x86/KASLR: Drop CONFIG_RANDOMIZE_BASE_MAX_OFFSET
Currently CONFIG_RANDOMIZE_BASE_MAX_OFFSET is used to limit the maximum offset for kernel randomization. This limit doesn't need to be a CONFIG since it is tied completely to KERNEL_IMAGE_SIZE, and will make no sense once physical and virtual offsets are randomized separately. This patch removes CONFIG_RANDOMIZE_BASE_MAX_OFFSET and consolidates the Kconfig help text. [kees: rewrote changelog, dropped KERNEL_IMAGE_SIZE_DEFAULT, rewrote help] Signed-off-by: Baoquan He <bhe@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@alien8.de> Cc: Borislav Petkov <bp@suse.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: H.J. Lu <hjl.tools@gmail.com> Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Yinghai Lu <yinghai@kernel.org> Link: http://lkml.kernel.org/r/1461185746-8017-3-git-send-email-keescook@chromium.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
This commit is contained in:
Baoquan He
Ingo Molnar
parent
4252db1055
commit
e8581e3d67
|
|
@ -1932,54 +1932,38 @@ config RELOCATABLE
|
|||
(CONFIG_PHYSICAL_START) is used as the minimum location.
|
||||
|
||||
config RANDOMIZE_BASE
|
||||
bool "Randomize the address of the kernel image"
|
||||
bool "Randomize the address of the kernel image (KASLR)"
|
||||
depends on RELOCATABLE
|
||||
default n
|
||||
---help---
|
||||
Randomizes the physical and virtual address at which the
|
||||
kernel image is decompressed, as a security feature that
|
||||
deters exploit attempts relying on knowledge of the location
|
||||
of kernel internals.
|
||||
In support of Kernel Address Space Layout Randomization (KASLR),
|
||||
this randomizes the physical address at which the kernel image
|
||||
is decompressed and the virtual address where the kernel
|
||||
image is mapped, as a security feature that deters exploit
|
||||
attempts relying on knowledge of the location of kernel
|
||||
code internals.
|
||||
|
||||
Entropy is generated using the RDRAND instruction if it is
|
||||
supported. If RDTSC is supported, it is used as well. If
|
||||
neither RDRAND nor RDTSC are supported, then randomness is
|
||||
read from the i8254 timer.
|
||||
The kernel physical and virtual address can be randomized
|
||||
from 16MB up to 1GB on 64-bit and 512MB on 32-bit. (Note that
|
||||
using RANDOMIZE_BASE reduces the memory space available to
|
||||
kernel modules from 1.5GB to 1GB.)
|
||||
|
||||
The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET,
|
||||
and aligned according to PHYSICAL_ALIGN. Since the kernel is
|
||||
built using 2GiB addressing, and PHYSICAL_ALGIN must be at a
|
||||
minimum of 2MiB, only 10 bits of entropy is theoretically
|
||||
possible. At best, due to page table layouts, 64-bit can use
|
||||
9 bits of entropy and 32-bit uses 8 bits.
|
||||
Entropy is generated using the RDRAND instruction if it is
|
||||
supported. If RDTSC is supported, its value is mixed into
|
||||
the entropy pool as well. If neither RDRAND nor RDTSC are
|
||||
supported, then entropy is read from the i8254 timer.
|
||||
|
||||
If unsure, say N.
|
||||
Since the kernel is built using 2GB addressing, and
|
||||
PHYSICAL_ALIGN must be at a minimum of 2MB, only 10 bits of
|
||||
entropy is theoretically possible. Currently, with the
|
||||
default value for PHYSICAL_ALIGN and due to page table
|
||||
layouts, 64-bit uses 9 bits of entropy and 32-bit uses 8 bits.
|
||||
|
||||
config RANDOMIZE_BASE_MAX_OFFSET
|
||||
hex "Maximum kASLR offset allowed" if EXPERT
|
||||
depends on RANDOMIZE_BASE
|
||||
range 0x0 0x20000000 if X86_32
|
||||
default "0x20000000" if X86_32
|
||||
range 0x0 0x40000000 if X86_64
|
||||
default "0x40000000" if X86_64
|
||||
---help---
|
||||
The lesser of RANDOMIZE_BASE_MAX_OFFSET and available physical
|
||||
memory is used to determine the maximal offset in bytes that will
|
||||
be applied to the kernel when kernel Address Space Layout
|
||||
Randomization (kASLR) is active. This must be a multiple of
|
||||
PHYSICAL_ALIGN.
|
||||
If CONFIG_HIBERNATE is also enabled, KASLR is disabled at boot
|
||||
time. To enable it, boot with "kaslr" on the kernel command
|
||||
line (which will also disable hibernation).
|
||||
|
||||
On 32-bit this is limited to 512MiB by page table layouts. The
|
||||
default is 512MiB.
|
||||
|
||||
On 64-bit this is limited by how the kernel fixmap page table is
|
||||
positioned, so this cannot be larger than 1GiB currently. Without
|
||||
RANDOMIZE_BASE, there is a 512MiB to 1.5GiB split between kernel
|
||||
and modules. When RANDOMIZE_BASE_MAX_OFFSET is above 512MiB, the
|
||||
modules area will shrink to compensate, up to the current maximum
|
||||
1GiB to 1GiB split. The default is 1GiB.
|
||||
|
||||
If unsure, leave at the default value.
|
||||
If unsure, say N.
|
||||
|
||||
# Relocation on x86 needs some additional build support
|
||||
config X86_NEED_RELOCS
|
||||
|
|
|
|||
|
|
@ -217,15 +217,13 @@ static bool mem_avoid_overlap(struct mem_vector *img)
|
|||
return false;
|
||||
}
|
||||
|
||||
static unsigned long slots[CONFIG_RANDOMIZE_BASE_MAX_OFFSET /
|
||||
CONFIG_PHYSICAL_ALIGN];
|
||||
static unsigned long slots[KERNEL_IMAGE_SIZE / CONFIG_PHYSICAL_ALIGN];
|
||||
static unsigned long slot_max;
|
||||
|
||||
static void slots_append(unsigned long addr)
|
||||
{
|
||||
/* Overflowing the slots list should be impossible. */
|
||||
if (slot_max >= CONFIG_RANDOMIZE_BASE_MAX_OFFSET /
|
||||
CONFIG_PHYSICAL_ALIGN)
|
||||
if (slot_max >= KERNEL_IMAGE_SIZE / CONFIG_PHYSICAL_ALIGN)
|
||||
return;
|
||||
|
||||
slots[slot_max++] = addr;
|
||||
|
|
@ -251,7 +249,7 @@ static void process_e820_entry(struct e820entry *entry,
|
|||
return;
|
||||
|
||||
/* Ignore entries entirely above our maximum. */
|
||||
if (entry->addr >= CONFIG_RANDOMIZE_BASE_MAX_OFFSET)
|
||||
if (entry->addr >= KERNEL_IMAGE_SIZE)
|
||||
return;
|
||||
|
||||
/* Ignore entries entirely below our minimum. */
|
||||
|
|
@ -276,8 +274,8 @@ static void process_e820_entry(struct e820entry *entry,
|
|||
region.size -= region.start - entry->addr;
|
||||
|
||||
/* Reduce maximum size to fit end of image within maximum limit. */
|
||||
if (region.start + region.size > CONFIG_RANDOMIZE_BASE_MAX_OFFSET)
|
||||
region.size = CONFIG_RANDOMIZE_BASE_MAX_OFFSET - region.start;
|
||||
if (region.start + region.size > KERNEL_IMAGE_SIZE)
|
||||
region.size = KERNEL_IMAGE_SIZE - region.start;
|
||||
|
||||
/* Walk each aligned slot and check for avoided areas. */
|
||||
for (img.start = region.start, img.size = image_size ;
|
||||
|
|
|
|||
|
|
@ -47,12 +47,10 @@
|
|||
* are fully set up. If kernel ASLR is configured, it can extend the
|
||||
* kernel page table mapping, reducing the size of the modules area.
|
||||
*/
|
||||
#define KERNEL_IMAGE_SIZE_DEFAULT (512 * 1024 * 1024)
|
||||
#if defined(CONFIG_RANDOMIZE_BASE) && \
|
||||
CONFIG_RANDOMIZE_BASE_MAX_OFFSET > KERNEL_IMAGE_SIZE_DEFAULT
|
||||
#define KERNEL_IMAGE_SIZE CONFIG_RANDOMIZE_BASE_MAX_OFFSET
|
||||
#if defined(CONFIG_RANDOMIZE_BASE)
|
||||
#define KERNEL_IMAGE_SIZE (1024 * 1024 * 1024)
|
||||
#else
|
||||
#define KERNEL_IMAGE_SIZE KERNEL_IMAGE_SIZE_DEFAULT
|
||||
#define KERNEL_IMAGE_SIZE (512 * 1024 * 1024)
|
||||
#endif
|
||||
|
||||
#endif /* _ASM_X86_PAGE_64_DEFS_H */
|
||||
|
|
|
|||
|
|
@ -804,9 +804,6 @@ void __init mem_init(void)
|
|||
BUILD_BUG_ON(VMALLOC_START >= VMALLOC_END);
|
||||
#undef high_memory
|
||||
#undef __FIXADDR_TOP
|
||||
#ifdef CONFIG_RANDOMIZE_BASE
|
||||
BUILD_BUG_ON(CONFIG_RANDOMIZE_BASE_MAX_OFFSET > KERNEL_IMAGE_SIZE);
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_HIGHMEM
|
||||
BUG_ON(PKMAP_BASE + LAST_PKMAP*PAGE_SIZE > FIXADDR_START);
|
||||
|
|
|
|||
Loading…
Reference in New Issue