Project:Hardened uClibc/Lilblue

"Lilblue" is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop, built on uClibc.

Project Description
"Lilblue", named after the Little Blue Penguin of New Zealand, a smaller cousin of the Gentoo, is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop, built on uClibc.

The "security-enhancement" comes from a toolchain which builds all of userland

 * with stack smashing protection and stack-check,
 * as position independent executables --- even executables are marked ET_DYN,
 * with hardened linking --- relocation read only and no lazy binding (relro and bindnow),
 * with a non-executable stack, only RW permitted on a GNU_STACK phdr,

and a kernel which provides:

 * various memory protection features for processes (PAGEEXEC, MPROTECT, RANDMMAP, EMUTRAMP),
 * an enhanced address space layout randomization in conjunction with PIE above,
 * numerous internal and kernel-userland surface hardening features.

See PaX and grsecurity for more information on the various hardening features in the kernel. If you want a laundry list of security features, you might consider what Ubuntu does. Most of these features, or some variation of them, are in Lilblue. However, Lilblue goes further with grsecurity/PaX which is a major boost to hardening. There's a nice little utility by Tobias Klein, checksec.sh. Run it against the latest Ubuntu and Lilblue for a comparison.
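An added example, not code from the Lilblue project or from checksec.sh: a small Python checker that reads the four toolchain properties listed above (PIE, non-executable GNU_STACK, RELRO, BIND_NOW) straight from an ELF64 image, plus a constructed sample image so the check can be exercised offline. The binary name is assumed; any amd64 ELF file works.

```python
import struct
import sys
ET_DYN = 3                                   # e_type of a PIE (even executables are ET_DYN)
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1

def hardening_report(data: bytes) -> dict:
    """Return {pie, nx_stack, relro, bindnow} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    phoff = struct.unpack_from("<Q", data, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    report = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False, "bindnow": False}
    for i in range(phnum):
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:               # stack passes only if the phdr exists without PF_X
            report["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:             # -z relro: GOT and friends remapped read-only
            report["relro"] = True
        elif p_type == PT_DYNAMIC:               # -z now: walk the dynamic tags for BIND_NOW
            off = p_offset
            while True:
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    report["bindnow"] = True
                off += 16
    return report

def build_elf(e_type=ET_DYN, stack_flags=6, relro=True, bindnow=True) -> bytes:
    """Constructed sample image (header, phdrs, dynamic tags, no code) for offline testing."""
    phdrs = [(PT_GNU_STACK, stack_flags), (PT_DYNAMIC, 6)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize * len(phdrs)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0, phoff, 0, 0,
                       64, phentsize, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if t == PT_DYNAMIC else 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bindnow else 0) + struct.pack("<qQ", DT_NULL, 0)
    return ehdr + body + dyn

if __name__ == "__main__":                        # usage: python3 elfcheck.py /path/to/binary
    with open(sys.argv[1], "rb") as f:
        print(hardening_report(f.read()))
```

A binary built by the Lilblue toolchain should report all four as True; a missing GNU_STACK phdr is reported as an executable stack, as checksec.sh does.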

The "fully featured desktop" comes from the fact that the system ships with over 800 packages covering most desktop needs. XFCE4 was chosen because of its slim and flexible nature. These include:

 * epiphany, claws, hexchat for browsing, email and IRC
 * abiword, evince, gcalctool, gtext for generic office software
 * gqview, smplayer for multimedia with many open codecs
 * transmission for bittorrent
 * and no! busybox does not provide most of the core utilities

Lilblue should not be thought of as an "embedded" system. The major difference between it and a stock Gentoo system built with the same package set is that uClibc replaces glibc. Work is under way to make about 7000 packages available via binpkg hosting.

Finally, why uClibc and why only amd64? Let me address the latter first: almost all desktop systems today support the X86_64 architecture. Factored in with time constraints, mostly revolving around the difficulties of maintaining hardening on X86, this made the choice to support only amd64 seem reasonable. uClibc is harder to justify, so you may or may not accept the following reasons:

 * uClibc is a configurable standard C library aimed at embedded systems, and it should remain so, but it is not just for embedded systems anymore!
 * uClibc is fast! Lilblue boots in 10 seconds off an SSD
 * uClibc is small: ~400 KB for uClibc vs 1.7 MB for glibc
 * uClibc's "link surface" is half that of glibc: 1327 (or less) symbols for uClibc vs 2188 for glibc (Gentoo users can compare the speed of revdep-rebuild)
 * It is not the mainstream and forces the developer to confront design principles when building a "Standard C Library" and executables that link against it
 * I like working with the people who work on Gentoo and uClibc. It's not a reason to use Lilblue, but it was a motivation for me to do this

Installation
Okay, so you're curious. Maybe not enough to install it on a real box, but you'll give it a spin as a virtual machine. Good! Installation is manual, but much easier than the full Gentoo installation described in the Handbook. Of course, there are fewer choices to be made. What we give below will most likely "just work", but feel free to deviate from it if you want to try something different. For instance, the kernel is compiled with lots of support. Do you want to try BTRFS instead of EXT4?

Here are the steps:

1. First let's prepare a boot device and boot into it. Download the install ISO image using

Here [mirror] is any Gentoo mirror and [date] is the date of the latest release. This is just Gentoo's generic amd64 minimal install image. It's glibc-based, but that's okay; it won't prevent chrooting into the uClibc desktop, which you have to do later on. If you are putting this on a physical box, then burn the ISO image to a CD or DVD. For a virtual machine, just point its virtual CD/DVD device at the ISO file. Alternatively, you may want to boot from a pen drive. Gentoo's install ISO is not the best for this. You may want to try SystemRescueCD, a Gentoo-derived distro with lots of uses. Or, if you already have a working Linux system and you want to install Lilblue to another drive, just boot off your current system and partition the other drive. Whatever your choice, boot off that device now.

2. Prepare root/boot/swap partitions, format and mount them. Using fdisk, prepare at least three partitions. boot only has to hold a kernel or two, so you can get away with less, but the others are reasonable minima:

3. Format the partitions and mount them:

4. Download and unpack the tarball image:

5. Prepare the chroot and chroot into it. Assuming you're still in the same directory as in the previous step, do

Don't worry about the warning messages generated by ; they are harmless.

If you changed any of the above values for /dev/sda*, or you're not installing onto sda, then edit /etc/lilo.conf and /etc/fstab. Change the values to what you picked. Finally, install lilo to your boot drive, exit the chroot and reboot:

6. Log in and enjoy! You have one user account and root. You can only log into the desktop as user gentoo, but can  or   root.

Working with Lilblue
Lilblue is Gentoo, not a separate distro. Gentoo covers many possibilities and building all userland against uClibc is just one choice. You can learn how to work with a Gentoo system by reading the Handbook. Skip the section on "Installing Gentoo" since we've already done that; but take a look at "Working with Gentoo", "Working with Portage" and "Gentoo Network Configuration".

Reporting Bugs and Feature Requests

 * Submit bugs to: Gentoo's Bugzilla
 * Assign to: blueness@gentoo.org
 * CC: hardened@gentoo.org