Shouldn’t this rather be called an RFC before we propose this as a patch? AFAIK this causes problems on some single board computers - so those people who run them would need to give feedback whether this is causing them any regressions. Best, -Michael > On 11 Jul 2022, at 17:07, Peter Müller wrote: > > Quoted from https://capsule8.com/blog/kernel-configuration-glossary/: > >> Significance: Critical >> >> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes >> the physical address at which the kernel image is decompressed and the virtual >> address where the kernel image is mapped as a security feature that deters >> exploit attempts relying on knowledge of the location of kernel code internals. > > We tried to enable this back in 2020, and failed. Since then, things > may have been improved, so let's give this low-hanging fruit another > try. > > Fixes: #12363 > Signed-off-by: Peter Müller > --- > config/kernel/kernel.config.aarch64-ipfire | 2 +- > config/rootfiles/common/aarch64/linux | 1 + > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire > index 469884b20..9232335ff 100644 > --- a/config/kernel/kernel.config.aarch64-ipfire > +++ b/config/kernel/kernel.config.aarch64-ipfire > @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y > CONFIG_ARM64_MODULE_PLTS=y > # CONFIG_ARM64_PSEUDO_NMI is not set > CONFIG_RELOCATABLE=y > -# CONFIG_RANDOMIZE_BASE is not set > +CONFIG_RANDOMIZE_BASE=y > CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y > CONFIG_STACKPROTECTOR_PER_TASK=y > # end of Kernel Features > diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux > index 906fde0c3..af96753fc 100644 > --- a/config/rootfiles/common/aarch64/linux > +++ b/config/rootfiles/common/aarch64/linux 
> @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf > #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ > #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK > #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS > +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE > #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT > #lib/modules/KVER-ipfire/build/include/config/RAS > #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE > -- > 2.35.3
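Review bot: In config/kernel/kernel.config.aarch64-ipfire, the `+CONFIG_RANDOMIZE_BASE=y` line is switched on for every aarch64 target, but the commit message only says the 2020 attempt "failed". It does not record what failed or which boards this version was boot-tested on. Please list the tested boards in the message, and mention that booting with `nokaslr` on the kernel command line is the fallback if a board regresses. It is also worth confirming that the boot path on the supported boards passes a KASLR seed to the kernel, because on arm64 the option on its own does not randomize anything without one.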
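Review bot: In config/rootfiles/common/aarch64/linux, the only addition is `+#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE`, and the diffstat shows a single changed line in the kernel config as well, which suggests both files were edited by hand. Please regenerate the config and the rootfile from an actual build: if enabling RANDOMIZE_BASE makes dependent options visible, they need their own config lines and their own include/config entries here, otherwise the rootfile will not match the build output.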