Debian Bug report logs - #816439
Grsec's RANDSTRUCT and Reproducible Builds
Reported by: bancfc@openmailbox.org
Date: Tue, 1 Mar 2016 20:45:01 UTC
Severity: normal
Tags: patch
Merged with 814787
Fixed in version 4.9.65-2+grsecunoff1+rm
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Yves-Alexis Perez <corsac@debian.org>:
Bug#816439; Package linux-grsec.
(Tue, 01 Mar 2016 20:45:05 GMT)
Acknowledgement sent
to bancfc@openmailbox.org:
New Bug report received and forwarded. Copy sent to Yves-Alexis Perez <corsac@debian.org>.
(Tue, 01 Mar 2016 20:45:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: linux-grsec
Severity: normal
While still a long way off, reproducible builds might pose a problem for a
Grsec kernel when CONFIG_GRKERNSEC_RANDSTRUCT is set to 'y', because this
feature randomizes kernel symbols and structures during compilation and
is not meant to be the same. For a publicly distributed kernel binary
this feature does not provide any protection anyhow, because these
addresses are already known. This feature will need to be disabled for
full compatibility with reproducible build systems.
-- System Information:
Debian Release: 8.2
Information forwarded
to debian-bugs-dist@lists.debian.org, Yves-Alexis Perez <corsac@debian.org>:
Bug#816439; Package linux-grsec.
(Wed, 02 Mar 2016 07:45:03 GMT)
Acknowledgement sent
to Dato Simó <dato@debian.org>:
Extra info received and forwarded to list. Copy sent to Yves-Alexis Perez <corsac@debian.org>.
(Wed, 02 Mar 2016 07:45:03 GMT)
Message #10 received at 816439@bugs.debian.org:
> While still a long way off, reproducible builds might pose a problem for a Grsec
> kernel when CONFIG_GRKERNSEC_RANDSTRUCT is set to 'y', because this feature
> randomizes kernel symbols and structures during compilation and is not meant
> to be the same. For a publicly distributed kernel binary this feature does
> not provide any protection anyhow, because these addresses are already known.
> This feature will need to be disabled for full compatibility with
> reproducible build systems.
Just FYI, the @grsecurity account tweeted the following today:
Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is
actually compatible with reproducible builds, just need to
keep randomize_layout_seed.h.
https://twitter.com/grsecurity/status/704869584218685440
No idea how relevant this is for reproducible builds in Debian. Just
relaying it.
Ciao,
-d
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#816439; Package linux-grsec.
(Wed, 02 Mar 2016 08:27:04 GMT)
Acknowledgement sent
to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list.
(Wed, 02 Mar 2016 08:27:04 GMT)
Message #15 received at 816439@bugs.debian.org:
control: reassign -1 src:linux-grsec
control: forcemerge -1 #814787
On Wed., 2016-03-02 at 04:43 -0300, Dato Simó wrote:
> > While still a long way off, reproducible builds might pose a problem for a Grsec
> > kernel when CONFIG_GRKERNSEC_RANDSTRUCT is set to 'y', because this feature
> > randomizes kernel symbols and structures during compilation and is not meant
> > to be the same. For a publicly distributed kernel binary this feature does
> > not provide any protection anyhow, because these addresses are already known.
> > This feature will need to be disabled for full compatibility with
> > reproducible build systems.
> Just FYI, the @grsecurity account tweeted the following today:
>
> Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is
> actually compatible with reproducible builds, just need to
> keep randomize_layout_seed.h.
>
> https://twitter.com/grsecurity/status/704869584218685440
>
> No idea how relevant this is for reproducible builds in Debian. Just
> relaying it.
>
I'm merging it to #814787, which is also about RANDSTRUCT. I still think
RANDSTRUCT is useful, and someone should be able to make it work with
reproducible builds and external/DKMS modules. As far as I understand it, it's
just packaging issues.
Any help welcome on this, because I don't think I'll do it myself.
Regards,
--
Yves-Alexis
Merged 814787 816439
Request was from Yves-Alexis Perez <corsac@debian.org>
to 816439-submit@bugs.debian.org.
(Wed, 02 Mar 2016 08:27:06 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Yves-Alexis Perez <corsac@debian.org>:
Bug#816439; Package src:linux-grsec.
(Fri, 06 May 2016 11:03:08 GMT)
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Yves-Alexis Perez <corsac@debian.org>.
(Fri, 06 May 2016 11:03:08 GMT)
Message #24 received at 816439@bugs.debian.org:
user reproducible-builds@lists.alioth.debian.org
usertag 816439 randomness
thanks
Hi,
Dato wrote:
> Just FYI, the @grsecurity account tweeted the following today:
>
> Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is
> actually compatible with reproducible builds, just need to
> keep randomize_layout_seed.h.
> https://twitter.com/grsecurity/status/704869584218685440
seems like it should be seeded with
https://reproducible-builds.org/specs/source-date-epoch/
--
cheers,
Holger
Information forwarded
to debian-bugs-dist@lists.debian.org, Yves-Alexis Perez <corsac@debian.org>:
Bug#816439; Package src:linux-grsec.
(Sun, 15 May 2016 00:00:13 GMT)
Acknowledgement sent
to bancfc@openmailbox.org:
Extra info received and forwarded to list. Copy sent to Yves-Alexis Perez <corsac@debian.org>.
(Sun, 15 May 2016 00:00:13 GMT)
Message #29 received at 816439@bugs.debian.org:
On 2016-03-02 08:43, Dato Simó wrote:
>> While still a long way off, reproducible builds might pose a problem for a
>> Grsec kernel when CONFIG_GRKERNSEC_RANDSTRUCT is set to 'y', because this
>> feature randomizes kernel symbols and structures during compilation and is
>> not meant to be the same. For a publicly distributed kernel binary this
>> feature does not provide any protection anyhow, because these addresses are
>> already known. This feature will need to be disabled for full compatibility
>> with reproducible build systems.
>
> Just FYI, the @grsecurity account tweeted the following today:
>
> Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is
> actually compatible with reproducible builds, just need to
> keep randomize_layout_seed.h.
>
> https://twitter.com/grsecurity/status/704869584218685440
>
> No idea how relevant this is for reproducible builds in Debian. Just
> relaying it.
>
> Ciao,
> -d
Spender's solution is better than completely disabling RANDSTRUCT
because it forces adversaries to maintain exploit versions against every
kernel version released, forcing them to expend more resources.
Information forwarded
to debian-bugs-dist@lists.debian.org, Yves-Alexis Perez <corsac@debian.org>:
Bug#816439; Package src:linux-grsec.
(Tue, 12 Jul 2016 23:45:04 GMT)
Acknowledgement sent
to Steven Chamberlain <stevenc@debian.org>:
Extra info received and forwarded to list. Copy sent to Yves-Alexis Perez <corsac@debian.org>.
(Tue, 12 Jul 2016 23:45:04 GMT)
Message #34 received at 816439@bugs.debian.org:
tags 816439 + patch
thanks
Hi,
> > Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is
> > actually compatible with reproducible builds, just need to
> > keep randomize_layout_seed.h.
> > https://twitter.com/grsecurity/status/704869584218685440
Holger Levsen wrote:
> seems like it should be seeded with
> https://reproducible-builds.org/specs/source-date-epoch/
Patch attached! (please read it for the long description)
I'm afraid I couldn't find where to do this in linux-grsec Git.
So I've attached it in debdiff form instead.
There might still be other reproducibility issues after this.
Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
[linux-grsec_4.6.3-1+grsec201607062159+1.debdiff (text/plain, attachment)]
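Holger's suggestion to seed randomize_layout_seed.h from SOURCE_DATE_EPOCH, and Steven's debdiff (attached above, not reproduced on this page), both amount to replacing the build-time read of /dev/urandom with a seed derived from the build's declared inputs. The script below is an added example written for this page; it is not code from the bug report, from Steven's patch, or from the linux-grsec or grsecurity sources. The header shape it emits (`const char *randstruct_seed = "<hex>";`) is assumed from upstream Linux's scripts/gcc-plugins/gen-random-seed.sh, the seed derivation (SHA-256 over SOURCE_DATE_EPOCH and the package version) is this example's own choice, and the epoch and version values in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from bug #816439, Steven's debdiff, or grsecurity).
# Derives the RANDSTRUCT seed header from SOURCE_DATE_EPOCH plus the package
# version instead of /dev/urandom, so that rebuilding the same upload yields
# the same randomize_layout_seed.h and therefore the same struct layouts.
#
# ASSUMPTION: the header shape 'const char *randstruct_seed = "<hex>";' is
# the one emitted by upstream Linux's scripts/gcc-plugins/gen-random-seed.sh;
# the grsecurity plugin's randomize_layout_seed.h is assumed to match it.

# gen_seed EPOCH VERSION
# Prints a 64-hex-character seed on stdout. EPOCH must be a decimal integer
# (the SOURCE_DATE_EPOCH value); anything else is rejected rather than hashed.
gen_seed() {
    epoch=$1
    version=$2
    case "$epoch" in
        ''|*[!0-9]*)
            echo "gen_seed: SOURCE_DATE_EPOCH must be a decimal integer" >&2
            return 1 ;;
    esac
    # Hash a fixed label, the epoch and the version. Including the version
    # keeps the layout changing with every upload (an exploit has to be
    # re-adapted per released kernel); the epoch makes one upload's rebuild
    # stable. The seed is derivable from public inputs, so it is not secret.
    printf 'randstruct-seed:%s:%s' "$epoch" "$version" | sha256sum | cut -d' ' -f1
}

# write_seed_header FILE EPOCH VERSION
# Writes FILE unless it already exists. Keeping an existing file is
# deliberate: the same header must be shipped with the kernel headers so
# that out-of-tree / DKMS modules are compiled against the same layout.
write_seed_header() {
    out=$1
    if [ -f "$out" ]; then
        return 0
    fi
    seed=$(gen_seed "$2" "$3") || return 1
    printf 'const char *randstruct_seed = "%s";\n' "$seed" > "$out"
}

# Stand-alone use (constructed values):
#   SOURCE_DATE_EPOCH=1456865101 sh gen-seed.sh randomize_layout_seed.h 4.6.3-1
if [ "$#" -gt 0 ]; then
    : "${SOURCE_DATE_EPOCH:?set SOURCE_DATE_EPOCH (e.g. from debian/changelog)}"
    write_seed_header "$1" "$SOURCE_DATE_EPOCH" "${2:-unversioned}"
    cat "$1"
fi
```

Two practical points follow from this design. First, the generated header has to be installed alongside the kernel headers (and left untouched by clean targets), otherwise DKMS builds regenerate a different seed and load modules with incompatible structure layouts, which is the external-module problem Yves-Alexis mentions above. Second, because the seed is computed from public inputs, the benefit for a distributed kernel is exactly the one bancfc describes (a new layout per release), not secrecy; a site building its own kernel can still pre-populate the file with a private seed, and the script will leave it alone.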
Added tag(s) patch.
Request was from Steven Chamberlain <stevenc@debian.org>
to control@bugs.debian.org.
(Tue, 12 Jul 2016 23:45:06 GMT)
Message #37 received at 814787-done@bugs.debian.org:
Version: 4.9.65-2+grsecunoff1+rm
Dear submitter,
as the package linux-grsec has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/895433
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 14 May 2018 07:29:12 GMT)
Last modified: Wed May 17 09:33:56 2023