[Xen-devel] grsecurity +XEN w/o HVM


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: "John Anderson" <johnha@xxxxxxxxxx>
  • Date: Mon, 26 Jun 2006 17:05:25 -0700
  • Delivery-date: Mon, 26 Jun 2006 17:05:53 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AcaZfWRpPhevHeNbQ1Orb0nAkahgGg==
  • Thread-topic: grsecurity +XEN w/o HVM

Greetings,

I’ve undertaken a small task of porting grsecurity-2.1.9 to xen-3.0-testing.  I’ve never done any sort of OS or kernel development before, so it’s pretty daunting.  So far I’ve been able to compile an i386 kernel and compile and boot an x86_64 kernel with some of the grsec/PaX features working.  I’m pretty sure that PAX_RANDKSTACK is not working though because of CONFIG_X86_NO_TSS.  The function the grsecurity patch adds to arch/i386/kernel/process.c is:

#ifdef CONFIG_PAX_RANDKSTACK
asmlinkage void pax_randomize_kstack(void)
{
       struct tss_struct *tss = init_tss + smp_processor_id();
       unsigned long time;

       if (!randomize_va_space)
              return;

       /* low 32 bits of the TSC are the entropy source */
       rdtscl(time);

       /* P4 seems to return a 0 LSB, ignore it */
#ifdef CONFIG_MPENTIUM4
       time &= 0x1EUL;
       time <<= 2;
#else
       time &= 0xFUL;
       time <<= 3;
#endif
       /* either way only bits 3..6 are set: a 16-slot, 8-byte-stride window */

       /* perturb the ring-0 stack pointer in the TSS and keep the per-thread copy in sync */
       tss->esp0 ^= time;
       current->thread.esp0 = tss->esp0;
}
#endif

I surrounded the tss_struct declaration and the tss->esp0/current->thread.esp0 assignments with #ifdef CONFIG_X86_NO_TSS lines to get the kernel to compile.  That completely defeats the purpose of this function which is to randomize the kernel stack.  What is available in Xen that is comparable to the capacity that struct tss_struct is used in if CONFIG_X86_NO_TSS is defined?

Any ideas would be greatly appreciated.

For reference, grsecurity is available at www.grsecurity.net.

Thanks,

John A.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
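As an added example (not code from the post, from grsecurity or from Xen), the following user-space C model reproduces the arithmetic of pax_randomize_kstack() above so the amount of randomization it provides can be checked without a kernel. The struct names, the pentium4 flag in place of CONFIG_MPENTIUM4, and the 0xc0400000 sample base address are assumptions of this model only; the TSS write itself is replaced by a plain struct field, which is exactly the part that has no equivalent under CONFIG_X86_NO_TSS.

```c
#include <stdio.h>
#include <stdbool.h>

/* Stand-ins for the kernel structures the PaX function touches.
 * Assumption: only the esp0 field matters for this model. */
struct tss_model    { unsigned long esp0; };
struct thread_model { unsigned long esp0; };

/* Derive the XOR mask from the low TSC word the way pax_randomize_kstack() does.
 * pentium4 plays the role of CONFIG_MPENTIUM4 (model assumption). */
static unsigned long pax_kstack_mask(unsigned long tsc, bool pentium4)
{
    if (pentium4) {
        tsc &= 0x1EUL;   /* skip the LSB, which the P4 TSC returns as 0 */
        tsc <<= 2;
    } else {
        tsc &= 0xFUL;
        tsc <<= 3;
    }
    return tsc;          /* in both variants only bits 3..6 can be set */
}

/* User-space model of pax_randomize_kstack(): perturb the TSS esp0 and mirror
 * it into the per-thread copy, or do nothing when randomization is disabled. */
static void model_randomize_kstack(struct tss_model *tss, struct thread_model *thread,
                                   unsigned long tsc, bool pentium4, int randomize_va_space)
{
    if (!randomize_va_space)
        return;
    tss->esp0 ^= pax_kstack_mask(tsc, pentium4);
    thread->esp0 = tss->esp0;
}

/* Walk every value of the low TSC byte and check the invariants a practitioner
 * cares about: the perturbation stays inside bits 3..6 (same 128-byte aligned
 * block, 8-byte stride), alignment is kept, and the thread copy tracks the TSS.
 * Returns the number of distinct esp0 values reached, or a negative code on a
 * violated invariant. Expected: 16 for both the P4 and the non-P4 variant. */
static int count_kstack_positions(unsigned long base, bool pentium4)
{
    bool seen[16] = { false };
    int distinct = 0;

    for (unsigned long tsc = 0; tsc < 256; tsc++) {
        struct tss_model tss = { base };
        struct thread_model th = { 0 };

        model_randomize_kstack(&tss, &th, tsc, pentium4, 1);

        unsigned long delta = tss.esp0 ^ base;
        if (delta & ~0x78UL)     return -1;  /* touched a bit outside 3..6 */
        if (tss.esp0 & 7UL)      return -2;  /* broke 8-byte alignment */
        if (th.esp0 != tss.esp0) return -3;  /* thread copy out of sync */

        unsigned idx = (unsigned)(delta >> 3);  /* 0..15 */
        if (!seen[idx]) { seen[idx] = true; distinct++; }
    }
    return distinct;
}

/* With randomize_va_space == 0 neither field may change. */
static bool disabled_leaves_esp0_alone(void)
{
    struct tss_model tss = { 0xc0400000UL };
    struct thread_model th = { 0 };
    model_randomize_kstack(&tss, &th, 0xFFUL, false, 0);
    return tss.esp0 == 0xc0400000UL && th.esp0 == 0;
}

int main(void)
{
    /* 0xc0400000 is a constructed, 8-byte-aligned sample base address. */
    printf("non-P4 variant: %d distinct esp0 values\n",
           count_kstack_positions(0xc0400000UL, false));
    printf("P4 variant:     %d distinct esp0 values\n",
           count_kstack_positions(0xc0400000UL, true));
    return 0;
}
```

Two things the model makes visible that the kernel function does not state: the mask can only ever carry bits 3..6, so esp0 moves among 16 slots eight bytes apart and never leaves the 128-byte aligned block it started in, and because the perturbation is an XOR rather than a subtraction it can move esp0 upward as well as downward within that block. Whatever replaces the tss->esp0 write on Xen has to preserve the second line of the function as well, since the per-thread esp0 copy is what later context switches read back.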
