Re: [RFC][PATCH] Randomize kernel base address on boot

From: Ingo Molnar
Date: Tue May 24 2011 - 17:03:00 EST

Next message: Dan Williams: "Re: [PATCH] dmaengine: Add API documentation for slave dma usage"
Previous message: Zimny Lech: "Re: (Short?) merge window reminder"
In reply to: Dan Rosenberg: "[RFC][PATCH] Randomize kernel base address on boot"
Next in thread: Dan Rosenberg: "Re: [RFC][PATCH] Randomize kernel base address on boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> wrote:

> This introduces CONFIG_RANDOMIZE_BASE, which randomizes the address at
> which the kernel is decompressed at boot as a security feature that
> deters exploit attempts relying on knowledge of the location of kernel
> internals. The default values of the kptr_restrict and dmesg_restrict
> sysctls are set to (1) when this is enabled, since hiding kernel
> pointers is necessary to preserve the secrecy of the randomized base
> address.

That was quick! :-)

> This feature also uses a fixed mapping to move the IDT (if not already
> done as a fix for the F00F bug), to avoid exposing the location of
> kernel internals relative to the original IDT. This has the additional
> security benefit of marking the new virtual address of the IDT
> read-only.

Btw., as i suggested before the IDT should be made percpu, that way we could
split out and evaluate the IDT change independently of any security
considerations, as a potential scalability improvement. Makes the decision
easier because right now moving the IDT to a 4K TLB increases the kernel's TLB
footprint a tiny bit.

> Entropy is generated using the RDRAND instruction if it is supported. If not,
> then RDTSC is used, if supported. If neither RDRAND nor RDTSC are supported,
> then no randomness is introduced. Support for the CPUID instruction is
> required to check for the availability of these two instructions.

Btw., i'd suggest to fall back not to zero but to something system specific
like RAM size or a BIOS signature such as the contents of 0xf0000 or so. This,
while clearly not random, will at least *somewhat* randomize the kernel against
remote attackers who do not know the RAM size or the system type.

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dan Williams: "Re: [PATCH] dmaengine: Add API documentation for slave dma usage"
Previous message: Zimny Lech: "Re: (Short?) merge window reminder"
In reply to: Dan Rosenberg: "[RFC][PATCH] Randomize kernel base address on boot"
Next in thread: Dan Rosenberg: "Re: [RFC][PATCH] Randomize kernel base address on boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]