1 files changed, 55 insertions, 4 deletions

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 5216e283820d..cd18b8393400 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1693,16 +1693,67 @@ config RELOCATABLE
 
           Note: If CONFIG_RELOCATABLE=y, then the kernel runs from the address
           it has been loaded at and the compile time physical address
-          (CONFIG_PHYSICAL_START) is ignored.
+          (CONFIG_PHYSICAL_START) is used as the minimum location.
 
-# Relocation on x86-32 needs some additional build support
+config RANDOMIZE_BASE
+        bool "Randomize the address of the kernel image"
+        depends on RELOCATABLE
+        depends on !HIBERNATION
+        default n
+        ---help---
+           Randomizes the physical and virtual address at which the
+           kernel image is decompressed, as a security feature that
+           deters exploit attempts relying on knowledge of the location
+           of kernel internals.
+
+           Entropy is generated using the RDRAND instruction if it is
+           supported. If RDTSC is supported, it is used as well. If
+           neither RDRAND nor RDTSC are supported, then randomness is
+           read from the i8254 timer.
+
+           The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET,
+           and aligned according to PHYSICAL_ALIGN. Since the kernel is
+           built using 2GiB addressing, and PHYSICAL_ALGIN must be at a
+           minimum of 2MiB, only 10 bits of entropy is theoretically
+           possible. At best, due to page table layouts, 64-bit can use
+           9 bits of entropy and 32-bit uses 8 bits.
+
+           If unsure, say N.
+
+config RANDOMIZE_BASE_MAX_OFFSET
+        hex "Maximum kASLR offset allowed" if EXPERT
+        depends on RANDOMIZE_BASE
+        range 0x0 0x20000000 if X86_32
+        default "0x20000000" if X86_32
+        range 0x0 0x40000000 if X86_64
+        default "0x40000000" if X86_64
+        ---help---
+          The lesser of RANDOMIZE_BASE_MAX_OFFSET and available physical
+          memory is used to determine the maximal offset in bytes that will
+          be applied to the kernel when kernel Address Space Layout
+          Randomization (kASLR) is active. This must be a multiple of
+          PHYSICAL_ALIGN.
+
+          On 32-bit this is limited to 512MiB by page table layouts. The
+          default is 512MiB.
+
+          On 64-bit this is limited by how the kernel fixmap page table is
+          positioned, so this cannot be larger than 1GiB currently. Without
+          RANDOMIZE_BASE, there is a 512MiB to 1.5GiB split between kernel
+          and modules. When RANDOMIZE_BASE_MAX_OFFSET is above 512MiB, the
+          modules area will shrink to compensate, up to the current maximum
+          1GiB to 1GiB split. The default is 1GiB.
+
+          If unsure, leave at the default value.
+
+# Relocation on x86 needs some additional build support
 config X86_NEED_RELOCS
         def_bool y
-        depends on X86_32 && RELOCATABLE
+        depends on RANDOMIZE_BASE || (X86_32 && RELOCATABLE)
 
 config PHYSICAL_ALIGN
         hex "Alignment value to which kernel should be aligned"
-        default "0x1000000"
+        default "0x200000"
         range 0x2000 0x1000000 if X86_32
         range 0x200000 0x1000000 if X86_64
         ---help---