Grsecurity + Pax


Grsecurity is a GPL-licensed, extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, prevention of memory-corruption-based exploits, and a host of other system hardening features that generally require no configuration. It has been actively developed and maintained for the past 14 years. Commercial support for Grsecurity is available through Open Source Security, Inc.

Instead of chasing and fixing individual bugs, Grsecurity and PaX end exploitation of entire bug classes and provide kernel self-protection against zero-days.

How-To: Non-Qubes-Whonix

Grsecurity Kernel Setup

This guide gets you up and running with the latest Grsecurity kernel inside a KVM Whonix guest or host. The instructions are inspired by the official Grsecurity guide but adapted for the command line, and they include helpful information not mentioned in the original. They cover downloading, verifying, configuring, compiling and installing the hardened kernel, and how to install and use its admin tools. With minimal changes you can compile for another architecture. There have been many attempts to automate this and get it into upstream Debian, but no solution exists yet.

The kernel should be anonymously compiled in Whonix-Workstation. Be sure to add more CPUs to speed up the compilation process before starting.

Import and verify developer keys. Always check the fingerprint for yourself:

pub  4096R/0x44D1C0F82525FE49 2013-11-10 Bradley Spengler (spender) <spender@grsecurity.net>
      Key fingerprint = DE94 52CE 46F4 2094 907F  108B 44D1 C0F8 2525 FE49
pub   4096R/0x38DBBDC86092693E 2011-09-23
      Key fingerprint = 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

gpg --recv-keys "DE94 52CE 46F4 2094 907F  108B 44D1 C0F8 2525 FE49"

gpg --recv-keys "647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E"

gpg --list-keys --fingerprint "DE94 52CE 46F4 2094 907F  108B 44D1 C0F8 2525 FE49"

gpg --list-keys --fingerprint "647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E"

By the time you read this the file names may be outdated despite best efforts to keep this guide current, so you may have to adjust them accordingly.

Download the latest components for your chosen hardware architecture (only the Testing branch is freely available) together with their matching signatures: [1] [2]

scurl -J -O https://grsecurity.net/test/grsecurity-3.1-4.3.3-201512282134.patch
scurl -J -O https://grsecurity.net/test/grsecurity-3.1-4.3.3-201512282134.patch.sig
scurl -J -O https://grsecurity.net/stable/gradm-3.1-201507191652.tar.gz
scurl -J -O https://grsecurity.net/stable/gradm-3.1-201507191652.tar.gz.sig
scurl -J -O https://grsecurity.net/stable/grsecurity-2.2.0-iptables.patch
scurl -J -O https://grsecurity.net/stable/grsecurity-2.2.0-iptables.patch.sig
scurl -J -O https://grsecurity.net/paxctld/paxctld_1.0-4_i386.deb
scurl -J -O https://grsecurity.net/paxctld/paxctld_1.0-4_i386.deb.sig

The third field of the patch name is the kernel version the patch applies to (in grsecurity-3.1-4.2.7-201512092320.patch that is 4.2.7). Fetch the tarball for exactly that version, plus its signature, from kernel.org:

scurl -J -O https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.3.3.tar.xz
scurl -J -O https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.3.3.tar.sign

The following command verifies everything just downloaded into the home directory. In the output, look for the file names that passed the check, in lines such as: assuming signed data in 'paxctld_1.0-3_i386.deb'. For each component you should see Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>". A "Good signature" line only tells you that the signature validates against some key in your keyring, so also make sure the key named is the one whose fingerprint you checked above.

gpg --verify --multifile grsecurity* gradm* paxctld*

The kernel signature is made against the uncompressed archive, so that a single signature covers the .gz, .bz2 and .xz compressed versions of the release. Start by uncompressing the archive with unxz, then verify. You should see Good signature from "Greg Kroah-Hartman":

sudo apt-get install xz-utils
unxz linux*.tar.xz
gpg --verify linux*.tar.sign
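As an added example (not part of this wiki page and not grsecurity's own tooling), here is a small POSIX shell helper that automates the key-import, download-naming and verification steps above. It pins both keys by the full fingerprints published above (the second key is the one that signs the kernel.org tarballs, which is why the tarball check above reports Greg Kroah-Hartman), derives the kernel.org URLs from the grsecurity patch name, and checks each detached signature through gpg's machine-readable VALIDSIG status record against the pinned fingerprint rather than through the words "Good signature", which any key already in the keyring could produce. It assumes scurl is available as on Whonix; the script and function names are my own.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki page: verify a grsecurity download set.
# Fingerprints are the two published on this page (spaces removed).
SPENDER_FPR="DE9452CE46F42094907F108B44D1C0F82525FE49"   # Bradley Spengler (spender)
KERNEL_FPR="647F28654894E3BD457199BE38DBBDC86092693E"    # kernel.org release key (second key above)

# keyring_has_fpr COLON_OUTPUT FPR
# Parse `gpg --with-colons --fingerprint` output and succeed only if a *primary*
# key fingerprint (the "fpr" record right after a "pub" record) equals FPR.
# Field 10 of an fpr record is the fingerprint.
keyring_has_fpr() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "pub" { primary = 1; next }
        $1 == "fpr" && primary { if ($10 == want) found = 1 }
        { primary = 0 }
        END { exit(found ? 0 : 1) }'
}

# kernel_version_from_patch PATCHNAME
# grsecurity-<grsec ver>-<kernel ver>-<timestamp>.patch  ->  <kernel ver>
kernel_version_from_patch() {
    printf '%s\n' "$1" | sed -n 's/^grsecurity-[0-9.]*-\([0-9.]*\)-[0-9]*\.patch$/\1/p'
}

# kernel_tarball_url VERSION  ->  URL of linux-VERSION.tar.xz on cdn.kernel.org
# (the .tar.sign lives at the same path with .tar.xz replaced by .tar.sign)
kernel_tarball_url() {
    major=${1%%.*}
    echo "https://cdn.kernel.org/pub/linux/kernel/v${major}.x/linux-$1.tar.xz"
}

# validsig_matches STATUS_TEXT FPR
# STATUS_TEXT is `gpg --status-fd 1 --verify` output. VALIDSIG carries the signing
# (sub)key fingerprint in field 3 and, in newer gpg, the primary key fingerprint
# as the last field; accept either so a signature made by a subkey still matches.
validsig_matches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# verify_signed_by FILE SIGFILE EXPECTED_FPR
verify_signed_by() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    if validsig_matches "$status" "$3"; then
        echo "OK   $1"
    else
        echo "FAIL $1: no valid signature from $3" >&2
        return 1
    fi
}

# verify_release PATCHNAME: run the whole check from the download directory.
verify_release() {
    gpg --recv-keys "$SPENDER_FPR" "$KERNEL_FPR"
    listing=$(gpg --with-colons --fingerprint "$SPENDER_FPR" "$KERNEL_FPR")
    keyring_has_fpr "$listing" "$SPENDER_FPR" || { echo "spender key not pinned" >&2; return 1; }
    keyring_has_fpr "$listing" "$KERNEL_FPR"  || { echo "kernel.org key not pinned" >&2; return 1; }

    ver=$(kernel_version_from_patch "$1")
    [ -n "$ver" ] || { echo "cannot parse kernel version from $1" >&2; return 1; }
    tarxz=$(kernel_tarball_url "$ver")
    scurl -J -O "$tarxz"
    scurl -J -O "${tarxz%.xz}.sign"

    for f in grsecurity-*.patch gradm-*.tar.gz paxctld_*.deb; do
        verify_signed_by "$f" "$f.sig" "$SPENDER_FPR" || return 1
    done
    unxz --keep "linux-$ver.tar.xz"          # the kernel signature covers the .tar
    verify_signed_by "linux-$ver.tar" "linux-$ver.tar.sign" "$KERNEL_FPR"
}

# Usage:  sh verify-grsec.sh run grsecurity-3.1-4.3.3-201512282134.patch
case "${1:-}" in
    run) verify_release "${2:-}" ;;
esac
```

The check deliberately ignores gpg's human-readable text: the VALIDSIG record is stable across locales and versions, and comparing the full fingerprint (not the short key ID printed in GOODSIG, which is trivially collidable) is what ties the file to the key you pinned.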

In this document the kernel source archive (linux*.tar) and the matching grsecurity patch (grsecurity*.patch) are assumed to be in the same directory.

tar -xf linux*.tar
cd linux*
sudo patch -p1 < ../grsecurity-*-*-*.patch

Install the build tools:

sudo apt-get install flex bison libncurses5-dev fakeroot gcc-4.9-plugin-dev libgmp-dev libmpfr-dev libmpc-dev libssl-dev build-essential

Check which version of GCC you have installed and install the matching gcc-<version>-plugin-dev package for it.[3]

gcc -v

To open the kernel configuration menu run:

sudo make menuconfig

Grsecurity is endlessly customizable, and if you have different security requirements feel free to dive into the documentation,[4][5] but be advised that very high security settings usually break the Xorg server and common packages like Iceweasel and OpenJDK. For the purposes of compiling a kernel suitable for normal desktop use, the Automatic configuration method comes with sane defaults, as do the other usage profiles provided. To have a bootable desktop you will need to disable PaX mprotect at first.[6] It can be re-enabled later once an exception list is loaded.

The configuration should look like this. Anything not mentioned stays at its default:

Networking Support -> Networking options -> Network packet filtering framework (Netfilter) -> IP:Netfilter Configuration -> Enable: IPv4 masquerade support + iptables NAT support

Security options -> Grsecurity -> Configuration Method -> Automatic
                               -> Usage Type -> Desktop
                               -> Virtualization Type -> Guest
                               -> Virtualization Software -> KVM
                               -> Required Priorities -> Security
                               -> Customize Configuration -> PaX -> Non-executable pages -> Deselect: Restrict mprotect
                               -> Customize Configuration -> Memory Protections -> Disable privileged I/O
                               -> Customize Configuration -> Role Based Access Control Options -> Hide kernel processes
                               -> Customize Configuration -> Sysctl Support -> Deselect: Sysctl support

To save time you can compile one kernel for both the guest and the host. NB: this only works if you built a custom x64 Whonix. An x64 Linux host/guest configuration would look like:

64-bit kernel

Networking Support -> Networking options -> Network packet filtering framework (Netfilter) -> IP:Netfilter Configuration -> Enable: IPv4 masquerade support + iptables NAT support

Security options -> Grsecurity -> Configuration Method -> Automatic
                               -> Usage Type -> Desktop
                               -> Virtualization Type -> Host
                               -> Virtualization Software -> KVM
                               -> Required Priorities -> Security
                               -> Customize Configuration -> PaX -> Non-executable pages -> Deselect: Restrict mprotect
                               -> Customize Configuration -> Memory Protections -> Disable privileged I/O
                               -> Customize Configuration -> Role Based Access Control Options -> Hide kernel processes
                               -> Customize Configuration -> Sysctl Support -> Deselect: Sysctl support
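The menu choices above end up as symbols in the saved .config, so they can be checked before spending an hour compiling. The following script is an added example, not part of this wiki page or of grsecurity: it reads a .config and reports any of the settings above (for either the guest or the host variant) that are missing or set the wrong way. The menu-label-to-symbol mapping is my recollection of the grsecurity/PaX and netfilter Kconfig names, so confirm it against your own tree (for example with grep GRKERNSEC .config); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki page: sanity-check a saved .config
# against the menuconfig choices above. Symbol names are assumed from the
# grsecurity/PaX and netfilter Kconfig files; confirm them in your source tree.

# Symbols that must be enabled (=y, or =m for the netfilter modules).
WANT_SET="CONFIG_GRKERNSEC_CONFIG_AUTO
CONFIG_GRKERNSEC_CONFIG_DESKTOP
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM
CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY
CONFIG_GRKERNSEC_IO
CONFIG_GRKERNSEC_ACL_HIDEKERN
CONFIG_NF_NAT_MASQUERADE_IPV4
CONFIG_IP_NF_NAT"
# Symbols that must be off: mprotect restrictions come back later via paxctld
# exceptions, and the page deselects sysctl support.
WANT_UNSET="CONFIG_PAX_MPROTECT
CONFIG_GRKERNSEC_SYSCTL"

# config_value CONFIG_TEXT SYMBOL
# Prints "y"/"m"/... for SYMBOL=value, "n" for "# SYMBOL is not set", nothing if absent.
config_value() {
    printf '%s\n' "$1" | awk -v sym="$2" '
        $0 == "# " sym " is not set"  { print "n"; exit }
        index($0, sym "=") == 1       { print substr($0, length(sym) + 2); exit }'
}

# check_config CONFIG_TEXT guest|host
# Prints one line per mismatch; returns 0 only if everything matches.
check_config() {
    cfg=$1
    case "$2" in
        guest) extra="CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST" ;;
        host)  extra="CONFIG_GRKERNSEC_CONFIG_VIRT_HOST CONFIG_64BIT" ;;   # "64-bit kernel" above
        *)     echo "usage: check_config <.config contents> guest|host" >&2; return 2 ;;
    esac
    bad=0
    for sym in $WANT_SET $extra; do
        v=$(config_value "$cfg" "$sym")
        case "$v" in
            y|m) ;;
            *)   echo "expected $sym enabled, found '${v:-absent}'"; bad=1 ;;
        esac
    done
    for sym in $WANT_UNSET; do
        v=$(config_value "$cfg" "$sym")
        case "$v" in
            y|m) echo "expected $sym disabled, found '$v'"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage: sh check-config.sh linux-4.3.3/.config guest
if [ $# -eq 2 ]; then
    check_config "$(cat "$1")" "$2"
fi
```

Run it against the .config saved by menuconfig before starting the build; a non-zero exit means at least one of the choices above did not take effect (a common cause is changing the Configuration Method after customizing, which resets the customized options).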

Once you are done, select Save, keep the .config file name, and exit out of all menus.

Compile, passing the number of parallel jobs after the -j option: use the number of cores assigned to the VM plus one (so -j 5 for a VM with four cores). Parallel builds cut compilation time drastically.

sudo fakeroot make -j 5 deb-pkg

Now sit tight. Go make yourself a cup of coffee or read a book until it's finished.

To install your new packages, including PaX's configuration utility, in the guest run:

cd ..
sudo dpkg -i linux-image-*-grsec_*-*_*.deb
sudo dpkg -i linux-firmware*.deb
sudo dpkg -i linux-headers*.deb
sudo dpkg -i linux-libc*.deb
sudo dpkg -i paxctld*.deb

Move the packages to the host via a shared folder and install them with dpkg from there:

mv linux-image-*-grsec_*-*_*.deb /mnt/shared
mv linux-firmware*.deb /mnt/shared
mv linux-headers*.deb /mnt/shared
mv linux-libc*.deb /mnt/shared

Done. After installation and a reboot the system should automatically boot up with the Grsecurity kernel. To inspect the running kernel version type:

uname -r

Upgraded Kernel Builds

Back up your customized kernel configuration file (named .config). It's in the root of the kernel source folder. You may need to enable viewing of hidden files to see it.

To build with newer kernel releases, restore the .config file to the source folder and run:

sudo make oldconfig

Hold 'Enter' to answer questions about new kernel features.


Gradm is the administration tool for RBAC, Grsecurity's intelligent Mandatory Access Control system. Unlike other MAC systems that require painstaking attention to configuration, RBAC is capable of automatic behavior learning and of auto-generating safe program access policies.

Compilation and Installation

To prepare and compile:

tar xzf gradm*.tar.gz
cd gradm

Add the iptables patch:

sudo patch -p1 < ../grsecurity-*-iptables.patch

Compile and install:

sudo make install

For the host, install the required build dependencies (make sure apt-transport-tor is installed on the host first), then move the extracted and patched gradm directory via the shared folder into your home directory and run the same commands as above.

sudo apt-get install bison flex

The install step prompts for the RBAC administrator password. It's very important that you choose a long password that is different from your root account's.

To upgrade to a newer gradm release, re-run the same build commands above.


A detailed guide on generating and enforcing RBAC policy is available on the Arch Linux wiki. Note that these instructions apply to all distros.

How-To: Qubes-Whonix

This work is being undertaken by Coldhak and these instructions are drawn almost exclusively from their blog and github account.[7][8]

The Debian-8 TemplateVM is currently supported. Work is ongoing to support the Fedora and Whonix TemplateVMs, as well as the Qubes DispVM and dom0.[9]

Warning: These instructions are extremely alpha and may potentially break your template. Clone your default template(s) before proceeding!

Debian TemplateVM

Configuring the Debian TemplateVM

1. Clone your Debian-8 TemplateVM

2. Increase the maximum storage size of the Debian-8 TemplateVM


Note: A minimum of 4GB is recommended. 10GB is a safe value so you don't run out of disk space at the end of the build.

3. Edit your sources.list

In the Debian TemplateVM, run:

   sudo nano /etc/apt/sources.list

Uncomment the lines starting with deb-src. The file should look something like this:

   deb http://http.debian.net/debian jessie main contrib non-free
   deb-src http://http.debian.net/debian jessie main contrib non-free
   deb https://security.debian.org jessie/updates main contrib non-free
   deb-src https://security.debian.org jessie/updates main contrib non-free

Save and exit.

4. Install dom0 dependencies.

In dom0, run:

   sudo qubes-dom0-update grub2-xen

5. Install Debian dependencies.

In the Debian TemplateVM, run:

   sudo apt install qubes-kernel-vm-support grub2-common
   sudo apt install paxctl bc wget gnupg fakeroot build-essential devscripts libfile-fcntllock-perl git gcc-4.9-plugin-dev
   sudo apt-get build-dep linux

Building the grsec Coldkernel

1. Clone and verify the coldkernel build scripts.

Note: always verify and check out the latest kernel available from Coldhak. As of January 2016 this was the 4.8.15 Linux kernel.

In the Debian TemplateVM, run:

   wget "https://coldhak.ca/coldhak/keys/coldhak.asc" -O coldhak.asc
   gpg --import coldhak.asc
   git clone https://github.com/coldhakca/coldkernel
   cd coldkernel
   git verify-tag coldkernel-0.9a-4.8.15
   git checkout tags/coldkernel-0.9a-4.8.15

The verification step should produce a good signature from the Coldhak developers.

2. Build the grsec coldkernel.

Note: This step can take several hours depending on your hardware; more recent hardware can finish it in less than one hour. The process is CPU intensive, and your system may crash if you use other programs at the same time.

To make the build with hypervisor support, in your Debian TemplateVM run:

   make qubes-guest


Installing the grsec Coldkernel

Post-build, in the Debian TemplateVM run:

   wget https://grsecurity.net/paxctld/paxctld_1.2.1-1_amd64.{deb,deb.sig}
   gpg --homedir=.gnupg --verify paxctld_1.2.1-1_amd64.{deb.sig,deb}
   sudo dpkg -i paxctld_1.2.1-1_amd64.deb
   sudo make install-deb
   sudo cp paxctld.conf /etc/paxctld.conf
   sudo paxctld -d
   sudo systemctl enable paxctld
   sudo mkdir /boot/grub
   sudo update-grub2
   sudo shutdown -h now

Post-install TemplateVM Configuration

1. Change the Debian-8 TemplateVM kernel.

After the TemplateVM has shut down, change its kernel in the Qubes VM Manager to pvgrub.


2. Check the Debian-8 TemplateVM is functional.

Start the Debian-8 TemplateVM. If successful, the VM state is shown green in Qubes VM Manager and the VM log shows something similar to:

   Linux Version 4.8.15-coldkernel-grsec-2

3. Set default grsec special groups.

In the Debian TemplateVM, run:

  sudo groupadd -g 9001 grsecproc
  sudo groupadd -g 9002 tpeuntrusted
  sudo groupadd -g 9003 denysockets

Note: Respectively, users in these groups are:

  • Exempted from grsecurity's /proc restrictions;
  • Unable to execute any files that are not in root-owned directories writable only by root; and
  • Unable to connect to other hosts from your machine or run server applications.

Post-install Debian-8 AppVM Configuration

1. Create an AppVM based on the Debian-8 coldkernel template.

2. Change the AppVM kernel selection.

Use Qubes VM Manager to set 'pvgrub2' for the AppVM's kernel selection. Otherwise, it defaults to the standard Qubes kernel.

Fedora TemplateVM

To do following Coldhak release.

Whonix TemplateVMs

To do following Coldhak release.

Qubes DispVM

To do following Coldhak release.

Qubes dom0

To do following Coldhak release.


  1. https://grsecurity.net/download.php
  2. https://superuser.com/questions/301044/how-to-wget-a-file-with-correct-name-when-redirected
  3. https://forums.grsecurity.net/viewtopic.php?f=3&t=3484
  4. https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options
  5. https://en.wikibooks.org/wiki/Grsecurity/Runtime_Configuration
  6. http://www.insanitybit.com/2012/05/31/compile-and-patch-your-own-secure-linux-kernel-with-pax-and-grsecurity/
  7. https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html
  8. https://github.com/coldhakca/coldkernel
  9. https://github.com/coldhakca/coldkernel/issues
