* Kees Cook <keesc...@chromium.org> wrote:
> This creates CONFIG_RANDOMIZE_BASE, so that the base offset of the kernel
> can be randomized at boot.
>
> This makes kernel vulnerabilities harder to reliably exploit, especially
> from remote attacks and local processes in seccomp containers. Keeping
> the location of kernel addresses secret becomes very important when using
> this feature, so enabling kptr_restrict and dmesg_restrict is recommended.
> Besides direct address leaks, several other attacks are possible to bypass
> this on local systems, including cache timing[1]. However, the benefits of
> this feature in certain environments exceed the perceived weaknesses[2].
>
> An added security benefit is making the IDT read-only.
>
> Current entropy is low, since the kernel has basically a minimum 2MB
> alignment and has been built with -2G memory addressing. As a result,
> available entropy will be 8 bits in the best case. The e820 entries on
> a given system may further limit the available memory.
>
> This feature is presently incompatible with hibernation.
>
> When built into the kernel, the "noaslr" kernel command line option will
> disable the feature.
>
> Heavily based on work by Dan Rosenberg[3] and Neill Clift.
>
> [1]
> http://www.internetsociety.org/sites/default/files/Practical%20Timing%20Side%20Channel%20Attacks%20Against%20Kernel%20Space%20ASLR.pdf
> [2] http://forums.grsecurity.net/viewtopic.php?f=7&t=3367
> [3] http://lkml.indiana.edu/hypermail/linux/kernel/1105.3/index.html#00520
>
> Signed-off-by: Kees Cook <keesc...@chromium.org>
> Cc: Eric Northup <digitale...@google.com>
> ---
> Documentation/kernel-parameters.txt | 4 +
> arch/x86/Kconfig | 51 +++++++++++--
> arch/x86/Makefile | 3 +
> arch/x86/boot/compressed/head_32.S | 21 +++++-
> arch/x86/boot/compressed/head_64.S | 135
> ++++++++++++++++++++++++++++++++--
> arch/x86/include/asm/fixmap.h | 4 +
> arch/x86/include/asm/page_32_types.h | 2 +
> arch/x86/include/asm/page_64_types.h | 4 -
> arch/x86/include/asm/page_types.h | 4 +
> arch/x86/kernel/asm-offsets.c | 14 ++++
> arch/x86/kernel/setup.c | 24 ++++++
> arch/x86/kernel/traps.c | 6 ++
> 12 files changed, 251 insertions(+), 21 deletions(-)
Before going into the details, I have a structural request: could you
please further increase the granularity of the patch-set?
In particular I'd suggest introducing a helper Kconfig bool that makes the
IDT readonly - instead of using CONFIG_RANDOMIZE_BASE for that.
CONFIG_RANDOMIZE_BASE can then select this helper Kconfig switch.
Users could also select a readonly-IDT - even if they don't want a
randomized kernel.
With that done, it would be nice to implement the read-only IDT changes in
a separate, preparatory patch. If it causes any problems it will be easier
to isolate.
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
