diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-01-20 17:45:50 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-01-20 17:45:50 -0500 |
| commit | f4bcd8ccddb02833340652e9f46f5127828eb79d (patch) | |
| tree | 8e00cf5d56b332b129284c070316be1b25d4c3fb /arch/x86/Kconfig | |
| parent | 7fe67a1180db49d41a3f764c379a08f8e31580ec (diff) | |
| parent | da2b6fb990cf782b18952f534ec7323453bc4fc9 (diff) | |
Merge branch 'x86-kaslr-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 kernel address space randomization support from Peter Anvin:
"This enables kernel address space randomization for x86"
* 'x86-kaslr-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86, kaslr: Clarify RANDOMIZE_BASE_MAX_OFFSET
x86, kaslr: Remove unused including <linux/version.h>
x86, kaslr: Use char array to gain sizeof sanity
x86, kaslr: Add a circular multiply for better bit diffusion
x86, kaslr: Mix entropy sources together as needed
x86/relocs: Add percpu fixup for GNU ld 2.23
x86, boot: Rename get_flags() and check_flags() to *_cpuflags()
x86, kaslr: Raise the maximum virtual address to -1 GiB on x86_64
x86, kaslr: Report kernel offset on panic
x86, kaslr: Select random position from e820 maps
x86, kaslr: Provide randomness functions
x86, kaslr: Return location from decompress_kernel
x86, boot: Move CPU flags out of cpucheck
x86, relocs: Add more per-cpu gold special cases
Diffstat (limited to 'arch/x86/Kconfig')
| -rw-r--r-- | arch/x86/Kconfig | 59 |
1 files changed, 55 insertions, 4 deletions
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 5216e283820d..cd18b8393400 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig | |||
| @@ -1693,16 +1693,67 @@ config RELOCATABLE | |||
| 1693 | 1693 | ||
| 1694 | Note: If CONFIG_RELOCATABLE=y, then the kernel runs from the address | 1694 | Note: If CONFIG_RELOCATABLE=y, then the kernel runs from the address |
| 1695 | it has been loaded at and the compile time physical address | 1695 | it has been loaded at and the compile time physical address |
| 1696 | (CONFIG_PHYSICAL_START) is ignored. | 1696 | (CONFIG_PHYSICAL_START) is used as the minimum location. |
| 1697 | 1697 | ||
| 1698 | # Relocation on x86-32 needs some additional build support | 1698 | config RANDOMIZE_BASE |
| 1699 | bool "Randomize the address of the kernel image" | ||
| 1700 | depends on RELOCATABLE | ||
| 1701 | depends on !HIBERNATION | ||
| 1702 | default n | ||
| 1703 | ---help--- | ||
| 1704 | Randomizes the physical and virtual address at which the | ||
| 1705 | kernel image is decompressed, as a security feature that | ||
| 1706 | deters exploit attempts relying on knowledge of the location | ||
| 1707 | of kernel internals. | ||
| 1708 | |||
| 1709 | Entropy is generated using the RDRAND instruction if it is | ||
| 1710 | supported. If RDTSC is supported, it is used as well. If | ||
| 1711 | neither RDRAND nor RDTSC are supported, then randomness is | ||
| 1712 | read from the i8254 timer. | ||
| 1713 | |||
| 1714 | The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET, | ||
| 1715 | and aligned according to PHYSICAL_ALIGN. Since the kernel is | ||
| 1716 | built using 2GiB addressing, and PHYSICAL_ALGIN must be at a | ||
| 1717 | minimum of 2MiB, only 10 bits of entropy is theoretically | ||
| 1718 | possible. At best, due to page table layouts, 64-bit can use | ||
| 1719 | 9 bits of entropy and 32-bit uses 8 bits. | ||
| 1720 | |||
| 1721 | If unsure, say N. | ||
| 1722 | |||
| 1723 | config RANDOMIZE_BASE_MAX_OFFSET | ||
| 1724 | hex "Maximum kASLR offset allowed" if EXPERT | ||
| 1725 | depends on RANDOMIZE_BASE | ||
| 1726 | range 0x0 0x20000000 if X86_32 | ||
| 1727 | default "0x20000000" if X86_32 | ||
| 1728 | range 0x0 0x40000000 if X86_64 | ||
| 1729 | default "0x40000000" if X86_64 | ||
| 1730 | ---help--- | ||
| 1731 | The lesser of RANDOMIZE_BASE_MAX_OFFSET and available physical | ||
| 1732 | memory is used to determine the maximal offset in bytes that will | ||
| 1733 | be applied to the kernel when kernel Address Space Layout | ||
| 1734 | Randomization (kASLR) is active. This must be a multiple of | ||
| 1735 | PHYSICAL_ALIGN. | ||
| 1736 | |||
| 1737 | On 32-bit this is limited to 512MiB by page table layouts. The | ||
| 1738 | default is 512MiB. | ||
| 1739 | |||
| 1740 | On 64-bit this is limited by how the kernel fixmap page table is | ||
| 1741 | positioned, so this cannot be larger than 1GiB currently. Without | ||
| 1742 | RANDOMIZE_BASE, there is a 512MiB to 1.5GiB split between kernel | ||
| 1743 | and modules. When RANDOMIZE_BASE_MAX_OFFSET is above 512MiB, the | ||
| 1744 | modules area will shrink to compensate, up to the current maximum | ||
| 1745 | 1GiB to 1GiB split. The default is 1GiB. | ||
| 1746 | |||
| 1747 | If unsure, leave at the default value. | ||
| 1748 | |||
| 1749 | # Relocation on x86 needs some additional build support | ||
| 1699 | config X86_NEED_RELOCS | 1750 | config X86_NEED_RELOCS |
| 1700 | def_bool y | 1751 | def_bool y |
| 1701 | depends on X86_32 && RELOCATABLE | 1752 | depends on RANDOMIZE_BASE || (X86_32 && RELOCATABLE) |
| 1702 | 1753 | ||
| 1703 | config PHYSICAL_ALIGN | 1754 | config PHYSICAL_ALIGN |
| 1704 | hex "Alignment value to which kernel should be aligned" | 1755 | hex "Alignment value to which kernel should be aligned" |
| 1705 | default "0x1000000" | 1756 | default "0x200000" |
| 1706 | range 0x2000 0x1000000 if X86_32 | 1757 | range 0x2000 0x1000000 if X86_32 |
| 1707 | range 0x200000 0x1000000 if X86_64 | 1758 | range 0x200000 0x1000000 if X86_64 |
| 1708 | ---help--- | 1759 | ---help--- |