Uploaded image for project: 'Funtoo Linux'
  1. Funtoo Linux
  2. FL-224 Hardened support for Funtoo's profiles
  3. FL-235

Add hardened support for coreboot on grub

XMLWordPrintable

    • Icon: Sub-task Sub-task
    • Resolution: Incomplete
    • Icon: Normal Normal
    • None
    • None
    • None

      As GRUB uses nested functions, it needs an executable stack.

      Using these kernel options will give your grub-mkdevicemap, grub-setup and grub-probe unusable:

      CONFIG_PAX_PAGEEXEC=Y
      CONFIG_PAX_SEGMEXEC=Y

      There are two ways to solve this problem:

      1. Disabling the exec shield:
      echo 0 > /proc/sys/kernel/exec-shield
      [now run boot-update]
      echo 2 > /proc/sys/kernel/exec-shield

      2. Setting some PAX flags on the affected binaries (requires paxctl):
      paxctl -cms /sbin/grub-probe
      paxctl -cms /sbin/grub-mkdevicemap
      paxctl -cms /sbin/grub-setup

      The following links serves as referral pages where other distro users have found the same problem:

      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503173
      https://bugzilla.redhat.com/show_bug.cgi?id=731111
      http://forums.grsecurity.net/viewtopic.php?f=3&t=2963

            Unassigned Unassigned
            vroman vroman
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: