Project:Hardened uClibc/Lilblue
Description
Lilblue Gentoo, named after the Blue Penguin of New Zealand, a smaller cousin of the Gentoo Penguin, is a security-enhanced, fully featured XFCE4 desktop, amd64 Gentoo system, built with uClibc as its C standard library.
The "security-enhancement" comes from a toolchain which builds all of userland
- with stack smashing protection and stack-check,
- as position independent executables --- even executables are marked ET_DYN
- with hardened linking --- relocation read only and no lazy binding (relro and bindnow),
- with a non-executable stack --- the GNU_STACK program header is marked RW, never RWX,
and a kernel which provides:
- various memory protection features for processes (PAGEEXEC, MPROTECT, RANDMMAP, EMUTRAMP),
- an enhanced address space layout randomization in conjunction with PIE above,
- numerous internal and kernel-userland surface hardening features.
See PaX and grsecurity for more information on the kernel hardening features. If you want a laundry list of security features to compare against, consider what Ubuntu does: most of those features, or some variation of them, are in Lilblue, and Lilblue goes further with grsecurity/PaX, which is a major boost to hardening. Tobias Klein's checksec.sh is a handy little utility for checking the toolchain-level properties (PIE, RELRO, BIND_NOW, non-executable stack, stack canaries) of installed binaries. Run it against the latest Ubuntu and Lilblue for a comparison.
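As an added example (not code from the Lilblue project, and not Klein's checksec.sh), the following Python script reads the same ELF metadata that checksec.sh extracts with readelf, so the four toolchain properties listed above can be verified on any binary without binutils. Assumptions: little-endian ELF64 input only, which is what an amd64 Lilblue produces; the canary check is a heuristic that looks for the __stack_chk_fail reference a stack-protected binary must carry; and build_sample_elf constructs header-only fixtures to exercise the checks, it does not produce a loadable program.

```python
"""Check an ELF64 binary for PIE (ET_DYN), non-executable GNU_STACK, RELRO,
BIND_NOW and a stack-protector canary.

Added example written for this page. It is neither the Lilblue project's code
nor checksec.sh, but it inspects the same ELF metadata checksec.sh reads via
readelf, parsing the headers directly instead. The canary test is a heuristic
(presence of the __stack_chk_fail string, which checksec.sh also looks for).
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn (d_tag is signed)


def check_elf(data: bytes) -> dict:
    """Return a dict of hardening properties read from the ELF headers."""
    ident, e_type, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _ = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    result = {
        "pie": e_type == ET_DYN,
        # No GNU_STACK header at all means the kernel falls back to an executable stack.
        "nx_stack": bool(stack) and not (stack[0][1] & PF_X),
        "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),
        "bind_now": False,
        "canary": b"__stack_chk_fail" in data,
    }
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, size = p[2], p[5]  # p_offset, p_filesz
        for i in range(size // DYN.size):
            tag, val = DYN.unpack_from(data, off + i * DYN.size)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                result["bind_now"] = True
    # "Full RELRO" in checksec terms: the GOT becomes read-only only once every
    # symbol is resolved, which needs both the RELRO segment and BIND_NOW.
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_sample_elf(pie, nx, relro, bind_now, canary) -> bytes:
    """Constructed fixture (assumption, not a real binary): a header-only ELF64
    carrying just the program headers and dynamic entries the checks look at."""
    dyn = [(DT_FLAGS, DF_BIND_NOW)] if bind_now else []
    dyn.append((DT_NULL, 0))
    phnum = 3 if relro else 2
    dyn_off = EHDR.size + phnum * PHDR.size
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn)
    phdrs = [
        PHDR.pack(PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16),
        PHDR.pack(PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8),
    ]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_bytes + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            r = check_elf(f.read())
        print(path, " ".join(f"{k}={'yes' if v else 'no'}" for k, v in r.items()))
```

Run it as `python3 elfcheck.py /bin/ls /usr/bin/midori` on a Lilblue system and every field should print yes; on a distribution that ships non-PIE executables or lazy binding, pie or bind_now will come back no. The kernel-side PaX features (PAGEEXEC, MPROTECT, RANDMMAP, EMUTRAMP) are properties of the running kernel rather than of the binary, so they are out of scope for a header check like this.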
The "fully featured desktop" describes the fact that the system comes with over 870 packages covering most desktop needs. XFCE4 was chosen for its slim and flexible nature. The packages include:
- midori, claws, hexchat for browsing, email and IRC
- abiword, evince, gcalctool, gtext for generic office software
- gqview, smplayer for multimedia with many open codecs
- transmission for bittorrent
- and no, busybox does not provide most of the core utilities
Lilblue should not be thought of as an "embedded" system. The major difference between it and a stock Gentoo system built with the same package set is that uClibc replaces glibc. Work is under way to make about 7000 packages available as hosted binpkgs via the GRS project.
Finally, why uClibc and why only amd64? The latter first: almost all desktop systems today support the x86_64 architecture. Together with time constraints, mostly revolving around the difficulty of maintaining hardening on x86, this made supporting only amd64 seem reasonable. uClibc is harder to justify, so you may or may not accept the following reasons:
- uClibc is a configurable standard C library aimed at embedded systems, and it should remain so, but it is not just for embedded systems anymore!
- uClibc is fast! Lilblue boots in 10 seconds off an SSD
- uClibc is small: ~400 KB for uClibc vs 1.7 MB for glibc
- uClibc's "link surface" is about half that of glibc: 1327 (or fewer) symbols for uClibc vs 2188 for glibc (Gentoo users can compare the speed of revdep-rebuild)
- It is not the mainstream and forces the developer to confront design principles when building against a different C standard library
- I like working with the people who work on Gentoo and uClibc. It's not a reason to use Lilblue, but it was a motivation for me to do this
Installation
Okay, so you're curious. Maybe not enough to install it on a real box, but you'll give it a spin as a virtual machine. Good! Installation is manual, but much easier than the full Gentoo installation described in the Handbook, since there are fewer choices to make. What we give below will most likely "just work", but feel free to deviate from it if you want to try something different. For instance, the kernel is compiled with support for many filesystems and drivers: do you want to try Btrfs instead of ext4?
1. First, prepare a boot device and boot into it. Download the install ISO image using
root #
wget http://[mirror]/pub/linux/gentoo/releases/amd64/current-iso/install-amd64-minimal-[date].iso
Here [mirror] is any Gentoo mirror and [date] is the date of the latest release. This is just Gentoo's generic amd64 minimal install image. It's glibc-based, but that's okay: it won't prevent chrooting into the uClibc system later on. If you are putting this on a physical box, burn the ISO image to a CD/DVD. For a virtual machine, just point its virtual CD/DVD device at the ISO file. Alternatively, you may want to boot from a pen drive. Gentoo's install ISO is not your only option. You may want to try SystemRescueCD, a Gentoo-derived distribution with lots of uses. Or, if you already have a working Linux system and you want to install Lilblue to another drive, just use your current system. Whatever your choice, boot off that device now.
2. Prepare root/boot/swap partitions. Using parted or fdisk, create at least three partitions. The following table gives suggested sizes. /boot only has to hold a kernel or two, so you can get away with less, but the others are reasonable minimums.
| Partition | Mount point | Size |
|---|---|---|
| /dev/sda1 | /boot | 128 MB |
| /dev/sda2 | swap | >1 GB |
| /dev/sda3 | / | >4 GB |
3. Format the partitions and mount them:
root #
mke2fs /dev/sda1
root #
mkswap /dev/sda2
root #
mkfs.ext4 /dev/sda3
root #
mkdir -p /mnt/gentoo
root #
mount /dev/sda3 /mnt/gentoo
root #
mkdir -p /mnt/gentoo/boot
root #
mount /dev/sda1 /mnt/gentoo/boot
4. Download and unpack the tarball image. Keep the --xattrs flag: a hardened Gentoo system stores PaX markings in the user.pax.flags extended attribute, and unpacking without it silently drops them.
root #
cd /mnt/gentoo
root #
wget http://releases.freeharbor.net/desktop-amd64-uclibc-hardened-[date].tar.xz
root #
tar --xattrs -xvf desktop-amd64-uclibc-hardened-[date].tar.xz
5. Prepare the chroot and chroot into it. Assuming you're still in /mnt/gentoo from the previous step, do
root #
mount --bind /dev dev/
root #
mount --bind /dev/pts dev/pts
root #
mount --bind /proc proc/
root #
mount --bind /sys sys/
root #
chroot . /bin/bash -l
root #
source /etc/profile
root #
env-update
>>> Regenerating /etc/ld.so.cache...
/sbin/ldconfig: You should remove `/lib' from `/etc/ld.so.conf'
/sbin/ldconfig: You should remove `/usr/lib' from `/etc/ld.so.conf'
/sbin/ldconfig: skipping /usr/games/lib: No such file or directory
Don't worry about the warning messages from ldconfig; they are harmless.
If you changed any of the /dev/sda* assignments above, or you're not installing onto sda, edit /etc/lilo.conf and /etc/fstab inside the chroot accordingly. Finally, install lilo to the boot drive, exit the chroot, and reboot:
root #
lilo
root #
exit
root #
reboot
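The step most likely to go wrong in the procedure above is the one just before reboot: the tarball name must match what was downloaded, the bind mounts must all be in place before chrooting, and /etc/fstab and /etc/lilo.conf must name the devices that were actually formatted. The following Python script is an added example (not part of the Lilblue project) of pre-reboot sanity checks for exactly those points. It assumes the layout from the partition table above, a chroot at /mnt/gentoo, and the lilo.conf `boot=`/`root=` directives; the fstab and lilo.conf fixtures at the bottom are constructed for the example and model an install moved to sdb where only fstab was updated.

```python
"""Pre-reboot sanity checks for a manual Lilblue install.

Added example, not the Lilblue project's code. Every function takes its input
as text or bytes so it can be run on the real files in the chroot or on the
constructed fixtures below. Assumed layout: sda1 /boot, sda2 swap, sda3 root.
"""
import re

XZ_MAGIC = b"\xfd7zXZ\x00"   # tar autodetects compression, but a .tar.xz/.tar.bz2
BZ2_MAGIC = b"BZh"           # mix-up in the wget/tar pair is a common copy-paste slip


def archive_kind(head: bytes) -> str:
    """Classify a tarball by its first bytes rather than by its file name."""
    if head.startswith(XZ_MAGIC):
        return "xz"
    if head.startswith(BZ2_MAGIC):
        return "bz2"
    return "unknown"


CHROOT_MOUNTS = ("dev", "dev/pts", "proc", "sys")


def missing_chroot_mounts(root: str, mounts_text: str) -> list:
    """Given the contents of /proc/mounts, list the chroot bind mounts that are absent."""
    mounted = {line.split()[1] for line in mounts_text.splitlines() if len(line.split()) > 1}
    root = root.rstrip("/")
    return [d for d in CHROOT_MOUNTS if f"{root}/{d}" not in mounted]


def fstab_devices(fstab_text: str) -> dict:
    """Map mount point (or 'swap') to device for every /dev/ entry in an fstab."""
    out = {}
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].startswith("/dev/"):
            key = "swap" if fields[2] == "swap" else fields[1]
            out[key] = fields[0]
    return out


def lilo_devices(lilo_text: str) -> dict:
    """Pull boot= and root= out of lilo.conf, ignoring comments."""
    out = {}
    for line in lilo_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(boot|root)\s*=\s*(\S+)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def check_devices(fstab_text: str, lilo_text: str, expected: dict) -> list:
    """Report mismatches between the devices you formatted and what the config
    files will make the installed system use. `expected` maps '/', '/boot',
    'swap' and 'boot_disk' to device paths."""
    problems = []
    fs, lilo = fstab_devices(fstab_text), lilo_devices(lilo_text)
    for key in ("/", "/boot", "swap"):
        if fs.get(key) != expected[key]:
            problems.append(f"fstab {key}: {fs.get(key)} (expected {expected[key]})")
    if lilo.get("root") != expected["/"]:
        problems.append(f"lilo root={lilo.get('root')} (expected {expected['/']})")
    if lilo.get("boot") != expected["boot_disk"]:
        problems.append(f"lilo boot={lilo.get('boot')} (expected {expected['boot_disk']})")
    return problems


# Constructed fixtures (assumptions, not copied from a real image): the stock
# layout installed onto sdb instead of sda, with only /etc/fstab updated.
SAMPLE_FSTAB = """\
/dev/sdb1   /boot   ext2   noauto,noatime   1 2
/dev/sdb3   /       ext4   noatime          0 1
/dev/sdb2   none    swap   sw               0 0
"""
SAMPLE_LILO = """\
boot=/dev/sda      # forgot to change this one
root=/dev/sda3
image=/boot/kernel
    label=lilblue
"""
EXPECTED_SDB = {"/": "/dev/sdb3", "/boot": "/dev/sdb1", "swap": "/dev/sdb2", "boot_disk": "/dev/sdb"}

if __name__ == "__main__":
    for p in check_devices(SAMPLE_FSTAB, SAMPLE_LILO, EXPECTED_SDB):
        print("PROBLEM:", p)
```

On a live install, feed `open(tarball, "rb").read(8)` to archive_kind before the tar step, `open("/proc/mounts").read()` to missing_chroot_mounts before chrooting, and the chroot's /etc/fstab and /etc/lilo.conf to check_devices before running lilo; an empty problem list means lilo will write to the disk you booted from and the new system will mount the partitions you formatted.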
6. Log in and enjoy! You have one user account and root. You can only log into the desktop as user gentoo, but you can sudo or su to root. Both passwords are published here, so change them with passwd before putting the machine on a network.
| Username | Password |
|---|---|
| gentoo | gentoo |
| root | root |
Maintaining a Lilblue system
Lilblue is Gentoo, not a separate distro, so you can maintain it as you would any other Gentoo system as documented in the Handbook.
However, Lilblue is built as a GRS system and so can also be maintained using grsup, as described on the GRS project page. The install image and binary packages are distributed from http://releases.freeharbor.net.
Reporting Bugs and Feature Requests
- Submit bugs to: Gentoo's Bugzilla
- Assign to: blueness@gentoo.org
- CC: hardened@gentoo.org