Improved hardened kernels available [was: Re: Announcing security hardened kernels for testing]
Martin Pitt
martin.pitt at canonical.com
Fri Jan 7 02:39:48 CST 2005
Hello again,
Martin Pitt [2005-01-04 16:16 +0100]:
> Right now I built kernels for i386 (a generic 386 package and an
> optimized K7 one) and powerpc. These are the platforms I can test at
> home, but I will build kernels for other flavors (like 686, SMP and
> Power4) and architectures soon, too.
Now all i386 and PowerPC flavours that the standard kernel provides are
available (386/686/K7 with and without SMP support,
PowerPC/Power3/Power4 with and without SMP).
> You can download the debs from [4]. Alternatively you can add an apt
> source to install and upgrade them easily:
>
> deb http://people.ubuntu.com/~pitti/linux-hardened/ /
> deb-src http://people.ubuntu.com/~pitti/linux-hardened/ /
If you use this, you just need to apt-get dist-upgrade.
> Caveats:
>
> - The XFS file system does not work with these kernels at the moment,
> so do not install them if you rely on XFS. I try to sort that out
> soon.
This has been fixed.
> - Some programs (most notably X.org and OpenOffice.org) still rely on
> executing writeable memory, so the PaX protection has to be
> disabled for them. You have to install the "chpax" package and
> execute the following commands before everything will work:
> [...]
>
> This will set flags in the ELF headers, so you have to repeat these
> commands after every X.org/OO.o package upgrade for now. These
> flags do not interfere with anything, so you can safely set them
> and use the programs on a normal kernel. In the near future I will
> try to make this happen automatically.
I created a package linux-hardened-support which ships a script
"update-linux-hardened-support" which does all necessary setup in a
configurable way. Moreover, the kernel packages depend on this package
and will automatically execute the update script on installation.
> - Framebuffer text console does not work on my i386 (it works fine on
> my iBook, though). So if you don't see any output, please boot with
> the normal VGA mode (remove the vga= kernel parameter). I
> appreciate feedback on this!
This is still broken on my i386, I do not get any output (however, the
system boots normally and X.org starts, too).
Enjoy and please let me know about any problems!
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
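The caveat above says that disabling PaX for X.org and OpenOffice.org works by setting flags in the ELF headers, and that the flags are lost when a package upgrade replaces the binaries. The following is an added example, not code from this mail, from the linux-hardened packages, from chpax or from PaX: a small Python auditor that reads a binary's PaX markings and reports which protections it opts out of, so an administrator can check after an upgrade whether the marking still needs to be reapplied. It goes beyond the mail in handling both marking formats PaX has used: the legacy chpax-style byte in e_ident and a PT_PAX_FLAGS program header. The constant values (PT_PAX_FLAGS = 0x65041580, the enable/disable bit pairs, the legacy byte at e_ident[14] with a set bit meaning "disabled") are assumptions taken from PaX's conventions and are not stated in the mail; the sample ELF image is constructed inline so the script runs without any real binary.

```python
"""Audit per-binary PaX markings in an ELF file (added example, not from the
linux-hardened packages, chpax or PaX).  Assumptions: the PT_PAX_FLAGS
program-header type and its flag bits follow PaX's conventions, and the legacy
chpax marking lives in e_ident[14] with a set bit meaning "feature disabled"."""
import struct
import sys

PT_PAX_FLAGS = 0x65041580   # assumption: PaX-specific program header type
EI_PAX = 14                 # assumption: legacy marking byte inside e_ident

# name -> (enable bit, disable bit) in the PT_PAX_FLAGS p_flags field (assumption)
PT_FLAGS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}
# legacy chpax bits in e_ident[EI_PAX]; a set bit disables the feature (assumption)
LEGACY_FLAGS = {"PAGEEXEC": 1, "EMUTRAMP": 2, "MPROTECT": 4,
                "RANDMMAP": 8, "RANDEXEC": 16, "SEGMEXEC": 32}


def parse_pax_markings(data: bytes) -> dict:
    """Return {'legacy': {...}, 'pt_pax_flags': {...} or None} for one ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    legacy_byte = data[EI_PAX]
    legacy = {name: ("disabled" if legacy_byte & bit else "enabled")
              for name, bit in LEGACY_FLAGS.items()}

    # Locate the program header table; field offsets differ between ELF32/ELF64.
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    pt_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type != PT_PAX_FLAGS:
            continue
        # p_flags follows p_type directly in ELF64 but sits at offset 24 in ELF32.
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        pt_flags = {}
        for name, (on_bit, off_bit) in PT_FLAGS.items():
            if p_flags & off_bit:
                pt_flags[name] = "disabled"
            elif p_flags & on_bit:
                pt_flags[name] = "enabled"
            else:
                pt_flags[name] = "default"   # kernel default applies
        break
    return {"legacy": legacy, "pt_pax_flags": pt_flags}


def relaxed_features(data: bytes) -> list:
    """Sorted names of PaX features the binary opts out of in either format."""
    m = parse_pax_markings(data)
    out = {n for n, s in m["legacy"].items() if s == "disabled"}
    if m["pt_pax_flags"]:
        out |= {n for n, s in m["pt_pax_flags"].items() if s == "disabled"}
    return sorted(out)


def make_sample_elf() -> bytes:
    """Constructed minimal ELF64 little-endian image (headers only, no code):
    the legacy byte opts out of MPROTECT, and a PT_PAX_FLAGS header opts out of
    MPROTECT and opts in to EMUTRAMP."""
    e_ident = bytearray(16)
    e_ident[0:4] = b"\x7fELF"
    e_ident[4] = 2                       # ELFCLASS64
    e_ident[5] = 1                       # ELFDATA2LSB
    e_ident[6] = 1                       # EV_CURRENT
    e_ident[EI_PAX] = LEGACY_FLAGS["MPROTECT"]
    phoff = 64                           # program headers right after the ELF header
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = bytes(e_ident) + struct.pack("<HHIQQQIHHHHHH",
        2, 62, 1, 0x400000, phoff, 0, 0, 64, 56, 1, 0, 0, 0)
    p_flags = PT_FLAGS["MPROTECT"][1] | PT_FLAGS["EMUTRAMP"][0]
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python pax_audit.py /path/to/binary ...   (no args: audit the sample)
    paths = sys.argv[1:]
    images = [(p, open(p, "rb").read()) for p in paths] or [("<sample>", make_sample_elf())]
    for path, data in images:
        print(path, "relaxed:", ", ".join(relaxed_features(data)) or "none")
```

Run against the binaries the mail names after an X.org or OpenOffice.org upgrade: an empty "relaxed" list means the marking was lost and the update script needs to run again, while a list containing MPROTECT shows the opt-out is still in place.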