Test experimental securedrop-workstation (w/ grsec) template on Buster

[eloquence]

In preparation of the transition to Debian Buster for all Debian-based templates used by the workstation (#306), we want to create an experimental version of the securedrop-workstation template based on Debian Buster, w/ grsec enabled, in order to:

• Verify kernel compatibility
• Verify basic client operations

This can be done in an experimental branch or otherwise in such a manner as to not impact the ordinary course of development.

[conorsch]

Attempted a quick-and-dirty evaluation by running a dist-upgrade inside the securedrop-workstation template. As expected, the kernel showed problems on a reboot—if I revert the VM's kernel to a Qubes-provided kernel, e.g. qvm-prefs securedrop-workstation kernel 4.14.103-1, then the VM works fine. We'll likely have to build a fresh kernel and distribute that via the apt channels.

[emkll]

On a default debian-9 qubes-provided template cloned and upgraded to VM, I attempted to boot it using the default kernel by setting kernel to '' and virt_mode to HVM. The VM does boot, but the terminal output is corrupted

I've also tested the same thing with the qubes-template-debian-10 that is in the testing repos, installing the template via:
sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-debian-10
and observed the same behavior described above.

[emkll]

This bug has already been reported/tracked upstream in QubesOS/qubes-issues#5212 (comment)

[emkll]

Update:

The default debian-provided kernel now works in HVM mode on Debian 10, both on a dist-upgraded debian-9 template, but also the qubes-hosted template [1]
🎉 :

user@my-new-qube:~$ uname -r
4.19.0-6-amd64
user@my-new-qube:~$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
user@my-new-qube:~$ 

Unfortunately, installing the currently hosted 4.14.128 debs for linux-headers and linux-image, and setting those as default kernel in grub2 config via GRUB_DEFAULT="Advanced options for Debian GNU/Linux>Debian GNU/Linux, with Linux 4.14.128-grsec" results in a template that boots, but with GUI issues: windows don't open. The logs indicate that the machine booted correctly, and the only information found in the various logs (this one was in /var/log/syslog is Oct 23 13:52:06 localhost qubes-gui[488]: Waiting on /var/run/xf86-qubes-socket socket...

Now trying to build a newer kernel, if that fails will look more closely at the upstream kernel configs.
[1] sudo qubes-dom0-update {--enablerepo=qubes-templates-itl-testing} qubes-template-debian-10

[eloquence]

Thanks for the update @emkll ! Our remaining sprint commitment for 10/23-11/6 is still accurately described in the top-level comment, but just noting for the record that we've also agreed to:

• create a Buster channel in our package repository for testing the kernel (tracked in infra)
• create an RPM package and VM image

Our goal here is to allow developers to create new Buster VMs using a grsec kernel, not to immediately override the default for all existing SDW VMs.

[emkll]

Lifting proc restrictions for GID1000 (user group) instead of 900 (qubes group), which was introduced in freedomofpress/ansible-role-grsecurity-build@55998eb resolves the issue.

Because 4.14 < 4.19 (the default Buster kernel series), we must set the following option in /etc/default/grub: GRUB_DEFAULT="Advanced options for Debian GNU/Linux>Debian GNU/Linux, with Linux 4.14.150-grsec"

Building an HVM qube with the modifications described above will result in a functional HVM Qube running a grsecurity kernel.

user@debian-10-grsec-test:~$ paxtest blackhat
PaXtest - Copyright(c) 2003-2014 by Peter Busser <[email protected]> and Brad Spengler <[email protected]>
Released under the GNU Public Licence version 2 or later

Writing output to /home/user/paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003-2014 by Peter Busser <[email protected]> and Brad Spengler <[email protected]>
Released under the GNU Public Licence version 2 or later

Mode: 1
Blackhat
Kernel: 
Linux debian-10-grsec-test 4.14.150-grsec #1 SMP PREEMPT Fri Oct 25 10:25:04 UTC 2019 x86_64 GNU/Linux

Relase information: 
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
Test results:
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomization test     : 33 quality bits (guessed)
Heap randomization test (ET_EXEC)        : 40 quality bits (guessed)
Heap randomization test (PIE)            : 40 quality bits (guessed)
Main executable randomization (ET_EXEC)  : 33 quality bits (guessed)
Main executable randomization (PIE)      : 33 quality bits (guessed)
Shared library randomization test        : 33 quality bits (guessed)
VDSO randomization test                  : 33 quality bits (guessed)
Stack randomization test (SEGMEXEC)      : 40 quality bits (guessed)
Stack randomization test (PAGEEXEC)      : 40 quality bits (guessed)
Arg/env randomization test (SEGMEXEC)    : 44 quality bits (guessed)
Arg/env randomization test (PAGEEXEC)    : 44 quality bits (guessed)
Randomization under memory exhaustion @~0: 33 bits (guessed)
Randomization under memory exhaustion @0 : 33 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Vulnerable