
[Xen-devel] grsecurity +XEN w/o HVM

  • To: <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: "John Anderson" <johnha@xxxxxxxxxx>
  • Date: Mon, 26 Jun 2006 17:05:25 -0700
  • Delivery-date: Mon, 26 Jun 2006 17:05:53 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AcaZfWRpPhevHeNbQ1Orb0nAkahgGg==
  • Thread-topic: grsecurity +XEN w/o HVM



I’ve undertaken a small task of porting grsecurity-2.1.9 to xen-3.0-testing.  I’ve never done any sort of OS or kernel development before, so it’s pretty daunting.  So far I’ve been able to compile an i386 kernel and compile and boot an x86_64 kernel with some of the grsec/PAX features working.  I’m pretty sure that PAX_RANDSTACK is not working though because of CONFIG_X86_NO_TSS.  The function the grsecurity patch adds to arch/i386/kernel/process.c is:



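asmlinkage void pax_randomize_kstack(void)
{
       struct tss_struct *tss = init_tss + smp_processor_id();
       unsigned long time;

       if (!randomize_va_space)
               return;

       /* low 32 bits of the time stamp counter supply the random bits */
       rdtscl(time);

       /* P4 seems to return a 0 LSB, ignore it */
#ifdef CONFIG_MPENTIUM4
       time &= 0x1EUL;
       time <<= 2;
#else
       time &= 0xFUL;
       time <<= 3;
#endif

       /* flip bits 3..6 of the ring-0 stack pointer and mirror it in the thread */
       tss->esp0 ^= time;
       current->thread.esp0 = tss->esp0;
}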




I surrounded the tss_struct declaration and the tss->esp0/current->thread.esp0 assignments with #ifdef CONFIG_X86_NO_TSS lines to get the kernel to compile.  That completely defeats the purpose of this function, which is to randomize the kernel stack.  What is available in Xen that is comparable to the capacity that struct tss_struct is used in if CONFIG_X86_NO_TSS is defined?


Any ideas would be greatly appreciated.


For reference GRSecurity is available at www.grsecurity.net.




John A.
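
An added example, not part of the original message or of the grsecurity patch: a user-space C model of the mask-and-shift arithmetic in the quoted function. It shows that the XOR selects one of 16 eight-byte-aligned offsets (0 to 0x78) and that esp0 never varies once the assignments are compiled out. The helper names, the `p4` switch and the sample esp0 value are constructed for illustration.

```c
#include <stdio.h>

/* Offset XORed into esp0. tsc_low stands in for `time`; p4 selects the
 * 0x1E mask with shift 2, otherwise the 0xF mask with shift 3 is used. */
static unsigned long kstack_offset(unsigned long tsc_low, int p4)
{
    unsigned long time = tsc_low;
    if (p4) {
        time &= 0x1EUL;   /* drop bit 0, keep bits 1..4 */
        time <<= 2;
    } else {
        time &= 0xFUL;    /* keep bits 0..3 */
        time <<= 3;
    }
    return time;          /* always a multiple of 8 in 0..0x78 */
}

/* Count distinct esp0 values seen over a sweep of counter values.
 * randomize = 0 models the build where the esp0 update is compiled out. */
static int distinct_esp0(unsigned long esp0, int p4, int randomize)
{
    unsigned char seen[16] = {0};
    int n = 0;
    for (unsigned long tsc = 0; tsc < 256; tsc++) {
        unsigned long v = randomize ? esp0 ^ kstack_offset(tsc, p4) : esp0;
        unsigned idx = (unsigned)((v >> 3) & 0xF);   /* bits 3..6 */
        if (!seen[idx]) { seen[idx] = 1; n++; }
    }
    return n;
}

/* The XOR must never disturb the low three bits of the stack pointer. */
static int keeps_alignment(unsigned long esp0, int p4)
{
    for (unsigned long tsc = 0; tsc < 256; tsc++)
        if (((esp0 ^ kstack_offset(tsc, p4)) & 7UL) != (esp0 & 7UL))
            return 0;
    return 1;
}

int main(void)
{
    unsigned long esp0 = 0xc0ffe000UL;   /* constructed sample value */
    printf("max offset: 0x%lx\n", kstack_offset(~0UL, 0));
    printf("distinct esp0, randomized:   %d\n", distinct_esp0(esp0, 0, 1));
    printf("distinct esp0, compiled out: %d\n", distinct_esp0(esp0, 0, 0));
    printf("alignment preserved: %d\n", keeps_alignment(esp0, 1));
    return 0;
}
```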

