Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753310AbcDURos (ORCPT <rfc822;w@1wt.eu>);
	Thu, 21 Apr 2016 13:44:48 -0400
Received: from mx2.suse.de ([195.135.220.15]:37193 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751720AbcDURoq (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 21 Apr 2016 13:44:46 -0400
Date: Thu, 21 Apr 2016 19:44:23 +0200
From: Borislav Petkov <bp@suse.de>
To: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@kernel.org>, Baoquan He <bhe@redhat.com>,
        Yinghai Lu <yinghai@kernel.org>, Ingo Molnar <mingo@redhat.com>,
        x86@kernel.org, Andrew Morton <akpm@linux-foundation.org>,
        Andrey Ryabinin <aryabinin@virtuozzo.com>,
        Dmitry Vyukov <dvyukov@google.com>, "H.J. Lu" <hjl.tools@gmail.com>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Andy Lutomirski <luto@kernel.org>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/5] x86, KASLR: Drop CONFIG_RANDOMIZE_BASE_MAX_OFFSET
Message-ID: <20160421174423.GD29616@pd.tnic>
References: <1461185746-8017-1-git-send-email-keescook@chromium.org>
 <1461185746-8017-3-git-send-email-keescook@chromium.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1461185746-8017-3-git-send-email-keescook@chromium.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3301
Lines: 81

On Wed, Apr 20, 2016 at 01:55:43PM -0700, Kees Cook wrote:
> From: Baoquan He <bhe@redhat.com>
> 
> Currently CONFIG_RANDOMIZE_BASE_MAX_OFFSET is used to limit the maximum
> offset for kernel randomization. This limit doesn't need to be a CONFIG
> since it is tied completely to KERNEL_IMAGE_SIZE, and will make no sense
> once physical and virtual offsets are randomized separately. This patch
> removes CONFIG_RANDOMIZE_BASE_MAX_OFFSET and consolidates the Kconfig
> help text.
> 
> Signed-off-by: Baoquan He <bhe@redhat.com>
> [kees: rewrote changelog, dropped KERNEL_IMAGE_SIZE_DEFAULT, rewrote help]
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  arch/x86/Kconfig                     | 72 ++++++++++++++----------------------
>  arch/x86/boot/compressed/kaslr.c     | 12 +++---
>  arch/x86/include/asm/page_64_types.h |  8 ++--
>  arch/x86/mm/init_32.c                |  3 --
>  4 files changed, 36 insertions(+), 59 deletions(-)
> 
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 2dc18605831f..5892d549596d 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -1932,54 +1932,38 @@ config RELOCATABLE
>  	  (CONFIG_PHYSICAL_START) is used as the minimum location.
>  
>  config RANDOMIZE_BASE
> -	bool "Randomize the address of the kernel image"
> +	bool "Randomize the address of the kernel image (KASLR)"
>  	depends on RELOCATABLE
>  	default n
>  	---help---
> -	   Randomizes the physical and virtual address at which the
> -	   kernel image is decompressed, as a security feature that
> -	   deters exploit attempts relying on knowledge of the location
> -	   of kernel internals.
> +	  In support of Kernel Address Space Layout Randomization (KASLR),
> +	  this randomizes the physical address at which the kernel image
> +	  is decompressed and the virtual address where the kernel

Just say "loaded" here.

> +	  image is mapped, as a security feature that deters exploit
> +	  attempts relying on knowledge of the location of kernel
> +	  code internals.
> +
> +	  The kernel physical and virtual address can be randomized
> +	  from 16MB up to 1GB on 64-bit and 512MB on 32-bit. (Note that
> +	  using RANDOMIZE_BASE reduces the memory space available to
> +	  kernel modules from 1.5GB to 1GB.)
> +
> +	  Entropy is generated using the RDRAND instruction if it is
> +	  supported. If RDTSC is supported, its value is mixed into
> +	  the entropy pool as well. If neither RDRAND nor RDTSC are
> +	  supported, then entropy is read from the i8254 timer.
> +
> +	  Since the kernel is built using 2GB addressing,

Does that try to refer to the 1G kernel and 1G fixmap pagetable
mappings? I.e., level2_kernel_pgt and level2_fixmap_pgt in
arch/x86/kernel/head_64.S?

> and
> +	  PHYSICAL_ALIGN must be at a minimum of 2MB, only 10 bits of
> +	  entropy is theoretically possible. Currently, with the
> +	  default value for PHYSICAL_ALIGN and due to page table
> +	  layouts, 64-bit uses 9 bits of entropy and 32-bit uses 8 bits.
> +
> +	  If CONFIG_HIBERNATE is also enabled, KASLR is disabled at boot
> +	  time. To enable it, boot with "kaslr" on the kernel command
> +	  line (which will also disable hibernation).

...

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
--