[gentoo-hardened] Virtualbox-OSE PIE/PIC support

[gentoo-hardened] Virtualbox-OSE PIE/PIC support

[Dariem Pérez Herrera]

Hello,
I'm new in this list. Let me introduce myself: my name is Dariem, and
I'm part of a team that is trying to create a distro based on project
Gentoo Hardened. We want to collaborate  with you in everything we can.
My first email will be about Virtualbox-OSE. I would like to know if
there is any patch I can use to fix the problem with the inline asm
using ebx register, but if it doesn't exist, I can try to create it
myself and share it with you, I just don't want to duplicate efforts.
Can you tell me what is the status of this issue?

best regards,

Dariem

-- 
Lic. Dariem Pérez Herrera
Profesor de Programación, Facultad X
Desarrollador de Nova GNU/Linux
Universidad de las Ciencias Informáticas, Cuba

Re: [gentoo-hardened] Virtualbox-OSE PIE/PIC support

[pageexec]

On 27 Jan 2010 at 1:58, Dariem Pérez Herrera wrote:

> Hello,
> I'm new in this list. Let me introduce myself: my name is Dariem, and
> I'm part of a team that is trying to create a distro based on project
> Gentoo Hardened. We want to collaborate  with you in everything we can.
> My first email will be about Virtualbox-OSE. I would like to know if
> there is any patch I can use to fix the problem with the inline asm
> using ebx register, but if it doesn't exist, I can try to create it
> myself and share it with you, I just don't want to duplicate efforts.
> Can you tell me what is the status of this issue?

while i haven't looked at the non-PIC in vbox, i can tell you that it's
only the tip of the iceberg, there're much more difficult problems there.
in particular, the kernel drivers are not compatible with PaX currently
and fixing them is anything but trivial (see http://www.virtualbox.org/ticket/941
and their in-house ring-0 module loader code among others).

Re: [gentoo-hardened] Virtualbox-OSE PIE/PIC support

[Dariem Pérez Herrera]

El 27/01/10 05:53, pageexec@freemail.hu escribió:
> while i haven't looked at the non-PIC in vbox, i can tell you that it's
> only the tip of the iceberg, there're much more difficult problems there.
> in particular, the kernel drivers are not compatible with PaX currently
> and fixing them is anything but trivial (see http://www.virtualbox.org/ticket/941
> and their in-house ring-0 module loader code among others).
>   

Thanks for your reply. I haven't looked for PaX issues yet (I suppose
it'd be at runtime), I'd like to achieve firstly a successful
compilation using PIC. I've played a little with the inline asm code and
I think it can be done. Did you tested those PaX issues using a provided
binary or you compiled from source code? Can you tell if the binary you
tested had PIC enabled?

regards,

Dariem

Re: [gentoo-hardened] Virtualbox-OSE PIE/PIC support

[pageexec]

On 27 Jan 2010 at 13:56, Dariem Pérez Herrera wrote:

> Thanks for your reply. I haven't looked for PaX issues yet (I suppose
> it'd be at runtime), I'd like to achieve firstly a successful
> compilation using PIC. I've played a little with the inline asm code and
> I think it can be done. Did you tested those PaX issues using a provided
> binary or you compiled from source code? Can you tell if the binary you
> tested had PIC enabled?

i compiled it using portage so whatever it builds is what i have. i definitely
recall seeing the textrel warnings in a few shared libraries, but didn't look
into them, sorry.

Re: [gentoo-hardened] Virtualbox-OSE PIE/PIC support

[Dariem Pérez Herrera]

[-- Attachment #1: Type: text/plain, Size: 316 bytes --]

If anyone if having trouble compiling virtualbox-ose-3.1.0 with
gcc-4.3.4 (hardened, with PIE/PIC and SSP), here is a possible solution
(patch attached).


-- 
Lic. Dariem Pérez Herrera
Profesor de Programación, Facultad X
Desarrollador de Nova GNU/Linux
Universidad de las Ciencias Informáticas, Cuba



[-- Attachment #2: virtualbox-ose-3.1.0-nova-hardened-pie-pic-support.patch --]
[-- Type: text/x-patch, Size: 5145 bytes --]

diff -rud VirtualBox-3.1.0_OSE_Orig/src/VBox/Devices/PC/Etherboot-src/arch/i386/core/pci_io.c VirtualBox-3.1.0_OSE/src/VBox/Devices/PC/Etherboot-src/arch/i386/core/pci_io.c
--- VirtualBox-3.1.0_OSE_Orig/src/VBox/Devices/PC/Etherboot-src/arch/i386/core/pci_io.c	2009-03-13 06:38:36.000000000 -0400
+++ VirtualBox-3.1.0_OSE/src/VBox/Devices/PC/Etherboot-src/arch/i386/core/pci_io.c	2010-01-27 04:39:46.000000000 -0500
@@ -112,13 +112,30 @@
 	unsigned long length;		/* %ecx */
 	unsigned long entry;		/* %edx */
 
-	__asm__(BIOS32_CALL
+	__asm__(
+#if __PIC__
+		"pushl %%ebx\n"
+		"movl  %%ecx, %%ebx\n"
+#endif
+		BIOS32_CALL
+#if __PIC__
+		"movl %%ebx, %1\n"
+		"pop %%ebx\n"
+#endif
 		: "=a" (return_code),
+#if __PIC__
+		  "=m" (address),
+#else
 		  "=b" (address),
+#endif
 		  "=c" (length),
 		  "=d" (entry)
 		: "0" (service),
+#if __PIC__
+		  "2" (0),
+#else
 		  "1" (0),
+#endif
 		  "S" (bios32_entry));
 
 	switch (return_code) {
@@ -140,14 +157,26 @@
         unsigned long ret;
         unsigned long bx = (bus << 8) | device_fn;
 
-        __asm__(BIOS32_CALL
+        __asm__(
+#if __PIC__
+		"pushl %%ebx\n"
+		"movl %3, %%ebx\n"
+#endif
+		BIOS32_CALL
                 "jc 1f\n\t"
                 "xor %%ah, %%ah\n"
+#if __PIC__
+		"pop %%ebx\n"
+#endif
                 "1:"
                 : "=c" (*value),
                   "=a" (ret)
                 : "1" (PCIBIOS_READ_CONFIG_BYTE),
+#if __PIC__
+		  "m" (bx),
+#else
                   "b" (bx),
+#endif
                   "D" ((long) where),
                   "S" (pcibios_entry));
         return (int) (ret & 0xff00) >> 8;
@@ -159,14 +188,26 @@
         unsigned long ret;
         unsigned long bx = (bus << 8) | device_fn;
 
-        __asm__(BIOS32_CALL
+        __asm__(
+#if __PIC__
+		"pushl %%ebx\n"
+		"movl %3, %%ebx\n"
+#endif
+		BIOS32_CALL
                 "jc 1f\n\t"
                 "xor %%ah, %%ah\n"
+#if __PIC__
+		"pop %%ebx\n"
+#endif
                 "1:"
                 : "=c" (*value),
                   "=a" (ret)
                 : "1" (PCIBIOS_READ_CONFIG_WORD),
+#if __PIC__
+		  "m" (bx),
+#else
                   "b" (bx),
+#endif
                   "D" ((long) where),
                   "S" (pcibios_entry));
         return (int) (ret & 0xff00) >> 8;
@@ -178,14 +219,26 @@
         unsigned long ret;
         unsigned long bx = (bus << 8) | device_fn;
 
-        __asm__(BIOS32_CALL
+        __asm__(
+#if __PIC__
+		"pushl %%ebx\n"
+		"movl %3, %%ebx\n"
+#endif
+		BIOS32_CALL
                 "jc 1f\n\t"
                 "xor %%ah, %%ah\n"
+#if __PIC__
+		"pop %%ebx\n"
+#endif
                 "1:"
                 : "=c" (*value),
                   "=a" (ret)
                 : "1" (PCIBIOS_READ_CONFIG_DWORD),
+#if __PIC__
+		  "m" (bx),
+#else
                   "b" (bx),
+#endif
                   "D" ((long) where),
                   "S" (pcibios_entry));
         return (int) (ret & 0xff00) >> 8;
@@ -197,14 +250,26 @@
 	unsigned long ret;
 	unsigned long bx = (bus << 8) | device_fn;
 
-	__asm__(BIOS32_CALL
+	__asm__(
+#if __PIC__
+		"pushl %%ebx\n"
+		"movl %3, %%ebx\n"
+#endif
+		BIOS32_CALL
 		"jc 1f\n\t"
 		"xor %%ah, %%ah\n"
+#if __PIC__
+		"pop %%ebx\n"
+#endif
 		"1:"
 		: "=a" (ret)
 		: "0" (PCIBIOS_WRITE_CONFIG_BYTE),
 		  "c" (value),
-		  "b" (bx),
+#if __PIC__
+		  "m" (bx),
+#else
+                  "b" (bx),
+#endif
 		  "D" ((long) where),
 		  "S" (pcibios_entry));
 	return (int) (ret & 0xff00) >> 8;
@@ -216,14 +281,26 @@
 	unsigned long ret;
 	unsigned long bx = (bus << 8) | device_fn;
 
-	__asm__(BIOS32_CALL
+	__asm__(
+#if __PIC__
+		"pushl %%ebx\n"
+		"movl %3, %%ebx\n"
+#endif
+		BIOS32_CALL
 		"jc 1f\n\t"
 		"xor %%ah, %%ah\n"
+#if __PIC__
+		"pop %%ebx\n"
+#endif
 		"1:"
 		: "=a" (ret)
 		: "0" (PCIBIOS_WRITE_CONFIG_WORD),
 		  "c" (value),
-		  "b" (bx),
+#if __PIC__
+		  "m" (bx),
+#else
+                  "b" (bx),
+#endif
 		  "D" ((long) where),
 		  "S" (pcibios_entry));
 	return (int) (ret & 0xff00) >> 8;
@@ -235,14 +312,26 @@
 	unsigned long ret;
 	unsigned long bx = (bus << 8) | device_fn;
 
-	__asm__(BIOS32_CALL
+	__asm__(
+#if __PIC__
+		"pushl %%ebx\n"
+		"movl %3, %%ebx\n"
+#endif
+		BIOS32_CALL
 		"jc 1f\n\t"
 		"xor %%ah, %%ah\n"
+#if __PIC__
+		"pop %%ebx\n"
+#endif
 		"1:"
 		: "=a" (ret)
 		: "0" (PCIBIOS_WRITE_CONFIG_DWORD),
 		  "c" (value),
-		  "b" (bx),
+#if __PIC__
+		  "m" (bx),
+#else
+                  "b" (bx),
+#endif
 		  "D" ((long) where),
 		  "S" (pcibios_entry));
 	return (int) (ret & 0xff00) >> 8;
@@ -257,17 +346,27 @@
 	int pack;
 
 	if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
-		__asm__(BIOS32_CALL
+		__asm__(
+#if __PIC__
+			"pushl %%ebx\n"
+#endif
+			BIOS32_CALL
 			"jc 1f\n\t"
 			"xor %%ah, %%ah\n"
 			"1:\tshl $8, %%eax\n\t"
-			"movw %%bx, %%ax"
+			"movw %%bx, %%ax\n"
+#if __PIC__
+			"pop %%ebx\n"
+#endif
 			: "=d" (signature),
 			  "=a" (pack)
 			: "1" (PCIBIOS_PCI_BIOS_PRESENT),
 			  "S" (pcibios_entry)
+#if __PIC__
+			: "cx");
+#else
 			: "bx", "cx");
-
+#endif
 		present_status = (pack >> 16) & 0xff;
 		major_revision = (pack >> 8) & 0xff;
 		minor_revision = pack & 0xff;

Re: [gentoo-hardened] Virtualbox-OSE PIE/PIC support

[basile]

[-- Attachment #1: Type: text/plain, Size: 1087 bytes --]

Dariem Pérez Herrera wrote:
> Hello,
> I'm new in this list. Let me introduce myself: my name is Dariem, and
> I'm part of a team that is trying to create a distro based on project
> Gentoo Hardened. We want to collaborate  with you in everything we can.
> My first email will be about Virtualbox-OSE. I would like to know if
> there is any patch I can use to fix the problem with the inline asm
> using ebx register, but if it doesn't exist, I can try to create it
> myself and share it with you, I just don't want to duplicate efforts.
> Can you tell me what is the status of this issue?
>
> best regards,
>
> Dariem
>
>   
Hi Dariem:

Interesting!  There seems to be a trend of IT professors using hardened
to build distros.  You might be interested in what we did with hardened ->

    http://opensource.dyc.edu/tinhat

Anyhow our early work was done on VMWare which worked fine.  I don't
know if thats an option for you.

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197




[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

Re: [gentoo-hardened] Virtualbox-OSE PIE/PIC support

[Dariem Pérez Herrera]

El 27/01/10 13:39, basile escribió:
> Hi Dariem:
>
> Interesting!  There seems to be a trend of IT professors using hardened
> to build distros.  You might be interested in what we did with hardened ->
>
>     http://opensource.dyc.edu/tinhat
>
> Anyhow our early work was done on VMWare which worked fine.  I don't
> know if thats an option for you.
>   

Hi Basile:
I've already heard about your project. I'll be looking at it soon (right
now I'm quite busy). Our goal is not as ambitious as yours. We just want
to have an usable but secure enough server. Let's hope we all can help
each other.
About WMware, I think there are some issues with the license -- I don't
know exactly which ones. So we stick with Virtualbox-OSE, which we want
to have working on hardened Gentoo itself, with all the security enabled.


-- 
Lic. Dariem Pérez Herrera
Profesor de Programación, Facultad X
Desarrollador de Nova GNU/Linux
Universidad de las Ciencias Informáticas, Cuba

Re: [gentoo-hardened] Virtualbox-OSE PIE/PIC support

[Ed W]

On 27/01/2010 06:58, Dariem Pérez Herrera wrote:
> Hello,
> I'm new in this list. Let me introduce myself: my name is Dariem, and
> I'm part of a team that is trying to create a distro based on project
> Gentoo Hardened. We want to collaborate  with you in everything we can.
> My first email will be about Virtualbox-OSE. I would like to know if
> there is any patch I can use to fix the problem with the inline asm
> using ebx register, but if it doesn't exist, I can try to create it
> myself and share it with you, I just don't want to duplicate efforts.
> Can you tell me what is the status of this issue?
>
>    

Do also look into linux-vservers.  I use these in conjunction with 
hardened gcc-4.4 and it's a good fit for my needs.  Isolation is lower 
than virtualbox, but for many server installations the lower 
virtualisation overhead may be useful.  In my case I have both the host 
and most of the guests running hardened (on AMD64 host)

Creating your own profiles turns out to also be an excellent solution to 
server mainenance - definitely recommend it

Good luck

Ed W