You are not logged in.
- Topics: Active | Unanswered
#2926 Re: Installation » The most secure hardened kernel » 2019-05-01 19:55:10
where can I see a progress and status of KSPP?
https://git.kernel.org/pub/scm/linux/ke … curity.git
How the latest KSPP does compare to Grsecurity 4.9 and latest?
https://grsecurity.net/compare.php
Head_on_a_Stick wrote:In other distributions, Arch Linux have a linux-hardened kernel version and Parabola GNU/Linux-Libre have a linux-libre-xtreme kernel that also has a "hardened" configuration.
Are these hardened kernels hardened by KSPP?
I think they use the configurations recommended by the KSPP, check the upstream sources for the details.
For example: https://git.archlinux.org/svntogit/pack … x-hardened
There are opinions that a universal patch like Grsecurity prevents more potential new yet unknown security related problems than many up to date fixes to specific already discovered issues.
That may very well be the case but forward-porting an old patch to a newer kernel is not at all easy to do, may not work properly and might introduce more bugs & vulnerabilities.
This is why Alpine decided to drop their grsec-patched kernel version, see my mailing list link for the discussion.
Then what FS shall be used on a secured host?
OpenBSD's filesystem is probably the most secure 
For GNU/Linux I really don't know and I'm probably not the best person to ask anyway.
is it possible to do the same for ARM Cortex A7/A53? Are these CPUs immune for Spectre?
Head_on_a_Stick wrote:No, they are not:
https://developer.arm.com/support/arm-s … nerabilityI did not find the models I mentioned in your list. These models (A7 and A53) have in order execution without speculative.
Yes, sorry, I was wrong about that.
Is an idea of nesting virtual machines with such different hardened kernels (each with mitigation) good for improving whole security of the system and isolation of guests if full emulation like Bochs is used on each level?
If you want to use hypervisors for isolation then look at Xen instead.
Or vmm(4)
#2927 Re: Hardware & System Configuration » Uefi trouble » 2019-05-01 19:36:05
Head_on_a_Stick wrote:To clear the troublesome NVRAM entry try
# efibootmgr -b 0004 -BWhen you look at the end of the first code box, you see I tried this.
Oh dear, sorry Rolf, I was tired when I posted that.
Would a clear CMOS possibly help?
Unlikely, the entries are stored on non-volatile memory (NVRAM).
#2928 Re: Hardware & System Configuration » Uefi trouble » 2019-04-30 20:47:11
When I try to invoke the Windows installation from grub I get an error that the UUID of the Windows (efi) partition is wrong which is not the case, its the same blkid presents.
Try creating a file at /boot/grub/custom.cfg with this content:
menuentry 'Custom Windows Boot' {
set root=(hd0,1)
chainloader efi/Microsoft/Boot/bootmgfw.efi
}If you reboot and select the 'Custom Windows Boot' entry, does that work?
If not then please post the Windows menuentry from grub.cfg along with the output of blkid.
To clear the troublesome NVRAM entry try
# efibootmgr -b 0004 -B#2929 Re: Installation » The most secure hardened kernel » 2019-04-30 20:32:37
OK, I can't really answer all of your questions (nor am I qualified to do so but that doesn't usually stop me) but I can raise some points.
what are my options today for a secured kernel?
There is a hardening-runtime package in beowulf/ceres that adds sysctl & kernel command line options recommended by the kernel self-protection project that should make the system significantly more secure but note that the sysctl options are applied by a systemd unit file, which won't work in Devaun, so you will have to add them manually instead.
In other distributions, Arch Linux have a linux-hardened kernel version and Parabola GNU/Linux-Libre have a linux-libre-xtreme kernel that also has a "hardened" configuration.
Can I use a relatively old kernel v4.9 with a recent level of userspace like Beowulf testing or even newer?
I would think so, yes, the kernel is fairly self-contained.
But don't run an unsupported kernel version, new vulnerabilities are discovered all the time.
How can I compile ZFS on a libre+grsec kernel?
I don't know but have you got a recent grsec version?
The current grsec configuration is only available at a monetary cost, Alpine Linux dropped their grsec kernel version because they believed applying the last freely-available patches to a current kernel version was not a good approach:
https://lists.alpinelinux.org/alpine-devel/5626.html
And in respect of ZFS, the codebase for that filesystem alone is bigger than the code for the entire OpenBSD base system so the attack surface is *huge* and IMO it is not a good choice for the security-conscious user.
is it possible to do the same for ARM Cortex A7/A53? Are these CPUs immune for Spectre?
No, they are not:
https://developer.arm.com/support/arm-s … nerability
They have mitigations in place under Linux though (as does the x86 architecture).
Can I use in Devuan a Linux kernel from another distro like Alpine, Pentoo, Gentoo hardened, etc. ?
Try it and see :-)
Probably better to copy the configuration and roll your own though (compiled under whichever operating system you are using).
How can I remove BLOBS from a general non libre kernel?
Compile your own version instead.
And anyway are you not worried about the firmware blobs on components that do not update from the operating system?
For example, your hard drive controllers are sufficiently complex to pwn your machine: can you say "Stuxnet"?
It seems HardenedBSD has a fix for Spectre mitigation.
So do Linux & OpenBSD.
#2930 Re: Devuan Derivatives » Help on deuvan derivate exelinux on old compaq evo N1005v » 2019-04-29 19:25:46
They find an error like this,
radeon_cp: Failed to load firmware "radeon/R100_cp.bin
The kernel runs through a list of firmware until it finds one it can load for the device so check the full dmesg(1) output to see if any firmware is actually loaded:
# dmesg | grep firmware#2931 Re: Installation » [Solved] apt sources list retrieve? » 2019-04-29 19:22:31
Try
# apt edit-sourcesThat will open /etc/apt/sources.list in the editor of your choice and check the syntax before saving the file so you don't make any mistakes.
#2932 Re: DIY » Linux ports of OpenBSD's ksh » 2019-04-24 20:53:10
Version 6.5-1 is building now
It should be available soon.
EDIT: now in the repository.
#2933 Re: Devuan Derivatives » Help on deuvan derivate exelinux on old compaq evo N1005v » 2019-04-24 18:20:47
Have you installed the non-free firmware required by the AMD graphics card?
You can use gbd to investigate the segfault (if the firmware is already installed or doesn't fix them), I think Devuan has debug repositories containing packages compiled with the debug flags enabled.
#2934 Re: Installation » Installing devuan to lvm partitions within dm-crypt container » 2019-04-22 16:49:53
^ Copy the patch to a file at /tmp/cryptdisks.patch, remove the .orig bit in the first line and then run this command as root:
cd /lib/cryptsetup && patch -p1 < /tmp/cryptdisks.patchProbably wise to backup the file first though:
# cp /lib/cryptsetup/cryptdisks.functions{,.bak}EDIT: ninja'd by rolfie...
#2935 Re: Installation » error when installing task-xfce-desktop in beowulf » 2019-04-22 16:42:19
Can we see
apt policyThe Devuan merged repositories seem to have problems at the moment (as rolfie notes) so perhaps your system is falling back to the Debian repositories.
#2936 Re: Desktop and Multimedia » Devuan and WireGuard / Mullvad VPN » 2019-04-22 16:37:36
I don't have the necessary skills
Me neither, that's why it didn't work 
Is it possible to remove what we have done so far?
Of course: just run
# update-rc.d -f wireguard remove
# rm /etc/init.d/wireguardexcuse the trouble
That's OK, it was no trouble at all.
Sorry I couldn't get it working for you.
#2937 Re: Installation » error when installing task-xfce-desktop in beowulf » 2019-04-22 14:29:21
E: Failed to fetch http://deb.debian.org/debian/pool/main/w/webkit2gtk/libjavascriptcoregtk-4.0-18_2.22.7-1_amd64.deb 404 Not Found [IP: 151.101.12.204 80] E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
Why is your Devuan system attempting to download stuff from Debian's repositories?
why does neofetch say OS: Devuan GNU/Linux beowulf/ceres x86_64
#2938 Re: Desktop and Multimedia » Devuan and WireGuard / Mullvad VPN » 2019-04-22 14:19:14
In which case check the journal logs to find out what's going wrong and then fiddle with the service file to get it to work.
#2939 Re: Desktop and Multimedia » Devuan and WireGuard / Mullvad VPN » 2019-04-22 12:20:18
# chmod +x /etc/init.d/wireguard#2940 Re: Desktop and Multimedia » Devuan and WireGuard / Mullvad VPN » 2019-04-22 11:30:34
Yes.
Thinking about this a bit more: you may have to add networking to the Required-Start line to get the network up before the VPN is started but I'm not really sure.
I can't believe you full-quoted me again though (and even included the request to stop full-quoting in the quote). Ah well.
#2941 Re: Desktop and Multimedia » Devuan and WireGuard / Mullvad VPN » 2019-04-22 10:22:40
with the extension .ini
No "extension" is needed, that's a Windows thing. And .ini-style files are what systemd uses.
Also, please don't full quote for a straight reply, it reduces the readability of the thread.
#2942 Re: Desktop and Multimedia » Devuan and WireGuard / Mullvad VPN » 2019-04-22 08:53:32
The wgquick@.service unit file uses the .ini style ('cos the devs love Windows, presumably) and so cannot be used with sysvinit, you will need to convert it to a shell script instead.
Something like this executable file in /etc/init.d/wireguard might work:
#!/bin/sh -e
### BEGIN INIT INFO
# Provides: wireguard
# Required-Start: mountkernfs $local_fs
# Required-Stop: $local_fs
# Default-Start: S
# Default-Stop: 0 6
# Short-Description: WireGuard via wg-quick(8)
### END INIT INFO
. /lib/init/vars.sh
. /lib/lsb/init-functions
do_start() {
/usr/bin/wg-quick up mullvad-se4
}
do_stop() {
/usr/bin/wg-quick down mullvad-se4
}
case $1 in
(start|restart|reload|force-reload)
do_invoke start
;;
(stop)
do_invoke stop
;;
(*)
echo >&2 "Usage: $0 {start|stop|restart|reload|force-reload}"
exit 3
;;
esacEnable it with
# update-rc.d wireguard defaultsDisclaimer: I'm crap with sysvinit scripts so perhaps wait for somebody to point out my mistakes before trying this.
#2943 Re: Desktop and Multimedia » Devuan and WireGuard / Mullvad VPN » 2019-04-21 20:42:57
Here is the unit file:
https://git.zx2c4.com/WireGuard/plain/s … k@.service
The ExecStart line is the command that is executed by the unit file, replace %i with mullvad-se4 and incorporate it into a boot script for sysvinit.
#2944 Re: Devuan Derivatives » MiyoLinux Portable » 2019-04-21 19:29:42
I'm sorry Miyo, I think I'm going to have to admit defeat here 
I tried rebuilding the image again and now I can't get rid of the delay at all, $DEITY only knows how I managed it originally but it wasn't because of 0040-sudo.
For the record the rebuild was based on this function:
function mkiso {
xorriso -as mkisofs \
-iso-level 3 \
-full-iso9660-filenames \
-volid sharpbang_stretch \
-eltorito-boot isolinux/isolinux.bin \
-eltorito-catalog isolinux/boot.cat \
-no-emul-boot -boot-load-size 4 -boot-info-table \
-isohybrid-mbr isolinux/isohdpfx.bin \
-eltorito-alt-boot \
-e boot/grub/efi.img \
-no-emul-boot -isohybrid-gpt-basdat \
-output ../"$1" ./
}But I removed the EFI-related lines and that must be what fixed things but I can't remember exactly what I removed and now I can't recreate it.
Sorry d00d.
#2945 Re: Devuan Derivatives » MiyoLinux Portable » 2019-04-20 19:56:32
OK, so different command this time
I will have a poke around when I've got time and see if I can get to the bottom of this.
Which method are you using to build the images?
#2946 Re: Other Issues » Is the debian/devuan merge working right? » 2019-04-20 19:00:13
wondering if it is a typo.
No, it's brace expansion
Try the command yourself, I did check before posting it.
#2947 Re: Devuan Derivatives » MiyoLinux Portable » 2019-04-20 18:56:42
You could use pastebinit to generate a URL that you can post instead.
journalctl -u live-config --no-p | pastebinit#2948 Re: Other Issues » Is the debian/devuan merge working right? » 2019-04-20 18:30:39
The repositories are updating for me:
23 packages can be upgraded. Run 'apt list --upgradable' to see them.You should probably post all of your sources:
grep -v '^#\|^$' /etc/apt/sources.list{,.d/*}#2949 Re: DIY » Linux ports of OpenBSD's ksh » 2019-04-20 18:20:36
Version 6.4-3 is out.
I made a mistake (again) with the binary location that broke the alternatives and I didn't notice 'cos my systems are /usr-merged.
It's fixed now.
OpenBSD 6.5 is due out very soon so I think we'll see v6.5 of loksh shortly afterwards.
#2950 Re: Devuan Derivatives » MiyoLinux Portable » 2019-04-20 18:18:28
I did run your listed command in the live session, but nothing stood out to me
Can you post it here then?
I don't have the modified image any more (my storage space is limited) so I'll have to make another one to check at my end.
Board footer
