Bug 279795 - sys-kernel/hardened-sources-2.6.32-r9: doesn't boot as xen domU kernel
Summary: sys-kernel/hardened-sources-2.6.32-r9: doesn't boot as xen domU kernel
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: x86 Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-31 12:09 UTC by Fabiano Francesconi
Modified: 2011-04-04 20:21 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
hardened-sources-2.6.32-r9 config with pax disabled (hardened-cnf-pax-disabled, 56.51 KB, text/plain), 2010-08-15 07:38 UTC, Andy Task

Description Fabiano Francesconi 2009-07-31 12:09:19 UTC
Using this kernel, I cannot get it to boot.
Simply switching kernels (to a normal gentoo-sources-2.6.30-r4), everything runs smoothly.

Don't know what to do... I can provide you with very poor logging.

Reproducible: Always
Comment 1 Fabiano Francesconi 2009-07-31 12:15:18 UTC
This is 'xm dmesg' on dom0:

(XEN) traps.c:437:d27 Unhandled invalid opcode fault/trap [#6] on VCPU 0 [ec=0000]
(XEN) domain_crash_sync called from entry.S (ff1b588e)
(XEN) Domain 27 (vcpu#0) crashed on cpu#3:
(XEN) ----[ Xen-3.4.0  x86_32p  debug=n  Not tainted ]----
(XEN) CPU:    3
(XEN) EIP:    e019:[<c0228044>]
(XEN) EFLAGS: 00000206   EM: 1   CONTEXT: pv guest
(XEN) eax: c08b0000   ebx: 00000000   ecx: 00000004   edx: 00000000
(XEN) esi: c08b0001   edi: c0788f9e   ebp: 00000000   esp: c080afd4
(XEN) cr0: 8005003b   cr4: 000006f0   cr3: 28b83000   cr2: 00000000
(XEN) ds: e021   es: e021   fs: e021   gs: e021   ss: e021   cs: e019
(XEN) Guest stack trace from esp=c080afd4:
(XEN)    c0228044 0001e019 00010006 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 c08b0000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Comment 2 Fabiano Francesconi 2009-07-31 12:16:40 UTC
This is 'tail -f /var/log/xen/xend.log':

[2009-07-31 14:16:09 3132] DEBUG (XendDomainInfo:92) XendDomainInfo.create(['vm', ['name', 'caprica'], ['memory', 256], ['vcpus', 1], ['on_xend_start', 'ignore'], ['on_xend_stop', 'ignore'], ['image', ['linux', ['kernel', '/xen/kernels/vmlinux'], ['root', '/dev/xvda1 ro'], ['videoram', 4]]], ['s3_integrity', 1], ['device', ['vbd', ['uname', 'phy:/dev/vg/caprica'], ['dev', 'xvda1'], ['mode', 'w']]], ['device', ['vbd', ['uname', 'phy:/dev/vg/caprica_swap'], ['dev', 'xvda2'], ['mode', 'w']]], ['device', ['vif', ['mac', '00:16:00:00:10:02'], ['vifname', 'veth1']]]])
[2009-07-31 14:16:09 3132] DEBUG (XendDomainInfo:2295) XendDomainInfo.constructDomain
[2009-07-31 14:16:09 3132] DEBUG (balloon:166) Balloon: 569744 KiB free; need 4096; done.
[2009-07-31 14:16:09 3132] DEBUG (XendDomain:452) Adding Domain: 29
[2009-07-31 14:16:09 3132] DEBUG (XendDomainInfo:2496) XendDomainInfo.initDomain: 29 256
[2009-07-31 14:16:09 3132] DEBUG (XendDomainInfo:2520) _initDomain:shadow_memory=0x0, memory_static_max=0x10000000, memory_static_min=0x0.
[2009-07-31 14:16:09 3132] DEBUG (balloon:166) Balloon: 569744 KiB free; need 263168; done.
[2009-07-31 14:16:09 3132] INFO (image:173) buildDomain os=linux dom=29 vcpus=1
[2009-07-31 14:16:09 3132] DEBUG (image:661) domid          = 29
[2009-07-31 14:16:09 3132] DEBUG (image:662) memsize        = 256
[2009-07-31 14:16:09 3132] DEBUG (image:663) image          = /xen/kernels/vmlinux
[2009-07-31 14:16:09 3132] DEBUG (image:664) store_evtchn   = 1
[2009-07-31 14:16:09 3132] DEBUG (image:665) console_evtchn = 2
[2009-07-31 14:16:09 3132] DEBUG (image:666) cmdline        = root=/dev/xvda1 ro 
[2009-07-31 14:16:09 3132] DEBUG (image:667) ramdisk        = 
[2009-07-31 14:16:09 3132] DEBUG (image:668) vcpus          = 1
[2009-07-31 14:16:09 3132] DEBUG (image:669) features       = 
[2009-07-31 14:16:09 3132] DEBUG (image:670) flags          = 0
[2009-07-31 14:16:09 3132] INFO (XendDomainInfo:2159) createDevice: vbd : {'uuid': 'ffb6dbad-cb08-f0b0-8dd5-4f964eb5a0c5', 'bootable': 1, 'driver': 'paravirtualised', 'dev': 'xvda1', 'uname': 'phy:/dev/vg/caprica', 'mode': 'w'}
[2009-07-31 14:16:09 3132] DEBUG (DevController:95) DevController: writing {'virtual-device': '51713', 'device-type': 'disk', 'protocol': 'x86_32-abi', 'backend-id': '0', 'state': '1', 'backend': '/local/domain/0/backend/vbd/29/51713'} to /local/domain/29/device/vbd/51713.
[2009-07-31 14:16:09 3132] DEBUG (DevController:97) DevController: writing {'domain': 'caprica', 'frontend': '/local/domain/29/device/vbd/51713', 'uuid': 'ffb6dbad-cb08-f0b0-8dd5-4f964eb5a0c5', 'bootable': '1', 'dev': 'xvda1', 'state': '1', 'params': '/dev/vg/caprica', 'mode': 'w', 'online': '1', 'frontend-id': '29', 'type': 'phy'} to /local/domain/0/backend/vbd/29/51713.
[2009-07-31 14:16:09 3132] INFO (XendDomainInfo:2159) createDevice: vbd : {'uuid': '25513f35-d1ad-6778-7ff4-0de1923b8848', 'bootable': 0, 'driver': 'paravirtualised', 'dev': 'xvda2', 'uname': 'phy:/dev/vg/caprica_swap', 'mode': 'w'}
[2009-07-31 14:16:09 3132] DEBUG (DevController:95) DevController: writing {'virtual-device': '51714', 'device-type': 'disk', 'protocol': 'x86_32-abi', 'backend-id': '0', 'state': '1', 'backend': '/local/domain/0/backend/vbd/29/51714'} to /local/domain/29/device/vbd/51714.
[2009-07-31 14:16:09 3132] DEBUG (DevController:97) DevController: writing {'domain': 'caprica', 'frontend': '/local/domain/29/device/vbd/51714', 'uuid': '25513f35-d1ad-6778-7ff4-0de1923b8848', 'bootable': '0', 'dev': 'xvda2', 'state': '1', 'params': '/dev/vg/caprica_swap', 'mode': 'w', 'online': '1', 'frontend-id': '29', 'type': 'phy'} to /local/domain/0/backend/vbd/29/51714.
[2009-07-31 14:16:09 3132] INFO (XendDomainInfo:2159) createDevice: vif : {'mac': '00:16:00:00:10:02', 'vifname': 'veth1', 'uuid': 'cbd14009-a114-2c65-0674-46dd0bd6954b'}
[2009-07-31 14:16:09 3132] DEBUG (DevController:95) DevController: writing {'mac': '00:16:00:00:10:02', 'handle': '0', 'protocol': 'x86_32-abi', 'backend-id': '0', 'state': '1', 'backend': '/local/domain/0/backend/vif/29/0'} to /local/domain/29/device/vif/0.
[2009-07-31 14:16:09 3132] DEBUG (DevController:97) DevController: writing {'domain': 'caprica', 'frontend': '/local/domain/29/device/vif/0', 'uuid': 'cbd14009-a114-2c65-0674-46dd0bd6954b', 'script': '/etc/xen/scripts/vif-bridge', 'mac': '00:16:00:00:10:02', 'frontend-id': '29', 'state': '1', 'vifname': 'veth1', 'online': '1', 'handle': '0'} to /local/domain/0/backend/vif/29/0.
[2009-07-31 14:16:09 3132] DEBUG (XendDomainInfo:3051) Storing VM details: {'on_xend_stop': 'ignore', 'shadow_memory': '0', 'uuid': 'f862fdd0-4f97-e35c-3179-baf2abd6a175', 'on_reboot': 'restart', 'start_time': '1249042569.66', 'on_poweroff': 'destroy', 'bootloader_args': '', 'on_xend_start': 'ignore', 'on_crash': 'restart', 'xend/restart_count': '0', 'vcpus': '1', 'vcpu_avail': '1', 'bootloader': '', 'image': "(linux (kernel /xen/kernels/vmlinux) (args 'root=/dev/xvda1 ro ') (videoram 4) (notes (HV_START_LOW 4118806528) (FEATURES '!writable_page_tables|pae_pgdir_above_4gb') (VIRT_BASE 3221225472) (GUEST_VERSION 2.6) (PADDR_OFFSET 0) (GUEST_OS linux) (HYPERCALL_PAGE 3225423872) (LOADER generic) (SUSPEND_CANCEL 1) (PAE_MODE yes) (ENTRY 3223470784) (XEN_VERSION xen-3.0)))", 'name': 'caprica'}
[2009-07-31 14:16:09 3132] DEBUG (XendDomainInfo:1621) Storing domain details: {'console/ring-ref': '166788', 'image/entry': '3223470784', 'console/port': '2', 'store/ring-ref': '166789', 'image/loader': 'generic', 'vm': '/vm/f862fdd0-4f97-e35c-3179-baf2abd6a175', 'control/platform-feature-multiprocessor-suspend': '1', 'image/hv-start-low': '4118806528', 'image/guest-os': 'linux', 'image/virt-base': '3221225472', 'memory/target': '262144', 'image/guest-version': '2.6', 'image/pae-mode': 'yes', 'console/limit': '1048576', 'image/paddr-offset': '0', 'image/hypercall-page': '3225423872', 'image/suspend-cancel': '1', 'cpu/0/availability': 'online', 'image/features/pae-pgdir-above-4gb': '1', 'image/features/writable-page-tables': '0', 'console/type': 'xenconsoled', 'name': 'caprica', 'domid': '29', 'image/xen-version': 'xen-3.0', 'store/port': '1'}
[2009-07-31 14:16:09 3132] DEBUG (DevController:95) DevController: writing {'protocol': 'x86_32-abi', 'state': '1', 'backend-id': '0', 'backend': '/local/domain/0/backend/console/29/0'} to /local/domain/29/device/console/0.
[2009-07-31 14:16:09 3132] DEBUG (DevController:97) DevController: writing {'domain': 'caprica', 'frontend': '/local/domain/29/device/console/0', 'uuid': 'd0e1b991-ec88-e8c1-1644-5954d52c2b88', 'frontend-id': '29', 'state': '1', 'location': '2', 'online': '1', 'protocol': 'vt100'} to /local/domain/0/backend/console/29/0.
[2009-07-31 14:16:09 3132] DEBUG (XendDomainInfo:1708) XendDomainInfo.handleShutdownWatch
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices vif.
[2009-07-31 14:16:10 3132] DEBUG (DevController:144) Waiting for 0.
[2009-07-31 14:16:10 3132] DEBUG (DevController:629) hotplugStatusCallback /local/domain/0/backend/vif/29/0/hotplug-status.
[2009-07-31 14:16:10 3132] DEBUG (DevController:643) hotplugStatusCallback 1.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices vscsi.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices vbd.
[2009-07-31 14:16:10 3132] DEBUG (DevController:144) Waiting for 51713.
[2009-07-31 14:16:10 3132] DEBUG (DevController:629) hotplugStatusCallback /local/domain/0/backend/vbd/29/51713/hotplug-status.
[2009-07-31 14:16:10 3132] DEBUG (DevController:643) hotplugStatusCallback 1.
[2009-07-31 14:16:10 3132] DEBUG (DevController:144) Waiting for 51714.
[2009-07-31 14:16:10 3132] DEBUG (DevController:629) hotplugStatusCallback /local/domain/0/backend/vbd/29/51714/hotplug-status.
[2009-07-31 14:16:10 3132] DEBUG (DevController:643) hotplugStatusCallback 1.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices irq.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices vkbd.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices vfb.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices console.
[2009-07-31 14:16:10 3132] DEBUG (DevController:144) Waiting for 0.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices pci.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices ioports.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices tap.
[2009-07-31 14:16:10 3132] DEBUG (DevController:139) Waiting for devices vtpm.
[2009-07-31 14:16:10 3132] INFO (XendDomain:1180) Domain caprica (29) unpaused.
[2009-07-31 14:16:10 3132] WARNING (XendDomainInfo:1877) Domain has crashed: name=caprica id=29.
[2009-07-31 14:16:10 3132] ERROR (XendDomainInfo:2011) VM caprica restarting too fast (Elapsed time: 0.832911 seconds). Refusing to restart to avoid loops.
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:2723) XendDomainInfo.destroy: domid=29
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:2198) Destroying device model
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:2205) Releasing devices
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:2218) Removing vif/0
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:1133) XendDomainInfo.destroyDevice: deviceClass = vif, device = vif/0
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:2218) Removing vbd/51713
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:1133) XendDomainInfo.destroyDevice: deviceClass = vbd, device = vbd/51713
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:2218) Removing vbd/51714
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:1133) XendDomainInfo.destroyDevice: deviceClass = vbd, device = vbd/51714
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:2218) Removing console/0
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:1133) XendDomainInfo.destroyDevice: deviceClass = console, device = console/0
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:2203) No device model
[2009-07-31 14:16:10 3132] DEBUG (XendDomainInfo:2205) Releasing devices
Comment 3 James Earl Spahlinger 2009-07-31 12:46:50 UTC
You may wish to attach your logs instead of pasting them in the bugzilla comments. 
Comment 4 Brad Plant 2009-09-02 23:12:54 UTC
2.6.28 + Xen + PaX doesn't work. More info here: http://forums.grsecurity.net/viewtopic.php?f=1&t=2063&start=45
Comment 5 Fabiano Francesconi 2009-10-02 09:35:52 UTC
From the above linked forum:
> I've been working on xen support on and off for a few weeks now, so it'll be
> definitely fixed.

So we should expect a patch that fixes all these issues to be released soon!
Comment 6 Anthony Basile gentoo-dev 2010-07-08 11:26:51 UTC
We are working on stabilizing 2.6.32-r9.  It is already stable on amd64.  I also run many domU hardened systems with this kernel.  Can the reporter try this new kernel and see if this is still an issue?
Comment 7 Andy Task 2010-08-11 18:18:49 UTC
Hi, 

has anybody started a pv domU with hardened-sources-2.6.32-r9? It does not work for me. The security profile is "server". Starting the domU with xen-sources works.

# uname -a
Linux xendo 2.6.34-xen #6 SMP Sat Aug 7 05:43:37 CEST 2010 x86_64 Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz GenuineIntel GNU/Linux

Can you post a working kernel config which I could try? 

If needed I can paste my .config and xen logs/dmesg, let me know.
Comment 8 Anthony Basile gentoo-dev 2010-08-11 18:43:25 UTC
(In reply to comment #7)
> Hi, 
> 
> has anybody started pv domU with hardened-source-2.6.32-r9? Does not work for
> me. Security profile is "server". Starting the domU with xen sources works.
> 

Sorry, I should clarify Comment #6.  I run many *fully* virtualized domU with hardened-sources-2.6.32-r9.  I have not tried paravirt.
Comment 9 Fabiano Francesconi 2010-08-11 19:35:25 UTC
The problem I have is in paravirt mode. As far as I know, it won't work on a non-HVM machine.
Comment 10 Andy Task 2010-08-14 21:43:44 UTC
Hi, I got hardened-sources-2.6.32-r9 working as a pv domU. I set Security Options to server without rbac, then switched to Custom and disabled PAX.

The domU now boots with the hardened kernel; the login is not displayed because of a console issue (it stops at "* starting local [ok]") but sshd is up and everything is running. Will figure that out too.
Comment 11 Fabiano Francesconi 2010-08-14 22:26:24 UTC
(In reply to comment #10)
> Hi got hardened-sources-2.6.32-r9 as pv domU working. I set Security Options to
> server without rbac, switched then to Custom and disabled PAX.
> 
> The domU boots now with the hardened kernel, login is not displayed because of
> a console issue (stops on *starting local [ok]) but sshd is up and all running.
> Will figure that out too.  
> 

That's something related to /dev/console. It has nothing to do with hardened-sources.

The thing is that by disabling PAX you have disabled the main feature of a hardened kernel, I'd say.
Comment 12 Anthony Basile gentoo-dev 2010-08-14 23:35:05 UTC
(In reply to comment #10)
> Hi got hardened-sources-2.6.32-r9 as pv domU working. I set Security Options to
> server without rbac, switched then to Custom and disabled PAX.
> 
> The domU boots now with the hardened kernel, login is not displayed because of
> a console issue (stops on *starting local [ok]) but sshd is up and all running.
> Will figure that out too.  
> 

At some point post your kernel config file.  What I may do is add yet another option to the list of pre-configured grsec/pax options, so the choices will be: 1) server, 2) server without rbac, 3) workstation, 4) workstation without rbac and finally 5) paravirt.
Comment 13 Anthony Basile gentoo-dev 2010-08-14 23:36:43 UTC
> The thing is that by disabling PAX you have disabled the main feature of an
> hardened kernel, I'd say.
> 

Yeah, at some point if you disable all the goodies, you might as well go with just gentoo-sources, but there may be some hardening features we can save.
Comment 14 Andy Task 2010-08-15 07:38:53 UTC
Created attachment 243015
hardened-sources-2.6.32-r9 config with pax disabled
Comment 15 Andy Task 2010-08-15 07:39:13 UTC
Thanks guys, I know that I do not want to disable PAX at all. But I was not able to run a pv hardened kernel. I wonder if it makes sense to run the hardened profile without a hardened kernel?

Anyway, if possible I want to have a fully hardened pv domU, like on my other physical servers. I assumed that virtualization is very common these days and that some of you already run xen with hardened domUs, and that I missed something in the config (that's why I asked if somebody can paste a config for me).

uname + emerge --info: http://pastebin.com/A9CdhKqT
config of the working kernel with pax disabled

Regarding a hardened HVM domU, it would be nice if somebody could share a working config.
Comment 16 Anthony Basile gentoo-dev 2010-08-15 12:36:56 UTC
(In reply to comment #15)
> Thanks guys I know that I do not want to disable PAX at all. But I was not able
> to run pv hardened kernel. I wonder if it makes sense to run hardened profile
> without hardened kernel?

Yes, even if you disable all of PaX you still have the GRSEC hardening, which is still important.  Also, some of the PaX features can be captured at the userland level by compiling with a hardened toolchain.

Also, I suspect there may be some PaX features which you can run.  I'd like to sort out which and work with upstream on the ones we can't get working now.

> Anyway, if possible I want to have fully hardened pv domU if possible like on
> my other physical servers. I assumed that virtualization is very common these
> days and some of you already run xen with hardened domUs and I missed something
> in the config (thats why I asked if sb can paste a config for me).

We want this too.




Comment 17 Andy Task 2010-08-15 14:57:26 UTC
Thanks Tony, as you suggested we can discuss and catch the bug(s) over there: http://forums.gentoo.org/viewtopic-p-6388313.html#6388313
Comment 18 Anthony Basile gentoo-dev 2010-09-07 00:28:14 UTC
(In reply to comment #10)
> Hi got hardened-sources-2.6.32-r9 as pv domU working. I set Security Options to
> server without rbac, switched then to Custom and disabled PAX.

It seems from the forum discussion that the culprit is just CONFIG_PAX_KERNEXEC=y.  Can someone verify that a pv domU works with PaX fully enabled *except* for CONFIG_PAX_KERNEXEC?
Comment 19 Fabiano Francesconi 2010-09-12 13:51:24 UTC
> It seems from the forum discussion that the culprit is just
> CONFIG_PAX_KERNEXEC=y.  Can someone verify that a pv domU works with PaX fully
> enabled *except* for CONFIG_PAX_KERNEXEC.
> 

It works for me.
PAX_KERNEXEC is disabled by configuration since one of its dependencies is !XEN, so it's not available when using XEN settings, I think.
Comment 20 Anthony Basile gentoo-dev 2010-09-23 11:46:48 UTC
(In reply to comment #19)
> > It seems from the forum discussion that the culprit is just
> > CONFIG_PAX_KERNEXEC=y.  Can someone verify that a pv domU works with PaX fully
> > enabled *except* for CONFIG_PAX_KERNEXEC.
> > 
> 
> It works for me.
> PAX_KERNEXEC is disabled by configuration since on of the dependencies is !XEN
> so it's not available when using XEN settings, I think. 
> 

I'm in the process of writing documentation on this bug and the forum.  Can you let me know if CONFIG_PAX_MEMORY_UDEREF=y is set in your domU guest?

Also, I assume there is no hardening whatsoever of dom0.  Correct?
Comment 21 PaX Team 2010-09-23 22:03:56 UTC
My 2 cents: KERNEXEC and UDEREF will never work in a normal domU (they're disabled in Kconfig); whether HVM supports them is something I can't tell, but they may work there.
Comment 22 Anthony Basile gentoo-dev 2010-10-04 09:43:41 UTC
(In reply to comment #21)
> my 2 cents: KERNEXEC and UDEREF will never work in a normal domU (they're
> disabled in Kconfig), whether HVM supports them is something i can't tell but
> they may work there.
> 

They do work there.  I've run kernels with KERNEXEC and UDEREF as full virt guests in OpenSuse's xen implementation for well over a year.  No issues.
Comment 23 Anthony Basile gentoo-dev 2011-03-12 15:51:00 UTC
@Fabio.  This is an old bug, but I've been working on getting hardened working with virtualization, both by trying to fix bugs (i.e. getting upstream to do it :P) and by turning off those features in the hardened-sources config file which are incompatible.

Can you try to compile hardened-sources-2.6.37-r5 and/or hardened-sources-2.6.32-r40 and choose 

Security options
  ---> Grsecurity
    ---> Security Level
      ---> Hardened Gentoo [virtualization]

and see if these will boot as domUs.  If so, then I think we're done with this issue.
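As an added example (this is not code from the bug report, from Gentoo or from PaX): the thread narrows the PV domU boot failure down to CONFIG_PAX_KERNEXEC and CONFIG_PAX_MEMORY_UDEREF (comments 18 to 21), and the later "Hardened Gentoo [virtualization]" security level is the workaround that leaves them off. The POSIX sh script below checks a kernel .config for exactly those two symbols before the kernel is handed to Xen, so the problem is reported as a message instead of the "Unhandled invalid opcode fault" crash in xm dmesg. Assumptions that are mine and not stated on the page: CONFIG_XEN=y is treated as the marker for a PV-capable guest kernel in this series, the two sample configs are constructed here rather than taken from the attached config, and the function names (config_value, check_pv_domu_config) are mine.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Gentoo/PaX: check a kernel
# .config for the PaX options this thread found incompatible with a Xen PV domU.
# Assumptions (mine): CONFIG_XEN=y marks a PV-capable guest kernel; the sample
# configs below are constructed for this example, not copied from the attachment.

# Kconfig symbols that PaX Team said will never work in a normal (PV) domU.
PV_INCOMPATIBLE="CONFIG_PAX_KERNEXEC CONFIG_PAX_MEMORY_UDEREF"

# config_value FILE SYMBOL
# Prints the symbol's value for a SYMBOL=value line, "n" for the
# "# SYMBOL is not set" form, and nothing at all if the symbol is absent.
config_value() {
    _file=$1
    _sym=$2
    if grep -q "^${_sym}=" "$_file"; then
        sed -n "s/^${_sym}=//p" "$_file" | head -n 1
    elif grep -q "^# ${_sym} is not set" "$_file"; then
        echo n
    fi
}

# check_pv_domu_config FILE
# Returns 0 when FILE is usable for a PV domU (PV guest support on, neither
# PV-incompatible PaX feature built in); otherwise prints each problem on
# stderr and returns 1.  Every other PaX/grsecurity option is left alone:
# the thread's conclusion is that only these two have to go, not PaX as a whole.
check_pv_domu_config() {
    _cfg=$1
    _rc=0
    if [ "$(config_value "$_cfg" CONFIG_XEN)" != "y" ]; then
        echo "FAIL: CONFIG_XEN is not enabled; kernel cannot boot as a PV guest" >&2
        _rc=1
    fi
    for _s in $PV_INCOMPATIBLE; do
        if [ "$(config_value "$_cfg" "$_s")" = "y" ]; then
            echo "FAIL: ${_s}=y is incompatible with a Xen PV domU" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Two constructed sample configs: one like the 'server' security level, which
# turns KERNEXEC and UDEREF on, and one with them switched off, as the
# 'Hardened Gentoo [virtualization]' level does.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SERVER_CFG="$SAMPLE_DIR/server.config"
VIRT_CFG="$SAMPLE_DIR/virt.config"
cat > "$SERVER_CFG" <<'EOF'
CONFIG_XEN=y
CONFIG_PARAVIRT=y
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_MEMORY_UDEREF=y
EOF
cat > "$VIRT_CFG" <<'EOF'
CONFIG_XEN=y
CONFIG_PARAVIRT=y
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_KERNEXEC is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
EOF

# With a path argument, check that real .config; otherwise run the two samples.
if [ $# -gt 0 ]; then
    check_pv_domu_config "$1"
else
    for f in "$SERVER_CFG" "$VIRT_CFG"; do
        if check_pv_domu_config "$f"; then
            echo "$(basename "$f"): OK for PV domU"
        else
            echo "$(basename "$f"): NOT OK for PV domU"
        fi
    done
fi
```

Run it as `sh check_pv_domu.sh /usr/src/linux/.config` on the domU kernel tree; a non-zero exit with the FAIL lines means the config would produce the invalid-opcode crash seen in comment 1. Comment 22 notes that both features do run under full (HVM) virtualization, so the check is only meaningful for a paravirtualised guest.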
Comment 24 Anthony Basile gentoo-dev 2011-04-04 20:21:32 UTC
It is unlikely that a full fix will be found for this issue, and we have a workaround built into the kernel configs which deal with virtualization.  I'm closing this one.