[grsec] grsecurity & lguest

Philip Sanderson philip.k.sanderson at gmail.com
Thu Nov 4 05:11:15 EDT 2010


>
> I think I'm getting closer to why it's not supported on the guest:
>
> ./lguest 64 ../../../diffs/linux-2.6.35.8/vmlinux
>
> lguest: unhandled trap 13 at 0x1001081 (0x10)
>
>     1081:    ea 88 10 00 00 10 00     ljmp   $0x10,$0x1088
>
>
So I think the problem is in

ENTRY(startup_32)
        /* test KEEP_SEGMENTS flag to see if the bootloader is asking
                us to not reload segments */
        testb $(1<<6), BP_loadflags(%esi)
        jnz 2f

/*
 * Set segments to known values.
 */
        lgdt pa(boot_gdt_descr)
        movl $(__BOOT_DS),%eax
        movl %eax,%ds
        movl %eax,%es
        movl %eax,%fs
        movl %eax,%gs
2:

and

#ifdef CONFIG_PAX_KERNEXEC_WAT
        movl $pa(boot_gdt),%edi
        movl $__LOAD_PHYSICAL_ADDR,%eax
        movw %ax,__BOOT_CS + 2(%edi)
        rorl $16,%eax
        movb %al,__BOOT_CS + 4(%edi)
        movb %ah,__BOOT_CS + 7(%edi)
        rorl $16,%eax
        ljmp $(__BOOT_CS),$1f


Since it does not set lgdt, due to the paravirt boot code setting "don't
reset segments", it's not initialized properly.

If I make the reset of lgdt unconditional it doesn't work (probably due to
requiring the hypervisor to make that change :-). If I #ifdef
out the initial ljmp it dies at

# ./lguest 64 ../../../diffs/linux-2.6.35.8/vmlinux
lguest: unhandled trap 14 at 0x100ad26 (0xffffffdc)

        set_early_handler handler=early_protection_fault,trapno=13
        set_early_handler handler=early_page_fault,trapno=14

Checking addresses nearby:

00008d20 <irqfd_inject>:
    8d20:       55                      push   %ebp
    8d21:       89 e5                   mov    %esp,%ebp
    8d23:       83 ec 0c                sub    $0xc,%esp
    8d26:       89 5d f8                mov    %ebx,-0x8(%ebp)

emulator_set_cached_descriptor:
    ad24:       09 d0                   or     %edx,%eax
    ad26:       89 45 dc                mov    %eax,-0x24(%ebp)

0000bd20 <ftrace_raw_output_kvm_nested_vmrun>:
    bd20:       55                      push   %ebp
    bd21:       83 e9 14                sub    $0x14,%ecx
    bd24:       89 e5                   mov    %esp,%ebp
    bd26:       83 ec 34                sub    $0x34,%esp

So I'm not sure... I need to work out how to get more in-depth debugging
information for it, to be able to work out what the problems are :\

I can't even get KERNEXEC working on a real machine either (model name:
Intel(R) Atom(TM) CPU N270 @ 1.60GHz) :/

I'll try getting PAE/NX working instead for the time being and come back to
kernexec later.
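As an added illustration (not code from the thread, the kernel or the PaX patch), the C below mirrors the byte stores in the CONFIG_PAX_KERNEXEC snippet above, which rewrite the base field of the __BOOT_CS descriptor before the ljmp: a 32-bit base is scattered across descriptor bytes 2, 3, 4 and 7, and a far jump through selector 0x10 (taken from the trap line) resolves to a different linear address depending on whether the patched GDT is actually the one in effect. The selector 0x10, the offset 0x1088 and the 16 MiB load address are taken or inferred from the addresses on the page; the GDT contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Selector used by the faulting ljmp on the page; GDT index 2 => byte offset 16. */
#define BOOT_CS_SEL 0x10u
/* Assumed __LOAD_PHYSICAL_ADDR: 16 MiB, consistent with the 0x10010xx addresses on the page. */
#define LOAD_PHYS_ADDR_EXAMPLE 0x1000000u

/* Constructed flat 4 GiB 32-bit code descriptor (base 0, limit 0xfffff, G=1, D=1). */
static const uint8_t flat_code_desc[8] = {0xff, 0xff, 0x00, 0x00, 0x00, 0x9b, 0xcf, 0x00};

/* Same byte stores as the assembly: movw %ax,+2; rorl $16; movb %al,+4; movb %ah,+7. */
void set_desc_base(uint8_t *desc, uint32_t base) {
    uint32_t eax = base;
    desc[2] = (uint8_t)(eax & 0xff);          /* movw %ax, __BOOT_CS + 2(%edi) */
    desc[3] = (uint8_t)((eax >> 8) & 0xff);
    eax = (eax >> 16) | (eax << 16);          /* rorl $16, %eax */
    desc[4] = (uint8_t)(eax & 0xff);          /* movb %al, __BOOT_CS + 4(%edi): base[23:16] */
    desc[7] = (uint8_t)((eax >> 8) & 0xff);   /* movb %ah, __BOOT_CS + 7(%edi): base[31:24] */
}

/* Reassemble the base field from its scattered bytes. */
uint32_t get_desc_base(const uint8_t *desc) {
    return (uint32_t)desc[2] | ((uint32_t)desc[3] << 8) |
           ((uint32_t)desc[4] << 16) | ((uint32_t)desc[7] << 24);
}

/* Byte offset of a selector's entry in the GDT (ignores RPL/TI bits). */
unsigned sel_to_gdt_offset(unsigned sel) { return (sel >> 3) * 8; }

/* Linear target of ljmp $sel,$off given the GDT that is actually loaded. */
uint32_t resolve_far_jump(const uint8_t *gdt, unsigned sel, uint32_t off) {
    return get_desc_base(gdt + sel_to_gdt_offset(sel)) + off;
}

int main(void) {
    uint8_t gdt[24] = {0};                      /* null, data (left empty), code at index 2 */
    memcpy(gdt + sel_to_gdt_offset(BOOT_CS_SEL), flat_code_desc, 8);
    printf("flat GDT:    ljmp $0x10,$0x1088 -> 0x%08x\n",
           resolve_far_jump(gdt, BOOT_CS_SEL, 0x1088));
    set_desc_base(gdt + sel_to_gdt_offset(BOOT_CS_SEL), LOAD_PHYS_ADDR_EXAMPLE);
    printf("patched GDT: ljmp $0x10,$0x1088 -> 0x%08x\n",
           resolve_far_jump(gdt, BOOT_CS_SEL, 0x1088));
    return 0;
}
```

If the lgdt is skipped because of KEEP_SEGMENTS, the patched boot_gdt is never what the CPU (or the hypervisor, which validates the jump on lguest) consults, so the rebased descriptor has no effect on where the ljmp lands.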