grsec kernel with nvidia module
Compiling a grsec kernel on a laptop or workstation is a good way to add protection against wide classes of attacks. However, while the options may be easy to choose on a server, choosing them on a desktop is harder, because a typical desktop needs more privileges. Here are a few points:
- Xorg (wants privileged I/O, unless you use KMS) conflicts with PAX_NOEXEC and GRKERNSEC_IO
- power management: applets that display the battery level want (non-root) read permission on /sys; this conflicts with GRKERNSEC_SYSFS_RESTRICT. You can enable SYSFS_DEPRECATED as a workaround.
- power management: ACPI is required for a laptop (if you want to be able to use suspend/resume, control fan speed, etc.)
- power management: suspend/restore conflicts with some options (PAX_MEMORY_UDEREF and PAX_KERNEXEC)
- virtualization: PAX_KERNEXEC conflicts with kvm/vmx
If you have other points to add or corrections, just send them to me!
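As an added example (not part of the original post), here is a small POSIX sh pre-flight check that reads a kernel .config and reports which of the grsec/PaX options listed above are enabled, together with the desktop feature each one is known to break; the helper names and the sample config are constructed for illustration.

```shell
# Added helper, not from the original post: list the enabled grsec/PaX
# options from the list above that conflict with desktop features.
# Returns 1 if any unmitigated conflict is found, so it can gate a build.
# Usage: grsec_desktop_check /usr/src/linux/.config
grsec_desktop_check() {
    cfg="$1"
    hits=0
    # Table derived from the list above: option|conflicting feature|workaround
    while IFS='|' read -r opt feature fix; do
        grep -q "^CONFIG_${opt}=y" "$cfg" || continue
        # SYSFS_RESTRICT is fine when the SYSFS_DEPRECATED workaround is also set
        if [ "$opt" = GRKERNSEC_SYSFS_RESTRICT ] &&
           grep -q '^CONFIG_SYSFS_DEPRECATED=y' "$cfg"; then
            printf 'CONFIG_%s=y: ok, SYSFS_DEPRECATED workaround is enabled\n' "$opt"
            continue
        fi
        hits=$((hits + 1))
        printf 'CONFIG_%s=y: conflicts with %s' "$opt" "$feature"
        [ -n "$fix" ] && printf ' (workaround: %s)' "$fix"
        printf '\n'
    done <<EOF
PAX_NOEXEC|Xorg privileged I/O|use KMS
GRKERNSEC_IO|Xorg privileged I/O|use KMS
GRKERNSEC_SYSFS_RESTRICT|non-root battery applets reading /sys|enable SYSFS_DEPRECATED
PAX_MEMORY_UDEREF|suspend/resume|
PAX_KERNEXEC|suspend/resume and kvm/vmx|
EOF
    [ "$hits" -eq 0 ]
}

# Constructed sample config (not a real machine's .config) for demonstration
write_sample_config() {
    cat > "$1" <<EOF
CONFIG_PAX_NOEXEC=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_SYSFS_DEPRECATED=y
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_KERNEXEC=y
EOF
}

# Demo run: reports three conflicts and one mitigated option
sample=$(mktemp)
write_sample_config "$sample"
grsec_desktop_check "$sample"
rm -f "$sample"
```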
Now, another problem I have is that I must use the proprietary kernel module. Not that I really want to, but it is the only driver with proper support for my graphics card (GT555M), since the nouveau driver has some problems here: it breaks suspend to RAM/disk, sucks battery (I have 2h30 of autonomy with nouveau, and about 5h with Nvidia...), and the card is almost supported, except for a bug that prevents changing the brightness! So clearly, even if I don't want to use the Nvidia stuff (proprietary, bad code, no Optimus support), I have little choice.
And of course, the Nvidia module does not build with a grsec kernel. I had to add patches (taken and adapted from other sites; I could not remember which ones). Here is a recipe to build a Debian package for module-assistant (*).
(*) Why should you build a Debian package? Nothing forces you to do so! That said, using a package keeps things clean when you uninstall it, does not break dependencies, allows smooth upgrades, and also lets you deploy the module on a set of machines if you have many.
0. Prerequisites
You will need a compiler and tools to build Debian packages. Install (at least) build-essential, fakeroot and devscripts.
1. Get the sources of the Nvidia package
Run the following as a non-privileged user!
apt-get source nvidia-graphics-drivers
cd nvidia-graphics-drivers-295.20
2. Add patches to the build system
The Debian package is compiled to create several other packages. One of them is the nvidia-kernel-source package, which is the one we want to contain the patches. The module has to be rebuilt each time you compile a kernel, so it is interesting to use a package to make things automatic. Copy the two attached patches 991-pax-usercopy.patch and 992-pax-const.patch into the module directory, and add their names to the quilt patchset:
cp ../99*.patch debian/module/debian/patches
cd debian/module/debian/patches
ls -1 99*.patch >> series
cd -
The series file in that directory contains the patch names (one per line) in the order in which they are applied.
3. Add a changelog entry
dch -l+grsec1 "Add pax/grsec patches"
This changes the debian/changelog file to add a new entry, set the commit message and date, and bump the Debian package version (dch appends a counter to the -l suffix, which is why the resulting version below ends in +grsec11).
4. Build the package
debuild -uc -us -b
This may fail if you don't have the build dependencies installed (add them and re-run the command).
5. Install the source package
cd ..
sudo dpkg -i nvidia-kernel-source_295.20-1+grsec11_amd64.deb
Voila! Now, each time you need to rebuild the module, just run module-assistant as usual:
n. Build the module
As root:
m-a -t clean nvidia-kernel
m-a -t -f build nvidia-kernel
The compilation produces tons of warnings about signed/unsigned mismatches, always-true comparisons, etc. (what did you expect). If this succeeds, you will now have a shining deb package containing the binary module.
Finish the installation:
m-a -t install nvidia-kernel
and install the libgl1-nvidia-glx etc. packages with the exact same version, to avoid problems.
Reboot, and if you're lucky you should now have a GUI :) Otherwise, check your /var/log/syslog for messages and review your PaX/grsec options.