public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Dan Rosenberg <drosenberg@vsecurity.com>
To: Matthew Garrett <mjg@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>, Tony Luck <tony.luck@gmail.com>,
	linux-kernel@vger.kernel.org, kees.cook@canonical.com,
	davej@redhat.com, torvalds@linux-foundation.org,
	adobriyan@gmail.com, eranian@google.com, penberg@kernel.org,
	davem@davemloft.net, Arjan van de Ven <arjan@infradead.org>,
	Valdis.Kletnieks@vt.edu,
	Andrew Morton <akpm@linux-foundation.org>,
	pageexec@freemail.hu, Ingo Molnar <mingo@elte.hu>,
	Vivek Goyal <vgoyal@redhat.com>
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot
Date: Tue, 31 May 2011 15:03:29 -0400	[thread overview]
Message-ID: <1306868609.6317.25.camel@dan> (raw)
In-Reply-To: <20110531185122.GA11998@srcf.ucam.org>

On Tue, 2011-05-31 at 19:51 +0100, Matthew Garrett wrote:
> On Tue, May 31, 2011 at 11:40:13AM -0700, H. Peter Anvin wrote:
> > On 05/31/2011 09:52 AM, Matthew Garrett wrote:
> > > The BIOS E820 map, or the kernel representation? In either case, this 
> > > isn't going to work well with EFI. There are regions that will be marked 
> > > as available in the E820 map that we *mustn't* touch until we've entered 
> > > EFI virtual mode.
> > > 
> > > (This is, clearly, insane).
> > > 
> > 
> > I believe we could (should!) mark them reserved, not available, in the
> > E820 map and free them later.
> 
> That was my original approach, but it requires that the bootloader be 
> modified and it turns out that it's a lot harder to hand reserved 
> regions back to the OS than it is to just reserve it in-kernel. The 
> complete inflexibility of e820 is massively unhelpful here. It's just 
> not possible to represent all of the EFI memory map data in it.
> 

Just for the record, I've put this patch on hold until there's some more
consensus about whether boot-time randomization of the physical kernel
address is the best approach.  There are some other potential issues
that haven't been brought up yet publicly, such as the possibility of
local attackers performing cache timing attacks to find the kernel image
location at runtime, which may make traditional ASLR somewhat pointless
regardless (except in the case of remote attackers, I suppose).  Perhaps
HPA's suggestion of further modularizing the kernel would have some
advantages in this regard.

-Dan

> -- 
> Matthew Garrett | mjg59@srcf.ucam.org



  reply	other threads:[~2011-05-31 19:03 UTC|newest]

Thread overview: 95+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-05-24 20:31 [RFC][PATCH] Randomize kernel base address on boot Dan Rosenberg
2011-05-24 21:02 ` Ingo Molnar
2011-05-24 22:55   ` Dan Rosenberg
2011-05-24 21:16 ` Ingo Molnar
2011-05-24 23:00   ` Dan Rosenberg
2011-05-25 11:23     ` Ingo Molnar
2011-05-25 14:20       ` Dan Rosenberg
2011-05-25 14:29         ` Ingo Molnar
2011-05-24 23:06   ` H. Peter Anvin
2011-05-25 14:03     ` Dan Rosenberg
2011-05-25 14:14       ` Ingo Molnar
2011-05-25 15:48       ` H. Peter Anvin
2011-05-25 16:15         ` Dan Rosenberg
2011-05-25 16:24           ` H. Peter Anvin
2011-05-24 21:46 ` Brian Gerst
2011-05-24 23:01   ` Dan Rosenberg
2011-05-24 22:31 ` H. Peter Anvin
2011-05-24 23:04   ` Dan Rosenberg
2011-05-24 23:07     ` H. Peter Anvin
2011-05-24 23:34       ` Dan Rosenberg
2011-05-24 23:36         ` H. Peter Anvin
2011-05-24 23:14   ` H. Peter Anvin
2011-05-24 23:08 ` Dan Rosenberg
2011-05-25  2:05   ` Dan Rosenberg
2011-05-26 20:01 ` Vivek Goyal
2011-05-26 20:06   ` Dan Rosenberg
2011-05-26 20:16   ` Valdis.Kletnieks
2011-05-26 20:31     ` Vivek Goyal
2011-05-27  9:36       ` Ingo Molnar
2011-05-26 20:35 ` Vivek Goyal
2011-05-26 20:40   ` Vivek Goyal
2011-05-26 20:44     ` Dan Rosenberg
2011-05-26 20:55       ` Vivek Goyal
2011-05-27  9:38         ` Ingo Molnar
2011-05-27 13:07           ` Vivek Goyal
2011-05-27 13:38             ` Ingo Molnar
2011-05-27 13:13       ` Vivek Goyal
2011-05-27 13:21         ` Dan Rosenberg
2011-05-27 13:46           ` Ingo Molnar
2011-05-27 13:50           ` Vivek Goyal
2011-05-26 20:39 ` Dan Rosenberg
2011-05-27  7:15   ` Ingo Molnar
2011-05-31 16:52   ` Matthew Garrett
2011-05-31 18:40     ` H. Peter Anvin
2011-05-31 18:51       ` Matthew Garrett
2011-05-31 19:03         ` Dan Rosenberg [this message]
2011-05-31 19:07           ` H. Peter Anvin
2011-05-31 19:50           ` Ingo Molnar
2011-05-31 19:55           ` Ingo Molnar
2011-05-31 20:15             ` H. Peter Anvin
2011-05-31 20:27               ` Ingo Molnar
2011-05-31 20:30                 ` H. Peter Anvin
2011-06-01  6:18                   ` Ingo Molnar
2011-06-01 15:44                     ` H. Peter Anvin
2011-05-31 20:17             ` Dan Rosenberg
2011-05-26 22:18 ` Rafael J. Wysocki
2011-05-26 22:32   ` H. Peter Anvin
2011-05-27  0:26     ` Dan Rosenberg
2011-05-27 16:21       ` Rafael J. Wysocki
2011-05-27  2:45     ` Dave Jones
2011-05-27  9:40       ` Ingo Molnar
2011-05-27 16:11         ` Rafael J. Wysocki
2011-05-27 16:07     ` Rafael J. Wysocki
2011-05-27 15:42   ` Linus Torvalds
2011-05-27 16:11     ` Dan Rosenberg
2011-05-27 17:00     ` Ingo Molnar
2011-05-27 17:06       ` H. Peter Anvin
2011-05-27 17:10       ` Dan Rosenberg
2011-05-27 17:13         ` H. Peter Anvin
2011-05-27 17:16           ` Linus Torvalds
2011-05-27 17:38             ` Ingo Molnar
2011-05-27 17:20           ` Kees Cook
2011-05-27 17:16         ` Ingo Molnar
2011-05-27 17:21           ` Linus Torvalds
2011-05-27 17:46             ` Ingo Molnar
2011-05-27 17:53               ` H. Peter Anvin
2011-05-27 18:05                 ` Linus Torvalds
2011-05-27 19:15                   ` Vivek Goyal
2011-05-27 21:37                   ` H. Peter Anvin
2011-05-27 23:51                     ` H. Peter Anvin
2011-05-28 12:18                   ` Ingo Molnar
2011-05-29  1:13                     ` H. Peter Anvin
2011-05-29 12:47                       ` Ingo Molnar
2011-05-29 18:19                         ` H. Peter Anvin
2011-05-29 18:44                           ` Ingo Molnar
2011-05-29 18:52                             ` H. Peter Anvin
2011-05-29 19:56                               ` Ingo Molnar
2011-05-27 17:57               ` Linus Torvalds
2011-05-27 18:17                 ` Ingo Molnar
2011-05-27 18:43                   ` Kees Cook
2011-05-27 18:48                   ` david
2011-05-27 21:51                   ` Olivier Galibert
2011-05-27 22:11                     ` Valdis.Kletnieks
2011-05-28  0:50                     ` H. Peter Anvin
2011-05-28  6:32                     ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1306868609.6317.25.camel@dan \
    --to=drosenberg@vsecurity.com \
    --cc=Valdis.Kletnieks@vt.edu \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=arjan@infradead.org \
    --cc=davej@redhat.com \
    --cc=davem@davemloft.net \
    --cc=eranian@google.com \
    --cc=hpa@zytor.com \
    --cc=kees.cook@canonical.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=mjg@redhat.com \
    --cc=pageexec@freemail.hu \
    --cc=penberg@kernel.org \
    --cc=tony.luck@gmail.com \
    --cc=torvalds@linux-foundation.org \
    --cc=vgoyal@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox