{"id":148,"date":"2015-07-29T07:35:20","date_gmt":"2015-07-28T19:35:20","guid":{"rendered":"https:\/\/micro.muppetz.com\/blog\/?p=148"},"modified":"2016-06-16T13:31:12","modified_gmt":"2016-06-16T01:31:12","slug":"grsecurity-on-a-xubuntu-laptop","status":"publish","type":"post","link":"https:\/\/micro.muppetz.com\/blog\/2015\/07\/29\/grsecurity-on-a-xubuntu-laptop\/","title":{"rendered":"grsecurity on a Xubuntu laptop"},"content":{"rendered":"<p>I installed xubuntu on my now very old Dell XPS m1330 the other day. \u00a0Windows 10 just wasn&#8217;t cutting it for me, though that&#8217;s probably because I had an excess of crap installed. \u00a0It was taking upwards of 5 minutes to reboot though, so I thought I&#8217;d try something else.<\/p>\n<p>Xubuntu was the obvious choice, Gnome can die in a fire and KDE while nice is too UI heavy for what I want. \u00a0I love XFCE, it&#8217;s small, clean and does a great job, so xubuntu got the nod.<\/p>\n<p>Once installed and working, I then downloaded the 4.1.3 kernel source and the latest grsecurity patch for it. \u00a0Patched the source and fired up make menuconfig. \u00a0Ubuntu being ubuntu it comes with pretty much every freaking option, module and setting defaulted to yes. \u00a0Rather than piss about making a nice small custom kernel, I just went with all the defaults, then turned on pretty much every grsec feature. 
\u00a0The few items I kept disabled are:<\/p>\n<ul>\n<li><a href=\"https:\/\/en.wikibooks.org\/wiki\/Grsecurity\/Appendix\/Grsecurity_and_PaX_Configuration_Options#Trusted_Path_Execution_.28TPE.29\">Trusted Path Execution<\/a><\/li>\n<li><a href=\"https:\/\/en.wikibooks.org\/wiki\/Grsecurity\/Appendix\/Grsecurity_and_PaX_Configuration_Options#Socket_restrictions\">Socket Restrictions<\/a><\/li>\n<li><a href=\"https:\/\/en.wikibooks.org\/wiki\/Grsecurity\/Appendix\/Grsecurity_and_PaX_Configuration_Options#Disable_RBAC_system\">RBAC system<\/a><\/li>\n<\/ul>\n<p>They&#8217;re only\u00a0minor things (well, the RBAC system isn&#8217;t really &#8220;minor&#8221;); all of the main memory protection features (thanks, PaX) and the other grsecurity hardening features\u00a0are enabled.<\/p>\n<p>Then it&#8217;s just a matter of making sure all the right packages are installed to be able to do a &#8220;<em>make-kpkg --initrd kernel_image<\/em>&#8221; and waiting for a very long time. \u00a0Oh, and it helps to set CONCURRENCY_LEVEL to 2, which is how many cores the CPU has. \u00a0Then you wait about 3 hours&#8230;<\/p>\n<p>Finally\u00a0you end up with a .deb that you install and off you go. \u00a0Install it and reboot and&#8230;.<\/p>\n<p>It worked first go. Not that I really expected otherwise. \u00a0The only problems encountered are the expected ones: some binaries don&#8217;t like the hardened memory protections, so those protections have to be turned off on a per-binary basis. \u00a0So it&#8217;s <em>apt-get install pax-utils<\/em> and <em>apt-get install paxctl<\/em>.<\/p>\n<p>The binaries I adjusted flags for are:<\/p>\n<ul>\n<li>chrome<\/li>\n<li>thunderbird<\/li>\n<li>python3<\/li>\n<\/ul>\n<pre>paxctl -cpm \/path\/to\/binary<\/pre>\n<p><strong>c<\/strong>: creates a PaX header (by converting the binary&#8217;s PT_GNU_STACK program header into a PT_PAX_FLAGS one),\u00a0<strong>m<\/strong>: disables MPROTECT,\u00a0<strong>p<\/strong>: disables PAGEEXEC. \u00a0Disabling MPROTECT is the usual fix for JIT engines that need pages to be writable and then executable; only relax the flags a binary actually needs, and check what is set afterwards with <em>paxctl -v \/path\/to\/binary<\/em>.<\/p>\n<p>The only problems I&#8217;ve faced apart from this are issues with the sound module. 
\u00a0Under a default Ubuntu kernel the sound just works. \u00a0Under my compiled kernel, the module needs to be removed and re-added for sound to work, and then it fails if you suspend the laptop. \u00a0I&#8217;m 99% sure this isn&#8217;t anything to do with grsecurity, but rather the fact it&#8217;s a vanilla kernel source, not a heavily patched Ubuntu kernel source with fixes for all those sorts of things. \u00a0I&#8217;ll get to the bottom of it at some stage.<\/p>\n<p>But the laptop works and works well. \u00a0I&#8217;m not using the proprietary Nvidia drivers, just the nouveau ones. \u00a0Suspend works. \u00a0It&#8217;s still fast and browsing is quick, despite all of the PaX and grsecurity options being turned on, some of which have a known performance impact (I&#8217;m looking at you, <a href=\"https:\/\/en.wikibooks.org\/wiki\/Grsecurity\/Appendix\/Grsecurity_and_PaX_Configuration_Options#Prevent_invalid_userland_pointer_dereference\">Userland Dereference<\/a> and <a href=\"https:\/\/en.wikibooks.org\/wiki\/Grsecurity\/Appendix\/Grsecurity_and_PaX_Configuration_Options#Sanitize_all_freed_memory\">Memory Sanitize<\/a>).<\/p>\n<p>The whole process has been easy, quick and painless. \u00a0The hardest part has been waiting for the kernel to compile. \u00a0When I have a bit more free time I&#8217;ll go through and build an image for just this laptop, disabling all the drivers and options that are totally unnecessary. \u00a0I&#8217;ll end up with a much leaner kernel that&#8217;s quick to compile. \u00a0But the image I have now could be given to anyone with an x64 system and it&#8217;d boot and work perfectly.<\/p>\n<p>Thanks to spender, pipacs and emese for their work on PaX\/grsecurity.<\/p>\n<p>Tim<\/p>\n<p><strong>UPDATE:\u00a0<\/strong>A couple of updates to this post. \u00a0Firstly, the issue with sound was caused by\u00a0CONFIG_GRKERNSEC_SYSFS_RESTRICT being set. \u00a0Disabling this and rebuilding fixed it. 
\u00a0I also found that I was getting slower performance; disabling UDEREF on the command line, as well as slab sanitization, has fixed this, giving me excellent performance again. \u00a0Because they&#8217;re command-line options, I can re-enable them easily without having to recompile. \u00a0Bear in mind that both are real protections being traded away: <em>pax_nouderef<\/em> drops the kernel&#8217;s defence against dereferencing userland pointers, and <em>pax_sanitize_slab=off<\/em> leaves freed slab memory unscrubbed. \u00a0My full Linux boot command line is:<\/p>\n<pre>BOOT_IMAGE=\/boot\/vmlinuz-4.1.4-grsec root=\/dev\/sda1 ro reboot=w nouveau.runpm=1 nouveau.pstate=1 pax_nouderef pax_sanitize_slab=off pax_extra_latent_entropy<\/pre>\n<p>Finally, I sat down over the weekend and stripped out all the unneeded modules and settings. \u00a0Ubuntu by default enables a lot of debugging features, so all those are turned off now with the aim of squeezing a bit more performance out of the laptop. \u00a0Plus now my kernel image is ~25 MB instead of ~250 MB.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I installed xubuntu on my now very old Dell XPS m1330 the other day. \u00a0Windows 10 just wasn&#8217;t cutting it for me, though that&#8217;s probably because I had an excess of crap installed. \u00a0It was taking upwards of 5 minutes to reboot though, so I thought I&#8217;d try something else. 
Xubuntu was the obvious choice, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":151,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,17,22,18,10,2],"tags":[92,59,21,93,20,91],"class_list":["post-148","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-computers","category-grsecurity","category-linux","category-security","category-technical","category-thoughts","tag-grsecurity","tag-laptop","tag-linux","tag-pax","tag-security","tag-ubuntu"],"_links":{"self":[{"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/posts\/148","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/comments?post=148"}],"version-history":[{"count":8,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/posts\/148\/revisions"}],"predecessor-version":[{"id":240,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/posts\/148\/revisions\/240"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/media\/151"}],"wp:attachment":[{"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/media?parent=148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/categories?post=148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/tags?post=148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
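The post's per-binary fix, "paxctl -cpm /path/to/binary", works by rewriting one ELF program header. The following is an added example, not code from the post and not paxctl's own source: it decodes and rewrites the PT_PAX_FLAGS header on an ELF64 image held in memory, so you can see exactly what "-c", "-p" and "-m" change. The PT_PAX_FLAGS type value (0x65041580) and the p_flags bit layout are those of the PaX patch's elf.h; glibc's elf.h does not define them, so they are spelled out here. Two things are this example's own choices rather than documented paxctl behaviour: a converted header starts with all feature bits cleared (kernel defaults apply), and the sample ELF image is constructed inline rather than read from disk. On a real machine you would inspect the result with "paxctl -v".

```c
/* Added example: decode/rewrite the PT_PAX_FLAGS program header that
 * "paxctl -cpm" leaves in an ELF64 binary.  Not paxctl's source code.
 * Assumes a little-endian image on a little-endian host (x86-64). */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the PaX patch's elf.h (absent from glibc's elf.h). */
#define PAX_PT_FLAGS      0x65041580U
#define PAX_PF_PAGEEXEC   (1U << 4)
#define PAX_PF_NOPAGEEXEC (1U << 5)
#define PAX_PF_SEGMEXEC   (1U << 6)
#define PAX_PF_NOSEGMEXEC (1U << 7)
#define PAX_PF_MPROTECT   (1U << 8)
#define PAX_PF_NOMPROTECT (1U << 9)
#define PAX_PF_RANDEXEC   (1U << 10)
#define PAX_PF_NORANDEXEC (1U << 11)
#define PAX_PF_EMUTRAMP   (1U << 12)
#define PAX_PF_NOEMUTRAMP (1U << 13)
#define PAX_PF_RANDMMAP   (1U << 14)
#define PAX_PF_NORANDMMAP (1U << 15)

/* Byte offset of the first program header of type `type`, or -1.  Bounds are
 * checked so a truncated or bogus header table cannot drive reads off `buf`. */
static long find_phdr(const uint8_t *buf, size_t len, uint32_t type, Elf64_Phdr *out)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64) return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff) return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = (size_t)eh.e_phoff + i * sizeof ph;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == type) { if (out) *out = ph; return (long)off; }
    }
    return -1;
}

/* p_flags of the PaX header, or -1 when there is none (kernel defaults apply). */
long pax_get_flags(const uint8_t *buf, size_t len)
{
    Elf64_Phdr ph;
    return find_phdr(buf, len, PAX_PT_FLAGS, &ph) < 0 ? -1 : (long)ph.p_flags;
}

/* Apply a paxctl-style option string such as "cpm".  'c' converts PT_GNU_STACK
 * into PT_PAX_FLAGS (feature bits cleared: this example's choice).  Lower-case
 * disables a feature, upper-case forces it on; a feature's two bits stay
 * mutually exclusive.  Returns -1 on an unknown letter or when a flag is
 * requested on a binary that has no PaX header yet. */
int pax_apply(uint8_t *buf, size_t len, const char *opts)
{
    static const struct { char lo, hi; uint32_t no, yes; } tab[] = {
        { 'p', 'P', PAX_PF_NOPAGEEXEC, PAX_PF_PAGEEXEC },
        { 's', 'S', PAX_PF_NOSEGMEXEC, PAX_PF_SEGMEXEC },
        { 'm', 'M', PAX_PF_NOMPROTECT, PAX_PF_MPROTECT },
        { 'x', 'X', PAX_PF_NORANDEXEC, PAX_PF_RANDEXEC },
        { 'e', 'E', PAX_PF_NOEMUTRAMP, PAX_PF_EMUTRAMP },
        { 'r', 'R', PAX_PF_NORANDMMAP, PAX_PF_RANDMMAP },
    };
    const size_t ntab = sizeof tab / sizeof tab[0];
    for (; *opts; opts++) {
        Elf64_Phdr ph;
        long off;
        if (*opts == 'c') {
            if (find_phdr(buf, len, PAX_PT_FLAGS, NULL) >= 0) continue; /* already converted */
            if ((off = find_phdr(buf, len, PT_GNU_STACK, &ph)) < 0) return -1; /* nothing to convert */
            ph.p_type = PAX_PT_FLAGS;
            ph.p_flags = 0;
            memcpy(buf + off, &ph, sizeof ph);
            continue;
        }
        size_t k;
        for (k = 0; k < ntab && *opts != tab[k].lo && *opts != tab[k].hi; k++) ;
        if (k == ntab) return -1;                                /* unknown option letter */
        if ((off = find_phdr(buf, len, PAX_PT_FLAGS, &ph)) < 0) return -1; /* run 'c' first */
        uint32_t set = (*opts == tab[k].lo) ? tab[k].no : tab[k].yes;
        uint32_t clr = (*opts == tab[k].lo) ? tab[k].yes : tab[k].no;
        ph.p_flags = (ph.p_flags & ~clr) | set;
        memcpy(buf + off, &ph, sizeof ph);
    }
    return 0;
}

/* Constructed sample: ELF64 header, one PT_LOAD, one PT_GNU_STACK, no PaX
 * header, like a freshly linked binary.  Returns the image size (176 bytes). */
size_t make_sample_elf(uint8_t *buf)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD;      ph[0].p_flags = PF_R | PF_X; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_GNU_STACK; ph[1].p_flags = PF_R | PF_W; ph[1].p_align = 16;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Flags left in the sample image after running `opts` on it (-1 = no PaX header). */
long demo_flags_after(const char *opts)
{
    uint8_t img[256];
    size_t n = make_sample_elf(img);
    pax_apply(img, n, opts);
    return pax_get_flags(img, n);
}

int main(void)
{
    printf("fresh binary:        %ld\n",   demo_flags_after(""));     /* -1 */
    printf("after paxctl -cpm:   0x%lx\n", demo_flags_after("cpm"));  /* 0x220 */
    printf("then paxctl -M:      0x%lx\n", demo_flags_after("cpmM")); /* 0x120 */
    return 0;
}
```

The two interesting cases are the failure modes a practitioner hits with the real tool: "paxctl -pm" on a binary with no PaX header fails until "-c" (or "-C") has created one, and re-enabling a feature ("-M") must clear the matching NO bit rather than just set the positive one.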