在 Raspberry Pi 2 上安装 Hardened Gentoo

一段时间以前入了树梅派,想当作日后的主力服务器使用,尝试配置一个好用的服务器,而且最近比较热衷于 hardened 系统,可以提供额外的安全。

配置参考:https://wiki.gentoo.org/wiki/Raspberry_Pi

首先应该配置sd卡分区,我之前用的raspbian,打算直接用旧的分区,不动boot分区,只对root分区(mount在/mnt/ext4上)进行修改。

首先下来最新的stage3,校验,解压:

wget http://distfiles.gentoo.org/experimental/arm/hardened/stage3-armv7a_hardfp-hardened-201xxxxx.tar.bz2

wget http://distfiles.gentoo.org/experimental/arm/hardened/stage3-armv7a_hardfp-hardened-201xxxxx.DIGESTS

和 DIGESTS 对比核对下各种校验值对不对,之后解压到sd卡根目录(/mnt/ext4):

tar xvf stage3-armv7a_hardfp-hardened-201xxxxx.tar.bz2 -C /mnt/ext4/

由于正在PC上使用gentoo,直接使用cp /usr/portage ./usr/ 复制portage tree。注意先清理一下distfiles。

cp /usr/portage /mnt/ext4/usr/portage -r

如果没有现成的Portage Tree下载解压一个即可。

 

Linux Kernel and Grsecurity Patch:

配置Toolchain:

Gentoo 中可以很方便地使用 crossdev 配置:

crossdev -S -v -t armv7a-hardfloat-linux-gnueabi

或者其他方式准备工具链,之后设置环境变量:

export ARCH=arm

export CROSS_COMPILE=armv7a-hardfloat-linux-gnueabi-

export INSTALL_MOD_PATH=/mnt/ext4

export INSTALL_HDR_PATH=/mnt/ext4

export KERNEL=kernel7

准备内核代码:

git clone git://github.com/raspberrypi/linux.git

如果已有现成的Linux git repo ,而且不介意加入更多remote的话,可以通过

git remote add rasp git://github.com/raspberrypi/linux.git

git fetch rasp

更快地获得代码。

应用Grsecurity补丁,使用branch rpi-4.3.y的代码。

git checkout rasp/rpi-4.3.y

wget https://grsecurity.net/test/grsecurity-3.1-4.3.3-201xxxxxxxxx.patch

patch -p1 -s < grsecurity-3.1-4.3.3-201xxxxxxxxx.patch

有Reject,一般比较好解决,手动解决即可。

写了个小Patch,修复驱动的小问题:

diff --git a/drivers/misc/vc04_services/interface/vchiq_arm/vchiq_shim.c b/drivers/misc/vc04_services/interface/vchiq_arm/vchiq_shim.c
index 8072ff6..74c3af3 100644
--- a/drivers/misc/vc04_services/interface/vchiq_arm/vchiq_shim.c
+++ b/drivers/misc/vc04_services/interface/vchiq_arm/vchiq_shim.c
@@ -39,8 +39,6 @@

#include "vchiq_util.h"

-#include <stddef.h>
-
#define vchiq_status_to_vchi(status) ((int32_t)status)

typedef struct {
diff --git a/drivers/net/wireless/rtl8192cu/include/hal_intf.h b/drivers/net/wireless/rtl8192cu/include/hal_intf.h
index cac4408..2c08180 100644
--- a/drivers/net/wireless/rtl8192cu/include/hal_intf.h
+++ b/drivers/net/wireless/rtl8192cu/include/hal_intf.h
@@ -231,7 +231,7 @@ struct hal_ops {

s32 (*c2h_handler)(_adapter *padapter, struct c2h_evt_hdr *c2h_evt);
c2h_id_filter c2h_id_filter_ccx;
-};
+} __no_const;

typedef        enum _RT_EEPROM_TYPE{
EEPROM_93C46,
diff --git a/drivers/net/wireless/rtl8192cu/include/rtw_io.h b/drivers/net/wireless/rtl8192cu/include/rtw_io.h
index daf342ac..1ef9295 100644
--- a/drivers/net/wireless/rtl8192cu/include/rtw_io.h
+++ b/drivers/net/wireless/rtl8192cu/include/rtw_io.h
@@ -152,7 +152,7 @@ struct _io_ops
void (*_read_port_cancel)(struct intf_hdl *pintfhdl);
void (*_write_port_cancel)(struct intf_hdl *pintfhdl);

-};
+} __no_const;

准备config,通过menuconfig开关一下Grsecurity的安全选项:

make bcm2709_defconfig

make menuconfig

按需修改,测试发现需要关闭以下Grsecurity相关标记,不然树梅派会不能启动。CONFIG_PAX_KERNEXEC,CONFIG_PAX_MEMORY_UDEREF,CONFIG_GRKERNSEC_RANDSTRUCT

注意:使用CONFIG_DEBUG_RODATA 会让 Grsecurity 的 RBAC 无法开启,开启会导致Kernel Panic。

编译内核,模块,Devtree。

make zImage modules dtbs

安装新内核:

make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=mnt/ext4 modules_install

make headers_install

cp mnt/fat32/$KERNEL.img mnt/fat32/$KERNEL-backup.img

scripts/mkknlimg arch/arm/boot/zImage mnt/fat32/$KERNEL.img

cp arch/arm/boot/dts/*.dtb mnt/fat32/

cp arch/arm/boot/dts/overlays/*.dtb* mnt/fat32/overlays/

cp arch/arm/boot/dts/overlays/README mnt/fat32/overlays/

sync

sudo umount mnt/fat32

sudo umount mnt/ext4

修改fstab,加上boot挂载点。

塞入SD可以开机了,其余参考Wiki配置即可。

 

相关连接:

树梅派官方内核编译向导:

https://www.raspberrypi.org/documentation/linux/kernel/building.md

Gentoo Wiki相关:

https://wiki.gentoo.org/wiki/Raspberry_Pi/Quick_Install_Guide

https://wiki.gentoo.org/wiki/Raspberry_Pi/Cross_building

已经打好补丁的Patch:

https://github.com/ryncsn/linux

由于GRSEC违反GPL2协议,应该不会再有更新了,默哀。

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.