From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try
Date: Mon, 11 Jul 2022 18:58:44 +0200
Message-ID:
In-Reply-To: <194d274f-ff76-888f-5e47-25ab4d4fb163@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8661788760470079940=="
List-Id:

--===============8661788760470079940==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Shouldn’t this rather be called an RFC before we propose this as a patch?

AFAIK this causes problems on some single board computers - so those people who run them would need to give feedback whether this is causing them any regressions.

Best,
-Michael

> On 11 Jul 2022, at 17:07, Peter Müller wrote:
>
> Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
>
>> Significance: Critical
>>
>> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
>> the physical address at which the kernel image is decompressed and the virtual
>> address where the kernel image is mapped as a security feature that deters
>> exploit attempts relying on knowledge of the location of kernel code internals.
>
> We tried to enable this back in 2020, and failed. Since then, things
> may have been improved, so let's give this low-hanging fruit another
> try.
>
> Fixes: #12363
> Signed-off-by: Peter Müller
> ---
>  config/kernel/kernel.config.aarch64-ipfire | 2 +-
>  config/rootfiles/common/aarch64/linux      | 1 +
>  2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 469884b20..9232335ff 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=3Dy > CONFIG_ARM64_MODULE_PLTS=3Dy > # CONFIG_ARM64_PSEUDO_NMI is not set > CONFIG_RELOCATABLE=3Dy > -# CONFIG_RANDOMIZE_BASE is not set > +CONFIG_RANDOMIZE_BASE=3Dy > CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=3Dy > CONFIG_STACKPROTECTOR_PER_TASK=3Dy > # end of Kernel Features > diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/commo= n/aarch64/linux > index 906fde0c3..af96753fc 100644 > --- a/config/rootfiles/common/aarch64/linux > +++ b/config/rootfiles/common/aarch64/linux > @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf > #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ > #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK > #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS > +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE > #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAU= LT > #lib/modules/KVER-ipfire/build/include/config/RAS > #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE > --=20 > 2.35.3 --===============8661788760470079940==--
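
Review bot: The CONFIG_RANDOMIZE_BASE line in the kernel.config.aarch64-ipfire hunk is flipped for every aarch64 target at once, yet the commit message only says the 2020 attempt failed and that things "may have been improved". It names neither what went wrong behind #12363 nor any aarch64 board on which this configuration was boot-tested. Please list the boards tested and the result in the commit message, or resend this as an RFC until owners of the affected single board computers have reported back.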