[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4DDC31DF.5010303@zytor.com>
Date: Tue, 24 May 2011 15:31:59 -0700
From: "H. Peter Anvin" <hpa@...or.com>
To: Dan Rosenberg <drosenberg@...curity.com>
CC: Tony Luck <tony.luck@...il.com>, linux-kernel@...r.kernel.org,
davej@...hat.com, kees.cook@...onical.com, davem@...emloft.net,
eranian@...gle.com, torvalds@...ux-foundation.org,
adobriyan@...il.com, penberg@...nel.org,
Arjan van de Ven <arjan@...radead.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Valdis.Kletnieks@...edu, Ingo Molnar <mingo@...e.hu>,
pageexec@...email.hu
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot
On 05/24/2011 01:31 PM, Dan Rosenberg wrote:
> This introduces CONFIG_RANDOMIZE_BASE, which randomizes the address at
> which the kernel is decompressed at boot as a security feature that
> deters exploit attempts relying on knowledge of the location of kernel
> internals. The default values of the kptr_restrict and dmesg_restrict
> sysctls are set to (1) when this is enabled, since hiding kernel
> pointers is necessary to preserve the secrecy of the randomized base
> address.
>
> This feature also uses a fixed mapping to move the IDT (if not already
> done as a fix for the F00F bug), to avoid exposing the location of
> kernel internals relative to the original IDT. This has the additional
> security benefit of marking the new virtual address of the IDT
> read-only.
As written, I think this is unsafe, simply because the kernel has no
idea what memory is actually safe to relocate into, and your code
doesn't actually make any attempt at doing so.
The fact that you change CONFIG_PHYSICAL_ALIGN is particularly
devastating, and will introduce boot failures on real systems.
For this to be acceptable, you need to at the very least:
1. Verify the in the address map passed to the kernel where it is safe
to locate the kernel;
2. Not introduce a performance regression (we avoid locating in the
bottom 16 MiB for performance reasons, except on very small systems);
3. Make sure not to break kdump.
Arguably this is really something that would be *much* better done in
the bootloader, but given that the dominant boot loader for Linux is
Grub, I don't expect that anything will ever happen until the cows come
home :(
-hpa
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists