
Oct 24 2018

Patrick closed T468: package paxrat for official debian.org repository as Resolved.

https://packages.debian.org/stretch/paxrat

Oct 24 2018, 10:08 AM · Whonix, bountysource, bounty, grsecurity, sponsor-B

Apr 29 2017

HulaHoop closed T301: make grsecurity kernel, grsecurity-installer work inside Whonix as Invalid.

upstream ceased open development: https://www.grsecurity.net/passing_the_baton_faq.php

Apr 29 2017, 6:20 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix
HulaHoop closed T203: grsecurity kernel installation instructions as Invalid.

upstream ceased open development: https://www.grsecurity.net/passing_the_baton_faq.php

Apr 29 2017, 6:20 PM · sponsor-B, grsecurity, research, security, Whonix

May 4 2016

Patrick updated the task description for T301: make grsecurity kernel, grsecurity-installer work inside Whonix.
May 4 2016, 9:37 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix

Apr 2 2016

Patrick updated the task description for T207: Build Debian Packages from Source Code.
Apr 2 2016, 7:46 PM · bountysource, bounty, sponsor-B, security, Whonix
Patrick updated the task description for T207: Build Debian Packages from Source Code.
Apr 2 2016, 6:27 PM · bountysource, bounty, sponsor-B, security, Whonix

Mar 1 2016

HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Unfortunately the maintainer said that it's a big maintenance burden for him but is open to outside help. I asked for this functionality to be added as optional for the source package.

Mar 1 2016, 7:28 PM · sponsor-B, grsecurity, research, security, Whonix

Feb 29 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.
In T203#8183, @HulaHoop wrote:

Opened feature request:
linux-grsec-base: Multiple Compiled Grsec Kernels for Virtualization Compatibility
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816309

Feb 29 2016, 10:43 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Opened feature request:

Feb 29 2016, 7:40 PM · sponsor-B, grsecurity, research, security, Whonix

Feb 5 2016

HulaHoop added a comment to T203: grsecurity kernel installation instructions.

The author (Collin Childs) is associated with Tor

Feb 5 2016, 4:21 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick updated the task description for T468: package paxrat for official debian.org repository.
Feb 5 2016, 1:05 PM · Whonix, bountysource, bounty, grsecurity, sponsor-B
Patrick updated the task description for T468: package paxrat for official debian.org repository.
Feb 5 2016, 1:05 PM · Whonix, bountysource, bounty, grsecurity, sponsor-B
Patrick updated the task description for T468: package paxrat for official debian.org repository.
Feb 5 2016, 1:04 PM · Whonix, bountysource, bounty, grsecurity, sponsor-B
Patrick created T468: package paxrat for official debian.org repository.
Feb 5 2016, 1:04 PM · Whonix, bountysource, bounty, grsecurity, sponsor-B
Patrick added a comment to T203: grsecurity kernel installation instructions.

Having had a glimpse at the code, it is still missing tons of required
features. Almost everything listed in T301. Anyhow. Good to know.

Feb 5 2016, 12:26 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Coldkernel is a project that is better at what grsecurity-installer was meant to be:

Feb 5 2016, 7:15 AM · sponsor-B, grsecurity, research, security, Whonix

Jan 28 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.

There is no "no duplicate package" policy in that sense. There is a "no
duplicate source code" policy. [Compare: linux-image-686 vs
linux-image-686 are not considered duplicates either. Sharing the very
same source package.] Therefore linux-grsec-generic, linux-grsec-xen,
etc. should not be a policy issue.

Jan 28 2016, 10:17 AM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Not gonna happen. It took this long to package grsec for Debian because of their no duplicate packages policy so the patch had to be adjusted to work with the Debian flavor of the linux kernel.

Jan 28 2016, 4:14 AM · sponsor-B, grsecurity, research, security, Whonix

Jan 27 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.

What about separate binary packages per hypervisor?

Jan 27 2016, 3:30 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Could support for all hypervisors be enabled at the same time?

Jan 27 2016, 4:23 AM · sponsor-B, grsecurity, research, security, Whonix

Jan 26 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.

Could support for all hypervisors be enabled at the same time?

Jan 26 2016, 11:40 PM · sponsor-B, grsecurity, research, security, Whonix

Jan 25 2016

HulaHoop added a comment to T203: grsecurity kernel installation instructions.

The problem is the Debian kernel is not compiled with any virtualization support.

Jan 25 2016, 8:39 PM · sponsor-B, grsecurity, research, security, Whonix

Jan 22 2016

HulaHoop added a comment to T203: grsecurity kernel installation instructions.

What does not work? The package build/install or the grsecurity kernel itself?

Jan 22 2016, 3:37 AM · sponsor-B, grsecurity, research, security, Whonix

Jan 21 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.

You want softmode, right? So why use 'kernel.pax.softmode=0' instead of
'kernel.pax.softmode=1'?

Jan 21 2016, 6:11 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

What does not work? The package build/install or the grsecurity kernel
itself?

Jan 21 2016, 6:08 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

I tried manually testing the 05-grsec.conf settings with no success. Editing the original grsec.conf doesn't work either. (I tried with the kernel conf lock setting disabled). I don't know what to try now...

Jan 21 2016, 6:00 PM · sponsor-B, grsecurity, research, security, Whonix

Jan 19 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.

debian/rules debian/control misses systemd entries.

Jan 19 2016, 9:59 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

OK did the changes but need to test package.

Jan 19 2016, 9:52 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

HulaHoop (HulaHoop):

> needs a license header.
It's all GPLv3. Do you have an example?
Jan 19 2016, 5:49 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

needs a license header.

Jan 19 2016, 5:01 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

This can very well go to the testers and also the stable repository just
as any package. As long as it's not installed by default there really is
no reason against it since it requires a manual action to install that
won't be happening accidentally without reading documentation.

Jan 19 2016, 12:20 AM · sponsor-B, grsecurity, research, security, Whonix

Jan 18 2016

HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Some notes: When copying paxctld all my tabbing disappeared and the file looks hideous.

Jan 18 2016, 10:45 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

And how does corsac's repository help with that compared to Debian sid repository?

Jan 18 2016, 10:25 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Yes. Let's go simple for start and then see where we get.

Jan 18 2016, 10:14 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

I'm almost done with the exceptions list. I merged some rules to cover Tor Browser and a few other binaries that weren't included. Changed some binary paths to reflect those on Debian...

Jan 18 2016, 10:00 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Why are we back to using corsac's repository? Why not use Debian sid repository and apt pinning instead?

Jan 18 2016, 9:55 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Yes. Merge the first two packages.

Jan 18 2016, 4:55 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Yes. Merge the first two packages.

Jan 18 2016, 2:58 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Package roadmap:

Jan 18 2016, 5:32 AM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

To obtain a binary package or source package to compile?

Jan 18 2016, 5:15 AM · sponsor-B, grsecurity, research, security, Whonix

Jan 17 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.

To land a grsec kernel ASAP we can use corsac's Jessie repo.

Jan 17 2016, 8:55 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

To land a grsec kernel ASAP we can use corsac's Jessie repo.

Jan 17 2016, 5:40 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

All we need is a dpkg hook and a conf file for paxctld (the latter mirrors the Arch Linux one)

Jan 17 2016, 4:18 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

My last comment is wrong. David's description is on point.

Jan 17 2016, 3:39 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.
Jan 17 2016, 1:27 AM · sponsor-B, grsecurity, research, security, Whonix

Jan 16 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.

Can you shed light on paxctld vs paxrat?

Jan 16 2016, 7:54 PM · sponsor-B, grsecurity, research, security, Whonix

Jan 11 2016

HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Good question. I asked upstream because it depends on what direction they'll take:

Jan 11 2016, 11:55 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Do you think paxrat will require a .d config file folder? Would we need a custom paxrat.conf?

Jan 11 2016, 10:55 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Do you think paxrat will require a .d config file folder?

Jan 11 2016, 9:51 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Do you think paxrat will require a .d config file folder? Would we need a custom paxrat.conf?

Jan 11 2016, 6:52 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

HulaHoop (HulaHoop):

Should I resend them with these headings removed?

Jan 11 2016, 5:08 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

No. Should I resend them with these headings removed?

Jan 11 2016, 3:39 PM · sponsor-B, grsecurity, research, security, Whonix

Jan 10 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.

Did you remove the X-Debbugs-CC's? I worry that no one up to package it got actually informed by the RFP. Maybe not super important, since the RFP may not necessarily speed up things.

Jan 10 2016, 5:29 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Latest post by Yves on status of grsec support and comments on the default settings chosen for the kernel package.

Jan 10 2016, 4:57 PM · sponsor-B, grsecurity, research, security, Whonix

Jan 8 2016

HulaHoop added a comment to T203: grsecurity kernel installation instructions.

RFP sent.

Jan 8 2016, 9:48 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Want to post the RFP?

Jan 8 2016, 9:47 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

There is also a linux-grsec backported kernel package available for Jessie which means we don't have to mess with apt-pinning or a dependency mess to build the source one optionally.

Jan 8 2016, 9:33 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Upstream has sorted out a lot. Licensing, dpkg hooks and config file comments (pull request by Alexey Derlaft).

Jan 8 2016, 8:39 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Dpkg hooks request filed: https://github.com/subgraph/paxrat/issues/5

Jan 8 2016, 1:43 AM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Feature request won't harm probably.

Jan 8 2016, 12:00 AM · sponsor-B, grsecurity, research, security, Whonix

Jan 7 2016

HulaHoop added a comment to T203: grsecurity kernel installation instructions.

I see. Do I open a ticket for adding the dpkg shell scripts? Do we just wait?

Jan 7 2016, 11:43 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Until now there is no license file and no license information in the source files either. So for the moment it cannot be considered Libre Software and must be considered proprietary. Please open an issue on paxrat github.

Jan 7 2016, 11:26 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

What blanks?

Jan 7 2016, 11:14 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

What blanks?

Jan 7 2016, 10:27 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Asked for comments support:

Jan 7 2016, 6:13 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

ETA for subgraphOS alpha: https://twitter.com/attractr/status/684075394509717505

Jan 7 2016, 6:21 AM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

First I applied the Apt-pinning instructions (https://www.whonix.org/wiki/Template:Apt-Pinning) then:

Jan 7 2016, 12:28 AM · sponsor-B, grsecurity, research, security, Whonix

Jan 6 2016

Patrick added a comment to T203: grsecurity kernel installation instructions.

Can you write/post draft/submit a Debian RFP (Request for Package) for paxrat please?

Jan 6 2016, 9:33 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

Debian packaging:
https://github.com/subgraph/paxrat/issues/1

Jan 6 2016, 9:24 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

Would you create/maintain that list?

Jan 6 2016, 8:55 PM · sponsor-B, grsecurity, research, security, Whonix
Patrick added a comment to T203: grsecurity kernel installation instructions.

What is the status of https://www.whonix.org/wiki/Grsecurity? Tested / working in Whonix?

Jan 6 2016, 6:40 PM · sponsor-B, grsecurity, research, security, Whonix
HulaHoop added a comment to T203: grsecurity kernel installation instructions.

linux-grsec now in Debian unstable

Jan 6 2016, 5:26 PM · sponsor-B, grsecurity, research, security, Whonix

Aug 21 2015

HulaHoop added a comment to T301: make grsecurity kernel, grsecurity-installer work inside Whonix.

Actually the best option is the availability of a Debian grsecurity kernel source package that can be deterministically built. That way the maintenance and update burden is handled upstream and it can be securely installed thru apt with the full protections of grsecurity.

Aug 21 2015, 5:38 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix

Aug 20 2015

Patrick removed a project from T301: make grsecurity kernel, grsecurity-installer work inside Whonix: Whonix 12.
Aug 20 2015, 12:04 AM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix

Aug 19 2015

Patrick removed a project from T203: grsecurity kernel installation instructions: Whonix 12.
Aug 19 2015, 7:53 PM · sponsor-B, grsecurity, research, security, Whonix

Aug 18 2015

HulaHoop added a comment to T301: make grsecurity kernel, grsecurity-installer work inside Whonix.

Long term I think it's better to have a script to compile and update a grsec kernel than a package in upstream repos because some protections can only be effective if they are unique to the user. A precompiled kernel loses these benefits because the protection values are public and known to everyone including the attacker. Arch has a packaged kernel and they explain the limits:

Aug 18 2015, 9:50 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix

Aug 6 2015

Patrick closed T208: better TRNG support as Wontfix.
Aug 6 2015, 7:21 PM · Whonix 12, security, Whonix, sponsor-B

Jul 28 2015

HulaHoop added a comment to T208: better TRNG support.

Yes.

Jul 28 2015, 8:12 PM · Whonix 12, security, Whonix, sponsor-B
Patrick added a comment to T208: better TRNG support.
In T208#6040, @HulaHoop wrote:

The common wisdom is "more entropy can't hurt" [...]
the doubts about this common idea by cryptologist Daniel Bernstein [2] I think we should throw out the idea of supporting TRNG [...]
[2]http://blog.cr.yp.to/20140205-entropy.html

Jul 28 2015, 6:06 PM · Whonix 12, security, Whonix, sponsor-B

Jul 27 2015

HulaHoop added a comment to T208: better TRNG support.

Subverting the HWRNG is the lower hanging fruit and is the most effective to target. It needs minimal conspiracy as only a very simple and small modification is done to sabotage it during the manufacturing process so no one in the design process even knows about it. It's the ultimate backdoor because without a good RNG everything else falls apart.

Jul 27 2015, 4:18 PM · Whonix 12, security, Whonix, sponsor-B
Patrick added a comment to T208: better TRNG support.

Back to the proprietary hardware issue.

Jul 27 2015, 3:33 PM · Whonix 12, security, Whonix, sponsor-B
Patrick added a comment to T208: better TRNG support.

As per http://onerng.info/onerng/ instructions, it also uses rng-tools. (+ The onerng driver package.) (Note: this ticket is not necessarily limited to rngd either.)

Jul 27 2015, 3:24 PM · Whonix 12, security, Whonix, sponsor-B
HulaHoop added a comment to T208: better TRNG support.

Open Hardware implementations are great to have. Does onerng use a different package?

Jul 27 2015, 3:06 PM · Whonix 12, security, Whonix, sponsor-B
Patrick added a comment to T208: better TRNG support.

What about Open Hardware implementations? Such as onerng?

Jul 27 2015, 1:18 PM · Whonix 12, security, Whonix, sponsor-B

Jul 26 2015

HulaHoop added a comment to T208: better TRNG support.

Right. Same applies to any closed hardware implementation not open to public review.

Jul 26 2015, 7:33 PM · Whonix 12, security, Whonix, sponsor-B
Patrick added a comment to T208: better TRNG support.

This isn't tied to Intel. There are other vendors.

Jul 26 2015, 8:36 AM · Whonix 12, security, Whonix, sponsor-B

Jul 25 2015

HulaHoop added a comment to T208: better TRNG support.

The common wisdom is "more entropy can't hurt" but given the almost certain probability of Intel hardware RNG being subverted [1] and the doubts about this common idea by cryptologist Daniel Bernstein [2] I think we should throw out the idea of supporting TRNG and add only on fully open and trusted RNG packages that are authored by knowledgeable people. A malicious vs broken rng is actually harmful.

Jul 25 2015, 11:06 PM · Whonix 12, security, Whonix, sponsor-B
Patrick updated the task description for T208: better TRNG support.
Jul 25 2015, 7:54 PM · Whonix 12, security, Whonix, sponsor-B

Jun 23 2015

Patrick added a comment to T212: ask about Alpine Linux package manager security.

Too long ago... Trying to find this again...

Jun 23 2015, 4:59 PM · sponsor-B, security, Whonix 10, Whonix
ncopa added a comment to T212: ask about Alpine Linux package manager security.

care to give any details about indefinite freeze and downgrade attacks that gentoo has?

Jun 23 2015, 2:05 PM · sponsor-B, security, Whonix 10, Whonix

Jun 6 2015

Patrick added a comment to T301: make grsecurity kernel, grsecurity-installer work inside Whonix.

http://www.corsac.net/index.php?post=1575

Jun 6 2015, 5:00 AM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix

May 21 2015

Patrick added a comment to T301: make grsecurity kernel, grsecurity-installer work inside Whonix.

It's also just a compiled kernel. I am that far. Has almost the same TODO as this ticket. Non-minor stuff such as "desktop environment (kdm) currently does not start, needs fixing".

May 21 2015, 4:18 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix

May 20 2015

HulaHoop added a comment to T301: make grsecurity kernel, grsecurity-installer work inside Whonix.

What about the corsac repository listed in:
https://wiki.debian.org/grsecurity

May 20 2015, 6:25 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix
Patrick added a comment to T301: make grsecurity kernel, grsecurity-installer work inside Whonix.

Mempo kernel:

May 20 2015, 3:38 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix
HulaHoop added a comment to T301: make grsecurity kernel, grsecurity-installer work inside Whonix.

What are cons of using the Mempo kernel that's already patched with grsecurity?

May 20 2015, 2:53 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix

May 13 2015

HulaHoop added a comment to T301: make grsecurity kernel, grsecurity-installer work inside Whonix.

A compact list of sane grsec defaults as deployed on gentoo:

May 13 2015, 3:47 AM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix

May 12 2015

Patrick updated subscribers of T301: make grsecurity kernel, grsecurity-installer work inside Whonix.
May 12 2015, 5:26 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix
Patrick updated the task description for T301: make grsecurity kernel, grsecurity-installer work inside Whonix.
May 12 2015, 5:18 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix
Patrick updated the task description for T301: make grsecurity kernel, grsecurity-installer work inside Whonix.
May 12 2015, 5:17 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix
Patrick created T301: make grsecurity kernel, grsecurity-installer work inside Whonix.
May 12 2015, 5:16 PM · bountysource, bounty, grsecurity-installer, sponsor-B, Whonix