# [SOLVED] Is it possible to multi-patch a kernel ?

## lalebarde

Hi all,

I would like to patch my kernel with :

  - xen because I need to build some virtual server.

  - xenomai because I need real time and it is the solution of my choice.

  - tuxonice because I want to be able to suspend my desktop and save the planet with energy saving (my pwer-manager is set to 10').

  - hardened to possibly put my virtual server in production with maximum of security for my desktop. Further, is it required on the host ?

Is it easily doable ? What is the recpommended method ? As far as I know, patches are not available for every gentoo-sources releases.

xen :

	(2.6.18-r12)	2.6.18-r12!b!s

	(2.6.34-r3)	~2.6.34-r3!b!s

	(2.6.34-r4)	~2.6.34-r4!b!s

xenomai : 

http://www.xenomai.org/index.php/FAQs : "you may use any I-pipe patch for any kernel version ranging from 2.4.35/i386 to 2.6.29.4/x86."

tuxonice :

	(2.6.32-r17)	2.6.32-r17!b!s

	(2.6.32-r18)	~2.6.32-r18!b!s

	(2.6.32-r19)	~2.6.32-r19!b!s

	(2.6.34-r6)	2.6.34-r6!b!s

	(2.6.34-r7)	~2.6.34-r7!b!s

	(2.6.34-r :Cool: 	~2.6.34-r8!b!s

	(2.6.35-r3)	~2.6.35-r3!b!s

	(2.6.35-r4)	~2.6.35-r4!b!s

	(2.6.35-r5)	~2.6.35-r5!b!s

	(2.6.35-r6)	~2.6.35-r6!b!s

	(2.6.36)	~2.6.36!b!s

hardened

	(2.6.28-r9)	2.6.28-r9!b!s

	(2.6.32-r9)	2.6.32-r9!b!s

	(2.6.32-r22)	2.6.32-r22!b!s

	(2.6.32-r23)	~2.6.32-r23!b!s

	(2.6.34-r6)	2.6.34-r6!b!s

	(2.6.35-r4)	~2.6.35-r4!b!s

	(2.6.35-r5)	~2.6.35-r5!b!s

If I assume a 2.6.34-r6 the best fit, how to proceed ?Last edited by lalebarde on Tue Nov 09, 2010 3:38 pm; edited 1 time in total

----------

## aCOSwt

 *lalebarde wrote:*   

> ...put my virtual server in production with maximum of security for my desktop...

 

Are you sure it shouldn't be the other way around ?

BTW... what's all that mess about with your kernels ?

I assume that you are in the continuation of your project we spoke about on other thread.

Unless you get some irrealistic schedule, you cannot manage both learning your languages + setting up your websites + forum + paypal + security AND thinking hosting your services yourself reliably.

You just cannot cope with everything that will necessarily go wrong the first time you plug !

1/ Start the design of your web services and host them at ovh, nuxit or that kind of serious provider.

2/ When everything is OK with your services and you decide to host your services on your own system then

a : Think your server is a server and your desktop is a desktop.

Separate hardwares - separate systems.

FYI : My servers are under FreeBSD and my desktop under Gentoo-Sources

----------

## lalebarde

 *aCOSwt wrote:*   

> BTW... what's all that mess about with your kernels ?

 In the development phase, my desktop shall be capable of real time + virtualization. At the end, I will have :

  - a server with hardened-gentoo or a BSD.

  - some workstations with xenomai.

  - my desktop for remote administration, test, etc.

In the time between and to invest too much, I was wondering if I could put a virtual server in a dmz. But I understand your answer is no.

 *aCOSwt wrote:*   

> 2/ When everything is OK with your services and you decide to host your services on your own system then
> 
> a : Think your server is a server and your desktop is a desktop.
> 
> Separate hardwares - separate systems.
> ...

 Thank you very much for your advices. BTW, how does compare FreeBSD with NetBSD, OpenBSD and Hardened-Gentoo ? How have you made your choice ?

EDIT : Found that : http://www.freebsd.org/marketing/os-comparison.html *Quote:*   

> The network performance of Linux is 20-30% below the capability of FreeBSD running on the same hardware.

 Last edited by lalebarde on Fri Nov 05, 2010 6:05 pm; edited 1 time in total

----------

## chithanh

I don't think this is a particularly clever combination of patches. Real-time and security are often conflicting goals. Also if someone finds a vulnerability in the Xen hypervisor, your oh-so-secure hardened might come crashing down.

If isolation between server and desktop is a priority, then I would suggest to run the server in QEMU with its own user account.

----------

## lalebarde

 *chithanh wrote:*   

> I don't think this is a particularly clever combination of patches. Real-time and security are often conflicting goals. Also if someone finds a vulnerability in the Xen hypervisor, your oh-so-secure hardened might come crashing down.
> 
> If isolation between server and desktop is a priority, then I would suggest to run the server in QEMU with its own user account.

 

Thanks for your advice chithanh. Shall I understand that QEMU is more isolated than Xen ? What about QEMU vs KVM-QEMU ?

----------

## chithanh

When running QEMU as user, you have two layers of separation between an attacker inside the VM and the host. The attacker would need to both break out of the VM and perform a local privilege escalation to take control of the host.

If you run QEMU as root or use something kernel-based like KVM, Xen, etc. then compromising the hypervisor would be enough.

----------

## DaggyStyle

 *lalebarde wrote:*   

> 
> 
> EDIT : Found that : http://www.freebsd.org/marketing/os-comparison.html *Quote:*   The network performance of Linux is 20-30% below the capability of FreeBSD running on the same hardware. 

 

well this site: http://www.microsoft.com/windowsserver/compare/windows-server-vs-red-hat-linux.mspx claims that windows server is better then linux (of course that redhat is a representative of all linux).

the morale point of this, never believe a comparison of products that resides on a site of an product which is in the comparison.

----------

## lalebarde

 *DaggyStyle wrote:*   

> the morale point of this, never believe a comparison of products that resides on a site of an product which is in the comparison.

  Damned true   :Embarassed: 

----------

## lalebarde

 *chithanh wrote:*   

> When running QEMU as user, you have two layers of separation between an attacker inside the VM and the host. The attacker would need to both break out of the VM and perform a local privilege escalation to take control of the host.
> 
> If you run QEMU as root or use something kernel-based like KVM, Xen, etc. then compromising the hypervisor would be enough.

 Are there exploits known ?

----------

## eccerr0r

Offtopic section:

Know what... after thinking about this a bit, if the person running the VM never notices an issue with the VM and the 0wn3d VM continues to be 0wn3d, then does it really matter if the physical host gets compromised or not?  They still control a portion of your machine... network and all.  If you can do anything useful with the VM then the hacker has succeeded in getting what they wanted (store files? access network? botnet?  these three things tend to still be possible *inside* the VM).  Even worse if the intent of each VM was supposed to replace a real machine, they can still do what they could do on a real machine, to the network specifically.

Granted cleaning it up is a matter of replacing the image of the VM, but if you had data that you want to save in the VM... then it could just be as messy as a physical machine.  The good thing is the disk damage is contained... but network? that's shared!

Word of warning to users believing virtual machines is a security panacea... it's not!  Sorry, still have to secure each individual VM!

Sorry, I maintain my machine and am tired of all these botnet machines around... just wanted to spread the vigilante for people to watch their machines, virtual or not... please don't let your/a (virtual) machine be part of their collective...

Ontopic section:

With patches, people have not verified that each patch will work with another.  Results are not guaranteed and likely they will interfere with each other.  Unless you're a seasoned kernel hacker that can fix these locking/semaphore issues between subsystems, likely even if it will compile at all, may end up with race conditions leading to insecurity or inexplicable crashes.

Soapbox section:

24/7 servers weren't meant to be suspended and  power savings via suspend should be jettisoned if push comes to shove...

----------

## chithanh

 *lalebarde wrote:*   

> Are there exploits known ?

  The xen security history includes code execution vulnerabilities if you mean that.

 *eccerr0r wrote:*   

> 24/7 servers weren't meant to be suspended and power savings via suspend should be jettisoned if push comes to shove...

 There are valid reasons for suspend-to-disk on a server, eg. if you want to move it to another rack with little downtime. Or if it has only one PSU and UPS maintenance is needed.

----------

## eccerr0r

See the problem with suspend on servers:

It's still going to be down for the duration, isn't it?  And any active net connections to it will be stopped?  To me, the difference between suspended and reboot is not going to make much of a difference, plus the potential for machine state corruption while the machine is suspended, adding risk to reliability.

Again this is just an opinion, if people really want to suspend servers so be it, it might save a few seconds/minutes boot time out of the availability.

Remember, for 24/7 servers, boot time quickly adds up from the hundreds of times UPSes need service and physical machines need to be moved...

----------

## lalebarde

Thanks a lot all for your answers.

Concerning my kernel first question, I keep tuxonice kernel with kvm enabled that I will patch with xenomai (for my development PC - so hardened is useless).

For production, I will use qemu without kvm with a dedicated user or a dedicated hardware. I won't get hosting until it pays for it.

----------

## aCOSwt

 *DaggyStyle wrote:*   

>  *lalebarde wrote:*   
> 
> EDIT : Found that : http://www.freebsd.org/marketing/os-comparison.html *Quote:*   The network performance of Linux is 20-30% below the capability of FreeBSD running on the same hardware.  
> 
> the morale point of this, never believe a comparison of products that resides on a site of an product which is in the comparison.

 

Hmmm... This particular page is dated from year 2000, self claimed outdated and following your quote : "The situation has improved somewhat recently and the 2.4 release of the Linux kernel introduced a new virtual memory system based on the same concepts as the FreeBSD VM system. Since both operating systems are open source, beneficial technologies are shared and for this reason the performance of Linux and FreeBSD is rapidly converging"

The facts in favor (In my opinion, to date) for FreeBSD as a server are :

- Native support for the most robust file systems that no Linux FS can challenge

- FreeBSD having get rid of the GIANT_LOCK since V7 gives significant advantage to heavily loaded multiprocessor machines. (Linux will only start getting rid of it's equivalent with 2.6.37)

----------

## lalebarde

 *aCOSwt wrote:*   

> The facts in favor (In my opinion, to date) for FreeBSD as a server are :
> 
> - Native support for the most robust file systems that no Linux FS can challenge
> 
> - FreeBSD having get rid of the GIANT_LOCK since V7 gives significant advantage to heavily loaded multiprocessor machines. (Linux will only start getting rid of it's equivalent with 2.6.37)

 Thanks for the info aCOSwt.

----------

