* [gentoo-hardened] Fwd: [gentoo-dev] News item for sys-kernel/hardened-sources removal
From: Francisco Blas Izquierdo Riera (klondike) @ 2017-08-15 15:10 UTC
To: gentoo-hardened
For those of you wondering about the future of hardened-sources. They
will be removed in a bit more than a month.
Input regarding the news item is more than welcome.
[-- Attachment: 2017-08-19-hardened-sources-removal.en.txt --]
Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
As you may know, the core of sys-kernel/hardened-sources has been the
patches published by Grsec.
Sadly, their developers have stopped making these freely available [1].
As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) to be resistant against
certain attacks like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore
the security of the users of these kernel sources.
Because of that we will be masking the hardened-sources on the 27th of
August and will proceed to remove then from the tree by the end of
September. Obviously, we will reinstate the package again if the
developers decide to make their patches publicly available again.
Our recommendation is that users should consider using
sys-kernel/gentoo-sources instead.
As an alternative, for users happy keeping themselves on the stable
4.9 branch of the kernel minipli, another Grsec user, is forward
porting the patches on [2]. The Gentoo Hardened team can't make any
statement regarding the security, reliability or update availability
of those patches as we aren't providing them and can't therefore
make any recommendation regarding their use.
We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain there and
is unaffected by this removal.
Finally we'd like to send a sincere thank you to Brad Spengler and
the PaX Team for making their hardening patches freely available all
this time.
[1] https://grsecurity.net/passing_the_baton.php
[2] https://github.com/minipli/linux-unofficial_grsec
* [gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
From: Francisco Blas Izquierdo Riera (klondike) @ 2017-08-15 15:46 UTC
To: Gentoo Development; +Cc: pr, gentoo-hardened
On 15/08/17 at 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> Hi!
>
> I'd like to get this one up by Saturday so that we can proceed with
> masking and removing of the hardened-sources after upstream stopped
> releasing new patches.
>
> This is my first time writing a news item so all input will be appreciated.
>
> As for the rationale behind this, we need to clearly inform users as to
> the options available for hardening their system kernels after the
> removal of the hardened-sources.
>
> Sincerely,
> Klondike
>
Updated the news item following comments from dilfridge, mrueg and
floppym. Also made it display to users of hardened profiles.
[-- Attachment: 2017-08-19-hardened-sources-removal.en.txt --]
Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 2
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Profile: hardened/linux/*
As you may know, the core of sys-kernel/hardened-sources has been the
patches published by Grsec.
Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of any public updates and not only
stable ones as was announced two years ago [2].
As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) to be resistant against
certain attacks like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore
the security of the users of these kernel sources.
Because of that we will be masking the hardened-sources on the 27th of
August and will proceed to remove then from the tree by the end of
September. Obviously, we will reinstate the package again if the
developers decide to make their patches publicly available again.
Our recommendation is that users should consider using
sys-kernel/gentoo-sources instead.
As an alternative, for users happy keeping themselves on the stable
4.9 branch of the kernel minipli, another Grsec user, is forward
porting the patches on [3].
Strcat from Copperhead OS is making his own version of the patches
forward ported to the latest version of the Linux tree at [4].
The Gentoo Hardened team can't make any statement regarding the
security, reliability or update availability of either those patches
as we aren't providing them and can't therefore make any
recommendation regarding their use.
We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain there and
is unaffected by this removal.
[1] https://grsecurity.net/passing_the_baton.php
[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-hardened-sources-kernel.html
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened
* [gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
From: Francisco Blas Izquierdo Riera (klondike) @ 2017-08-15 20:07 UTC
To: gentoo-dev; +Cc: pr, gentoo-hardened
On 15/08/17 at 18:08, Ulrich Mueller wrote:
>>>>>> On Tue, 15 Aug 2017, Francisco Blas Izquierdo Riera (klondike) wrote:
>> Updated the news item following comments from dilfridge, mrueg and
>> floppym. Also made it display to users of hardened profiles.
> Some very minor comments:
>
>> Author: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
> Format of the line is "Real Name <email@address>", so I'd suggest to
> drop the nick in parentheses, especially since it is there in the
> e-mail address anyway.
>
>> Because of that we will be masking the hardened-sources on the 27th of
>> August and will proceed to remove then from the tree by the end of
>> September. [...]
> s/then/them/
>
>> As an alternative, for users happy keeping themselves on the stable
>> 4.9 branch of the kernel minipli, another Grsec user, is forward
>> porting the patches on [3].
> I had difficulties parsing this sentence. Insert a comma after
> "kernel"? Also there is spurious whitespace before "stable".
>
> Ulrich
Thanks for your input, I have addressed your comments on the attached
news item.
I have also added a note regarding the other PaX related packages as
these still won't be removed.
Klondike
[-- Attachment: 2017-08-19-hardened-sources-removal.en.txt --]
Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 3
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Profile: hardened/linux/*
As you may know, the core of sys-kernel/hardened-sources has been the
patches published by Grsec.
Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of any public updates and not only
stable ones as was announced two years ago [2].
As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) to be resistant against
certain attacks like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore
the security of the users of these kernel sources.
Because of that we will be masking the hardened-sources on the 27th of
August and will proceed to remove them from the tree by the end of
September. Obviously, we will reinstate the package again if the
developers decide to make their patches publicly available again.
Our recommendation is that users should consider using
sys-kernel/gentoo-sources instead.
As an alternative, for users happy keeping themselves on the stable
4.9 branch of the kernel; minipli, another Grsec user, is forward
porting the patches on [3].
Strcat from Copperhead OS is making his own version of the patches
forward ported to the latest version of the Linux tree at [4].
The Gentoo Hardened team can't make any statement regarding the
security, reliability or update availability of either those patches
as we aren't providing them and can't therefore make any
recommendation regarding their use.
We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain there and
is unaffected by this removal. Also, all PaX related packages other
than the hardened-sources will remain for the time being.
[1] https://grsecurity.net/passing_the_baton.php
[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-hardened-sources-kernel.html
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened
* [gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
From: Francisco Blas Izquierdo Riera (klondike) @ 2017-08-16 10:09 UTC
To: gentoo-dev; +Cc: pr, gentoo-hardened
On 16/08/17 at 09:40, Marek Szuba wrote:
> Two tiny bits of formal nitpicking from my side:
> - it's "grsecurity" (not a typo, they do use a lowercase g except when
> the name appears at the beginning of a sentence), not "grsec";
> - the patches were not *distributed by* grsecurity, they *are*
> grsecurity. The vendor's name is Open Source Security, Inc.
Nowadays it is, but this hasn't always been the case. You'll notice the
presence of a /dev/grsec and you'll also find grsec referenced across
some old patches. Anyways I changed it.
The same applies to Open Source Security, Inc.: the company was founded
in 2008 but grsecurity has been around for much longer. That's why I
prefer to refer to Brad Spengler and The PaX team here as they are still
the real upstream behind Open Source Security, Inc.
[-- Attachment: 2017-08-19-hardened-sources-removal.en.txt --]
Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 4
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Profile: hardened/linux/*
As you may know, the core of sys-kernel/hardened-sources has been the
grsecurity patches.
Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of any public updates and not only
stable ones as was announced two years ago [2].
As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) to be resistant against
certain attacks like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore
the security of the users of these kernel sources.
Because of that we will be masking the hardened-sources on the 27th of
August and will proceed to remove them from the tree by the end of
September. Obviously, we will reinstate the package again if the
developers decide to make their patches publicly available again.
Our recommendation is that users should consider using
sys-kernel/gentoo-sources instead.
As an alternative, for users happy keeping themselves on the stable
4.9 branch of the kernel; minipli, another grsecurity user, is forward
porting the patches on [3].
Strcat from Copperhead OS is making his own version of the patches
forward ported to the latest version of the Linux tree at [4].
The Gentoo Hardened team can't make any statement regarding the
security, reliability or update availability of either those patches
as we aren't providing them and can't therefore make any
recommendation regarding their use.
We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain there and
is unaffected by this removal. Also, all PaX related packages other
than the hardened-sources will remain for the time being.
[1] https://grsecurity.net/passing_the_baton.php
[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-hardened-sources-kernel.html
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened
* Re: [gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
From: Robert Sharp @ 2017-08-16 13:36 UTC
To: gentoo-hardened
On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 16/08/17 at 09:40, Marek Szuba wrote:
>> Two tiny bits of formal nitpicking from my side:
>> - it's "grsecurity" (not a typo, they do use a lowercase g except when
>> the name appears at the beginning of a sentence), not "grsec";
>> - the patches were not *distributed by* grsecurity, they *are*
>> grsecurity. The vendor's name is Open Source Security, Inc.
> Nowadays it is, but this hasn't always been the case. You'll notice the
> presence of a /dev/grsec and you'll also find grsec referenced across
> some old patches. Anyways I changed it.
>
> The same applies to Open Source Security, Inc.: the company was founded
> in 2008 but grsecurity has been around for much longer. That's why I
> prefer to refer to Brad Spengler and The PaX team here as they are still
> the real upstream behind Open Source Security, Inc.
>
>
Would anyone like to outline a simple process to migrate from
hardened-sources + hardened tool-chain to gentoo-sources? Presumably if
I just drag my config file across it will cause all sorts of problems?
Do I need to work backwards through the hardening guide, for example?
Thanks
* Re: [gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
From: Francisco Blas Izquierdo Riera (klondike) @ 2017-08-16 14:37 UTC
To: gentoo-hardened
On 16/08/17 at 15:36, Robert Sharp wrote:
> On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote:
>> On 16/08/17 at 09:40, Marek Szuba wrote:
>>> Two tiny bits of formal nitpicking from my side:
>>> - it's "grsecurity" (not a typo, they do use a lowercase g except when
>>> the name appears at the beginning of a sentence), not "grsec";
>>> - the patches were not *distributed by* grsecurity, they *are*
>>> grsecurity. The vendor's name is Open Source Security, Inc.
>> Nowadays it is, but this hasn't always been the case. You'll notice the
>> presence of a /dev/grsec and you'll also find grsec referenced across
>> some old patches. Anyways I changed it.
>>
>> The same applies to Open Source Security, Inc.: the company was founded
>> in 2008 but grsecurity has been around for much longer. That's why I
>> prefer to refer to Brad Spengler and The PaX team here as they are still
>> the real upstream behind Open Source Security, Inc.
>>
>>
> Would anyone like to outline a simple process to migrate from
> hardened-sources + hardened tool-chain to gentoo-sources?
>
Unless you want to drop userspace hardening (which most likely you don't
as it is still useful on vanilla kernels) a simple copy of the .config
file to gentoo sources followed by make oldconfig will work in the vast
majority of cases.
> Presumably if I just drag my config file across it will cause all
> sorts of problems?
>
Nah, not really, as long as you do oldconfig you should be fine. Most of
the config changes were compartmentalized under the grsecurity section.
> Do I need to work backwards through the hardening guide, for example?
>
Definitely not :)
* Re: [gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
From: Michael Orlitzky @ 2017-08-16 14:46 UTC
To: gentoo-hardened
On 08/16/2017 10:37 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>
>> Would anyone like to outline a simple process to migrate from
>> hardened-sources + hardened tool-chain to gentoo-sources?
>>
> Unless you want to drop userspace hardening (which most likely you don't
> as it is still useful on vanilla kernels) a simple copy of the .config
> file to gentoo sources followed by make oldconfig will work in the vast
> majority of cases.
>
There is one thing you have to watch out for: certain vanilla kernel
hardened features were subjugated to grsecurity ones and you'll probably
want to enable them. For example, you probably want CONFIG_VMAP_STACK
once you've switched, but it won't be enabled in your old .config
because it conflicts with GRKERNSEC_KSTACKOVERFLOW.
(It would help to collect those options on a wiki page?)
* Re: [gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
From: philipp.ammann @ 2017-08-16 15:01 UTC
To: gentoo-hardened
On 16.08.2017 at 16:46, Michael Orlitzky wrote:
> There is one thing you have to watch out for: certain vanilla kernel
> hardened features were subjugated to grsecurity ones and you'll
> probably
> want to enable them. For example, you probably want CONFIG_VMAP_STACK
> once you've switched, but it won't be enabled in your old .config
> because it conflicts with GRKERNSEC_KSTACKOVERFLOW.
>
> (It would help to collect those options on a wiki page?)
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
That probably covers all relevant options on a vanilla kernel.
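The migration check discussed in the last few replies (copy the old .config to gentoo-sources, run make oldconfig, then review the vanilla hardening options that grsecurity hid or conflicted with, CONFIG_VMAP_STACK being the example given), as an added shell script that is not part of the thread and not a Gentoo or KSPP tool. The KSPP_OPTIONS list is an illustrative subset of the KSPP recommended settings for a 4.9-era kernel chosen for this example (the names are real Kconfig symbols, the selection is mine), and the .config fragment it runs against is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a .config carried over from
# hardened-sources before "make oldconfig" on gentoo-sources. It lists the
# grsecurity/PaX options that gentoo-sources will silently drop, and the
# vanilla hardening options (the ones grsecurity hid or conflicted with)
# that should be reviewed afterwards.
# KSPP_OPTIONS is an illustrative subset of the KSPP recommended settings
# for a 4.9-era kernel, chosen for this example; use the KSPP page for the
# full list for your kernel version. Format: NAME=expected value.
KSPP_OPTIONS="
CONFIG_VMAP_STACK=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_DEBUG_RODATA=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_DEVKMEM=n
CONFIG_PROC_KCORE=n
CONFIG_COMPAT_BRK=n
"

# Print every grsecurity/PaX symbol set in the config file $1.
list_grsec_options() {
    grep -E '^CONFIG_(GRKERNSEC|PAX)(_[A-Z0-9_]+)?=' "$1"
}

# Print the value of symbol $2 in config file $1: y/m/n, or "missing" when
# the symbol does not appear at all (Kconfig omits symbols whose
# dependencies are unmet, which is what happens to CONFIG_VMAP_STACK when
# GRKERNSEC_KSTACKOVERFLOW is enabled).
config_value() {
    if grep -q "^# $2 is not set\$" "$1"; then
        echo n
    else
        grep "^$2=" "$1" | head -n 1 | cut -d= -f2 | grep . || echo missing
    fi
}

# Print one "NAME want=X have=Y" line per option that needs review.
# Returns 0 when every option already matches, 1 otherwise.
check_kspp_options() {
    status=0
    for entry in $KSPP_OPTIONS; do
        name=${entry%%=*}
        want=${entry#*=}
        have=$(config_value "$1" "$name")
        if [ "$have" != "$want" ]; then
            echo "$name want=$want have=$have"
            status=1
        fi
    done
    return $status
}

# Number of options needing review, for use in scripts.
count_kspp_mismatches() {
    check_kspp_options "$1" | wc -l | tr -d ' '
}

# Constructed sample: a fragment of a hardened-sources 4.9 .config, invented
# for this example (VMAP_STACK is absent because grsecurity hides it).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_SLAB_FREELIST_RANDOM is not set
CONFIG_DEBUG_RODATA=y
CONFIG_SECURITY_DMESG_RESTRICT=y
# CONFIG_DEVKMEM is not set
# CONFIG_PROC_KCORE is not set
# CONFIG_COMPAT_BRK is not set
EOF

echo "grsecurity/PaX options that gentoo-sources will drop:"
list_grsec_options "$SAMPLE_CONFIG"
echo "vanilla hardening options to review after make oldconfig:"
check_kspp_options "$SAMPLE_CONFIG" || echo "(re-run after enabling them)"
```

To use it on a real system, point the functions at the copied config (for example /usr/src/linux/.config after make oldconfig) instead of SAMPLE_CONFIG; on the constructed sample it reports CONFIG_VMAP_STACK as missing and CONFIG_SLAB_FREELIST_RANDOM as disabled, which are the two items a migrating user would go and enable.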
* [gentoo-hardened] About sys-kernel/hardened-sources removal
From: Francisco Blas Izquierdo Riera (klondike) @ 2017-08-19 10:54 UTC
To: r030t1, gentoo-hardened; +Cc: gentoo-dev
Hi!
The gentoo-dev list is not the right place to keep up discussion on why
or how the hardened-sources will be removed. Not this thread which is
about the news item.
Most packages just get masked and removed in 30 days, for example, without
sending a news item, just an e-mail to gentoo-dev-announce. The only
reason why we are sending it is because most Gentoo Hardened users were
using the hardened-sources and deserve a heads-up as to what will happen
to them and what they can do after (as there will be no clear and simple
upgrade path with similar features).
Please do send further answers to gentoo-hardened which is the project's
mailing list.
On 18/08/17 at 02:59, R0b0t1 wrote:
> On Tue, Aug 15, 2017 at 3:03 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> On 15/08/17 at 17:50, R0b0t1 wrote:
>>> Where was this decision discussed?
>> https://archives.gentoo.org/gentoo-hardened/message/62ebc2e26d91e8f079197c2c83788cff
>>
>> And many other threads in that list for example, those are just blueness
>> (the package maintainer) conclusions.
>>> The last available kernel is
>>> apparently receiving long term support, there may not be any reason to
>>> remove it.
>> Not by the original upstream, and definitely not in the way in which
>> Grsec used to (manually cherrypicking security related commits and not
>> just those marked as security related).
>>
> All blueness says in that is that he can't personally support the
> patches. That's fine, and nobody that I know of ever expected him to
> do that. However, until they are unfixably broken, why remove them?
> Keeping them until a suitable replacement is available seems like the
> best option available.
> There's no criteria in that notice for when they would be removed.
> What criteria was used to decide they are generating useless work and
> should be removed?
They are already unfixably broken. They are affected by stack clash
(when using certain obscure configs but nonetheless). They are to all
effects unmaintained (as in upstream not publishing patches we can
provide to you). And I'd rather not look at what other fixes came in the
4.9 tree since then that I have missed.
>> Although minipli's kernel patches are good and I personally recommend
>> them, this is not something the Gentoo Hardened team will do. Also they
>> probably should be renamed something else.
> I'm not sure anyone is asking the hardened team to do anything, except
> for people on the hardened team who want to remove the patches.
Then please address blueness about this (on the aforementioned thread)
and not me. I'm just the messenger who was asked to deliver the news.
>>> If it isn't broken and creating work yet I'm not sure why
>>> anyone cares.
>> Go to #gentoo-hardened and see how there are people asking about this
>> again and again :P
>>
> I'm not sure what you mean. There are people asking about it, but that
> doesn't necessarily mean they want it to happen. If something is done
> people are going to discuss it regardless of what it is.
I mean people are asking "what happens with the hardened-sources?" and we
have to answer. Now at least we have a clear path of action announced.
> Please understand, I don't want to keep an old version of the kernel
> and associated patches around forever, just until a replacement is
> actually found.
There are a few replacements, we aren't just providing an ebuild in the
portage tree for them (except for gentoo-sources, of course).
If you want to keep the ebuilds and patches I recommend you set up a
personal overlay instead.
* [gentoo-hardened] Re: About sys-kernel/hardened-sources removal
From: R0b0t1 @ 2017-09-03 6:34 UTC
To: gentoo-hardened
Hello again,
That you split this off caused me to miss your message.
On Sat, Aug 19, 2017 at 5:54 AM, Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
> Hi!
>
> The gentoo-dev list is not the right place to keep up discussion on why
> or how the hardened-sources will be removed. Not this thread which is
> about the news item.
>
Discussing the validity of the news item seems topical.
> Most packages just get masked and removed in 30 days for example without
> sending a news item just an e-mail to gentoo-dev-announce. The only
> reason why we are sending it is because most Gentoo Hardened users were
> using the hardened-sources and deserve a heads-up as to what will happen
> to them and what can they do after (as there will be no clear and simple
> upgrade path with similar features).
>
> Please do send further answers to gentoo-hardened which is the project's
> mailing list.
>
At this point I am following up here because the issue is time sensitive.
> On 18/08/17 at 02:59, R0b0t1 wrote:
>> On Tue, Aug 15, 2017 at 3:03 PM, Francisco Blas Izquierdo Riera
>> (klondike) <klondike@gentoo.org> wrote:
>>> On 15/08/17 at 17:50, R0b0t1 wrote:
>>>> Where was this decision discussed?
>>> https://archives.gentoo.org/gentoo-hardened/message/62ebc2e26d91e8f079197c2c83788cff
>>>
>>> And many other threads in that list for example, those are just blueness
>>> (the package maintainer) conclusions.
>>>> The last available kernel is
>>>> apparently receiving long term support, there may not be any reason to
>>>> remove it.
>>> Not by the original upstream, and definitely not in the way in which
>>> Grsec used to (manually cherrypicking security related commits and not
>>> just those marked as security related).
>>>
>> All blueness says in that is that he can't personally support the
>> patches. That's fine, and nobody that I know of ever expected him to
>> do that. However, until they are unfixably broken, why remove them?
>> Keeping them until a suitable replacement is available seems like the
>> best option available.
>> There's no criteria in that notice for when they would be removed.
>> What criteria was used to decide they are generating useless work and
>> should be removed?
> They are already unfixably broken. They are affected by stack clash
> (when using certain obscure configs but nonetheless). They are to all
> effects unmaintained (as in upstream not publishing patches we can
> provide to you). And I'd rather not look at what other fixes came in the
> 4.9 tree since then that I have missed.
They are not unfixably broken for most users. I have no doubt that
there are stable packages in existence with bugs open against them.
Likewise there are no doubt unmaintained packages in existence.
>>> Although minipli's kernel patches are good and I personally recommend
>>> them, this is not something the Gentoo Hardened team will do. Also they
>>> probably should be renamed something else.
>> I'm not sure anyone is asking the hardened team to do anything, except
>> for people on the hardened team who want to remove the patches.
> Then please address blueness about this (on the aforementioned thread)
> and not me. I'm just the messenger who was asked to deliver the news.
I suppose I will rejoin the hardened mailing list. However, all I was
doing was asking you for explanations. I feel you should be able to
address my concerns as if you can't explain why you are doing what you
are doing, then why are you doing it?
>>>> If it isn't broken and creating work yet I'm not sure why
>>>> anyone cares.
>>> Go to #gentoo-hardened and see how there are people asking about this
>>> again and again :P
>>>
>> I'm not sure what you mean. There are people asking about it, but that
>> doesn't necessarily mean they want it to happen. If something is done
>> people are going to discuss it regardless of what it is.
> I mean people are asking "what happens with the hardened-sources?" and we
> have to answer. Now at least we have a clear path of action announced.
Keeping the sources in the tree seems to be an equally valid course of action.
>> Please understand, I don't want to keep an old version of the kernel
>> and associated patches around forever, just until a replacement is
>> actually found.
> There are a few replacements, we aren't just providing an ebuild in the
> portage tree for them (except for gentoo-sources, of course).
>
> If you want to keep the ebuilds and patches I recommend you set up a
> personal overlay instead.
>
If there aren't Gentoo-maintained ebuilds for them, then they are not
really an option of the same caliber.
R0b0t1.