Add latest version of e1000e module, built for grsec kernel #4024
Comments
As part of the 1/9-/1/23 sprint, we've committed to a 4 person hour time-boxed investigation (likely led by @emkll and @zenmonkeykstop) to determine (and, if doable within the timebox, implement) the best way to ship/enable the driver with the next SecureDrop kernel release.
This won't get in for 0.12.0, bumping this off the milestone into a potential 0.12.1 point release milestone
I used to have e1000e cards for a few years before switching to igb and have built the driver many times (often complains about fPIC). FYI, the module that ships in the Linux kernel is typically a newer version than the source one can obtain from Intel.
Did some more tests. TL;DR: the e1000e module provided with the current 4.4.167-grsec kernel doesn't have an alias defined for the NIC in the NUC7i5BNH, despite being the same version as the e1000e module provided with the 4.4.0131-generic kernel in Ubuntu 16.04.6, which does. This is why it doesn't detect the NIC.

Device info
All testing done against an Intel NUC7i5BNH, with the latest available BIOS version (0072). NIC device info from

Simple kernel testing
Tested the following kernels as installed, provided by @emkll, or retrieved from apt.freedom.press:

Comparing e1000e modules
the output of

modinfo-vanilla.txt

Compiling from scratch
Pulling down the latest e1000e tarball (3.4.2.1) and building against the 4.4.167-grsec kernel headers completes successfully, but the resulting module causes a kernel panic when loaded via

adding the device via /sys/bus/.../new_id
I tried to manually attach the NIC's PCI device using

Conclusion
I'd welcome ideas for further testing, but it looks like an upstream change is required to enable support for the NIC in the e1000e module build with the grsec kernel. Either that or the latest version of the module needs to be patched to avoid the kernel panic encountered as described above.
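The alias comparison described in the comment above, as an added example that is not part of the original thread or the SecureDrop project's code: it checks whether a module's `modinfo` alias list contains a glob matching a device's modalias string. The function names, the sample `modinfo` text and the device IDs `AAA1`/`AAA2` are constructed placeholders; only `modinfo` and the sysfs `modalias` file are real interfaces.

```sh
#!/bin/sh
# Added example: does a module's alias list cover a given device modalias?
# All sample data below is constructed; the device IDs are placeholders.

# module_aliases: read `modinfo`-style text on stdin, print one alias glob per line.
module_aliases() {
    sed -n 's/^alias:[[:space:]]*//p'
}

# alias_matches MODALIAS: read alias globs on stdin; succeed if any glob matches.
alias_matches() {
    modalias=$1
    while IFS= read -r pattern; do
        # An unquoted $pattern in a case arm is matched as a glob, which is how
        # the wildcard fields of an alias (sv*sd*bc*sc*i*) are meant to be read.
        case $modalias in
            $pattern) return 0 ;;
        esac
    done
    return 1
}

# check_module MODINFO_TEXT MODALIAS: print "supported" or "no-alias".
check_module() {
    if printf '%s\n' "$1" | module_aliases | alias_matches "$2"; then
        echo supported
    else
        echo no-alias
    fi
}

# Constructed sample: two builds reporting the same version, different alias lists.
SAMPLE_OLD='filename:       /lib/modules/EXAMPLE/e1000e.ko
version:        EXAMPLE
alias:          pci:v00008086d0000AAA1sv*sd*bc*sc*i*'
SAMPLE_NEW="$SAMPLE_OLD
alias:          pci:v00008086d0000AAA2sv*sd*bc*sc*i*"
SAMPLE_NIC='pci:v00008086d0000AAA2sv00008086sd00002068bc02sc00i00'

check_module "$SAMPLE_OLD" "$SAMPLE_NIC"
check_module "$SAMPLE_NEW" "$SAMPLE_NIC"

# On a live host, with <addr> replaced by the NIC's PCI address:
#   check_module "$(modinfo e1000e)" "$(cat /sys/bus/pci/devices/<addr>/modalias)"
```

A `no-alias` result with a matching version string is the situation the comment reports: the version field alone does not show which devices a given build will bind to.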
Updated milestones; this won't make it onto 0.12.1 per discussion today, but continues to be a high priority.
Reached out to the friendly folks upstream to confer about options for hardware support. In a nutshell, we were referred to these two patches:
We should rebuild the existing SD kernel with those two patches applied (in addition to the standard grsecurity patch, of course) and test the resulting packages on the 7th gen NUCs. Even with the patches applied, we will likely still be forced to disable RAP. That's unfortunate, but we can work with it. In recognition of time constraints, let's disable RAP on the candidate build with the additional patches above and verify hardware compat. If networking is still broken, additional research is required. If networking works, then we can discuss a timeboxed attempt of rebuilding with RAP enabled. @zenmonkeykstop Care to take point on this one?
Before we do this, @zenmonkeykstop / @emkll can you confirm that we've already tested 4.14.x with RAP disabled? If that setup works, let's discuss that as an option to expand hardware support, rather than getting into the game of backporting compatibility patches upon request.
4.14.x did not boot successfully at all, but those kernels did not have RAP disabled.
Confirmed that a 4.4.177-grsec kernel with the patches above applied and RAP disabled works happily with the i219V chipset on the NUC7i5BNH.
Also confirmed that the 4.4.177-grsec kernel with above patches and RAP enabled works happily with the same chipset.
Ideally we want to land this in a point release in April, updated milestone accordingly.
Resolved by combination of:
We'll continue with hardware testing to confirm compatibility, and follow up with additional changes if necessary.
Description
Intel 7-series NUCs use the e1000e kernel driver for built-in NIC support under Linux. The version that ships with Ubuntu 14.04.5, and the version that's currently installed with SD's grsec kernels, is out-of-date and does not support the Ethernet chipset on new NUCs. Version 3.4.2.1, available as a source tarball on the Intel support site, does. The module shipped with the grsec kernel should be updated to this version if possible. This will allow for a wider range of NUC hardware to be added to the SecureDrop HCL.
More info on the build process for this driver is available at https://downloadcenter.intel.com/download/15817 - The build process has been confirmed to work for 14.04.5's most recent 4.4.0 kernel with recent updates, but has not been tested for the SD grsec kernel as it requires a linux-headers package.
User Stories
As an organization investigating SecureDrop, I want to have a choice of NUC hardware that's up-to-date and commercially available.