject: Reply with quote

Here is the output:
Code:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
Linux ray=out 2.6.22-klight2-grsec #2 PREEMPT Mon Aug 20 21:28:05 BRT 2007 i686 Unknown CPU Typ AuthenticAMD GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 17 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 23 bits (guessed)
Main executable randomisation (ET_EXEC)  : 17 bits (guessed)
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 17 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed


Hmm, I don't know about the SysRq button, I will remember this next time :lol:
But now it's all screwed up: when I reboot the PC manually my HD has some corruptions, now I can't enter the system with nvidia and nv, just with vesa, but this is not a kernel problem, it's just the signal that I need to change my HD :lol:
But well, with the vesa driver I got my system running and I really like the kernel, very responsive, the way I like, great work!
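
Added example (not part of the original posts and not code from paxtest): the two paxtest logs in this thread differ in the return-to-function rows and in the heap (ET_EXEC) row, and a small shell filter makes such differences between hosts easy to spot. The 16-bit threshold and the function names are assumptions; the sample rows are excerpts of the two logs posted above, with spacing normalised.

```shell
#!/bin/sh
# Added example: triage and compare paxtest logs (not part of paxtest).
# MIN_BITS is an assumed review threshold, not a value from paxtest or the thread.
MIN_BITS=${MIN_BITS:-16}

# Normalise a paxtest log on stdin to "name|result", skipping banner lines.
paxtest_rows() {
    awk '{
        sub(/\r$/, "")
        if (!match($0, /: *(Killed|Vulnerable|No randomisation|[0-9]+ bits \(guessed\)) *$/)) next
        name = substr($0, 1, RSTART - 1); sub(/ +$/, "", name)
        res  = substr($0, RSTART + 1);    gsub(/^ +| +$/, "", res)
        print name "|" res
    }'
}

# Rows that deserve a look: Vulnerable, unrandomised, or below MIN_BITS.
paxtest_findings() {
    paxtest_rows | awk -F'|' -v min="$MIN_BITS" '
        $2 == "Vulnerable" || $2 == "No randomisation" { print; next }
        $2 ~ /bits/ && ($2 + 0) < (min + 0)            { print }'
}

# Tests whose result differs between two log files: "name|first|second".
paxtest_diff() {
    { paxtest_rows < "$1" | sed 's/^/A|/'; paxtest_rows < "$2" | sed 's/^/B|/'; } |
    awk -F'|' '$1 == "A" { a[$2] = $3; next }
               ($2 in a) && a[$2] != $3 { print $2 "|" a[$2] "|" $3 }'
}

# Rows excerpted from the two logs posted in this thread (spacing normalised).
sample_cathy() {
    cat <<'EOF'
Mode: kiddie
Executable stack                         : Killed
Heap randomisation test (ET_EXEC)        : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library data (mprotect): Killed
EOF
}

sample_rayout() {
    cat <<'EOF'
Mode: kiddie
Executable stack                         : Killed
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library data (mprotect): Killed
EOF
}
```

paxtest_diff takes two saved log files, for example the paxtest.log written on each host.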

n0rbi666
l33t


Joined: 04 Mar 2005
Posts: 707
Location: \Poland\Krakow

PostPosted: Tue Aug 21, 2007 4:32 pm    Post subject: Reply with quote

kernelOfTruth wrote:
AND: please don't ever again reset your linux-box with power-button, for this you have Magic SysRQ

Who or What is the Magic SysRQ Key ? :wink:

just kill everything, then sync, umount partitions and reboot with Magic SysRQ Key :D

Sooooo, I can't shut down the system like that: http://gentoo-wiki.com/HOWTO_Shutdown_headless_server_when_power-button_pressed ? I must use alt+sysrq+s, then u, then b (or o)?

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Tue Aug 21, 2007 5:13 pm    Post subject: Reply with quote

naa, there are cases when your X-server just sits there (== hangs) and it doesn't even react to a short tap of the power-button, in that case use magic sysrq key :wink:

what he did was a "hard reset" / "hard shutdown" -> not so good, with the magic sysrq key you can still sync your partitions, umount them & reboot (== safer)

n0rbi666
l33t


Joined: 04 Mar 2005
Posts: 707
Location: \Poland\Krakow

PostPosted: Tue Aug 21, 2007 6:39 pm    Post subject: Reply with quote

kernelOfTruth wrote:
naa, there are cases when your X-server just sits there (== hangs) and it doesn't even react to a short tap of the power-button, in that case use magic sysrq key :wink:

what he did was a "hard reset" / "hard shutdown" -> not so good, with the magic sysrq key you can still sync your partitions, umount them & reboot (== safer)

Aaaa mkay, I see :)

Next question: on what kernel version should I apply the patch? On 2.6.22.4 it doesn't apply cleanly ...

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Wed Aug 22, 2007 8:54 pm    Post subject: Reply with quote

it applies to vanilla-2.6.22

== plain linux-2.6.22.tar.gz / linux-2.6.22.tar.bz2

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Thu Aug 23, 2007 1:04 pm    Post subject: Reply with quote

hotfix #2: is out !

Ishiki
Tux's lil' helper


Joined: 31 Aug 2005
Posts: 86

PostPosted: Fri Aug 24, 2007 3:46 pm    Post subject: Reply with quote

With the new CFS I had some problems loading modules.

Kernel was: 2.6.22-klight2-cfs-v20.1-grsec, modules were installed in /lib/modules/2.6.22-klight2-cfs-v20.1-grsec, but the system wanted to load them from /lib/modules/2.6.22-klight2. I've made a link from /lib/modules/2.6.22-klight2-cfs-v20.1-grsec to /lib/modules/2.6.22-klight2 just to see what will happen. Modules were loaded successfully, but then when rebooted I got some weird kernel oopses that I can't find in logs. It was something about CPU and then some chunks of 0s and 1s I guess.
It will require some more testing.

kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Fri Aug 24, 2007 4:12 pm    Post subject: Reply with quote

please try it again - in the meantime I silently updated to cfs v20.2 (such as Ingo did) ^^

Ishiki
Tux's lil' helper


Joined: 31 Aug 2005
Posts: 86

PostPosted: Fri Aug 24, 2007 5:58 pm    Post subject: Reply with quote

This is bad, really bad.

I've unpacked vanilla, patched with 2.6.22-klight2-grsec-adaptive_readahead-ipw2200_powertop.patch and then with update to cfs 20.2 and kernel became even less usable. Firefox doesn't work with it.
I don't know, maybe it's fixed in 20.3 :D

Anyway, here's the photo of the kernel oopses when rebooting the system:

Code:
http://images21.fotosik.pl/380/12ec3eee2d3ec3d7.jpg


EDIT. And I haven't had grsec / pax enabled in the config.