| 1 |
On 29 Nov 2007 at 11:36, timpoluk@×××.net wrote: |
| 2 |
|
| 3 |
> There is a lot of documentation about how to setup Xen with Gentoo but |
| 4 |
> to use it with grsecurity/pax seems not to be easily achieved. what are |
| 5 |
> the pitfalls, drawbacks? |
| 6 |
|
| 7 |
when you speak of virtualization and kernels, you should always specify |
| 8 |
whether you're talking about the guest or host kernel (or both) as the |
| 9 |
answer varies between them. |
| 10 |
|
| 11 |
on the host side, i think pretty much all of grsec/PaX will work fine |
| 12 |
except for KERNEXEC (and even that is not unfixable either, but it needs |
| 13 |
a patch in the hypervisor code itself, not PaX). |
| 14 |
|
| 15 |
on the guest side, most things will work except for the old style PAGEEXEC |
| 16 |
method (that tweaks the TLBs and is not compatible with a hypervisor |
| 17 |
intercepting those attempts) and possibly KERNEXEC/UDEREF if the hypervisor |
| 18 |
has assumptions about the guest kernel's segment layout. for example, UDEREF |
| 19 |
doesn't work under vmware and i expect it to not work under most non-hw |
| 20 |
virtualizations (or at least not without a huge performance impact, but |
| 21 |
that'll be quite obvious as soon as you try to boot such a guest kernel). |
| 22 |
|
| 23 |
note also that 2.6.23 has xen domU support already, so you should probably |
| 24 |
go with that version (on the guest side, that is) as i tried to make PaX |
| 25 |
work with it since then (but couldn't actually test it myself, at least |
| 26 |
it should compile ;-). |
| 27 |
|
| 28 |
|
| 29 |
-- |
| 30 |
gentoo-hardened@g.o mailing list |
Archives