Do we finally know how much the impact is at compile time?
-Michael
On 1 Aug 2022, at 18:18, Peter Müller peter.mueller@ipfire.org wrote:
To quote from the kernel documentation:
If you say Y here, the layouts of structures that are entirely function pointers (and have not been manually annotated with __no_randomize_layout), or structures that have been explicitly marked with __randomize_layout, will be randomized at compile-time. This can introduce the requirement of an additional information exposure vulnerability for exploits targeting these structure types.
Enabling this feature will introduce some performance impact, slightly increase memory usage, and prevent the use of forensic tools like Volatility against the system (unless the kernel source tree isn't cleaned after kernel installation).
The seed used for compilation is located at scripts/gcc-plgins/randomize_layout_seed.h. It remains after a make clean to allow for external modules to be compiled with the existing seed and will be removed by a make mrproper or make distclean.
Note that the implementation requires gcc 4.7 or newer.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.x86_64-ipfire | 3 ++- config/rootfiles/common/aarch64/linux | 5 +++++ config/rootfiles/common/armv6l/linux | 5 +++++ config/rootfiles/common/x86_64/linux | 5 +++++ 4 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 40975b5fc..c8e7ada01 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -793,7 +793,8 @@ CONFIG_HAVE_GCC_PLUGINS=y CONFIG_GCC_PLUGINS=y # CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y -# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set +CONFIG_GCC_PLUGIN_RANDSTRUCT=y +CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y # end of General architecture-dependent options
CONFIG_RT_MUTEXES=y diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index dbd6e8f2f..b3a642e56 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -7646,6 +7646,8 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/GARP #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION @@ -11684,6 +11686,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/generated/autoconf.h #lib/modules/KVER-ipfire/build/include/generated/bounds.h #lib/modules/KVER-ipfire/build/include/generated/compile.h +#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h #lib/modules/KVER-ipfire/build/include/generated/timeconst.h #lib/modules/KVER-ipfire/build/include/generated/uapi #lib/modules/KVER-ipfire/build/include/generated/uapi/linux @@ -17129,6 +17132,8 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux index 79e4facfe..c3411fe8d 100644 --- a/config/rootfiles/common/armv6l/linux +++ b/config/rootfiles/common/armv6l/linux @@ -8071,6 +8071,8 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_ARM_SSP_PER_TASK #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION @@ -12134,6 +12136,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/generated/autoconf.h #lib/modules/KVER-ipfire/build/include/generated/bounds.h #lib/modules/KVER-ipfire/build/include/generated/compile.h +#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h #lib/modules/KVER-ipfire/build/include/generated/timeconst.h #lib/modules/KVER-ipfire/build/include/generated/uapi #lib/modules/KVER-ipfire/build/include/generated/uapi/linux @@ -17579,6 +17582,8 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index b25f85a3a..1b78fe8c5 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -7624,6 +7624,8 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/GARP #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION @@ -12128,6 +12130,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/generated/autoconf.h #lib/modules/KVER-ipfire/build/include/generated/bounds.h #lib/modules/KVER-ipfire/build/include/generated/compile.h +#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h #lib/modules/KVER-ipfire/build/include/generated/timeconst.h #lib/modules/KVER-ipfire/build/include/generated/uapi #lib/modules/KVER-ipfire/build/include/generated/uapi/linux @@ -17567,6 +17570,8 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c
2.35.3