From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try Date: Tue, 12 Jul 2022 09:45:29 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2404984606883537571==" List-Id: --===============2404984606883537571== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Michael, > Shouldn=E2=80=99t this rather be called an RFC before we propose this as a = patch? indeed, this should have had the RFC flag. Apologies. > AFAIK this causes problems on some single board computers - so those people= who run them would need to give feedback whether this is causing them any re= gressions. No, last time (in 2020) we tried this, things would not even compile. So no A= RM64 users were harmed, though I agree, we definitely need robust testing feedback= on such a change. Thanks, and best regards, Peter M=C3=BCller >=20 > Best, > -Michael >=20 >> On 11 Jul 2022, at 17:07, Peter M=C3=BCller w= rote: >> >> Quoted from https://capsule8.com/blog/kernel-configuration-glossary/: >> >>> Significance: Critical >>> >>> In support of Kernel Address Space Layout Randomization (KASLR) this rand= omizes >>> the physical address at which the kernel image is decompressed and the vi= rtual >>> address where the kernel image is mapped as a security feature that deters >>> exploit attempts relying on knowledge of the location of kernel code inte= rnals. >> >> We tried to enable this back in 2020, and failed. Since then, things >> may have been improved, so let's give this low-hanging fruit another >> try. >> >> Fixes: #12363 >> Signed-off-by: Peter M=C3=BCller >> --- >> config/kernel/kernel.config.aarch64-ipfire | 2 +- >> config/rootfiles/common/aarch64/linux | 1 + >> 2 files changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/ke= rnel.config.aarch64-ipfire >> index 469884b20..9232335ff 100644 >> --- a/config/kernel/kernel.config.aarch64-ipfire >> +++ b/config/kernel/kernel.config.aarch64-ipfire >> @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=3Dy >> CONFIG_ARM64_MODULE_PLTS=3Dy >> # CONFIG_ARM64_PSEUDO_NMI is not set >> CONFIG_RELOCATABLE=3Dy >> -# CONFIG_RANDOMIZE_BASE is not set >> +CONFIG_RANDOMIZE_BASE=3Dy >> CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=3Dy >> CONFIG_STACKPROTECTOR_PER_TASK=3Dy >> # end of Kernel Features >> diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/comm= on/aarch64/linux >> index 906fde0c3..af96753fc 100644 >> --- a/config/rootfiles/common/aarch64/linux >> +++ b/config/rootfiles/common/aarch64/linux >> @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf >> #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ >> #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK >> #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS >> +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE >> #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFA= ULT >> #lib/modules/KVER-ipfire/build/include/config/RAS >> #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE >> --=20 >> 2.35.3 >=20 --===============2404984606883537571==--