x86, kaslr: Return location from decompress_kernel

This allows decompress_kernel to return a new location for the kernel to be relocated to. Additionally, enforces CONFIG_PHYSICAL_START as the minimum relocation position when building with CONFIG_RELOCATABLE. With CONFIG_RANDOMIZE_BASE set, the choose_kernel_location routine will select a new location to decompress the kernel, though here it is presently a no-op. The kernel command line option "nokaslr" is introduced to bypass these routines. Signed-off-by: Kees Cook <keescook@chromium.org> Link: http://lkml.kernel.org/r/1381450698-28710-3-git-send-email-keescook@chromium.org Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
author: Kees Cook <keescook@chromium.org> 2013-10-10 20:18:14 -0400
committer: H. Peter Anvin <hpa@linux.intel.com> 2013-10-13 06:12:07 -0400
commit: 8ab3820fd5b2896d66da7bb2a906bc382e63e7bc (patch)
tree: 50f6f4458f86eb66552c13bef81169e44d27dc28 /arch/x86/Kconfig
parent: dd78b97367bd575918204cc89107c1479d3fc1a7 (diff)
1 files changed, 34 insertions, 4 deletions
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index ee2fb9d37745..992701d4d4f8 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1722,16 +1722,46 @@ config RELOCATABLE
          Note: If CONFIG_RELOCATABLE=y, then the kernel runs from the address
          it has been loaded at and the compile time physical address
-          (CONFIG_PHYSICAL_START) is ignored.
+          (CONFIG_PHYSICAL_START) is used as the minimum location.
-# Relocation on x86-32 needs some additional build support
+config RANDOMIZE_BASE
+        bool "Randomize the address of the kernel image"
+        depends on RELOCATABLE
+        depends on !HIBERNATION
+        default n
+        ---help---
+           Randomizes the physical and virtual address at which the
+           kernel image is decompressed, as a security feature that
+           deters exploit attempts relying on knowledge of the location
+           of kernel internals.
+           Entropy is generated using the RDRAND instruction if it
+           is supported.  If not, then RDTSC is used, if supported. If
+           neither RDRAND nor RDTSC are supported, then no randomness
+           is introduced.
+           The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET,
+           and aligned according to PHYSICAL_ALIGN.
+config RANDOMIZE_BASE_MAX_OFFSET
+        hex "Maximum ASLR offset allowed"
+        depends on RANDOMIZE_BASE
+        default "0x10000000"
+        range 0x0 0x10000000
+        ---help---
+         Determines the maximal offset in bytes that will be applied to the
+         kernel when Address Space Layout Randomization (ASLR) is active.
+         Must be less than or equal to the actual physical memory on the
+         system. This must be a power of two.
+# Relocation on x86 needs some additional build support
 config X86_NEED_RELOCS
        def_bool y
-        depends on X86_32 && RELOCATABLE
+        depends on RANDOMIZE_BASE || (X86_32 && RELOCATABLE)
 config PHYSICAL_ALIGN
        hex "Alignment value to which kernel should be aligned"
-        default "0x1000000"
+        default "0x200000"
        range 0x2000 0x1000000 if X86_32
        range 0x200000 0x1000000 if X86_64
        ---help---
author	Kees Cook <keescook@chromium.org>	2013-10-10 20:18:14 -0400
committer	H. Peter Anvin <hpa@linux.intel.com>	2013-10-13 06:12:07 -0400
commit	8ab3820fd5b2896d66da7bb2a906bc382e63e7bc (patch)
tree	50f6f4458f86eb66552c13bef81169e44d27dc28 /arch/x86/Kconfig
parent	dd78b97367bd575918204cc89107c1479d3fc1a7 (diff)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index ee2fb9d37745..992701d4d4f8 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -1722,16 +1722,46 @@ config RELOCATABLE
1722		1722
1723	Note: If CONFIG_RELOCATABLE=y, then the kernel runs from the address	1723	Note: If CONFIG_RELOCATABLE=y, then the kernel runs from the address
1724	it has been loaded at and the compile time physical address	1724	it has been loaded at and the compile time physical address
1725	(CONFIG_PHYSICAL_START) is ignored.	1725	(CONFIG_PHYSICAL_START) is used as the minimum location.
1726		1726
1727	# Relocation on x86-32 needs some additional build support	1727	config RANDOMIZE_BASE
		1728	bool "Randomize the address of the kernel image"
		1729	depends on RELOCATABLE
		1730	depends on !HIBERNATION
		1731	default n
		1732	---help---
		1733	Randomizes the physical and virtual address at which the
		1734	kernel image is decompressed, as a security feature that
		1735	deters exploit attempts relying on knowledge of the location
		1736	of kernel internals.
		1737
		1738	Entropy is generated using the RDRAND instruction if it
		1739	is supported. If not, then RDTSC is used, if supported. If
		1740	neither RDRAND nor RDTSC are supported, then no randomness
		1741	is introduced.
		1742
		1743	The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET,
		1744	and aligned according to PHYSICAL_ALIGN.
		1745
		1746	config RANDOMIZE_BASE_MAX_OFFSET
		1747	hex "Maximum ASLR offset allowed"
		1748	depends on RANDOMIZE_BASE
		1749	default "0x10000000"
		1750	range 0x0 0x10000000
		1751	---help---
		1752	Determines the maximal offset in bytes that will be applied to the
		1753	kernel when Address Space Layout Randomization (ASLR) is active.
		1754	Must be less than or equal to the actual physical memory on the
		1755	system. This must be a power of two.
		1756
		1757	# Relocation on x86 needs some additional build support
1728	config X86_NEED_RELOCS	1758	config X86_NEED_RELOCS
1729	def_bool y	1759	def_bool y
1730	depends on X86_32 && RELOCATABLE	1760	depends on RANDOMIZE_BASE \|\| (X86_32 && RELOCATABLE)
1731		1761
1732	config PHYSICAL_ALIGN	1762	config PHYSICAL_ALIGN
1733	hex "Alignment value to which kernel should be aligned"	1763	hex "Alignment value to which kernel should be aligned"
1734	default "0x1000000"	1764	default "0x200000"
1735	range 0x2000 0x1000000 if X86_32	1765	range 0x2000 0x1000000 if X86_32
1736	range 0x200000 0x1000000 if X86_64	1766	range 0x200000 0x1000000 if X86_64
1737	---help---	1767	---help---