I've had the problem of being green for a second and immediately turning yellow when installing just a regular distro Debian kernel with pvgrub. In other words, the GUI is not working, but you can verify the kernel is booting properly by using sudo xl console VMNAME in dom0. Marek says you have to compile the u2mfn module and make sure it's installed. But I have no idea how to do this.
Scroll down to installing kernel in Debian VM: https://www.qubes-os.org/doc/managing-vm-kernel/
Thanks for all your info.
Thanks. When building this in d9-t, I get 'recipe failed' "Error 2" pretty soon after starting the build process. No idea why, as there is no log, and I don't see an option to provide one (or to provide verbose output).
> Thanks. When building this in d9-t, I get 'recipe failed' "Error 2" pretty soon after starting the build process. No idea why, as there is no log, and I don't see an option to provide one (or to provide verbose output).
Hmm, I haven't had time to try it under Debian 9 yet and might not for a while.
In the meantime, peeking at their build script, what you can try to do (haven't tried it myself though) is to comment out the spinner code around the build_kernel part and the '> /dev/null 2>&1' part in the build.sh file and perhaps that would throw the verbose compile output to the terminal to give some hints on where or why it fails.
So find this section in build.sh:
start_spinner "Building coldkernel..."
build_kernel > /dev/null 2>&1
stop_spinner $?
And change it to be
build_kernel
and try to compile (make qubes-guest) again. If the output isn't enough to give any hints, you may need to run 'make clean' to get rid of anything that was pre-compiled and to start again from scratch.
Thanks for that hint. Seems there was an issue with gcc not supporting plugins, even though supposedly all the required packages were installed and updated. Worked around it, it's building now.
Glad to hear. For future reference, what exactly did you have to do? Was it
sudo apt install gcc-6-plugin-dev
or something else?
Welcome to GRUB!
error: no such device: /boot/xen/pvboot-x86_64.elf.
Reading (xen/xvda/boot/grub/grub.cfg
error: file `/boot/grub/fonts/unicode.pf2' not found.
error: no suitable video mode found.
No, I mean running 8/stable, no other repos active. Would dom0 running UEFI matter to the VM?
As for the rest, I've rerun every step a few times, so I can't imagine I missed anything. update-grub2 gave me the message below, but according to the qubes howto page, those errors don't matter.
Anyway, thanks for your replies / time, I guess I'll poke around the log etc a bit more.
-----
user@debian-8:/boot$ sudo update-grub2
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.8.13-coldkernel-grsec-1
Found initrd image: /boot/initrd.img-4.8.13-coldkernel-grsec-1
/usr/sbin/grub-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map.
/usr/sbin/grub-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map.
/usr/sbin/grub-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map.
No volume groups found
done
Thanks. If you want/need more information than that log contains, please tell me, I still have the offending templateVM :)
[ 0.765662] BUG: unable to handle kernel paging request at ffff87ff95a17300
[ 0.765671] IP: [<ffffffff81316cb9>] delay_mwaitx+0x49/0x90
[ 0.765682] PGD 0
[ 0.765688] Oops: 0000 [#1] SMP
[ 0.765693] Modules linked in:
[ 0.765701] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.8.13-coldkernel-grsec-1 #1
[ 0.765709] task: ffff8800136bf540 task.stack: ffffc90000e38000
[ 0.765714] RIP: e030:[<ffffffff81316cb9>] [<ffffffff81316cb9>] delay_mwaitx+0x49/0x90
[ 0.765724] RSP: e02b:ffffc90000e3be50 EFLAGS: 00010087
[ 0.765729] RAX: ffff87ff95a17300 RBX: 0000000000000001 RCX: 0000000000000000
[ 0.765735] RDX: 0000000000000000 RSI: 00039262adda8fdb RDI: 000000000002a4e4
[ 0.765740] RBP: ffffffff81c17300 R08: 00000000ffffffff R09: 0000000000000000
[ 0.765745] R10: 0000000000000002 R11: 000000000000000f R12: 0000000000000200
[ 0.765749] R13: ffffc90000e3bea7 R14: ffffffff824055e8 R15: 607e4ce58fa6249c
[ 0.765758] FS: 0000000000000000(0000) GS:ffff880013e00000(0000) knlGS:0000000000000000
[ 0.765765] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.765770] CR2: ffff87ff95a17300 CR3: 00000000020c2000 CR4: 0000000000040660
[ 0.765775] Stack:
[ 0.765779] 0000000000000001 00000000000010d1 ffffffff814956a5 95fa1589597478a1
[ 0.765788] ffffffff814960d0 95fa1589597478a1 ffffc90000e3bec8 06937a89d974aa7d
[ 0.765797] 00000000ffffffed ffffffff8236af42 df7e4ce58fa6249c 0000000000000000
[ 0.765807] Call Trace:
[ 0.765815] [<ffffffff814956a5>] ? i8042_wait_write+0x25/0x70
[ 0.765822] [<ffffffff814960d0>] ? i8042_command+0x30/0x80
[ 0.765829] [<ffffffff8236af42>] ? i8042_init+0x606/0x6f8
[ 0.765835] [<ffffffff8236a93c>] ? i8042_probe+0xa41/0xa41
[ 0.765842] [<ffffffff8100219d>] ? do_one_initcall+0x4d/0x170
[ 0.765849] [<ffffffff822f3f0d>] ? kernel_init_freeable+0x202/0x2ff
[ 0.765856] [<ffffffff81623f65>] ? kernel_init+0x5/0x118
[ 0.765861] [<ffffffff8163c6fe>] ? ret_from_fork+0x1e/0x40
[ 0.765867] [<ffffffff81623f60>] ? rest_init+0x88/0x88
[ 0.765871] Code: 41 b8 ff ff ff ff 48 09 c6 41 ba 02 00 00 00 eb 09 48 29 c6 48 01 f7 48 89 c6 48 89 e8 65 48 03 05 25 25 cf 7e 4c 89 c9 4c 89 ca <0f> 01 fa 4c 39 c7 4c 89 c3 4c 89 d8 48 0f 46 df 4c 89 d1 0f 01
[ 0.765920] RIP [<ffffffff81316cb9>] delay_mwaitx+0x49/0x90
[ 0.765927] RSP <ffffc90000e3be50>
[ 0.765931] CR2: ffff87ff95a17300
[ 0.765939] ---[ end trace 84bc057c0ef01aab ]---
[ 0.765946] Kernel panic - not syncing: grsec: halting the system due to suspicious kernel crash caused by root
(Same error in both VMs.)
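An added example, not part of the thread: a small triage helper that pulls the faulting function, the first call-trace frame and the panic source out of a guest console log such as the one posted above. The names `sample_log` and `oops_summary` are made up here, and the sample lines are excerpted from that log.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a guest kernel oops.

# Sample input: lines excerpted from the oops posted above.
sample_log() {
cat <<'EOF'
[ 0.765662] BUG: unable to handle kernel paging request at ffff87ff95a17300
[ 0.765671] IP: [<ffffffff81316cb9>] delay_mwaitx+0x49/0x90
[ 0.765807] Call Trace:
[ 0.765815] [<ffffffff814956a5>] ? i8042_wait_write+0x25/0x70
[ 0.765822] [<ffffffff814960d0>] ? i8042_command+0x30/0x80
[ 0.765939] ---[ end trace 84bc057c0ef01aab ]---
[ 0.765946] Kernel panic - not syncing: grsec: halting the system due to suspicious kernel crash caused by root
EOF
}

# Read a console log on stdin; print one key=value line per finding.
oops_summary() {
    awk '
        # Return the symbol name in front of "+0xOFFSET", or "?" if none.
        function sym(line) {
            if (!match(line, /[A-Za-z_][A-Za-z0-9_.]*[+]0x/)) return "?"
            return substr(line, RSTART, RLENGTH - 3)
        }
        { sub(/^\[ *[0-9.]+\] */, "") }            # drop the dmesg timestamp
        /^BUG: /           { print "bug=" substr($0, 6) }
        /^IP: /            { print "fault=" sym($0) }
        /^Call Trace:/     { in_trace = 1; next }
        # Frames marked "?" were found on the stack but not verified.
        in_trace && /^\[</ { if (!seen++) print "caller=" sym($0); next }
        in_trace           { in_trace = 0 }
        # Tell a grsec-initiated halt apart from an ordinary panic.
        /^Kernel panic - / { print "panic=" ($0 ~ /grsec:/ ? "grsec" : "kernel") }
    '
}

sample_log | oops_summary
```

To use it on a real VM, save the output of sudo xl console VMNAME from dom0 to a file and pipe that file into `oops_summary`.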
Yes, but it didn't make a difference.
Never. I compiled the d8/9 kernels in their respective (cloned) templates, but got nowhere.
On 12/14/2016 06:03 AM, Foppe de Haan wrote:
> To clarify: this has to be done in every template in which you want to use this? Or can I just copy the whole dir after compiling (seems necessary for the make install-deb step?), install whatever packages I need to perform the post-build steps, and perform those?
> (thinking of D8-template, D9-, Whonix-gw/ws)
>
For Debian systems, you only need to follow the coldhak instructions
once to create the kernel deb packages. If you want to take your work
and install it on other Debian templates without having to set up the
dev environment again, just install the qubes-kernel-vm-support and
grub2-common packages on them (and you'll probably want paxctl too to
help with managing the pax stuff until you've figured out what you want
your pax ruleset to look like), then copy over the linux-headers and
linux-image packages that you had just made and install them in that
order (headers first, then image). Install the firmware packages only if
you need them. That seemed to work for me.
Make sure to clone the templates you want to try this on for testing
purposes if you don't want to lose your originals; for example, by
default, you won't be able to connect to a Whonix template running
coldkernel as qrexec won't start up properly (but if you switch back to
a normal kernel, it'll work fine again). And if you enable this on a
service vm like sys-net, no machine configured to use it as a net vm
will start up. I don't know how to troubleshoot this or fix this, so if
anyone out there figures that part out, please share.
Don't forget to follow the rest of the coldhak instructions to install
and configure paxctld, set up grub, and to add the relevant grsecurity
groups!
sudo groupadd -g 9001 grsecproc
sudo groupadd -g 9002 tpeuntrusted
sudo groupadd -g 9003 denysockets
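An added example, not part of the post above and not coldhak's own script: the install order it describes (support packages, headers, then image, then the grsecurity groups) as a script that only prints its commands unless DRY_RUN=0 is set. The function name `install_coldkernel` and the `*coldkernel*.deb` file-name patterns are assumptions; paxctld and grub setup are left to the coldhak instructions.

```shell
#!/bin/sh
# Added example, not from the thread. Run inside a cloned Debian template.
# Assumption: the packages built earlier sit in one directory and are named
# linux-headers-*coldkernel*.deb and linux-image-*coldkernel*.deb.

DRY_RUN=${DRY_RUN:-1}          # 1 = only print the commands
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

install_coldkernel() {
    debdir=$1
    # Refuse to change anything unless exactly one package of each kind exists.
    for kind in linux-headers linux-image; do
        set -- "$debdir"/"$kind"-*coldkernel*.deb
        if [ $# -ne 1 ] || [ ! -f "$1" ]; then
            echo "expected exactly one $kind package in $debdir" >&2
            return 1
        fi
    done

    # Support packages named in the post.
    run sudo apt-get install -y qubes-kernel-vm-support grub2-common paxctl

    # Order matters: headers first, then image.
    run sudo dpkg -i "$debdir"/linux-headers-*coldkernel*.deb
    run sudo dpkg -i "$debdir"/linux-image-*coldkernel*.deb

    # grsecurity groups with the GIDs from the post; skip ones that exist.
    while read -r gid name; do
        getent group "$name" >/dev/null 2>&1 ||
            run sudo groupadd -g "$gid" "$name" </dev/null
    done <<EOF
9001 grsecproc
9002 tpeuntrusted
9003 denysockets
EOF
}

# Stand-alone use: sh this-script /path/to/debs
if [ $# -gt 0 ]; then install_coldkernel "$1"; fi
```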
I am testing coldkernel and I have a few questions. Does or should it work with a vpn gateway? Do I have to change some config file or special permissions?
I did not use grsec much in the past so I am in the process of learning.
I could connect to my coldkernel appvm via vpn gateway after freshly compiling and starting the appvm. After reboot, none of my coldkernel appvms are connecting to the internet via the vpn gateway anymore, but they are connecting to clearnet without a proxyvm.
No qrexec error.
Re update: I meant both cases, like you assumed but primarily recompiling with changes to the coldkernel.config. I did all these steps again, like described. That includes update grub. I did have the same errors mentioned earlier in the thread. (/usr/sbin/grub-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map.) but other than that everything looked fine. Something must have gone wrong.
I will try again like you described. Thanks very much for your help and the tip with switching back to normal kernel...so obvious that I would have missed it.