[gentoo-hardened] Meeting 2010-09-16 log

[gentoo-hardened] Meeting 2010-09-16 log

[Magnus Granberg]

[-- Attachment #1: Type: Text/Plain, Size: 93 bytes --]

Hi

Log from the Hardened meeting 2010-09-16

Hardened at Gentoo.org
Magnus Granberg (Zorry)

[-- Attachment #2: meeting-2010-09-16_22:00UTC.log --]
[-- Type: text/x-log, Size: 21416 bytes --]

[23:58:53] <Zorry> agenda okay?
[23:59:12] <quantumsummers|a> yessir
[23:59:45] <blueness> lol calling him now
[00:00:00] - {Day changed to Fri Sep 17 00:00:00 2010}
[00:00:15] <blueness> i'm ready
[00:00:27] <klondike> hum
[00:00:37] <klondike> hardened meeting?
[00:00:45] <klondike> have fun :D
[00:00:50] <Zorry> 1.0 toolchain
[00:01:13] <quantumsummers|a> hey, I have to step out for 5 mins, sorry (grrrrrr business)
[00:01:17] <quantumsummers|a> I will read back over things
[00:01:19] <Zorry> we still waiting for stable of gcc 4.4.4-r2
[00:01:54] <Zorry> and waithing for vapier on the glibc sigaction bug
[00:02:14] <quantumsummers|a> Bug 331531
[00:02:16] <willikins> quantumsummers|a: https://bugs.gentoo.org/331531 "stabilize sys-devel/gcc-4.4.4-r2"; Gentoo Linux, Core system; NEW; zorry@g.o:toolchain@g.o
[00:02:20] -*- quantumsummers|a brb
[00:02:32] <Zorry> else i dont see any major probs in the toolchain
[00:03:10] <blueness> there are no more blockers, so what's the hold up?  just the arch teams?
[00:03:50] <Zorry> blueness: yes and thay added a bump of the patchset to it
[00:04:17] <blueness> what is the difference between -r1 and -r2 i didn't look
[00:04:35] <Zorry> the rev of the gentoos patchset
[00:04:43] <blueness> oh right
[00:05:31] <Zorry> else it looking good
[00:06:03] <blueness> i can't think of anything else myself.  i've had good success with it on 4 arches
[00:06:12] <blueness> x86, amd64, ppc and ppc64.  all good
[00:06:23] <quantumsummers|a> back, sorry
[00:06:25] <blueness> tried mips but its too crazy
[00:06:36] <Zorry> arm did have some prog in glibc and we have fix for it
[00:07:24] <Zorry> but it up to vapier say what to do.
[00:07:39] <blueness> the problem with mips is that *none* of its userland is supported so too much breaks that has nothing to do with the toolchain and its too ahrd for me to fix by myself, so i don't think i'm going to try to test mips anymore
[00:07:48] <Zorry> else i don't have any to say on the toolchain
[00:08:01] <blueness> okay, next
[00:08:07] <Zorry> 2.0 kernel
[00:08:18] <quantumsummers|a> big fun there :)
[00:08:24] <quantumsummers|a> today that is
[00:08:29] <blueness> here's the progress report
[00:08:44] <blueness> we have two stable 2.6.28-r9 and 2.6.32-r9
[00:09:05] <blueness> stabilization of 2.6.32-r9 is on x86, amd64, and ppc64
[00:09:26] <blueness> it does not work on ppc and the other arch teams didn't care to stabilize
[00:09:35] <blueness> not even ia64
[00:10:01] <blueness> so i'm going to shoot for 4 arches which i can test: x86 amd64, ppc ppc64
[00:10:25] <blueness> first question: should we drop the other KEYWORDS or just leave them ~arch?
[00:11:08] <Zorry> leave them as ~
[00:11:11] <-- cilly (pluto@unaffiliated/cilly) has quit (Quit: leaving...)
[00:11:58] <blueness> k, i can still make the stabilization request, but i think those teams will just skip
[00:12:17] <blueness> okay next issue.
[00:12:32] <blueness> there are a lot of user that want to do virtualization with hardened
[00:12:57] <blueness> this is a complex issue because certain hardening doesn't work with certain types of virt
[00:13:25] <quantumsummers|a> I think a major goal (at least for me) is to get eucalyptus running with KVM.
[00:13:32] <quantumsummers|a> all hardened
[00:13:36] <blueness> i have clear now what works with what, eg kvm host can't have KERNEXEC or UDEREF
[00:13:45] <quantumsummers|a> which is a bummer
[00:14:03] <blueness> xen guest can't have UDEREF but can have all else with paravirt
[00:14:04] <prometheanfire> blueness: I thought we could have KERNEXEC but not UDEREF
[00:14:30] <blueness> xen guest can have all hardening with full virt
[00:14:47] <prometheanfire> no, I am stupid
[00:14:58] <blueness> also i don't think some of that stuff will be fixed upstream anytime soon
[00:15:16] <blueness> so what approach should i take.  one possibility is to just document this
[00:15:42] <blueness> another is to create some predefined Kconfig options like our current [server] [server without rbac] etc
[00:16:03] <prometheanfire> I think you could create a new security level maybe
[00:16:06] <blueness> any suggestions?  personally i don't want to multiply the number of preconfigs
[00:16:09] <quantumsummers|a> that is not a bad idea blueness
[00:16:20] <quantumsummers|a> however, it does make extra work.
[00:16:31] <quantumsummers|a> I would vote for documenting it somewhere
[00:16:38] <blueness> quantumsummers|a, which the preconfigs is a good idea?
[00:16:51] <quantumsummers|a> I sort of like that, but its a pain
[00:17:02] <quantumsummers|a> yes, the preconfig
[00:17:14] <quantumsummers|a> I always end up altering things regardless
[00:17:28] <blueness> yeah but the current preconfigs are a bit of a mess.  i've already had to start cleaning up the workstation
[00:17:36] <quantumsummers|a> We could have someone create a nice little guidexml doc detailing virt on hardened
[00:18:21] <quantumsummers|a> I wouldn't mind writing it, blueness you can check my work :)
[00:18:24] <blueness> quantumsummers|a, okay i think i'll just document what i've learned in a plain text file for now, share it and then we can go from there.   i know that virtualization is big
[00:18:41] <quantumsummers|a> sounds good, its easy enough to xml the thing
[00:19:06] <blueness> consider all the possibilities: xen vs kvm
[00:19:09] <quantumsummers|a> reminds me, I need to cvs co all of gentoo.org web on some convenient box
[00:19:14] <blueness> then in xen you have full vs paravirt
[00:19:19] <quantumsummers|a> yes.
[00:19:23] <blueness> in kvm you have emulated hardware vs virtio
[00:19:33] <blueness> each has its own quirks with various hardening
[00:19:36] <quantumsummers|a> seems like a tabular exposition would be in order
[00:20:18] <blueness> okay, so document it and then we'll think about which to preconfig
[00:20:31] <quantumsummers|a> sounds good to me
[00:20:33] <blueness> i guess i just don't want to mess up the preconfigs even more!
[00:20:40] <quantumsummers|a> blueness++
[00:20:52] <blueness> by mess up i don't mean break, but just create confusion among the users
[00:20:52] <Chainsaw> Agreed blueness, let's document first.
[00:21:04] <Zorry> +1
[00:21:20] <quantumsummers|a> solid plan
[00:21:27] <blueness> okay, if there's no more about this issue, let me move on
[00:21:40] <Zorry> okay
[00:21:48] <Zorry> 3.0 profiles
[00:22:07] -*- blueness runs!
[00:22:40] -*- prometheanfire catches a blueness 
[00:22:42] <blueness> okay i won't run
[00:22:42] -*- quantumsummers|a hooks blueness
[00:23:07] <quantumsummers|a> its a scary thing, I still have poor understanding of
[00:23:18] <quantumsummers|a> blueness did you get with Robin re: stacking?
[00:23:31] <blueness> there is a version of the cleaned up profiles on the hardened-development repo
[00:23:32] <Zorry> we have to match work on toolchain, h-k and bug for now
[00:23:34] <quantumsummers|a> seems like I recall him volunteering
[00:23:57] --> inode33 (debian-tor@gateway/tor-sasl/inode33) has joined #gentoo-hardened
[00:24:06] <-- CMoH (~cipi@95.76.71.81) has quit (Read error: Connection reset by peer)
[00:24:10] <blueness> quantumsummers|a, i didn't talk to him yet, i do think i understand what's going on a bit, but not enough to make changes with confidence
[00:24:39] <quantumsummers|a> gotcha
[00:24:44] <blueness> the last work i did was over a month ago, i simply imported all the changes from the tree to our cleaned up profiles on the repo
[00:25:05] <Zorry> have't don any thing :(
[00:25:05] <blueness> but we decided to wait for stabilization of the toolchain if i recall correctly
[00:25:14] <Zorry> yes
[00:25:26] <blueness> oh and i did test them
[00:25:30] <blueness> on 4 arches
[00:25:34] <quantumsummers|a> nice
[00:25:37] --> CMoH (~cipi@95.76.71.81) has joined #gentoo-hardened
[00:25:55] <blueness> basically i just did a mount --bind of the repo profiles over /usr/portage/profile/...
[00:26:19] <blueness> and then check if emerge --<various options> gave the same results and it did
[00:26:28] <blueness> after of course changing with profile-config
[00:26:49] <blueness> so it looks like the change wouldn't break the tree, it just eliminates the /10.0/ verioning
[00:27:03] <blueness> 4 arches = x86, amd64, ppc ppc64
[00:27:25] <quantumsummers|a> blueness you may consider emailing these results to council+toolchain
[00:27:29] <quantumsummers|a> +baselayout
[00:27:51] <quantumsummers|a> cc Solar too :) he'll like the removal of versioning
[00:27:53] <blueness> quantumsummers|a, i'm not sure that's necessary really, we have ownership over our own profiles
[00:28:12] <blueness> oh wait, you're thinking of more than just hardened?
[00:28:21] <quantumsummers|a> right, might be nice to show how you did it as the non-versioned profiles was something more broadly discussed
[00:28:31] <Chainsaw> blueness: Still polite to check with the others to make sure you don't unleash a world of hell on them somehow.
[00:28:43] <Chainsaw> blueness: Like the KDE lot and the 5 million messages out of repoman when I try to commit something now.
[00:28:52] <prometheanfire> lol
[00:29:12] <blueness> Chainsaw, yeah true.  i figure hardened is on the leaf of the inheritance tree, but you never know
[00:29:24] <Chainsaw> blueness: Exactly.
[00:29:58] <blueness> okay, i'll email what i did and what we're planning.  to whom?  to mabye -dev?
[00:30:05] <blueness> -dev which catch all.
[00:30:21] <Chainsaw> Yeah, -dev sounds right.
[00:30:45] <quantumsummers|a> +1
[00:30:49] <Zorry> you may ask what happing to the stack ting to
[00:31:13] <blueness> sounds good to me.  i think i'd like more people involved to help because i still don't fully understand them
[00:31:33] <blueness> k
[00:31:57] <quantumsummers|a> as long as you can avoid bike shedding :P
[00:31:57] <blueness> Zorry, let me draft something and you can look it over, see what you think
[00:32:06] <Zorry> k
[00:32:38] <Zorry> do we have any more on the profiles?
[00:32:57] <blueness> not really
[00:33:25] <Zorry> 4.0 docs
[00:33:40] <Zorry> haven't done anything :(
[00:33:52] <quantumsummers|a> I have an idea
[00:34:09] <blueness> yeah i think we're kinda in trouble here, i'm so busy fixing stuff i can't sit down and write
[00:34:11] <quantumsummers|a> blueness: do you have any exemplary students that might like to assist?
[00:34:41] <blueness> quantumsummers|a, i can try to solicit again, they're busy with work
[00:34:45] <quantumsummers|a> I am owed a ton of $$ which has meant that I could not do the internship thing this semester
[00:34:47] <blueness> schoolwork
[00:34:59] <quantumsummers|a> yeah, that is usual
[00:35:06] <quantumsummers|a> extra credit :D
[00:35:07] <blueness> what i'm thinking is a special topics course on gentoo dev and get them in that way
[00:35:19] <quantumsummers|a> that is a great idea
[00:35:31] <quantumsummers|a> we can beg nightmorph to assist
[00:35:31] <blueness> quantumsummers|a, not *extra*
[00:36:05] <blueness> just credit literally a 3 credit course to do gentoo dev work something like sunrise and get a few into this so they can actually write intelligently
[00:36:14] <quantumsummers|a> hey wait, where is SwifT? He is/was a docs guy I think
[00:36:28] <prometheanfire> sunrise is slow for me
[00:36:33] <prometheanfire> 3 week turnaround
[00:36:38] <SwifT> quantumsummers|a: what, where, who
[00:36:43] <quantumsummers|a> Hi Sven!
[00:36:56] <quantumsummers|a> Want to help xml up some hardened docs?
[00:37:11] <SwifT> sure
[00:37:18] <quantumsummers|a> SWEET, we have our man
[00:37:37] <quantumsummers|a> SwifT: do you still have access to gentoo-www?
[00:37:45] <SwifT> quantumsummers|a: nope, I'm no dev (anymore)
[00:37:53] <quantumsummers|a> thought you retired
[00:38:01] <quantumsummers|a> well, that's ok, we can still manage
[00:38:23] <SwifT> but I do still have an anon checkout of the docs and so, so shouldn't be too hard to write up some stuff and test it before I attach it to some bug or send it off
[00:38:44] <Zorry> good :)
[00:38:45] <SwifT> it's just... i'm no dev because it's hard to tell you when things are going to be done :p
[00:38:45] <quantumsummers|a> either way, the hardened docs have not changed much in quite a while
[00:39:14] <Zorry> it need alot work and updates
[00:39:23] <blueness> quantumsummers|a, the old stuff is still very good, we mostly need updates
[00:39:37] <blueness> Zorry, can you think of what *new* stuff we really need?
[00:39:40] <quantumsummers|a> blueness yes, I agree
[00:39:53] <blueness> maybe the virtualization stuff should become its own page
[00:39:57] <quantumsummers|a> it should
[00:40:07] <Zorry> blueness: it should
[00:40:21] <blueness> there's a forum thread on it but it scattered between forum, thread and my head
[00:40:52] <Zorry> blueness:  asm faq pic backtrace toolchain
[00:41:20] <Zorry> need some new stuff and updates
[00:41:25] <blueness> hmm ... maybe what the different pax/grsec options doo
[00:41:36] <Zorry> that to
[00:41:46] <quantumsummers|a> would be nice to show what new preconfigs are there
[00:41:49] <blueness> yeah there's some confusion about those
[00:42:17] <blueness> oh and this one is scary, but the symantics of RBAC rules for gradm
[00:42:26] <klondike> about docs
[00:42:34] <prometheanfire> blueness: theres a wiki for grsec already
[00:42:39] <klondike> let me 2 minutes to checks it out
[00:43:14] <blueness> prometheanfire, yes i know it, and maybe i should unashamedly steals some stuff from it
[00:43:15] <prometheanfire> http://en.wikibooks.org/wiki/Grsecurity
[00:43:21] <prometheanfire> why steal?
[00:43:44] <blueness> some of those issues need to be discussed in a gentoo context
[00:43:52] <prometheanfire> kk
[00:44:16] <-- NeddySeagoon (~NeddySeag@gentoo/developer/NeddySeagoon) has quit (Quit: what, what, what, what, what, what, what, what, what, what.  Only 10 Watts Neddy ?  Thats not very bright!!)
[00:45:15] <klondike> ok
[00:45:24] <klondike> on the options on PAX and GRsec
[00:45:28] <Zorry> klondike:  willing to help SwifT with the docs?
[00:45:36] <klondike> Yeah
[00:45:41] <klondike> but I'm like him
[00:45:49] <klondike> can't tell when I'll have time
[00:46:04] <klondike> As I was saying
[00:46:12] <klondike> On the Pax and grsec options
[00:46:28] <klondike> We can take it all from the work I did on June
[00:46:46] <blueness> klondike, oh yeah, that was pretty good stuff actually
[00:46:55] <quantumsummers|a> klondike: that was good work, btw
[00:47:09] <blueness> let's xml-ify it
[00:47:14] <quantumsummers|a> easy enough
[00:47:52] <klondike> Aside from that
[00:48:16] <klondike> I don't mind doing some investigation work and write it on an usable form
[00:48:25] <klondike> Just tell me what has to be documented
[00:48:54] <blueness> klondike, start by converting that work
[00:49:01] <klondike> Ok
[00:49:02] <blueness> to xml i mean
[00:49:07] <klondike> No problem
[00:49:15] <klondike> I have some background with it
[00:49:28] <blueness> once its on gentoo-www we can start adding to it
[00:49:51] <quantumsummers|a> klondike: if you prefer a GUI, there is a nice demo of the beacon editor at beaconeditor.org
[00:50:14] <klondike> Ahh I rather doing things the old school way
[00:50:23] <quantumsummers|a> me too, just sayin' :)
[00:50:45] <Zorry> quantumsummers have you move accont on icoalesce ?
[00:51:30] <quantumsummers|a> ah, yes. I need to set y'all up here real quick
[00:51:45] <quantumsummers|a> gimme a sec & I can start that process
[00:52:53] <Zorry> quantumsummers can we use it for the doc thing to? so all can edit it before we merege it to docs?
[00:53:18] <quantumsummers|a> ok, Zorry (yes in answer to your question, you certainly can) and blueness, and Chainsaw, you should have mail
[00:53:34] <quantumsummers|a> who else needs accounts Zorry?
[00:53:57] <Zorry> klondike and SwifT then for the doc stuff
[00:54:20] <Chainsaw> quantumsummers_: I'm already on there using my work address.
[00:54:27] <klondike> Ok I'll start by converting the doc on Pax + GRSEC to GuideXML
[00:54:55] <quantumsummers|a> Chainsaw: nope, this is the full production version, not the dev version
[00:55:12] <quantumsummers|a> the dev has been taken down temporarily anyway
[00:55:15] <Chainsaw> quantumsummers|a: Please use my work address, not my spammed-to-hell-and-back gentoo box.
[00:55:16] <quantumsummers|a> this is a separate sys
[00:55:28] <quantumsummers|a> ok, I'll send another invite to that one
[00:55:49] <quantumsummers|a> Zorry: I'm resending you an invite, deleted the wrong one
[00:55:55] <Zorry> k
[00:56:38] <quantumsummers|a> Chainsaw: ok, resent
[00:57:24] <Chainsaw> quantumsummers|a: Done.
[00:58:16] <klondike> Well
[00:58:25] <Zorry> so we got some progres :)
[00:58:51] <blueness> quantumsummers|a, whhat email did you send it too?
[00:59:08] <quantumsummers|a> blueness@g.o
[00:59:11] <blueness> k
[00:59:29] <quantumsummers|a> Chainsaw: you have an invite to the newly created Hardened Gentoo proj on there
[00:59:37] <quantumsummers|a> klondike: PM me an email addy
[00:59:49] <blueness> quantumsummers|a, not seeing it for some reason
[01:00:20] <quantumsummers|a> hmm. should be on its way, I saw it leave the server :)
[01:00:35] <klondike> There you are
[01:00:36] <blueness> k
[01:01:15] <Zorry> SwifT: can you pm quantumsummers to?
[01:01:41] <quantumsummers|a> he is asleep I think (he PM'd me to say as much)
[01:01:51] <Zorry> k
[01:01:54] <Chainsaw> quantumsummers|a: Received & accepted.
[01:02:17] <quantumsummers|a> excellent
[01:02:26] <quantumsummers|a> klondike: you should have mail shortly
[01:02:45] <klondike> I have
[01:02:52] -*- klondike is reading
[01:02:55] <quantumsummers|a> damn db is a tad cold.
[01:03:22] <Chainsaw> Please note that I'll have to sleep eventually.
[01:03:25] <quantumsummers|a> :)
[01:03:28] <Chainsaw> Train journey tomorrow.
[01:03:34] <quantumsummers|a> where to?
[01:03:38] <Chainsaw> London.
[01:03:50] <quantumsummers|a> well, I hope the weather is nice
[01:04:17] <quantumsummers|a> I'll invite Robin to join as well, he's on there already
[01:04:48] --> jotik^^ (~7f000001@39.24.190.90.dyn.estpak.ee) has joined #gentoo-hardened
[01:05:07] <-- jotik (~7f000001@39.24.190.90.dyn.estpak.ee) has quit (Ping timeout: 265 seconds)
[01:05:19] <-- Arfrever (~Arfrever@gentoo/developer/Arfrever) has quit (Ping timeout: 240 seconds)
[01:05:41] <Zorry> quantumsummers|a: accepted
[01:05:58] <quantumsummers|a> Zorry: you have a notification
[01:06:22] <Zorry> done
[01:06:26] <klondike> Ok
[01:06:28] <klondike> done
[01:06:38] <klondike> Though strangely there was no EULA
[01:06:48] <Chainsaw> So, is the meeting over?
[01:06:54] <klondike> quantumsummers|a: you should check the point 3 on the registration page
[01:06:57] <Zorry> do we have any more the docs
[01:06:59] <quantumsummers|a> klondike: its a private system
[01:07:31] <klondike> quantumsummers|a: ok, anyway there are a few typos on point 3 :P
[01:07:42] <quantumsummers|a> heh, thanks, I'll fix 'em
[01:07:51] <Zorry> can we move on?
[01:07:55] <quantumsummers|a> yes
[01:08:18] <Zorry> 5.0 bugs
[01:08:29] <Zorry> blueness: did you have anything there?
[01:08:48] <blueness> a couple of minor points
[01:09:10] <blueness> 1) your patch for -fstack-protector was accepted upstream, so that closed one bug
[01:09:19] <blueness> one kernel bug
[01:09:38] <blueness> 2) i made some changes to the predefined work station which fixed another bug
[01:10:05] <blueness> fix the bug where the kernel didn't respect the proc group id
[01:10:26] <blueness> and
[01:10:40] <blueness> the big one today --- i emailed the list about it
[01:10:55] <blueness> the only bugs i'm not addressing are the 2.6.28-r9 bugs
[01:11:23] <blueness> but once we get a couple of 2.6.32/.34 kernels stable, i think i have to just abanon that, if its okay with people
[01:11:41] <Zorry> +1
[01:11:44] <klondike> +1
[01:12:33] <quantumsummers|a> +1
[01:12:39] <Chainsaw> Yes, 2.6.28 is dead to me.
[01:12:42] <quantumsummers|a> ask solar though, he liked that kernel
[01:12:52] <Chainsaw> I have gotten a 2.6.32 fix from FusionIO, so I'm no longer stuck with it anywhere.
[01:13:04] <quantumsummers|a> nice
[01:13:36] <blueness> the bugs above were bug #331551 and #312335
[01:13:38] <willikins> blueness: https://bugs.gentoo.org/331551 "sys-kernel/hardened-sources-2.6.34-r1 does not respect proc special group"; Gentoo Linux, Hardened; RESO, FIXE; cdsmith80@gmail.com:hardened-kernel@g.o
[01:13:52] <blueness> bug #312335
[01:13:54] <willikins> blueness: https://bugs.gentoo.org/312335 "sys-kernel/hardened-sources-2.6.32 build complains about missing -fstack-protector support with sys-devel/gcc-4.4.2-r2"; Gentoo Linux, Hardened; RESO, FIXE; mail@cleeus.de:hardened-kernel@g.o
[01:14:42] <Zorry> do we have any more bugs we need to disscuse?
[01:14:46] <blueness> oh maybe i should add FYI that i've been taking care of gradm and paxtest
[01:14:51] <blueness> nah i'm done
[01:15:00] <blueness> got a lot done today
[01:15:53] <klondike> Well I'm having trouble with hardened and S2D S2R
[01:15:55] <Zorry> waiting for gcc-4.4.4-r2 to get stable before i can close some bugs that fail on older toolchain
[01:16:17] <klondike> But I'll try with 2.6.34 and maybe fix things there :/
[01:16:40] <Zorry> any else bug?
[01:17:28] <Zorry> okay 6.0 open meeting for users
[01:17:49] <Zorry> any qa or else the meeting is done
[01:18:13] <quantumsummers|a> open floor

Re: [gentoo-hardened] Meeting 2010-09-16 log

[Radoslaw Madej]

On Friday 17 September 2010 16:12:38 you wrote:
> Hi
> 
> Log from the Hardened meeting 2010-09-16
> 
> Hardened at Gentoo.org
> Magnus Granberg (Zorry)

Thanks Guys!
The virtualisation stuff and hardened on arm sound particularly exciting!

Zorry - which version of gcc/glibc do you want to get to work on arm? I'd be 
more than happy to help with some testing if needed! My N900 screams for 
hardened...! ;))
Cheers,
Radek

Re: [gentoo-hardened] Meeting 2010-09-16 log

[pageexec]

On 17 Sep 2010 at 19:56, Radoslaw Madej wrote:

> Zorry - which version of gcc/glibc do you want to get to work on arm? I'd be 
> more than happy to help with some testing if needed! My N900 screams for 
> hardened...! ;))

maybe look at http://natisbad.org/N900/n900-custom-kernel.html ? ;)