From patchwork Mon Jul 11 15:07:22 2022
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 5744
Message-ID: <194d274f-ff76-888f-5e47-25ab4d4fb163@ipfire.org>
Date: Mon, 11 Jul 2022 15:07:22 +0000
To: "IPFire: Development"
From: Peter Müller
Subject: [PATCH] linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try

Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:

> Significance: Critical
>
> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
> the physical address at which the kernel image is decompressed and the virtual
> address where the kernel image is mapped as a security feature that deters
> exploit attempts relying on knowledge of the location of kernel code internals.

We tried to enable this back in 2020, and failed. Since then, things may have been improved, so let's give this low-hanging fruit another try.

Fixes: #12363
Signed-off-by: Peter Müller
--- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/rootfiles/common/aarch64/linux | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 469884b20..9232335ff 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y CONFIG_ARM64_MODULE_PLTS=y # CONFIG_ARM64_PSEUDO_NMI is not set CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y CONFIG_STACKPROTECTOR_PER_TASK=y # end of Kernel Features diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 906fde0c3..af96753fc 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux 
@@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT #lib/modules/KVER-ipfire/build/include/config/RAS #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE
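Review bot: The commit message does not record what failed in 2020 or which aarch64 boards were boot-tested with the `CONFIG_RANDOMIZE_BASE=y` line in the kernel.config.aarch64-ipfire hunk; "things may have been improved" leaves a reviewer unable to judge the regression risk. Please name the earlier failure mode and the hardware this was booted on. The hunk also changes only this one line directly below `CONFIG_RELOCATABLE=y`; if running the kernel's oldconfig step with the option enabled exposes any dependent symbols, they belong in this same hunk so the committed config matches what the build resolves.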
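Review bot: Only config/rootfiles/common/aarch64/linux gains an entry, a single commented-out `#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE` between `RAID_ATTRS` and `RANDOMIZE_KSTACK_OFFSET_DEFAULT`; please confirm this rootfile was regenerated from an actual aarch64 build rather than edited by hand. If the build produces further `include/config/` files as a result of the new option, they need to be listed here as well, otherwise the rootfile check will flag them on the next build.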