Uses grsecurity-patched kernels for all templates #169
Conversation
Using metapackages for config and kernel install. Requires HVM virtualization mode, as well as an empty string for kernel setting, to opt out of the Qubes-supplied kernels, and use what's inside the VM. Installing from the "apt-test-qubes" repo, using the test signing key.
Tried to make the test DRY, covering: * HVM virtualization mode is set * Qubes-managed kernel disabled * Expected exact version of kernel is running Works well.
|
Just flagging that this PR should be merged before the |
|
N.B. the Whonix-based VMs do not use grsec:
Haven't tested modifying those with grsecurity-patched, but we can circle back after #138 & #161. The Tor Browser application will definitely crash under grsec, without custom PaX flags, but the Python native client may be A-OK. |
There was a problem hiding this comment.
Amazing work @conorsch , the diff is very clean, and everything works as advertised: tests pass, and i can decrypt/display submissions.
To address potential concerns regarding memory overhead of using HVM virtualization with grsecurity kernels: based on my local testing opening 10 submissions (depending on the application used to open the file), each HVM qube consume 600MB of memory average (for comparison, my email qube uses over 1GB, and sd-journalist, whonix-workstation based qube uses 1.1GB).
Closes #156.
Installs FPF-maintained custom kernels in the workstation TemplateVMs. Includes updates to config tests to confirm grsec-patched kernels are running.
Testing
make allindom0and confirm no errors.make testindom0and confirm no errors.geditin a DisposableVM.I also confirmed that a JPG submission was displayed successfully, but it first tried to open Firefox, failed, then tried and succeeded with
/usr/bin/display. The error message regarding Firefox is ugly, but we should resolve that behavior as part of #158, not here.Note also that we intend to remove these custom apt logic for the VM config via #157 in the near future. This PR still allows us to start using custom kernels and shake out the issues as they arise.