linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try
Commit Message
Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
> Significance: Critical
>
> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
> the physical address at which the kernel image is decompressed and the virtual
> address where the kernel image is mapped as a security feature that deters
> exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things
may have been improved, so let's give this low-hanging fruit another
try.
Fixes: #12363
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 2 +-
config/rootfiles/common/aarch64/linux | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
Comments
Shouldn’t this rather be called an RFC before we propose this as a patch?
AFAIK this causes problems on some single board computers - so those people who run them would need to give feedback whether this is causing them any regressions.
Best,
-Michael
> On 11 Jul 2022, at 17:07, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
>
>> Significance: Critical
>>
>> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
>> the physical address at which the kernel image is decompressed and the virtual
>> address where the kernel image is mapped as a security feature that deters
>> exploit attempts relying on knowledge of the location of kernel code internals.
>
> We tried to enable this back in 2020, and failed. Since then, things
> may have been improved, so let's give this low-hanging fruit another
> try.
>
> Fixes: #12363
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/rootfiles/common/aarch64/linux | 1 +
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 469884b20..9232335ff 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y
> CONFIG_ARM64_MODULE_PLTS=y
> # CONFIG_ARM64_PSEUDO_NMI is not set
> CONFIG_RELOCATABLE=y
> -# CONFIG_RANDOMIZE_BASE is not set
> +CONFIG_RANDOMIZE_BASE=y
> CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y
> CONFIG_STACKPROTECTOR_PER_TASK=y
> # end of Kernel Features
> diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux
> index 906fde0c3..af96753fc 100644
> --- a/config/rootfiles/common/aarch64/linux
> +++ b/config/rootfiles/common/aarch64/linux
> @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ
> #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK
> #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS
> +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE
> #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT
> #lib/modules/KVER-ipfire/build/include/config/RAS
> #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE
> --
> 2.35.3
Hello Michael,
> Shouldn’t this rather be called an RFC before we propose this as a patch?
indeed, this should have had the RFC flag. Apologies.
> AFAIK this causes problems on some single board computers - so those people who run them would need to give feedback whether this is causing them any regressions.
No, last time (in 2020) we tried this, things would not even compile. So no ARM64
users were harmed, though I agree, we definitely need robust testing feedback on
such a change.
Thanks, and best regards,
Peter Müller
>
> Best,
> -Michael
>
>> On 11 Jul 2022, at 17:07, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
>>
>>> Significance: Critical
>>>
>>> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
>>> the physical address at which the kernel image is decompressed and the virtual
>>> address where the kernel image is mapped as a security feature that deters
>>> exploit attempts relying on knowledge of the location of kernel code internals.
>>
>> We tried to enable this back in 2020, and failed. Since then, things
>> may have been improved, so let's give this low-hanging fruit another
>> try.
>>
>> Fixes: #12363
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> config/kernel/kernel.config.aarch64-ipfire | 2 +-
>> config/rootfiles/common/aarch64/linux | 1 +
>> 2 files changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>> index 469884b20..9232335ff 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y
>> CONFIG_ARM64_MODULE_PLTS=y
>> # CONFIG_ARM64_PSEUDO_NMI is not set
>> CONFIG_RELOCATABLE=y
>> -# CONFIG_RANDOMIZE_BASE is not set
>> +CONFIG_RANDOMIZE_BASE=y
>> CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y
>> CONFIG_STACKPROTECTOR_PER_TASK=y
>> # end of Kernel Features
>> diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux
>> index 906fde0c3..af96753fc 100644
>> --- a/config/rootfiles/common/aarch64/linux
>> +++ b/config/rootfiles/common/aarch64/linux
>> @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf
>> #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ
>> #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK
>> #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS
>> +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE
>> #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT
>> #lib/modules/KVER-ipfire/build/include/config/RAS
>> #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE
>> --
>> 2.35.3
>
@@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y
CONFIG_ARM64_MODULE_PLTS=y
# CONFIG_ARM64_PSEUDO_NMI is not set
CONFIG_RELOCATABLE=y
-# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_RANDOMIZE_BASE=y
CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y
CONFIG_STACKPROTECTOR_PER_TASK=y
# end of Kernel Features
@@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/config/RAID6_PQ
#lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK
#lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS
+#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE
#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT
#lib/modules/KVER-ipfire/build/include/config/RAS
#lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE