Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1655375ybi; Thu, 20 Jun 2019 01:19:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqxVffr+UYKZPmbhcKV7C6dcqxbJDcT0q9tz+tPHkQfOdyFQ/TF1Vej3hTMDTM9U/Zqar4NN X-Received: by 2002:a17:902:f01:: with SMTP id 1mr122868318ply.170.1561018774478; Thu, 20 Jun 2019 01:19:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561018774; cv=none; d=google.com; s=arc-20160816; b=pqQ85GBrd/Qcmjv5z57D8wyXPGYIS4GslpJXCLBy30ImP58vyDpErJmc4917tZ10ph X6Hou4jW35h8BtBMNA+8uIizU/BcHijemeDibbGTgu1OVgmg+VxoGj3mTzuRQocJYSeV bMcmAl7h3iQgy4pBEK+n7+tEk9sBfwrjuq0WaY3qwSz+4MrQwpiTc/EG0cqWVNUXKq3b xK3ud6q1j022lfWpJM2zT8YVR9WjeYPKS/earBgY9MIPRU+ASGHisL8BHKjTvccre5ex f0ZQ/+m9YylSwXz3F0jXOuOELfpvZSYIfDDRujATBDAp2A6pmwZLXyrH8+hZ5dX7k5FH VbiQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=L4YztDUoEeZNSItpvBqXAMHzKgEhPW4KSrwgqWZNxZ0=; b=IMMZAa+RxbUAWvxgzKBplDKEUDgBn/kZoaftujyh1c2sa+YHcF/7CqohgigfUXN6oM n7Cp7SnfmdWdbvDRhJ2Dr9Jc8ebnelMjvPi53uS6RYl5lrgLNpNYJI2bqD3/LaLaiRoJ ImL1rixlmm6WI99swCLYcGLcz4PLsNv927pQdaVnHysDD0C5ZzR9xKhd+LZB7Xz2m1eX uo5kEJPZJuyv7y3cfEVeZ5j4FQkSHcRxQqrPm2FmPFzNwEB7TwXbf2nSkex/ZiWkf444 zXUbsoTkSpZz2MNNtuSG6AvpZG6HewEiiNAe7h1PCTVUN8jK11mwuYsOpsw1hW4X3s3a y9Iw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=OBkhp4o3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 2si5171224pgy.541.2019.06.20.01.19.19; Thu, 20 Jun 2019 01:19:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=OBkhp4o3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730611AbfFTIRk (ORCPT + 99 others); Thu, 20 Jun 2019 04:17:40 -0400 Received: from mail-io1-f68.google.com ([209.85.166.68]:36837 "EHLO mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726506AbfFTIRk (ORCPT ); Thu, 20 Jun 2019 04:17:40 -0400 Received: by mail-io1-f68.google.com with SMTP id h6so112462ioh.3 for ; Thu, 20 Jun 2019 01:17:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=L4YztDUoEeZNSItpvBqXAMHzKgEhPW4KSrwgqWZNxZ0=; b=OBkhp4o3op8N2jgrTX4I/tH93sjhXYIrF0FFetZzSv5AC5XT2nhL0Kjz7jdLDHnSGI ArUBUXG3lrb4oqMsxfLQA0Aza0zz9fjxvKqUw7IW8o4VFBzy/sSIGS5DPEVQKynMo4Hq cc72AEowt4e+lj0UWxoRKW5uhJoH1TTTQOQlOB6s030MpuGnWMzevxg9fObiQFOMcUzv 94xb/435Se3+UVm+a1r9qtsgPjAbQ2jsRiaKilMEVCsLHzp7GvyVifWDs/tg7HVxTkHp ngruAOTG+MemFJ5d7eYJAsLl9ylhIpBA+ip8zoTQTIVIdf+3ZqIKhak8k94Nh6iiqbku qG4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=L4YztDUoEeZNSItpvBqXAMHzKgEhPW4KSrwgqWZNxZ0=; b=hvUvdjHJEBw+XdV1rWjJrsbhf/pxAMFYcXra/IiBPnSkoRHvdx+/nJXY0du4iu7VSG 14dmX0ykmgiylBb5gnIHhhVnehuNy/kcW/xOTjc0e4LQ5x+zefMGohgT7zo1SB6HOyWj dGTrPhTv1HFO9SgX57ZPaUGDGcXezxtkPo/ttIgu3nO8gErHHkfOBQL77W8/81xBdEgq ovzdJy7TFWCnQdzXrcLXf1H6gm9NgTQrnjaBGKVMoz2LInJdSB7712owL9mll0OYje1W JePNzil7d71166zshUD4tuNANKqS1rEq+oeOhfW71CdsMX0ZiYZ5++CsOwo7BU6QJXU3 EzHQ== X-Gm-Message-State: APjAAAXdls8Fqy6WRat0CrAz6t5l0JZQ8C/ivnUIR1C7wDsn8Rt//xa0 MgyjmUs5dtzaqUbUMOTcWx7NnAg2+x/yPDMVoN5e6g== X-Received: by 2002:a02:3308:: with SMTP id c8mr33710225jae.103.1561018658694; Thu, 20 Jun 2019 01:17:38 -0700 (PDT) MIME-Version: 1.0 References: <20190620003244.261595-1-ndesaulniers@google.com> <20190620074640.GA27228@brain-police> In-Reply-To: <20190620074640.GA27228@brain-police> From: Ard Biesheuvel Date: Thu, 20 Jun 2019 10:17:25 +0200 Message-ID: Subject: Re: [PATCH] arm64: defconfig: update and enable CONFIG_RANDOMIZE_BASE To: Will Deacon Cc: Nick Desaulniers , Catalin Marinas , Mark Brown , Mark Rutland , Olof Johansson , Maxime Ripard , Jagan Teki , Arnd Bergmann , Shawn Guo , Bjorn Andersson , Dinh Nguyen , Enric Balletbo i Serra , linux-arm-kernel , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 20 Jun 2019 at 09:47, Will Deacon wrote: > > Hi Nick, > > On Wed, Jun 19, 2019 at 05:32:42PM -0700, Nick Desaulniers wrote: > > Generated via: > > $ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make defconfig > > $ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make menuconfig > > > > $ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make savedefconfig > > $ mv defconfig arch/arm64/configs/defconfig > > Hmm, I'm in two minds about whether we want this on by default. On the plus > side, it gets us extra testing coverage, although the /vast/ majority of > firmware implementations I run into either don't pass a seed or don't > provide a working EFI_RNG. Perhaps that's just a chicken-and-egg problem > which can be solved if we shout loud enough when we fail to randomize; we'll > also eventually be in a better position when CPUs start implementing the > v8.5 RNG instructions (but don't hold your breath unless you have an > unusually high lung capacity). > For testing coverage purposes, exercising the relocation machinery etc even on no-kaslr boots would be beneficial imo. (The kernel is relocated once for non-kaslr boots and twice for kaslr boots on kaslr capable kernels) > On the flip side, I worry that it could make debugging more difficult, but I > don't know whether that's a genuine concern or not. I'm assuming you've > debugged your fair share of crashes from KASLR-enabled kernels; how bad is > it? (I'm thinking of the case where somebody mails you part of a panic log > and a .config). > When you are debugging using GDB, it can get a bit tedious, since you have to pass the offset when you load the symbols. However, in that case, you can just pass 'nokaslr' unless you are debugging something that is affected by the randomization. For reading backtraces etc, nothing really changes, since we get symbol+nnn/mmm entries (and the full panic log prints the KASLR offset as well, in case it matters) > Irrespective of the above, I know Catalin was running into issues with his > automated tests where the kernel would die silently during early boot with > some seeds. That's a bit rubbish if it's still the case -- Catalin? > Yes, it would be good if we could fix that. In fact, I would argue that having this change in would have increased the likelihood that someone else would have spotted it and fixed it :-) In fact, given how many Android phones are running this code: Nick, can you check if there are any KASLR related kernel fixes that haven't been upstreamed? > Finally, I know that (K)ASLR can be a bit controversial amongst security > folks, with some seeing it as purely a smoke-and-mirrors game with no > tangible benefits other than making us feel better about ourselves. Is it > still the case that it can be trivially bypassed, or do you see it actually > preventing some attacks in production? > > Sorry for the barrage of questions, but I think enabling this one by default > is quite a significant thing to do and probably deserves a bit of scrutiny > beforehand. > I think it is mostly controversial among non-security folks, who think that every mitigation by itself should be bullet proof. Security folks tend to think more about how each layer reduces the attack surface, hopefully resulting in a secure system when all layers are enabled. So KASLR is known to be broken unless you enable KPTI as well, so that is something we could take into account. I.e., mitigations that don't reduce the attack surface at all are just pointless complexity, which should obviously be avoided. Another thing to note is that the runtime cost of KASLR is ~zero, with the exception of the module PLTs. However, the latter could do with some additional coverage as well, so in summary, I think enabling this is a good thing. Otherwise, we could disable full module randomization so that the module PLT code doesn't get used in practice. Acked-by: Ard Biesheuvel