From: Kees Cook
Date: Fri, 21 Jun 2019 13:54:10 -0700
Subject: Re: [PATCH] arm64: defconfig: update and enable CONFIG_RANDOMIZE_BASE
To: Nick Desaulniers
Cc: Ard Biesheuvel, Sami Tolvanen, Jeffrey Vander Stoep, Will Deacon, Catalin Marinas, Mark Brown, Mark Rutland, Olof Johansson, Maxime Ripard, Jagan Teki, Arnd Bergmann, Shawn Guo, Bjorn Andersson, Dinh Nguyen, Enric Balletbo i Serra, linux-arm-kernel, Linux Kernel Mailing List
References: <20190620003244.261595-1-ndesaulniers@google.com> <20190620074640.GA27228@brain-police>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jun 21, 2019 at 1:28 PM Nick Desaulniers wrote:
>
> On Thu, Jun 20, 2019 at 1:17 AM Ard Biesheuvel wrote:
> > I think it is mostly controversial among non-security folks, who think
> > that every mitigation by itself should be bullet proof. Security folks
> > tend to think more about how each layer reduces the attack surface,
> > hopefully resulting in a secure system when all layers are enabled.
>
> + Kees, Sami, Jeff
> It's a relatively low cost part of our defense in depth strategy.
> Maybe (Kees, Sami, Jeff) have more thoughts?

Right -- the thought is that it provides more benefit than
complication. It is hardly a perfect defense, but it does provide
building blocks to more interesting situations. For example, once
execute-only memory is more common, KASLR + XOM means there is a not
insignificant defense against automated ROP. And KASLR is a general
precursor to fine-grained KASLR (i.e. randomizing on function).

> > So KASLR is known to be broken unless you enable KPTI as well, so that
> > is something we could take into account. I.e., mitigations that don't
> > reduce the attack surface at all are just pointless complexity, which
> > should obviously be avoided.
>
> (Note to Sami + Jeff if they had KPTI on their radar)

I prefer that KPTI always stay enabled. :)

> > Another thing to note is that the runtime cost of KASLR is ~zero, with
> > the exception of the module PLTs. However, the latter could do with
> > some additional coverage as well, so in summary, I think enabling this
> > is a good thing. Otherwise, we could disable full module randomization
> > so that the module PLT code doesn't get used in practice.
> >
> > Acked-by: Ard Biesheuvel

Reviewed-by: Kees Cook

--
Kees Cook
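
Added example, not part of the original email or of the kernel tree: a build-config audit that encodes the dependency raised in the thread (KASLR is only useful with KPTI, and full module randomization is a separate knob). Only CONFIG_RANDOMIZE_BASE appears in the email; CONFIG_UNMAP_KERNEL_AT_EL0 and CONFIG_RANDOMIZE_MODULE_REGION_FULL are assumed here to be the arm64 Kconfig names of that period for KPTI and full module randomization, and the function names and sample config are constructed.

```shell
#!/bin/sh
# Added example: classify an arm64 kernel .config by the options in this thread.
# Only CONFIG_RANDOMIZE_BASE is named in the email; the other two option names
# are assumptions taken from the arm64 Kconfig of that period.

# cfg_state FILE OPTION: print y or m if set, n if absent or "is not set".
cfg_state() {
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    case "$val" in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'n\n' ;;
    esac
}

# audit_kaslr FILE: print one verdict word.
#   no-kaslr         CONFIG_RANDOMIZE_BASE is off
#   kaslr-no-kpti    KASLR on, KPTI compiled out (the case the thread
#                    describes as "known to be broken")
#   kaslr-kpti       KASLR and KPTI on, modules not fully randomized
#   kaslr-kpti-full  KASLR, KPTI and full module region randomization on
audit_kaslr() {
    kaslr=$(cfg_state "$1" CONFIG_RANDOMIZE_BASE)
    kpti=$(cfg_state "$1" CONFIG_UNMAP_KERNEL_AT_EL0)
    full=$(cfg_state "$1" CONFIG_RANDOMIZE_MODULE_REGION_FULL)
    if [ "$kaslr" != y ]; then
        echo no-kaslr
    elif [ "$kpti" != y ]; then
        echo kaslr-no-kpti
    elif [ "$full" = y ]; then
        echo kaslr-kpti-full
    else
        echo kaslr-kpti
    fi
}

# Constructed sample: KASLR enabled, KPTI compiled out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_ARM64=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_UNMAP_KERNEL_AT_EL0 is not set
CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
EOF
echo "sample config: $(audit_kaslr "$sample")"
rm -f "$sample"
```

This inspects build-time configuration only; boot parameters can still change what is active at runtime.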