On 29 Nov 2007 at 11:36, timpoluk@×××.net wrote:

> There is a lot of documentation about how to set up Xen with Gentoo but
> to use it with grsecurity/pax seems not to be easily achieved. what are
> the pitfalls, drawbacks?

when you speak of virtualization and kernels, you should always specify
whether you're talking about the guest or host kernel (or both) as the
answer varies between them.

on the host side, i think pretty much all of grsec/PaX will work fine
except for KERNEXEC (and even that is not unfixable either, but it needs
a patch in the hypervisor code itself, not PaX).

on the guest side, most things will work except for the old-style PAGEEXEC
method (that tweaks the TLBs and is not compatible with a hypervisor
intercepting those attempts) and possibly KERNEXEC/UDEREF if the hypervisor
has assumptions about the guest kernel's segment layout. for example, UDEREF
doesn't work under vmware and i expect it to not work under most non-hw
virtualizations (or at least not without a huge performance impact, but
that'll be quite obvious as soon as you try to boot such a guest kernel).

note also that 2.6.23 has xen domU support already, so you should probably
go with that version (on the guest side, that is) as i tried to make PaX
work with it since then (but couldn't actually test it myself, at least
it should compile ;-).

--
gentoo-hardened@g.o mailing list