Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
Significance: Critical
In support of Kernel Address Space Layout Randomization (KASLR) this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped as a security feature that deters exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things may have been improved, so let's give this low-hanging fruit another try.
Fixes: #12363 Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/rootfiles/common/aarch64/linux | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 469884b20..9232335ff 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y CONFIG_ARM64_MODULE_PLTS=y # CONFIG_ARM64_PSEUDO_NMI is not set CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y CONFIG_STACKPROTECTOR_PER_TASK=y # end of Kernel Features diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 906fde0c3..af96753fc 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT #lib/modules/KVER-ipfire/build/include/config/RAS #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE
Shouldn’t this rather be called an RFC before we propose this as a patch?
AFAIK this causes problems on some single board computers - so those people who run them would need to give feedback whether this is causing them any regressions.
Best, -Michael
On 11 Jul 2022, at 17:07, Peter Müller peter.mueller@ipfire.org wrote:
Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
Significance: Critical
In support of Kernel Address Space Layout Randomization (KASLR) this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped as a security feature that deters exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things may have been improved, so let's give this low-hanging fruit another try.
Fixes: #12363 Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/rootfiles/common/aarch64/linux | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 469884b20..9232335ff 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y CONFIG_ARM64_MODULE_PLTS=y # CONFIG_ARM64_PSEUDO_NMI is not set CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y CONFIG_STACKPROTECTOR_PER_TASK=y # end of Kernel Features diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 906fde0c3..af96753fc 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT #lib/modules/KVER-ipfire/build/include/config/RAS
#lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE
2.35.3
Hello Michael,
Shouldn’t this rather be called an RFC before we propose this as a patch?
indeed, this should have had the RFC flag. Apologies.
AFAIK this causes problems on some single board computers - so those people who run them would need to give feedback whether this is causing them any regressions.
No, last time (in 2020) we tried this, things would not even compile. So no ARM64 users were harmed, though I agree, we definitely need robust testing feedback on such a change.
Thanks, and best regards, Peter Müller
Best, -Michael
On 11 Jul 2022, at 17:07, Peter Müller peter.mueller@ipfire.org wrote:
Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
Significance: Critical
In support of Kernel Address Space Layout Randomization (KASLR) this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped as a security feature that deters exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things may have been improved, so let's give this low-hanging fruit another try.
Fixes: #12363 Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/rootfiles/common/aarch64/linux | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 469884b20..9232335ff 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y CONFIG_ARM64_MODULE_PLTS=y # CONFIG_ARM64_PSEUDO_NMI is not set CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y CONFIG_STACKPROTECTOR_PER_TASK=y # end of Kernel Features diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 906fde0c3..af96753fc 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT #lib/modules/KVER-ipfire/build/include/config/RAS
#lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE
2.35.3
-
Michael Tremer -
Peter Müller