blueness 13/06/03 01:43:27

Modified: index.xml
Added: lilblue.xml
Log:
Add documentation about Lilblue

Revision Changes Path
1.9 xml/htdocs/proj/en/hardened/uclibc/index.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?rev=1.9&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?rev=1.9&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?r1=1.8&r2=1.9

Index: index.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- index.xml 31 May 2013 16:15:02 -0000 1.8
+++ index.xml 3 Jun 2013 01:43:27 -0000 1.9
23 |
@@ -37,8 +37,9 @@ |
24 |
|
25 |
<p> |
26 |
Continued developments in uClibc have made it increasingly suitable for fully |
27 |
-featured systems, even desktops. The recent addition of the native POSIX thread |
28 |
-library (see <uri link="http://en.wikipedia.org/wiki/Native_POSIX_Thread_Library">nptl</uri>) |
29 |
+featured systems, like <uri link="lilblue.xml">Lilblue</uri>, our security-enhanced, |
30 |
+fully featured XFCE4, amd64 desktop built on uClibc. The recent addition of the native POSIX |
31 |
+thread library (see <uri link="http://en.wikipedia.org/wiki/Native_POSIX_Thread_Library">nptl</uri>) |
32 |
meant that we could finally implement our complete complement of tool chain |
33 |
hardening from glibc: |
34 |
</p> |
35 |
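Review bot: the rewritten sentence in the "+featured systems, like ... Lilblue" lines now says "fully featured" twice in one sentence ("suitable for fully featured systems, like Lilblue, our security-enhanced, fully featured XFCE4, amd64 desktop"); drop the second occurrence, e.g. "our security-enhanced XFCE4, amd64 desktop built on uClibc", since the first already covers it. The relative link target "lilblue.xml" matches the file added in this commit, so nothing else to flag here.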
@@ -86,7 +87,7 @@ |
36 |
<ti>Generic</ti> |
37 |
<ti>Yes</ti> |
38 |
<ti>Yes</ti> |
39 |
- <ti>stage3 desktop</ti> |
40 |
+ <ti>stage3 <uri link="lilblue.xml">desktop</uri></ti> |
41 |
<ti>[mirror]/experimental/amd64/uclibc</ti> |
42 |
</tr> |
43 |
<tr> |
44 |
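Review bot: in "+ <ti>stage3 <uri link="lilblue.xml">desktop</uri></ti>" only the word "desktop" carries the link, so a reader scanning the table has no hint that it leads to the Lilblue page rather than to a generic desktop description; consider naming the target in the cell, e.g. "stage3 desktop (<uri link="lilblue.xml">Lilblue</uri>)", or linking the whole cell text.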



1.1 xml/htdocs/proj/en/hardened/uclibc/lilblue.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/lilblue.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/lilblue.xml?rev=1.1&content-type=text/plain

Index: lilblue.xml
===================================================================
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/project.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE project SYSTEM "/dtd/project.dtd">
<project>

<name>Lilblue</name>
<longname>Lilblue: A security-enhanced, fully featured XFCE4, amd64 Gentoo desktop,
built on uClibc</longname>

<description>
"Lilblue" is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop,
built on uClibc.
</description>

<longdescription>
<p>
"Lilblue", named after the <uri link="https://en.wikipedia.org/wiki/Little_Penguin">Little Blue Penguin</uri>
of New Zealand, a smaller cousin of the <uri link="https://en.wikipedia.org/wiki/Gentoo_Penguin">Gentoo</uri>,
is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop, built on uClibc.
</p>
<p>
The "security-enhancement" comes from a toolchain which builds all of userland
</p>
<ul>
<li>with <uri link="http://en.wikipedia.org/wiki/Stack-smashing_protection">stack smashing protection</uri>
and <uri link="http://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html">stack-check</uri>,</li>
<li>as <uri link="https://en.wikipedia.org/wiki/Position-independent_code">position independent executables</uri>
--- even executables are marked ET_DYN,</li>
<li>with hardened linking --- relocation read only and no lazy binding
(<uri link="https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only">relro and bindnow</uri>),</li>
<li>with a non-executable stack, only RW permitted on the GNU_STACK phdr,</li>
</ul>
<p>
and a kernel which provides:
</p>
<ul>
<li>various memory protection features for processes
(<uri link="http://pax.grsecurity.net/docs/pageexec.txt">PAGEEXEC</uri>,
<uri link="http://pax.grsecurity.net/docs/mprotect.txt">MPROTECT</uri>,
<uri link="http://pax.grsecurity.net/docs/randmmap.txt">RANDMMAP</uri>,
<uri link="http://pax.grsecurity.net/docs/emutramp.txt">EMUTRAMP</uri>),</li>
<li>an <uri link="http://pax.grsecurity.net/docs/aslr.txt">enhanced address space layout
randomization</uri> in conjunction with PIE above,</li>
<li>numerous internal and kernel-userland surface hardening features.</li>
</ul>
<p>
See <uri link="http://pax.grsecurity.net/docs">PaX</uri> and
<uri link="https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">grsecurity</uri>
for more information on the various hardening features in the kernel. If you want
a <uri link="https://wiki.ubuntu.com/Security/Features">laundry list of security
features</uri>, you might consider what Ubuntu does. Most of these features, or
some variation of them, are in Lilblue. However, Lilblue goes further with
grsecurity/PaX, which is a major boost to hardening. There's a nice little utility
by Tobias Klein, <uri link="http://www.trapkit.de/tools/checksec.html">checksec.sh</uri>.
Run it against the latest Ubuntu and Lilblue for a comparison.
</p>
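<p>
The toolchain properties listed above (ET_DYN for PIE, RELRO with BIND_NOW, a
non-executable GNU_STACK, and the stack protector) are all visible in the ELF
headers, which is what checksec.sh reads via readelf. The Python script below is
an example added to this page, not code from Lilblue or from checksec.sh: it
parses the ELF64 file header, program headers and dynamic section directly and
reports the same properties for one binary. The constants are the standard ELF
ABI / glibc elf.h values; the build_sample_elf() helper constructs a synthetic,
non-loadable ELF image purely so the checker can be exercised offline, and the
stack-protector test is a heuristic substring search for the __stack_chk_fail
symbol name. It assumes a little-endian ELF64 input, as on amd64.
</p>

```python
"""ELF64 hardening audit in the spirit of checksec.sh (example added to this page;
not Lilblue's or checksec.sh's own code). Reports PIE, GNU_STACK, RELRO, BIND_NOW
and a heuristic stack-protector check for a little-endian ELF64 image (amd64)."""
import struct
import sys

# Constants from the ELF ABI and glibc's elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 file header
PHDR = struct.Struct("<IIQQQQQQ")         # 56-byte program header
DYN = struct.Struct("<qQ")                # 16-byte dynamic-section entry


def audit_elf(data: bytes) -> dict:
    """Return the hardening properties of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]

    gnu_stack_flags = None      # None means there is no PT_GNU_STACK header at all
    has_relro = False
    dyn_off = dyn_size = 0
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # BIND_NOW can be spelled three ways in the dynamic section; accept any of them.
    bind_now = False
    for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
        d_tag, d_val = DYN.unpack_from(data, off)
        if d_tag == DT_NULL:
            break
        if (d_tag == DT_BIND_NOW
                or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
            bind_now = True

    # Full RELRO needs both the read-only segment and eager binding; RELRO
    # alone leaves the GOT writable until lazy resolution has happened.
    relro = "full" if (has_relro and bind_now) else "partial" if has_relro else "none"

    return {
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK is reported as executable: only an explicit
        # header without PF_X asks the loader for a non-executable stack.
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        "relro": relro,
        "bind_now": bind_now,
        # Heuristic, like checksec.sh's readelf grep: the canary failure handler
        # is referenced by name when any function was built with -fstack-protector.
        "stack_protector": b"__stack_chk_fail" in data,
    }


def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True, ssp=True) -> bytes:
    """Construct a tiny synthetic ELF64 image with the requested properties.
    It is not loadable; it exists only so audit_elf() can be exercised offline."""
    phdrs = []
    if nx is not None:  # nx=None omits the PT_GNU_STACK header entirely
        phdrs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X)))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    dyn = DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0) + DYN.pack(DT_NULL, 0)
    strtab = b"\0__stack_chk_fail\0" if ssp else b"\0"   # constructed stand-in for .dynstr
    n_ph = len(phdrs) + 1                       # +1 for PT_DYNAMIC
    dyn_off = EHDR.size + n_ph * PHDR.size
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9   # ELFCLASS64, little-endian, version 1
    hdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, n_ph, 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    body += PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return hdr + body + dyn + strtab


if __name__ == "__main__":
    # Usage: python elf_audit.py /path/to/binary   (no argument: audit the sample image)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_elf()
    for name, value in audit_elf(image).items():
        print(f"{name:16} {value}")
```

<p>
Run over the binaries in /usr/bin of a Lilblue install, every entry should report
pie True, nx_stack True and relro "full"; a binary that only reaches "partial" was
linked without -z now and still has a writable GOT during lazy binding, which is
exactly the gap the "relro and bindnow" item above closes. The __stack_chk_fail
search is a heuristic: a binary with no functions that gcc judged worth protecting
will not reference it even when built with -fstack-protector.
</p>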
<p>
The "fully featured desktop" comes from the fact that the system ships with over 800
packages covering most desktop needs. XFCE4 was chosen because of its slim and
flexible nature. These include:
</p>
<ul>
<li>epiphany, claws, hexchat for browsing, email and IRC</li>
<li>abiword, evince, gcalctool, gtext for generic office software</li>
<li>gqview, smplayer for multimedia with many open codecs</li>
<li>transmission for bittorrent</li>
<li>and no! busybox does not provide most of the core utilities</li>
</ul>
<p>
Lilblue should not be thought of as an "embedded" system. The major difference
between it and a stock Gentoo system built with the same package set is that uClibc
replaces glibc. Work is under way to make about 7000 packages available via binpkg
hosting.
</p>
<p>
Finally, why uClibc and why only amd64? Let me address the latter first: almost
all desktop systems today support the x86_64 architecture. Factored in with time
constraints, mostly revolving around the difficulties of maintaining hardening on
x86, this made the choice to only support amd64 seem reasonable. uClibc is
harder to justify, so you may or may not accept the following reasons:
</p>
<ul>
<li>uClibc is a configurable standard C library aimed at embedded systems, and
it should remain so, but it is not just for embedded systems anymore!</li>
<li>uClibc is fast! Lilblue boots in 14 seconds off an SSD</li>
<li>uClibc is small: ~400 KB for uClibc vs 1.7 MB for glibc</li>
<li>uClibc's "link surface" is half that of glibc: 1327 (or less) symbols for
uClibc vs 2188 for glibc (Gentoo users can compare the speed of revdep-rebuild)</li>
<li>It is not the mainstream and forces the developer to confront design principles
when building a "Standard C Library" and executables that link against it</li>
<li>I like working with the people who work on Gentoo and uClibc. It's not a
reason to use Lilblue, but it was a motivation for me to do this</li>
</ul>
</longdescription>

<extrachapter position="top">
<title>Installation</title>
<section>
<body>
<p>
Okay, so you're curious. Maybe not enough to install it on a real box, but
you'll give it a spin as a virtual machine. Good! Installation is manual, but
much easier than the full Gentoo installation described in the
<uri link="http://www.gentoo.org/doc/en/handbook/index.xml">Handbook</uri>. Of
course, there are fewer choices to be made. What we give below will most likely
"just work", but feel free to deviate from it if you want to try something different.
For instance, the kernel is compiled with lots of support. Do you want to try
BTRFS instead of EXT4?
</p>
<p>
Here are the steps:
</p>
<p>
<b>1.</b> First let's prepare a boot device and boot into it. Download the install ISO
image using
</p>
<pre caption=""><i>wget http://[mirror]/pub/linux/gentoo/releases/amd64/current-iso/install-amd64-minimal-[date].iso</i></pre>
<p>
Here [mirror] is any <uri link="http://www.gentoo.org/main/en/mirrors2.xml">Gentoo
mirror</uri> and [date] is whatever the date is of the latest release. This is
just Gentoo's generic amd64 minimal install image. It's glibc-based, but that's
okay, it won't prevent chrooting into the uClibc desktop, which you have to do
later on. If you are putting this on a physical box, then burn the ISO image to
a CD or DVD. For a virtual machine, just aim its virtual CD/DVD device at the
ISO file. Alternatively, you may want to boot from a pen drive. Gentoo's install
ISO is not the best for this. You may want to try
<uri link="http://www.sysresccd.org/SystemRescueCd_Homepage">SystemRescueCD</uri>,
a Gentoo-derived distro with lots of uses. Or, if you already have a working
Linux system and you want to install Lilblue to another drive, just boot off
your current system and partition the other drive. Whatever your choice, boot
off that device now.
</p>
<p>
<b>2.</b> Prepare root/boot/swap partitions, format and mount them. Using
<uri link="http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?chap=4&part=1#doc_chap3">
fdisk</uri>, prepare at least three partitions. /boot only has to hold a kernel
or two, so you can get away with less, but the others are reasonable minima:
</p>
<table>
<tr><th>Partition</th><th>Mount Point</th><th>Size</th></tr>
<tr><ti>/dev/sda1</ti><ti>/boot</ti><ti>128 MB</ti></tr>
<tr><ti>/dev/sda2</ti><ti>swap</ti><ti>>1 GB</ti></tr>
<tr><ti>/dev/sda3</ti><ti>/</ti><ti>>4 GB</ti></tr>
</table>
<p>
<b>3.</b> Format the partitions and mount them:
</p>
<pre caption="">
<i># mke2fs /dev/sda1</i>
<i># mkswap /dev/sda2</i>
<i># mkfs.ext4 /dev/sda3</i>

<i># mkdir -p /mnt/gentoo</i>
<i># mount /dev/sda3 /mnt/gentoo</i>

<i># mkdir -p /mnt/gentoo/boot</i>
<i># mount /dev/sda1 /mnt/gentoo/boot</i></pre>
<p>
<b>4.</b> Download and unpack the tarball image:
</p>
<pre caption="">
<i># cd /mnt/gentoo</i>
<i># wget http://[mirror]/pub/linux/gentoo/experimental/amd64/uclibc/desktop-amd64-uclibc-hardened-[date].tar.bz2</i>
<i># tar xf desktop-amd64-uclibc-hardened-[date].tar.bz2</i></pre>
<p>
<b>5.</b> Prepare the chroot and chroot into it. Assuming you're still in the same directory as in the previous step, do
</p>
<pre caption="">
<i># mount --bind /dev dev/</i>
<i># mount --bind /dev/pts dev/pts</i>
<i># mount --bind /proc proc/</i>
<i># mount --bind /sys sys/</i>
<i># chroot . /bin/bash -l</i>
<i># source /etc/profile</i>
<i># env-update</i>
>>> Regenerating /etc/ld.so.cache...
/sbin/ldconfig: You should remove `/lib' from `/etc/ld.so.conf'
/sbin/ldconfig: You should remove `/usr/lib' from `/etc/ld.so.conf'
/sbin/ldconfig: skipping /usr/games/lib: No such file or directory</pre>
<p>
Don't worry about the warning messages generated by <c>ldconfig</c>; they are harmless.
</p>
<p>
If you changed any of the above values for /dev/sda*, or you're not installing
onto sda, then edit /etc/lilo.conf and /etc/fstab. Change the values to what
you picked. Finally, install lilo to your boot drive, exit the chroot and reboot:
</p>
<pre caption="">
<i># lilo</i>
Added Gentoo + *
<i># exit</i>
<i># reboot</i></pre>
<p>
<b>6.</b> Log in and enjoy! You have one user account and root. You can only log into the desktop
as user <b>gentoo</b>, but you can <c>sudo</c> or <c>su</c> to root.
</p>
<table>
<tr><th>Username</th><th>Password</th></tr>
<tr><ti>gentoo</ti><ti>gentoo</ti></tr>
<tr><ti>root</ti><ti>root</ti></tr>
</table>
</body>
</section>
</extrachapter>

<extrachapter position="top">
<title>Working with Lilblue</title>
<section>
<body>
<p>
Lilblue <b>is</b> Gentoo, not a separate distro. Gentoo covers many possibilities,
and building all of userland against uClibc is just one choice. You can learn how to
work with a Gentoo system by reading the <uri link="http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml">Handbook</uri>.
Skip the section on "Installing Gentoo" since we've already done that; but take a
look at "Working with Gentoo", "Working with Portage" and "Gentoo Network Configuration".
</p>
</body>
</section>
</extrachapter>


<extrachapter position="top">
<title>Reporting Bugs and Feature Requests</title>
<section>
<body>
<ul>
<li>Submit bugs to: <uri link="http://bugs.gentoo.org">Gentoo's Bugzilla</uri></li>
<li>Assign to: blueness@g.o</li>
<li>CC: hardened@g.o</li>
</ul>
</body>
</section>
</extrachapter>

<dev role="lead">blueness</dev>

<extrachapter position="bottom">
<title>I Want to Participate</title>
<section>
<body>
<p>
To participate in the Hardened uClibc project, join the mailing list at
<c>gentoo-hardened@g.o</c> and visit our online IRC channel at
<c>#gentoo-hardened</c> on <c>irc.freenode.net</c>.
</p>
</body>
</section>
</extrachapter>


</project>