Grsecurity+Debian 10 has issues when PCI devices are being attached


drw...@gmail.com

Oct 8, 2020, 9:06:31 PM
to qubes-users
Hi all,

I've been trying to get a Debian 10 sys-net running with grsecurity as a kernel. However, I've been running into some trouble when the PCI devices are being attached to it. libxenlight is giving me errors and the PVH VM will never even attempt to boot. If I use a Qubes kernel, I don't run into these errors and the PCI devices get attached just fine.

I've attached 2 screenshots of the errors I'm currently facing. It might be best to focus on the errors after midnight and ignore the other lines in the screenshot.

Any pointers for what I could attempt to get this fixed?

I plan to write a bigger piece of documentation if I get these bugs ironed out and how I got the rest to compile/work.

Best,
Jurre
libxenlight2.jpeg
libxenlight.jpeg

Jarrah

Oct 8, 2020, 9:18:35 PM
to qubes...@googlegroups.com

> I've been trying to get a Debian 10 sys-net running with grsecurity as a
> kernel. However, I've been running into some trouble when the PCI devices
> are being attached to it. libxenlight is giving me errors and the PVH VM
> will never even attempt to boot.


Just to check, are you trying to boot a PVH VM with PCI devices? That's
only supported on HVM (and PV). Try changing 'virt_mode' to 'hvm'


drw...@gmail.com

Oct 9, 2020, 6:07:56 AM
to qubes-users
I should've been a bit more clear, but yes, by PVH I meant virt_mode == hvm.

54th Parallel

Oct 10, 2020, 7:52:04 AM
to qubes-users
Hi Jurre,

How were you able to get a grsec kernel? I thought grsec is proprietary/paid-for only now. Would love to get my hands on it if possible.

Jurre van Bergen

Oct 10, 2020, 6:26:46 PM
to 54th Parallel, qubes-users
Offtopic: I suggest you contact them to buy it, that's what we did. Support your local and only noteworthy Linux kernel security project.

On Sat, Oct 10, 2020 at 13:52, 54th Parallel <fiftyfour...@gmail.com> wrote:

drw...@gmail.com

Oct 11, 2020, 10:56:05 AM
to qubes-users
OK, I got a lot further with this. It was, surprisingly ;-))), PEBKAC.

Starting sys-net with HVM and the kernel as "none" worked in the sense that the VM boots and no PCI errors are thrown around.

What doesn't work at the moment is that no connections seem to be possible through qrexec in HVM mode, and since there is no GUI connection possible, the VM shuts down.

In PVH mode, everything works very smoothly and without issues for VMs without needing PCI passthrough.

Will have a closer look...

Best,
Jurre

lama...@gmail.com

Oct 13, 2020, 2:01:57 PM
to qubes-users
On Sunday, October 11, 2020 at 12:26:46 AM UTC+2 drw...@gmail.com wrote:
> Offtopic: I suggest you contact them to buy it, that's what we did. Support your local and only noteworthy Linux kernel security project.

It is now possible for individuals to buy a license?

drw...@gmail.com

Oct 15, 2020, 6:35:44 PM
to qubes-users
No idea.