When I turn on CONFIG_PAX_KERNEXEC, the system halts at the end of the boot process (after initializing all of the kernel, when or immediately after mounting the root filesystem). The same kernel and configuration works fine with CONFIG_PAX_KERNEXEC turned off. With hardened-sources-2.6.28, CONFIG_PAX_KERNEXEC worked.
Created attachment 192977 [details] My .config (working version, set CONFIG_PAX_KERNEXEC=y to reproduce the bug).
Please post your emerge --info and attach the output of the BUG please (with GRKERNSEC_HIDESYM disabled). This may be fixed already. Can you try the latest PaX test patch[1] against vanilla 2.6.29.4? [1] http://www.grsecurity.net/~paxguy1/pax-linux-2.6.29.4-test26.patch
Created attachment 193007 [details] emerge --info
Don't know how to save the BUG (or panic?): The system hangs completely before root is mounted r/w and before login is possible. On the screen, I only see the last few lines of a (numeric, hence useless) stack backtrace. The important information has already scrolled off the screen, scrollback doesn't work. I tried in slow motion earlier today (with a printk delay), and it said something like "Unable to handle kernel paging request". I will try the kernel you proposed tomorrow (it is already late night here).
pax-linux-2.6.29.4-test27 works fine with CONFIG_PAX_KERNEXEC.
As the problem is fixed upstream for some time now: Any hope for fixed hardened-sources any time soon?
Klaus, rest assured that a new version is imminent (I'm proxying some of the work that's going into it). I'm just as keen to see a new release as you are but I want to ensure that it is a strong one! I'm estimating that my work will continue for 2-3 more days before I consider it ready for submission to Gordon. In the meantime, please accept our apologies for the release lag on this occasion.
Kerin, any news on this one?
Well, I do have a patchset for 2.6.29; it contains a range of backported fixes as far as 2.6.30.5 and was used in production by myself up until quite recently. Essentially, I went as far as I felt I could possibly go in terms of making a release-worthy patchset. Obviously, I am in no position to push this to the tree myself so I leave it in the hands of anyone who wishes to do so (indeed, several people involved in the project have already been kept abreast of the revisions that I made up until this point). I won't be doing any further work on it as it takes a disproportionate amount of time and energy and sufficient time has elapsed now to render this work virtually obsolete. hardened-sources is currently stagnating, save for the recent work carried out by Anarchy which is currently sitting in an overlay. At such time as this stagnation ends, I would envisage that 2.6.31 - or any recent release - is targetted for stabilisation. After all, even the grsecurity people are quick to focus their attention on new kernel.org releases. Doing this kind of work seems like a losing battle and is ultimately pointless if we have a problem getting releases out the door. I've already rebased my kernels on Anarchy's recent work and reverted to the strategy of minimal maintenance. I also have an updated patchset for 2.6.28 which resolves a large number of hardened-kernel assigned bugs which pertain to that branch. I believe gengor has a copy and anyone else is very much welcome to it, although it should be noted that I have not heavily tested it (in particular, someone would need to make sure that CIFS support is A-OK).
After a long period of "testing" grsecurity releases only, the grsecurity team has released a "stable" grsecurity release for 2.6.31.6. Time for a new hardened-sources release?
(In reply to comment #10) > > Time for a new hardened-sources release? > Yes, it is. 2.6.32-r9 is the latest stable on amd64. Can you test it and see if this is still an issue.
I don't use hardened-sources any longer. I'm building my own for some months now from vanilla-sources and the grsec patch.
