[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTimVQbHvW8tCACAcC8zRkyY1KyU2ww@mail.gmail.com>
Date: Fri, 27 May 2011 11:05:07 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: Ingo Molnar <mingo@...e.hu>,
Dan Rosenberg <drosenberg@...curity.com>,
"Rafael J. Wysocki" <rjw@...k.pl>, Tony Luck <tony.luck@...il.com>,
linux-kernel@...r.kernel.org, davej@...hat.com,
kees.cook@...onical.com, davem@...emloft.net, eranian@...gle.com,
adobriyan@...il.com, penberg@...nel.org,
Arjan van de Ven <arjan@...radead.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Valdis.Kletnieks@...edu, pageexec@...email.hu
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot
On Fri, May 27, 2011 at 10:53 AM, H. Peter Anvin <hpa@...or.com> wrote:
>
> That doesn't solve any problems with the memory map.
Actually, it does.
You can load the kernel at the same virtual address we always load it,
and/or perhaps shift it up by just small amounts (ie "single pages"
rather than "ten bits worth of pages")
And then rely on the fact that you mixed up symbols in other ways.
"Look ma, no need to worry about memory map". At least no more than we do now.
Put another way: think about our /proc/iomem right now:
00100000-bdc6ffff : System RAM
01000000-016bdced : Kernel code
016bdcee-01ca8b7f : Kernel data
01d36000-01de2fff : Kernel bss
with the "shift kernel up at load-time", the above information is
suddenly very scary, because the "Kernel code" part is magically
important.
In contrast, if your randomization depends on just relinking things a
bit differently, you don't really give out any of the random
information in /proc/iomem. Nor does it affect the load address and
the e820 memory map.
And, in fact, it does give you way more bits of randomness to play
around with the text addresses.
With something like function-sections, it should be possible to do
quite a serious job of relinking (and then keep some "function section
to actual relinked address" mapping around so that you can do the
/proc/kallsyms mappings).
But that's actually the "fancy" model. I don't think we should aim at
that to begin with. Start off with something much less ambitious, like
just shifting the kernel by a few pages. People have argued that even
just a 50% chance of an oops is preferable to nothing. So we can start
small and stupid.
See?
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists