Gentoo Archives: gentoo-commits

From: "Anthony G. Basile (blueness)" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/uclibc: index.xml lilblue.xml
Date: Mon, 03 Jun 2013 01:43:30
Message-Id: 20130603014327.5DB0D2171D@flycatcher.gentoo.org
1 blueness 13/06/03 01:43:27
2
3 Modified: index.xml
4 Added: lilblue.xml
5 Log:
6 Add documentation about Lilblue
7
8 Revision Changes Path
9 1.9 xml/htdocs/proj/en/hardened/uclibc/index.xml
10
11 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?rev=1.9&view=markup
12 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?rev=1.9&content-type=text/plain
13 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?r1=1.8&r2=1.9
14
15 Index: index.xml
16 ===================================================================
17 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml,v
18 retrieving revision 1.8
19 retrieving revision 1.9
20 diff -u -r1.8 -r1.9
21 --- index.xml 31 May 2013 16:15:02 -0000 1.8
22 +++ index.xml 3 Jun 2013 01:43:27 -0000 1.9
23 @@ -37,8 +37,9 @@
24
25 <p>
26 Continued developments in uClibc have made it increasingly suitable for fully
27 -featured systems, even desktops. The recent addition of the native POSIX thread
28 -library (see <uri link="http://en.wikipedia.org/wiki/Native_POSIX_Thread_Library">nptl</uri>)
29 +featured systems, like <uri link="lilblue.xml">Lilblue</uri>, our security-enhanced,
30 +fully featured XFCE4, amd64 desktop built on uClibc. The recent addition of the native POSIX
31 +thread library (see <uri link="http://en.wikipedia.org/wiki/Native_POSIX_Thread_Library">nptl</uri>)
32 meant that we could finally implement our complete complement of tool chain
33 hardening from glibc:
34 </p>
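Review bot: the inserted clause "our security-enhanced, fully featured XFCE4, amd64 desktop built on uClibc" stacks comma-separated modifiers so that "XFCE4, amd64" reads like a list; consider "a security-enhanced, fully featured XFCE4 desktop for amd64, built on uClibc". Also note that the relative target of `<uri link="lilblue.xml">` is the file added in this same commit, so the link only resolves once both files are published together.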
35 @@ -86,7 +87,7 @@
36 <ti>Generic</ti>
37 <ti>Yes</ti>
38 <ti>Yes</ti>
39 - <ti>stage3 desktop</ti>
40 + <ti>stage3 <uri link="lilblue.xml">desktop</uri></ti>
41 <ti>[mirror]/experimental/amd64/uclibc</ti>
42 </tr>
43 <tr>
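Review bot: linking only the word "desktop" in `<ti>stage3 <uri link="lilblue.xml">desktop</uri></ti>` gives the reader no cue where the link goes, and a one-word link inside a table cell is easy to miss; name the target, e.g. `<ti>stage3 desktop (<uri link="lilblue.xml">Lilblue</uri>)</ti>`, or link the whole cell text.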
44
45
46
47 1.1 xml/htdocs/proj/en/hardened/uclibc/lilblue.xml
48
49 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/lilblue.xml?rev=1.1&view=markup
50 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/lilblue.xml?rev=1.1&content-type=text/plain
51
52 Index: lilblue.xml
53 ===================================================================
54 <?xml version="1.0" encoding="UTF-8"?>
55 <?xml-stylesheet href="/xsl/project.xsl" type="text/xsl"?>
56 <?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
57 <!DOCTYPE project SYSTEM "/dtd/project.dtd">
58 <project>
59
60 <name>Lilblue</name>
61 <longname>Lilblue: A security-enhanced, fully featured XFCE4, amd64 Gentoo desktop,
62 built on uClibc</longname>
63
64 <description>
65 "Lilblue" is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop,
66 built on uClibc.
67 </description>
68
69 <longdescription>
70 <p>
71 "Lilblue", named after the <uri link="https://en.wikipedia.org/wiki/Little_Penguin">Little Blue Penguin</uri>
72 of New Zealand, a smaller cousin of the <uri link="https://en.wikipedia.org/wiki/Gentoo_Penguin">Gentoo</uri>,
73 is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop, built on uClibc.
74 </p>
75 <p>
76 The "security-enhancement" comes from a toolchain which builds all of userland
77 </p>
78 <ul>
79 <li>with <uri link="http://en.wikipedia.org/wiki/Stack-smashing_protection">stack smashing protection</uri>
80 and <uri link="http://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html">stack-check</uri>,</li>
81 <li>as <uri link="https://en.wikipedia.org/wiki/Position-independent_code">position independent executables</uri>
82 --- even executables are marked ET_DYN</li>
83 <li>with hardened linking --- relocation read only and no lazy binding
84 (<uri link="https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only">relro and bindnow</uri>),</li>
85 <li>with a non-executable stack, only RW permitted on a GNU_STACK phdr,</li>
86 </ul>
87 <p>
88 and a kernel which provides:
89 </p>
90 <ul>
91 <li>various memory protection features for processes
92 (<uri link="http://pax.grsecurity.net/docs/pageexec.txt">PAGEEXEC</uri>,
93 <uri link="http://pax.grsecurity.net/docs/mprotect.txt">MPROTECT</uri>,
94 <uri link="http://pax.grsecurity.net/docs/randmmap.txt">RANDMMAP</uri>,
95 <uri link="http://pax.grsecurity.net/docs/emutramp.txt">EMUTRAMP</uri>),</li>
96 <li>an <uri link="http://pax.grsecurity.net/docs/aslr.txt">enhanced address space layout
97 randomization</uri> in conjunction with PIE above,</li>
98 <li>numerous internal and kernel-userland surface hardening features,</li>
99 </ul>
100 <p>
101 See <uri link="http://pax.grsecurity.net/docs">PaX</uri> and
102 <uri link="https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">grsecurity</uri>
103 for more information on the various hardening features in the kernel. If you want
104 a <uri link="https://wiki.ubuntu.com/Security/Features">laundry list of security
105 features</uri>, consider what Ubuntu does. Most of these features, or some variation
106 of them, are in Lilblue. However, Lilblue goes further with grsecurity/PaX, which is a
107 major boost to hardening. Tobias Klein's <uri link="http://www.trapkit.de/tools/checksec.html">checksec.sh</uri>
108 reports the toolchain properties listed above (RELRO, stack canary, NX stack, PIE) for
109 a given binary; run it against the latest Ubuntu and Lilblue for a comparison.
110 </p>
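<p>
As an added example, not part of the original Lilblue page or of any Gentoo project code,
the script below performs the checksec.sh-style comparison suggested above by parsing the
ELF64 headers itself: e_type ET_DYN for PIE, the PT_GNU_STACK flags for a non-executable
stack, PT_GNU_RELRO for relro, DT_FLAGS/DT_FLAGS_1 for bindnow, and a __stack_chk_fail
string in .dynstr as the stack-smashing-protection heuristic (the same one checksec.sh uses).
It needs no binutils. The two images it audits are constructed in memory and labelled as
such in the code, one mimicking what Lilblue's toolchain emits and one a stock ET_EXEC build;
the "libc.so.0" string and the sample names are assumptions, not data from a real stage.
</p>

```python
"""Checksec-style audit of an ELF64 image for the hardening Lilblue's toolchain applies:
PIE (ET_DYN), non-executable stack (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO),
BIND_NOW (DT_FLAGS / DT_FLAGS_1), SSP (__stack_chk_fail in .dynstr). Added example."""
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def u(data, off, size):
    """Little-endian unsigned integer at data[off:off+size] (ELF64 LSB layout)."""
    return int.from_bytes(data[off:off + size], "little")
def le(value, size):
    return int(value).to_bytes(size, "little")

def has_flag(value, mask):
    """True when every bit of mask is set in value."""
    return (value | mask) == value

def phdrs(data):
    """Yield (p_type, p_flags, p_offset, p_vaddr, p_filesz) for each program header."""
    phoff, phentsize, phnum = u(data, 32, 8), u(data, 54, 2), u(data, 56, 2)
    for i in range(phnum):
        b = phoff + i * phentsize
        yield u(data, b, 4), u(data, b + 4, 4), u(data, b + 8, 8), u(data, b + 16, 8), u(data, b + 32, 8)

def vaddr_to_offset(data, addr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, _f, off, vaddr, filesz in phdrs(data):
        if p_type == PT_LOAD and addr >= vaddr and vaddr + filesz > addr:
            return addr - vaddr + off
    raise ValueError("address 0x%x is not backed by the file" % addr)

def dynamic_entries(data):
    """Return {d_tag: d_val} from PT_DYNAMIC; empty for a static executable."""
    tags = {}
    for p_type, _f, off, _v, filesz in phdrs(data):
        if p_type == PT_DYNAMIC:
            for pos in range(off, off + filesz, 16):
                tag, val = u(data, pos, 8), u(data, pos + 8, 8)
                if tag == DT_NULL:
                    break
                tags[tag] = val
    return tags

def check_hardening(data):
    """Return {check: bool} for pie, nx_stack, relro, bind_now and ssp."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    dyn = dynamic_entries(data)
    result = {"pie": u(data, 16, 2) == ET_DYN, "relro": False, "ssp": False,
              "nx_stack": False,  # no PT_GNU_STACK at all: loader assumes an executable stack
              "bind_now": has_flag(dyn.get(DT_FLAGS, 0), DF_BIND_NOW)
              or has_flag(dyn.get(DT_FLAGS_1, 0), DF_1_NOW)}
    for p_type, p_flags, _o, _v, _s in phdrs(data):
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not has_flag(p_flags, PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = vaddr_to_offset(data, dyn[DT_STRTAB])
        result["ssp"] = b"\x00__stack_chk_fail\x00" in data[start:start + dyn[DT_STRSZ]]
    return result

def build_sample_elf(hardened):
    """Constructed ELF64 image (not a real binary): hardened=True mimics Lilblue's toolchain
    output, hardened=False a stock ET_EXEC build with executable stack and lazy binding."""
    strtab = b"\x00libc.so.0\x00" + (b"__stack_chk_fail\x00" if hardened else b"")
    dyn_off, str_off = 0x160, 0x1C0
    dyn = le(DT_STRTAB, 8) + le(str_off, 8) + le(DT_STRSZ, 8) + le(len(strtab), 8)
    if hardened:
        dyn += le(DT_FLAGS, 8) + le(DF_BIND_NOW, 8) + le(DT_FLAGS_1, 8) + le(DF_1_NOW, 8)
    dyn += le(DT_NULL, 8) + le(0, 8)
    total = str_off + len(strtab)

    def phdr(p_type, p_flags, off, size):  # p_offset == p_vaddr == p_paddr, p_align 8
        return le(p_type, 4) + le(p_flags, 4) + le(off, 8) * 3 + le(size, 8) * 2 + le(8, 8)

    stack_flags = (PF_R | PF_W) if hardened else (PF_R | PF_W | PF_X)
    segs = [phdr(PT_LOAD, PF_R, 0, total), phdr(PT_DYNAMIC, PF_R, dyn_off, len(dyn)),
            phdr(PT_GNU_STACK, stack_flags, 0, 0)]
    if hardened:
        segs.append(phdr(PT_GNU_RELRO, PF_R, dyn_off, len(dyn)))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1, SYSV ABI
            + le(ET_DYN if hardened else ET_EXEC, 2) + le(62, 2) + le(1, 4)  # e_machine 62 = x86-64
            + le(0, 8) + le(64, 8) + le(0, 8) + le(0, 4)  # e_entry, e_phoff, e_shoff, e_flags
            + le(64, 2) + le(56, 2) + le(len(segs), 2) + le(64, 2) + le(0, 2) + le(0, 2))
    image = bytearray(total)
    image[0:64] = ehdr
    image[64:64 + 56 * len(segs)] = b"".join(segs)
    image[dyn_off:dyn_off + len(dyn)] = dyn
    image[str_off:str_off + len(strtab)] = strtab
    return bytes(image)

if __name__ == "__main__":  # usage: python3 elfcheck.py [/path/to/binary ...]
    blobs = {a: open(a, "rb").read() for a in sys.argv[1:]} or {
        "hardened-sample": build_sample_elf(True), "stock-sample": build_sample_elf(False)}
    for name, blob in blobs.items():
        print(name, sorted(check_hardening(blob).items()))
```

<p>
Run without arguments it prints the five checks for both constructed images; pass one or
more paths (for instance binaries from /usr/bin inside the Lilblue chroot) to audit real
files. The .dynstr heuristic is deliberately the same one checksec.sh relies on: a string
in the dynamic string table shows the binary references __stack_chk_fail, which is how a
canary check fails, but a single binary can also export it (uClibc itself does), so read
the ssp result together with the others rather than alone.
</p>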
111 <p>
112 The "fully featured desktop" comes from the fact that the system ships with over 800
113 packages covering most desktop needs. XFCE4 was chosen because of its slim and
114 flexible nature. Among the packages are:
115 </p>
116 <ul>
117 <li>epiphany, claws, hexchat for browsing, email and IRC</li>
118 <li>abiword, evince, gcalctool, gtext for generic office software</li>
119 <li>gqview, smplayer for multimedia with many open codecs</li>
120 <li>transmission for bittorrent</li>
121 <li>and no! busybox does not provide most of the core utilities</li>
122 </ul>
123 <p>
124 Lilblue should not be thought of as an "embedded" system. The major difference
125 between it and a stock Gentoo system built with the same package set is that uClibc
126 replaces glibc. Work is under way to make about 7000 packages available via binpkg
127 hosting.
128 </p>
129 <p>
130 Finally, why uClibc, and why only amd64? To address the latter first: almost
131 all desktop systems today support the x86_64 architecture. Factored in with time
132 constraints, mostly revolving around the difficulties of maintaining hardening on
133 x86, this made the choice to support only amd64 seem reasonable. The choice of uClibc
134 is harder to justify, so you may or may not accept the following reasons:
135 </p>
136 <ul>
137 <li>uClibc is a configurable standard C library aimed at embedded systems, and
138 it should remain so, but it is not just for embedded systems anymore!</li>
139 <li>uClibc is fast! Lilblue boots in 14 seconds off an SSD</li>
140 <li>uClibc is small: ~400 KB for uClibc vs 1.7 MB for glibc</li>
141 <li>uClibc's "link surface" is half that of glibc: 1327 (or less) symbols for
142 uClibc vs 2188 for glibc (Gentoo users can compare the speed of revdep-rebuild)</li>
143 <li>It is not the mainstream and forces the developer to confront design principles
144 when building a "Standard C Library" and executables that link against it</li>
145 <li>I like working with the people who work on Gentoo and uClibc. It's not a
146 reason to use Lilblue, but it was a motivation for me to do this</li>
147 </ul>
148 </longdescription>
149
150 <extrachapter position="top">
151 <title>Installation</title>
152 <section>
153 <body>
154 <p>
155 Okay, so you're curious. Maybe not enough to install it on a real box, but
156 you'll give it a spin as a virtual machine. Good! Installation is manual, but
157 much easier than the full Gentoo installation described in the
158 <uri link="http://www.gentoo.org/doc/en/handbook/index.xml">Handbook</uri>. Of
159 course, there are fewer choices to be made. What we give below will most likely
160 "just work", but feel free to deviate from it if you want to try something different.
161 For instance, the kernel is compiled with lots of support. Do you want to try
162 BTRFS instead of EXT4?
163 </p>
164 <p>
165 Here are the steps:
166 </p>
167 <p>
168 <b>1.</b> First let's prepare a boot device and boot into it. Download the install ISO
169 image using
170 </p>
171 <pre caption=""><i>wget http://[mirror]/pub/linux/gentoo/releases/amd64/current-iso/install-amd64-minimal-[date].iso</i></pre>
172 <p>
173 Here [mirror] is any <uri link="http://www.gentoo.org/main/en/mirrors2.xml">Gentoo
174 mirror</uri> and [date] is whatever the date is of the latest release. This is
175 just Gentoo's generic amd64 minimal install image. It's glibc-based, but that's
176 okay, it won't prevent chrooting into the uClibc desktop which you have to do
177 later on. If you are putting this on a physical box, then burn the ISO image to
178 a CD or DVD. For a virtual machine, just aim its virtual CD/DVD device to the
179 ISO file. Alternatively, you may want to boot from a pen drive. Gentoo's install
180 ISO is not the best for this. You may want to try
181 <uri link="http://www.sysresccd.org/SystemRescueCd_Homepage">SystemRescueCD</uri>,
182 a Gentoo-derived distro with lots of uses. Or, if you already have a working
183 Linux system and you want to install Lilblue to another drive, just boot off
184 your current system and partition the other drive. Whatever your choice, boot
185 off that device now.
186 </p>
187 <p>
188 <b>2.</b> Prepare root/boot/swap partitions, format and mount them. Using
189 <uri link="http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?chap=4&amp;part=1#doc_chap3">
190 fdisk</uri>, prepare at least three partitions. /boot only has to hold a kernel
191 or two, so you can get away with less, but the others are reasonable minima:
192 </p>
193 <table>
194 <tr><th>Partition</th><th>Mount Point</th><th>Size</th></tr>
195 <tr><ti>/dev/sda1</ti><ti>/boot</ti><ti>128 MB</ti></tr>
196 <tr><ti>/dev/sda2</ti><ti>swap</ti><ti>&gt;1 GB</ti></tr>
197 <tr><ti>/dev/sda3</ti><ti> / </ti><ti>&gt;4 GB</ti></tr>
198 </table>
199 <p>
200 <b>3.</b> Format the partitions and mount them:
201 </p>
202 <pre caption="">
203 <i># mke2fs /dev/sda1</i>
204 <i># mkswap /dev/sda2</i>
205 <i># mkfs.ext4 /dev/sda3</i>
206
207 <i># mkdir -p /mnt/gentoo</i>
208 <i># mount /dev/sda3 /mnt/gentoo</i>
209
210 <i># mkdir -p /mnt/gentoo/boot</i>
211 <i># mount /dev/sda1 /mnt/gentoo/boot</i></pre>
212 <p>
213 <b>4.</b> Download and unpack the tarball image:
214 </p>
215 <pre caption="">
216 <i># cd /mnt/gentoo</i>
217 <i># wget http://[mirror]/pub/linux/gentoo/experimental/amd64/uclibc/desktop-amd64-uclibc-hardened-[date].tar.bz2</i>
218 <i># tar xf desktop-amd64-uclibc-hardened-[date].tar.bz2</i></pre>
219 <p>
220 <b>5.</b> Prepare the chroot and chroot into it. Assuming you're still in the same directory as in the previous step, do
221 </p>
222 <pre caption="">
223 <i># mount --bind /dev dev/</i>
224 <i># mount --bind /dev/pts dev/pts</i>
225 <i># mount --bind /proc proc/</i>
226 <i># mount --bind /sys sys/</i>
227 <i># chroot . /bin/bash -l</i>
228 <i># source /etc/profile</i>
229 <i># env-update</i>
230 >>> Regenerating /etc/ld.so.cache...
231 /sbin/ldconfig: You should remove `/lib' from `/etc/ld.so.conf'
232 /sbin/ldconfig: You should remove `/usr/lib' from `/etc/ld.so.conf'
233 /sbin/ldconfig: skipping /usr/games/lib: No such file or directory</pre>
234 <p>
235 Don't worry about the warning messages generated by <c>ldconfig</c>, they are harmless issues.
236 </p>
237 <p>
238 If you changed any of the above values for /dev/sda*, or you're not installing
239 onto sda, then edit /etc/lilo.conf and /etc/fstab. Change the values to what
240 you picked. Finally, install lilo to your boot drive, exit the chroot and reboot:
241 </p>
242 <pre caption="">
243 <i># lilo</i>
244 Added Gentoo + *
245 <i># exit</i>
246 <i># reboot</i></pre>
247 <p>
248 <b>6. </b>Log in and enjoy! You have one user account and root. You can only log into the desktop
249 as user <b>gentoo</b>, but can <c>sudo</c> or <c>su</c> to root. Both accounts ship with the well-known default passwords listed below, so change them with <c>passwd</c> right after your first login.
250 </p>
251 <table>
252 <tr><th>Username</th><th>Password</th></tr>
253 <tr><ti>gentoo</ti><ti>gentoo</ti></tr>
254 <tr><ti>root</ti><ti>root</ti></tr>
255 </table>
256 </body>
257 </section>
258 </extrachapter>
259
260 <extrachapter position="top">
261 <title>Working with Lilblue</title>
262 <section>
263 <body>
264 <p>
265 Lilblue <b>is</b> Gentoo, not a separate distro. Gentoo covers many possibilities
266 and building all userland against uClibc is just one choice. You can learn how to
267 work with a Gentoo system by reading the <uri link="http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml">Handbook</uri>.
268 Skip the section on "Installing Gentoo" since we've already done that; but take a
269 look at "Working with Gentoo", "Working with Portage" and "Gentoo Network Configuration".
270 </p>
271 </body>
272 </section>
273 </extrachapter>
274
275
276 <extrachapter position="top">
277 <title>Reporting Bugs and Feature Requests</title>
278 <section>
279 <body>
280 <ul>
281 <li>Submit bugs to: <uri link="http://bugs.gentoo.org">Gentoo's Bugzilla</uri></li>
282 <li>Assign to: blueness@g.o</li>
283 <li>CC: hardened@g.o</li>
284 </ul>
285 </body>
286 </section>
287 </extrachapter>
288
289 <dev role="lead">blueness</dev>
290
291 <extrachapter position="bottom">
292 <title>I Want to Participate</title>
293 <section>
294 <body>
295 <p>
296 To participate in the Hardened uClibc project join the mailing list at
297 <c>gentoo-hardened@g.o</c> and visit our online IRC channel at
298 <c>#gentoo-hardened</c> on <c>irc.freenode.net</c>.
299 </p>
300 </body>
301 </section>
302 </extrachapter>
303
304
305 </project>