
5.13 / 5.14

Open hyder365 opened this issue 3 years ago • 20 comments

Linux 5.14 is on rc3 as of right now, and linux-hardened still doesn't have a 5.13 patch. Is there a reason the 5.13 branch (one month old) is being skipped? Thanks.

hyder365 avatar Jul 26 '21 18:07 hyder365

Yes, because the port is incomplete. Feel free to participate, primarily the "slub: add multi-purpose random canaries" fails during boot.

anthraxx avatar Jul 27 '21 10:07 anthraxx

Should the offending patch be temporarily reverted then?

Bernhard40 avatar Aug 12 '21 17:08 Bernhard40

Should the offending patch be temporarily reverted then?

This seems to happen with every mainline release. Can anyone speak as to when the last attempt to upstream the overall patchset was? Or any part of it? Time has shown that this is a losing game, with the people left vulnerable for weeks/months being the real losers.

hyder365 avatar Aug 12 '21 18:08 hyder365

@hyder365 how about you contribute then? I'm sick of all the vampires taking all the work for free without giving back but choose all possibility to cry a river. It's a massive time investment here that I'm doing on top of my day job for free. Use the LTS tags. If you don't like it, and don't want to contribute to make it better or faster, don't use it.

@Bernhard40 5.13 is nearly finished, test workspaces boot and seem to function, most likely the release will be during the weekend

anthraxx avatar Aug 12 '21 18:08 anthraxx

For the record and for people that really want to help us instead of just complaining, 5.13 is particularly annoying due to KASAN changes – see da844b787245 and d57a964e09c2 — that conflict with SLUB hardenings in linux-hardened. This is actually not the first time. By the way, 5.12 brought KFENCE, which is a bit problematic too especially with slab canaries, and we're still not set on the best way to handle that.

Nowadays I'd say that the bulk of linux-hardened is in mm/slab.h and mm/slub.c, so you could start by looking at what patches do to those files. The more people understand these changes, the more they can help us for each rebase and the quicker linux-hardened will be ready after each mainline release.

We're doing what we can to maintain this patchset, when we have time for it. People that are not satisfied with this work and don't help can always fork linux-hardened or just stop using it and go back to running vanilla, but they're not entitled to anything here.

tsautereau-anssi avatar Aug 12 '21 19:08 tsautereau-anssi

We have finished and synced up the remaining work for 5.13. I have tagged an RC1 pre-release which I will give some more real world workload (and invite for a quick test) before moving on to stable releases.

https://github.com/anthraxx/linux-hardened/releases/tag/5.13-hardened1-rc1

anthraxx avatar Aug 18 '21 00:08 anthraxx

I've built kernel 5.13.12 with your 5.13-hardened1-rc1 patch, but the system (a VM booting in BIOS mode) hangs without any error message immediately after booting. I'm unsure if this is expected/a known issue or not, or if I'm overlooking something, so I figured putting a comment about it into here wouldn't hurt. :)

I've built the kernel using archbuild from the devtools package with testing repos enabled, using the current linux-hardened PKGBUILD from Archlinux with the following additional changes:

  • patch line SUBLEVEL = 0 changed to SUBLEVEL = 12

  • https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.13/mtd-cfi_cmdset_0002-fix-crash-when-erasing-writing-amd-cards.patch (applied prior to your 5.13-hardened1-rc1 patch)

  • export MAKEFLAGS="${MAKEFLAGS} -j16"

  • unchanged config compared to 5.12.17/5.12.19 (but the config gets obviously updated automatically during the build process)

hardfalcon avatar Aug 18 '21 20:08 hardfalcon

@hardfalcon can you check with CONFIG_SLAB_CANARY disabled? If that works, can you check vanilla 5.13.12 with the slab canary patch cherry-picked?

anthraxx avatar Aug 19 '21 17:08 anthraxx

On a Debian 11 with gcc version 10.2.1 it is working fine! Thank you

karesmakro avatar Aug 20 '21 11:08 karesmakro

FWIW, don't know if this will help @hardfalcon, but the INIT_ON_FREE_DEFAULT_ON option was causing my 5.13.12 kernel not to boot, though I can't say for certain that there wasn't something else possibly conflicting with it.

h4xor666 avatar Aug 21 '21 00:08 h4xor666

@h4xor666 both have the very same root cause. disabling init_on_free just doesn't overwrite the canary with zero. The latest rc2 addresses this issue and should work with SLAB_CANARY and INIT_ON_FREE_DEFAULT_ON https://github.com/anthraxx/linux-hardened/releases/tag/5.13-hardened1-rc2

anthraxx avatar Aug 21 '21 00:08 anthraxx

Sorry to say, rc2 is not working for me. I can't see any message, boot process fails after OS welcome message.

edit: forgot to say, that it's a kvm based virtual machine and os is Debian 11 (bullseye)

karesmakro avatar Aug 21 '21 10:08 karesmakro

Sadly, no luck with rc2. Only thing I changed was the init_on_free_default_on option, still won't boot. I'll try and find logs of some sort.

h4xor666 avatar Aug 21 '21 18:08 h4xor666

@karesmakro @h4xor666 please try rc3 :cat2:

anthraxx avatar Aug 23 '21 15:08 anthraxx

my system was booting successfully! No problems so far.

karesmakro avatar Aug 23 '21 17:08 karesmakro

Installed across several Debian PCs and notebooks. All bootable, syslogs for the past two days look good (no different than vanilla). 5.13.12.

beaglesnuf avatar Aug 25 '21 14:08 beaglesnuf

5.13.13-hardened1 has been released and the 5.14 branch is based on v5.14-rc7 and ready for testing

anthraxx avatar Aug 26 '21 20:08 anthraxx

Just to be clear, to test the 5.14 branch, we should download the full tree as source to build? Or is there a GitHub-specific way to generate a diff patch against upstream 5.14?

beaglesnuf avatar Aug 31 '21 04:08 beaglesnuf

Just to be clear, to test the 5.14 branch, we should download the full tree as source to build? Or is there a GitHub-specific way to generate a diff patch against upstream 5.14?

https://github.com/anthraxx/linux-hardened/compare/7aeadb5bb82ad21ffbcd54c81d77727b7a05e6c1..1779bf4e8af6df4bf587980370fcf61f4235a2cb.diff

As an example for 5.13: this would be for 5.13.13-hardened1, thus against Linux 5.13.13

https://github.com/anthraxx/linux-hardened/compare/7aeadb5bb82ad21ffbcd54c81d77727b7a05e6c1..1779bf4e8af6df4bf587980370fcf61f4235a2cb

where 7aeadb5bb82ad21ffbcd54c81d77727b7a05e6c1 is the base commit for Linux 5.13.13

and 1779bf4e8af6df4bf587980370fcf61f4235a2cb is at Linux hardened 5.13.13-hardened1

edit:

for 5.14

it would be

https://github.com/anthraxx/linux-hardened/compare/7d2a07b769330c34b4deabeed939325c77a7ec2f..e3bb405d91431e286c9dac2ad3ca33505bd8269d.diff

https://github.com/anthraxx/linux-hardened/compare/7d2a07b769330c34b4deabeed939325c77a7ec2f..e3bb405d91431e286c9dac2ad3ca33505bd8269d

7d2a07b769330c34b4deabeed939325c77a7ec2f is the base commit for Linux 5.14

e3bb405d91431e286c9dac2ad3ca33505bd8269d the current (WIP ?) commit state of 5.14-hardened0

references:

https://www.codegrepper.com/code-examples/shell/compare+two+commits+github

kernelOfTruth avatar Sep 04 '21 04:09 kernelOfTruth
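The two ways of obtaining the patch described in the comment above (the GitHub compare `.diff` URL and a local diff between the base commit and the hardened tag) as an added shell example; it is not from the thread or the linux-hardened project. The commit ids are the ones quoted above; the repository path, tag name and output file passed to `local_patch` are assumptions.

```shell
#!/bin/sh
# Added example: build/fetch a linux-hardened patch against its upstream base
# and sanity-check the inputs, so a typo or a wrong base does not silently
# produce an empty or misapplied patch.

# Commit ids quoted in the thread for 5.13.13-hardened1.
BASE_5_13_13="7aeadb5bb82ad21ffbcd54c81d77727b7a05e6c1"
TIP_5_13_13_H1="1779bf4e8af6df4bf587980370fcf61f4235a2cb"

# True only for a full 40-character lowercase hex commit id (abbreviated ids
# are rejected on purpose: a compare URL should pin exact commits).
is_full_sha() {
    case "$1" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Print the GitHub compare URL for base..tip; pass ".diff" as $3 for the raw patch.
compare_url() {
    base="$1"; tip="$2"; suffix="${3:-}"
    is_full_sha "$base" && is_full_sha "$tip" || return 1
    printf 'https://github.com/anthraxx/linux-hardened/compare/%s..%s%s\n' \
        "$base" "$tip" "$suffix"
}

# Download the raw diff to $3 and refuse a result that is empty or not a diff
# (a bad id or an unknown range yields no usable patch).
fetch_patch() {
    url="$(compare_url "$1" "$2" .diff)" || return 1
    curl -fsSL "$url" -o "$3" && [ -s "$3" ] && head -n 1 "$3" | grep -q '^diff --git'
}

# Local equivalent in a clone that has both the stable tag and the hardened
# commit: verify the stable tag resolves to the expected base before diffing.
# Usage: local_patch /path/to/linux v5.13.13 "$BASE_5_13_13" "$TIP_5_13_13_H1" out.diff
local_patch() {
    repo="$1"; tag="$2"; base="$3"; tip="$4"; out="$5"
    resolved="$(git -C "$repo" rev-parse "${tag}^{commit}")" || return 1
    if [ "$resolved" != "$base" ]; then
        echo "base mismatch: $tag resolves to $resolved, expected $base" >&2
        return 1
    fi
    git -C "$repo" diff "$base" "$tip" > "$out"
}
```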

FWIW, thank you very much for all your hard work, and for pushing that 5.16 port. It's much appreciated!

yardenac avatar Mar 25 '22 18:03 yardenac