From: Dan Rosenberg <drosenberg@vsecurity.com>
To: Ingo Molnar <mingo@elte.hu>
Cc: Tony Luck <tony.luck@gmail.com>,
linux-kernel@vger.kernel.org, davej@redhat.com,
kees.cook@canonical.com, davem@davemloft.net, eranian@google.com,
torvalds@linux-foundation.org, adobriyan@gmail.com,
penberg@kernel.org, hpa@zytor.com,
Arjan van de Ven <arjan@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Valdis.Kletnieks@vt.edu, pageexec@freemail.hu
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot
Date: Tue, 24 May 2011 18:55:58 -0400 [thread overview]
Message-ID: <1306277758.1921.0.camel@dan> (raw)
In-Reply-To: <20110524210233.GI27634@elte.hu>
On Tue, 2011-05-24 at 23:02 +0200, Ingo Molnar wrote:
> * Dan Rosenberg <drosenberg@vsecurity.com> wrote:
>
> > This introduces CONFIG_RANDOMIZE_BASE, which randomizes the address at
> > which the kernel is decompressed at boot as a security feature that
> > deters exploit attempts relying on knowledge of the location of kernel
> > internals. The default values of the kptr_restrict and dmesg_restrict
> > sysctls are set to (1) when this is enabled, since hiding kernel
> > pointers is necessary to preserve the secrecy of the randomized base
> > address.
>
> That was quick! :-)
>
> > This feature also uses a fixed mapping to move the IDT (if not already
> > done as a fix for the F00F bug), to avoid exposing the location of
> > kernel internals relative to the original IDT. This has the additional
> > security benefit of marking the new virtual address of the IDT
> > read-only.
>
> Btw., as i suggested before the IDT should be made percpu, that way we could
> split out and evaluate the IDT change independently of any security
> considerations, as a potential scalability improvement. Makes the decision
> easier because right now moving the IDT to a 4K TLB increases the kernel's TLB
> footprint a tiny bit.
>
Alright, I'll start working on this.
> > Entropy is generated using the RDRAND instruction if it is supported. If not,
> > then RDTSC is used, if supported. If neither RDRAND nor RDTSC are supported,
> > then no randomness is introduced. Support for the CPUID instruction is
> > required to check for the availability of these two instructions.
>
> Btw., i'd suggest to fall back not to zero but to something system specific
> like RAM size or a BIOS signature such as the contents of 0xf0000 or so. This,
> while clearly not random, will at least *somewhat* randomize the kernel against
> remote attackers who do not know the RAM size or the system type.
>
Good idea, will do.
-Dan
next prev parent reply other threads:[~2011-05-24 22:56 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-24 20:31 [RFC][PATCH] Randomize kernel base address on boot Dan Rosenberg
2011-05-24 21:02 ` Ingo Molnar
2011-05-24 22:55 ` Dan Rosenberg [this message]
2011-05-24 21:16 ` Ingo Molnar
2011-05-24 23:00 ` Dan Rosenberg
2011-05-25 11:23 ` Ingo Molnar
2011-05-25 14:20 ` Dan Rosenberg
2011-05-25 14:29 ` Ingo Molnar
2011-05-24 23:06 ` H. Peter Anvin
2011-05-25 14:03 ` Dan Rosenberg
2011-05-25 14:14 ` Ingo Molnar
2011-05-25 15:48 ` H. Peter Anvin
2011-05-25 16:15 ` Dan Rosenberg
2011-05-25 16:24 ` H. Peter Anvin
2011-05-24 21:46 ` Brian Gerst
2011-05-24 23:01 ` Dan Rosenberg
2011-05-24 22:31 ` H. Peter Anvin
2011-05-24 23:04 ` Dan Rosenberg
2011-05-24 23:07 ` H. Peter Anvin
2011-05-24 23:34 ` Dan Rosenberg
2011-05-24 23:36 ` H. Peter Anvin
2011-05-24 23:14 ` H. Peter Anvin
2011-05-24 23:08 ` Dan Rosenberg
2011-05-25 2:05 ` Dan Rosenberg
2011-05-26 20:01 ` Vivek Goyal
2011-05-26 20:06 ` Dan Rosenberg
2011-05-26 20:16 ` Valdis.Kletnieks
2011-05-26 20:31 ` Vivek Goyal
2011-05-27 9:36 ` Ingo Molnar
2011-05-26 20:35 ` Vivek Goyal
2011-05-26 20:40 ` Vivek Goyal
2011-05-26 20:44 ` Dan Rosenberg
2011-05-26 20:55 ` Vivek Goyal
2011-05-27 9:38 ` Ingo Molnar
2011-05-27 13:07 ` Vivek Goyal
2011-05-27 13:38 ` Ingo Molnar
2011-05-27 13:13 ` Vivek Goyal
2011-05-27 13:21 ` Dan Rosenberg
2011-05-27 13:46 ` Ingo Molnar
2011-05-27 13:50 ` Vivek Goyal
2011-05-26 20:39 ` Dan Rosenberg
2011-05-27 7:15 ` Ingo Molnar
2011-05-31 16:52 ` Matthew Garrett
2011-05-31 18:40 ` H. Peter Anvin
2011-05-31 18:51 ` Matthew Garrett
2011-05-31 19:03 ` Dan Rosenberg
2011-05-31 19:07 ` H. Peter Anvin
2011-05-31 19:50 ` Ingo Molnar
2011-05-31 19:55 ` Ingo Molnar
2011-05-31 20:15 ` H. Peter Anvin
2011-05-31 20:27 ` Ingo Molnar
2011-05-31 20:30 ` H. Peter Anvin
2011-06-01 6:18 ` Ingo Molnar
2011-06-01 15:44 ` H. Peter Anvin
2011-05-31 20:17 ` Dan Rosenberg
2011-05-26 22:18 ` Rafael J. Wysocki
2011-05-26 22:32 ` H. Peter Anvin
2011-05-27 0:26 ` Dan Rosenberg
2011-05-27 16:21 ` Rafael J. Wysocki
2011-05-27 2:45 ` Dave Jones
2011-05-27 9:40 ` Ingo Molnar
2011-05-27 16:11 ` Rafael J. Wysocki
2011-05-27 16:07 ` Rafael J. Wysocki
2011-05-27 15:42 ` Linus Torvalds
2011-05-27 16:11 ` Dan Rosenberg
2011-05-27 17:00 ` Ingo Molnar
2011-05-27 17:06 ` H. Peter Anvin
2011-05-27 17:10 ` Dan Rosenberg
2011-05-27 17:13 ` H. Peter Anvin
2011-05-27 17:16 ` Linus Torvalds
2011-05-27 17:38 ` Ingo Molnar
2011-05-27 17:20 ` Kees Cook
2011-05-27 17:16 ` Ingo Molnar
2011-05-27 17:21 ` Linus Torvalds
2011-05-27 17:46 ` Ingo Molnar
2011-05-27 17:53 ` H. Peter Anvin
2011-05-27 18:05 ` Linus Torvalds
2011-05-27 19:15 ` Vivek Goyal
2011-05-27 21:37 ` H. Peter Anvin
2011-05-27 23:51 ` H. Peter Anvin
2011-05-28 12:18 ` Ingo Molnar
2011-05-29 1:13 ` H. Peter Anvin
2011-05-29 12:47 ` Ingo Molnar
2011-05-29 18:19 ` H. Peter Anvin
2011-05-29 18:44 ` Ingo Molnar
2011-05-29 18:52 ` H. Peter Anvin
2011-05-29 19:56 ` Ingo Molnar
2011-05-27 17:57 ` Linus Torvalds
2011-05-27 18:17 ` Ingo Molnar
2011-05-27 18:43 ` Kees Cook
2011-05-27 18:48 ` david
2011-05-27 21:51 ` Olivier Galibert
2011-05-27 22:11 ` Valdis.Kletnieks
2011-05-28 0:50 ` H. Peter Anvin
2011-05-28 6:32 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1306277758.1921.0.camel@dan \
--to=drosenberg@vsecurity.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=eranian@google.com \
--cc=hpa@zytor.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=pageexec@freemail.hu \
--cc=penberg@kernel.org \
--cc=tony.luck@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.