headers
Philip Sanderson | 2 Nov 2010 23:24
Picon

Re: grsecurity & lguest

 

> KERNEXEC seems like it would be unsupported; as lguest wants to map
> executable code at 0xff[ce]00000 (drivers/lguest/core.c). I know for certain
> it does not work if you enable kernel modules :-) It would be nice if it was
> supported for the host.

I think I'm getting closer to why it's not supported on the guest:

./lguest 64 ../../../diffs/linux-2.6.35.8/vmlinux
lguest: unhandled trap 13 at 0x1001081 (0x10)

    1081:    ea 88 10 00 00 10 00     ljmp   $0x10,$0x1088

So I'm guessing it's not quite compatible with the segment selectors used when KERNEXEC is enabled since it reference to BOOT_CS, and it's dying on the ljmp to that CS.

BOOT_DS seems to work -- maybe the BOOT_CS Privilege level needs to be set to 1 ? I'll have a look further later on today.





_______________________________________________
grsecurity mailing list
grsecurity@...
http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
Permalink | Reply |
headers
Philip Sanderson | 4 Nov 2010 10:11
Picon

Re: grsecurity & lguest



I think I'm getting closer to why it's not supported on the guest:

./lguest 64 ../../../diffs/linux-2.6.35.8/vmlinux

lguest: unhandled trap 13 at 0x1001081 (0x10)

    1081:    ea 88 10 00 00 10 00     ljmp   $0x10,$0x1088


 So I think the problem is in

ENTRY(startup_32)
        /* test KEEP_SEGMENTS flag to see if the bootloader is asking
                us to not reload segments */
        testb $(1<<6), BP_loadflags(%esi)
        jnz 2f

/*
 * Set segments to known values.
 */
        lgdt pa(boot_gdt_descr)
        movl $(__BOOT_DS),%eax
        movl %eax,%ds
        movl %eax,%es
        movl %eax,%fs
        movl %eax,%gs
2:

and

#ifdef CONFIG_PAX_KERNEXEC_WAT
        movl $pa(boot_gdt),%edi
        movl $__LOAD_PHYSICAL_ADDR,%eax
        movw %ax,__BOOT_CS + 2(%edi)
        rorl $16,%eax
        movb %al,__BOOT_CS + 4(%edi)
        movb %ah,__BOOT_CS + 7(%edi)
        rorl $16,%eax
        ljmp $(__BOOT_CS),$1f


Since it does not set lgdt due to the paravirt boot code setting "don't reset segments" it's not initialized properly.

If I make the reset of lgdt unconditional it doesn't work (probably due to requiring the need of the hypervisor to make that change :-). If I #ifdef out the initial ljmp it dies at

# ./lguest 64 ../../../diffs/linux-2.6.35.8/vmlinux
lguest: unhandled trap 14 at 0x100ad26 (0xffffffdc)

        set_early_handler handler=early_protection_fault,trapno=13
        set_early_handler handler=early_page_fault,trapno=14

Checking addresses near by it:

00008d20 <irqfd_inject>:
    8d20:       55                      push   %ebp
    8d21:       89 e5                   mov    %esp,%ebp
    8d23:       83 ec 0c                sub    $0xc,%esp
    8d26:       89 5d f8                mov    %ebx,-0x8(%ebp)

emulator_set_cached_descriptor:
    ad24:       09 d0                   or     %edx,%eax
    ad26:       89 45 dc                mov    %eax,-0x24(%ebp)

0000bd20 <ftrace_raw_output_kvm_nested_vmrun>:
    bd20:       55                      push   %ebp
    bd21:       83 e9 14                sub    $0x14,%ecx
    bd24:       89 e5                   mov    %esp,%ebp
    bd26:       83 ec 34                sub    $0x34,%esp

So I'm not sure... need to work out how to get more indepth debugging information for it, for me to be able to work out what the problems are :\

I can't even get KERNEXEC working on a real machine either (model name    : Intel(R) Atom(TM) CPU N270   <at> 1.60GHz) :/

I'll try getting PAE/NX working instead for the time being and come back to kernexec later.


_______________________________________________
grsecurity mailing list
grsecurity@...
http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
Permalink | Reply |
headers
pageexec | 23 Dec 2010 00:20
Picon
Favicon

Re: grsecurity & lguest

On 4 Nov 2010 at 20:11, Philip Sanderson wrote:

just a heads up, the latest PaX patch should work with lguest under KERNEXEC
thanks to andrewg's work (if the code doesn't compile it's all my fault, i didn't
test my cleaned up version ;). the solution is not ideal in that lguest's flat
ring-0 segments are kept as is and that's obviously not good for KERNEXEC, but
i'll let you guys refine this further.

> I can't even get KERNEXEC working on a real machine either (model name    :
> Intel(R) Atom(TM) CPU N270    <at>  1.60GHz) :/

what's the issue there? does that CPU have an NX bit? is it enabled? what happens
when you boot a PAE/PaX kernel? does vanilla/PAE work?
Permalink | Reply |

Gmane