Compiling a grsec kernel on a laptop/workstation is a good way to add protection against wide classes of attacks. However, while the options may be easy to choose on a server, this may be difficult because a typical desktop needs more privileges. Here are a few points:

  • Xorg (wants privileged I/O, unless you use KMS) conflicts with PAX_NOEXEC and GRKERNSEC_IO
  • power management: applets to display the battery level want (non-root) read permission on /sys, this will conflict with GRKERNSEC_SYSFS_RESTRICT. You can enable SYSFS_DEPRECATED as a workaround.
  • power management: ACPI is required for a laptop (if you want to be able to use suspend/resume, control fan speed, etc.)
  • power management: suspend/restore conflicts with some options (PAX_MEMORY_UDEREF and PAX_KERNEXEC)
  • virtualization: PAX_KERNEXEC conflicts with kvm/vmx

If you have other points to add/corrections, just send them to me !

Now, another problem I have is that I must use the proprietary kernel. Not that I really want to, but it is the only driver with proper support for my graphics card (GT555M), since the nouveau driver has some problems here: breaks suspend to ram/disk, sucks battery (I have 2h30 of autonomy with nouveau, and about 5 with Nvidia ..), and the card is almost supported except a bug that prevents changing the brightness ! So clearly, even if I don’t want to use the Nvidia stuff (proprietary, bad code, no optimus support), I have little choice

And of course, the Nvidia module does not build with a grsec kernel. I had to add patches taken and adapted from other sites, could not remember which ones). Here is a recipe to build a Debian package for module-assistant (*).

(*) Why should you build a Debian package ?Nothing forces you to do so ! That said, using a packages makes things clean when you uninstall it, does not break dependencies, allow smooth upgrades, and also allow to deploy the module on a set of machines if you have many.

0. Prerequisites

You will need a compiler and tools to build Debian packages. Install (at least) build-essential, fakeroot and devscripts

1. Get the sources of the Nvidia package

Run the following as a non-privileged user !

apt-get source nvidia-graphics-drivers
cd nvidia-graphics-drivers-295.20

2. Add patches to the build system

The Debian package is compiled to create several other packages. One of them is the nvidia-kernel-source package, which is the one we want to contain the patches. This package has to be rebuilt each time you compile a kernel, so it is interesting to use a package to make things automatic.Copy the two attached patches 991-pax-usercopy.patch and 992-pax-const.patch in the module directory, and add their names to the quilt patchset:

cp ../99*.patch debian/module/debian/patches
cd debian/module/debian/patches
ls -1 99*.patch >> series
cd -

The series file in the directory contains the patch names (one per line) in the order to be applied.

3. Add a changelog entry

dch -l+grsec1 "Add pax/grsec patches"

This changes the debian/changelog file to add a new entry, set the commit message and date, and the Debian package version.

4. Build the package

debuild -uc -us -b

This may fail if you don’t have the build dependencies (add them and re-run the command).

5. Install the source package

cd ..
sudo dpkg -i nvidia-kernel-source_295.20-1+grsec11_amd64.deb

Voila ! Now, each time you need to re-build the module, just run module-assistant as usual:

n. Build the module

As root:

m-a -t clean nvidia-kernel
m-a -t -f build nvidia-kernel

The compilation makes tons of warnings about signed/unsigned, always-true comparisons etc (what did you expect).If this succeeds, you will now have a shining deb package containing the binary module.

Finish the installation:

m-a -t install nvidia-kernel

and install the libgl1-nvidia-glx etc. packages with the exact same version, to avoid problems.

Reboot, and if you’re lucky you should now have a GUI :) Otherwise, check your /var/log/syslog for messages and your PaX/grsec options.