I have an initramfs which I use to decrypt my root partition; however, I have problems building a working hardened kernel with gcc-4.8.1.

I built linux-3.10.1-hardened-r1, linux-3.11.2-hardened and linux-3.11.3-hardened with gcc-4.8.1; they all panic on boot with the message "Fixing recursive fault but reboot is needed!"

I tried linux-3.11.3-hardened with gcc 4.7.1-r1 and it boots fine.

I also tried vanilla-3.11.4; it works fine with both gcc-4.7.1-r1 and gcc-4.8.1.

Reproducible: Always

Portage 2.2.7 (hardened/linux/amd64/no-multilib, gcc-4.7.3, glibc-2.17, 3.11.3-hardened x86_64)
=================================================================
System uname: Linux-3.11.3-hardened-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.2
KiB Mem: 2997008 total, 2287448 free
KiB Swap: 0 total, 0 free
Timestamp of tree: Sun, 13 Oct 2013 00:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash: 4.2_p45
dev-lang/python: 2.7.5-r2, 3.2.5-r2, 3.3.2-r2
dev-util/cmake: 2.8.11.2
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.12.2
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.13.4, 1.14
sys-devel/binutils: 2.23.2
sys-devel/gcc: 4.7.3-r1, 4.8.1-r1
sys-devel/gcc-config: 1.8
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.11 (virtual/os-headers)
sys-libs/glibc: 2.17
Repositories: gentoo local-overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs
config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/home/amade/overlay"
SYNC=""
USE="X aac acl acpi alsa amd64 apache2 bash-completion berkdb bzip2 cli cracklib crypt cxx dri dvd flac gdbm gif gnutls gold gpg hardened iconv icu ipv6 jpeg jpeg2k justify mmx mmxext mng modules mp3 mudflap mysql mysqli ncurses nls nptl opencl opengl openmp pam pax_kernel pcre png readline session sse sse2 sse4_1 sse4_2 ssl ssse3 tcpd threads tiff udev unicode urandom usb v4l vim-syntax xattr xcb xft xinerama zlib zsh-completion"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en en_GB pl"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_2"
QEMU_SOFTMMU_TARGETS="x86_64 ppc"
RUBY_TARGETS="ruby20"
USERLAND="GNU"
VIDEO_CARDS="nouveau"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Created attachment 360834
hardened config

config which I used to build hardened kernels

for vanilla I just copied it and replied "n" to all questions for "new options"

I did mrproper between rebuilds
(In reply to Amadeusz Sławiński from comment #1)
> Created attachment 360834
> hardened config
>
> config which I used to build hardened kernels
>
> for vanilla I just copied it and replied "n" to all questions for "new
> options"
>
> I did mrproper between rebuilds

I wonder if it's the gcc plugins that are breaking. You might want to try turning off the options in PaX's Miscellaneous hardening features. I'm alerting upstream.
So I tried disabling options, it boots fine when I disable CONFIG_PAX_KERNEXEC (it also seems to disable CONFIG_PAX_CONSTIFY_PLUGIN, but when I disable it alone it still fails). 2741a2742,2745 > # CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set > # CONFIG_DEBUG_LOCK_ALLOC is not set > # CONFIG_PROVE_LOCKING is not set > # CONFIG_LOCK_STAT is not set 2850d2853 < CONFIG_PAX_KERNEXEC_PLUGIN=y 2886,2889c2889,2890 < CONFIG_PAX_KERNEXEC=y < # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set < CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y < CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or" --- > # CONFIG_PAX_KERNEXEC is not set > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="" 2906d2906 < CONFIG_PAX_CONSTIFY_PLUGIN=y
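Review bot: the removals at 2850, 2886-2889 and 2906 drop CONFIG_PAX_KERNEXEC, CONFIG_PAX_KERNEXEC_PLUGIN (with CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR) and CONFIG_PAX_CONSTIFY_PLUGIN in one step, so this diff does not separate KERNEXEC itself from its gcc plugin method. A build that keeps CONFIG_PAX_KERNEXEC=y and selects CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS instead of METHOD_OR would narrow that down. The four lock-debugging entries added at 2742-2745 are all "is not set", so they change no behaviour. Since the resulting config boots without KERNEXEC, it is useful as a bisection step rather than as a configuration to keep.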
is this still a problem with the latest patches (3.11/3.12)? if yes can you capture and post dmesg somehow?
Great that you ask, just yesterday I accidentally compiled a kernel (linux-3.11.9-hardened) with gcc-4.8.2, and it still failed to boot with the same problem. Is this enough or should I try some other patch? Here http://asmblr.net/panic/P141013_00.49.jpg is a (a bit blurry) capture of the panic screen from the time I reported it; I can get a better one tomorrow if needed.
can you enable frame pointers (CONFIG_FRAME_POINTER) to get a better backtrace? also can you test this under qemu and if it fails there, post your config/vmlinux/bzImage?
Created attachment 364134
kernel config from 3.11.9 (with enabled frame pointers)
this should now be fixed in the latest PaX patch, grsecurity will follow eventually. it'd be nice if someone could test it with PaX alone as the fix is non-trivial due to some old (and rather stupid) design choices in linux/amd64. you don't even need to enable KERNEXEC, the necessary changes are always active.
I've tested the 3.12.4 kernel with the latest pax patch (pax-linux-3.12.4-test3.patch); both the VM and the main system boot fine now.
hardened-sources-3.12.5 has fixes from upstream and boots fine