Re: [PATCH 3/3] x86: kernel base offset ASLR

From: Ingo Molnar
Date: Fri Apr 05 2013 - 03:11:53 EST

Next message: Ingo Molnar: "Re: [PATCH 2/3] x86: build reloc tool for both 64 and 32 bit"
Previous message: Sourav Poddar: "Re: [PATCH/Resend 2/2] arm: mach-omap2: prevent UART console idleon suspend while using "no_console_suspend""
In reply to: H. Peter Anvin: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
Next in thread: Julien Tinnes: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Kees Cook <keescook@xxxxxxxxxxxx> wrote:

> This creates CONFIG_RANDOMIZE_BASE, so that the base offset of the kernel
> can be randomized at boot.
>
> This makes kernel vulnerabilities harder to reliably exploit, especially
> from remote attacks and local processes in seccomp containers. Keeping
> the location of kernel addresses secret becomes very important when using
> this feature, so enabling kptr_restrict and dmesg_restrict is recommended.
> Besides direct address leaks, several other attacks are possible to bypass
> this on local systems, including cache timing[1]. However, the benefits of
> this feature in certain environments exceed the perceived weaknesses[2].
>
> An added security benefit is making the IDT read-only.
>
> Current entropy is low, since the kernel has basically a minimum 2MB
> alignment and has been built with -2G memory addressing. As a result,
> available entropy will be 8 bits in the best case. The e820 entries on
> a given system may further limit the available memory.
>
> This feature is presently incompatible with hibernation.
>
> When built into the kernel, the "noaslr" kernel command line option will
> disable the feature.
>
> Heavily based on work by Dan Rosenberg[3] and Neill Clift.
>
> [1] http://www.internetsociety.org/sites/default/files/Practical%20Timing%20Side%20Channel%20Attacks%20Against%20Kernel%20Space%20ASLR.pdf
> [2] http://forums.grsecurity.net/viewtopic.php?f=7&t=3367
> [3] http://lkml.indiana.edu/hypermail/linux/kernel/1105.3/index.html#00520
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Eric Northup <digitaleric@xxxxxxxxxx>
> ---
> Documentation/kernel-parameters.txt | 4 +
> arch/x86/Kconfig | 51 +++++++++++--
> arch/x86/Makefile | 3 +
> arch/x86/boot/compressed/head_32.S | 21 +++++-
> arch/x86/boot/compressed/head_64.S | 135 ++++++++++++++++++++++++++++++++--
> arch/x86/include/asm/fixmap.h | 4 +
> arch/x86/include/asm/page_32_types.h | 2 +
> arch/x86/include/asm/page_64_types.h | 4 -
> arch/x86/include/asm/page_types.h | 4 +
> arch/x86/kernel/asm-offsets.c | 14 ++++
> arch/x86/kernel/setup.c | 24 ++++++
> arch/x86/kernel/traps.c | 6 ++
> 12 files changed, 251 insertions(+), 21 deletions(-)

Before going into the details, I have a structural request: could you
please further increase the granularity of the patch-set?

In particular I'd suggest introducing a helper Kconfig bool that makes the
IDT readonly - instead of using CONFIG_RANDOMIZE_BASE for that.
CONFIG_RANDOMIZE_BASE can then select this helper Kconfig switch.

Users could also select a readonly-IDT - even if they don't want a
randomized kernel.

With that done, it would be nice to implement the read-only IDT changes in
a separate, preparatory patch. If it causes any problems it will be easier
to isolate.

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [PATCH 2/3] x86: build reloc tool for both 64 and 32 bit"
Previous message: Sourav Poddar: "Re: [PATCH/Resend 2/2] arm: mach-omap2: prevent UART console idleon suspend while using "no_console_suspend""
In reply to: H. Peter Anvin: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
Next in thread: Julien Tinnes: "Re: [PATCH 3/3] x86: kernel base offset ASLR"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]