| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d673649d6f371e82d4a94ba62bfd0d44efeca7b4.camel@buserror.net>
Date: Wed, 04 Mar 2020 15:21:21 -0600
From: Scott Wood <oss@...error.net>
To: Daniel Axtens <dja@...ens.net>, Jason Yan <yanaijie@...wei.com>,
mpe@...erman.id.au, linuxppc-dev@...ts.ozlabs.org,
diana.craciun@....com, christophe.leroy@....fr,
benh@...nel.crashing.org, paulus@...ba.org, npiggin@...il.com,
keescook@...omium.org, kernel-hardening@...ts.openwall.com
Cc: linux-kernel@...r.kernel.org, zhaohongjiang@...wei.com
Subject: Re: [PATCH v3 0/6] implement KASLR for powerpc/fsl_booke/64
On Wed, 2020-02-26 at 18:16 +1100, Daniel Axtens wrote:
> Hi Jason,
>
> > This is a try to implement KASLR for Freescale BookE64 which is based on
> > my earlier implementation for Freescale BookE32:
> > https://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=131718
> >
> > The implementation for Freescale BookE64 is similar as BookE32. One
> > difference is that Freescale BookE64 set up a TLB mapping of 1G during
> > booting. Another difference is that ppc64 needs the kernel to be
> > 64K-aligned. So we can randomize the kernel in this 1G mapping and make
> > it 64K-aligned. This can save some code to creat another TLB map at
> > early boot. The disadvantage is that we only have about 1G/64K = 16384
> > slots to put the kernel in.
> >
> > KERNELBASE
> >
> > 64K |--> kernel <--|
> > | | |
> > +--+--+--+ +--+--+--+--+--+--+--+--+--+ +--+--+
> > | | | |....| | | | | | | | | |....| | |
> > +--+--+--+ +--+--+--+--+--+--+--+--+--+ +--+--+
> > | | 1G
> > |-----> offset <-----|
> >
> > kernstart_virt_addr
> >
> > I'm not sure if the slot numbers is enough or the design has any
> > defects. If you have some better ideas, I would be happy to hear that.
> >
> > Thank you all.
> >
>
> Are you making any attempt to hide kernel address leaks in this series?
> I've just been looking at the stackdump code just now, and it directly
> prints link registers and stack pointers, which is probably enough to
> determine the kernel base address:
>
> SPs: LRs: %pS pointer
> [ 0.424506] [c0000000de403970] [c000000001fc0458] dump_stack+0xfc/0x154
> (unreliable)
> [ 0.424593] [c0000000de4039c0] [c000000000267eec] panic+0x258/0x5ac
> [ 0.424659] [c0000000de403a60] [c0000000024d7a00]
> mount_block_root+0x634/0x7c0
> [ 0.424734] [c0000000de403be0] [c0000000024d8100]
> prepare_namespace+0x1ec/0x23c
> [ 0.424811] [c0000000de403c60] [c0000000024d7010]
> kernel_init_freeable+0x804/0x880
>
> git grep \\\"REG\\\" arch/powerpc shows a few other uses like this, all
> in process.c or in xmon.
>
> Maybe replacing the REG format string in KASLR mode would be sufficient?
Whatever we decide to do here, it's not book3e-specific so it should be
considered separately from these patches.
-Scott
Powered by blists - more mailing lists