Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
Significance: Critical
In support of Kernel Address Space Layout Randomization (KASLR) this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped as a security feature that deters exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things may have been improved, so let's give this low-hanging fruit another try.
Fixes: #12363 Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/rootfiles/common/aarch64/linux | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 469884b20..9232335ff 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y CONFIG_ARM64_MODULE_PLTS=y # CONFIG_ARM64_PSEUDO_NMI is not set CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y CONFIG_STACKPROTECTOR_PER_TASK=y # end of Kernel Features diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 906fde0c3..af96753fc 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT #lib/modules/KVER-ipfire/build/include/config/RAS #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE