x86, kaslr: boot-time selectable with hibernation

Changes kASLR from being compile-time selectable (blocked by
CONFIG_HIBERNATION), to being boot-time selectable (with hibernation
available by default) via the "kaslr" kernel command line.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

2 files changed, 8 insertions, 2 deletions

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index fcefdda5136d..a8f749ef0fdc 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1672,7 +1672,6 @@ config RELOCATABLE
 config RANDOMIZE_BASE
         bool "Randomize the address of the kernel image"
         depends on RELOCATABLE
-        depends on !HIBERNATION
         default n
         ---help---
            Randomizes the physical and virtual address at which the
diff --git a/arch/x86/boot/compressed/aslr.c b/arch/x86/boot/compressed/aslr.c
index 4dbf967da50d..fc6091abedb7 100644
--- a/arch/x86/boot/compressed/aslr.c
+++ b/arch/x86/boot/compressed/aslr.c
@@ -289,10 +289,17 @@ unsigned char *choose_kernel_location(unsigned char *input,
         unsigned long choice = (unsigned long)output;
         unsigned long random;
 
+#ifdef CONFIG_HIBERNATION
+        if (!cmdline_find_option_bool("kaslr")) {
+                debug_putstr("KASLR disabled by default...\n");
+                goto out;
+        }
+#else
         if (cmdline_find_option_bool("nokaslr")) {
-                debug_putstr("KASLR disabled...\n");
+                debug_putstr("KASLR disabled by cmdline...\n");
                 goto out;
         }
+#endif
 
         /* Record the various known unsafe memory ranges. */
         mem_avoid_init((unsigned long)input, input_size,