Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp2234756ybd; Mon, 24 Jun 2019 03:03:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqx8owX7UCPRMtXam3PZAmFawzdCJoXShO8wofPR0kt3g/A2HykEFlVPgJ5IwiLcJVq81Cwr X-Received: by 2002:a63:f953:: with SMTP id q19mr31892864pgk.367.1561370596365; Mon, 24 Jun 2019 03:03:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561370596; cv=none; d=google.com; s=arc-20160816; b=sErRt9RZGep2nKAKv3s4M6JaB941/26LHOhXokyHowiAbvgo+HU1b6fOu2LU5yUArU YQb8x53vZV5tGnw6Qb/K4YiyYi5n6DhBhXLtH3GS+/mtEmz26gJv60QW20qW1DLlLPdo 38E14oahJ7dOgfMRE5TXn13ZEDECmNXccCr/PxqRjMhhjRbgyXEUPyxZ6bEnhNl4Xc1l RT87bJtzphN+Gt39jO0rsXjoVo1KBDRu+vJRqgRgfyyTO7d0uP6YsBrtCX25+XHD/mQg vzbb8bFjb0qmTqzSaOApKwA0bRt142FkDyCtL16K/iOgLrrWs9PjkLElE9b/XUa/yy1i inWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=RVh9+WS/jGToq2gUiBhH2YYIMQ9rmpQ66QMfMFpq3L0=; b=NLL+mQW6QDYYWJnPGI4TCYgkiFsksbDV1v1WrMikh2kM/aAaVXUCFwIWz4S4Jy8CT6 trfI9JUaKms2sXf/zfq8yj/DszkI78nuHcPpuGDYnAAjC2G+toNEoQBPpfvDL+wgFtsd Qrbb3fPmoNPQgNWZg2PpG8D9i/zpQfn17yv5zGailVgMEPcunZ+0zPUtfksgW7pFt42M EAPKeMhPNczOFd7wPw1e382SszmmmrtcUek0cktrfQ6Sv0c2tyZfG7V0zNpTlk+upyp5 G86SCv5+G2cypJfi9Xin5ZWjArDU7+uEFr2HSLe33dIB7H+kX3MOgh3r1ol1qz1l89UE yiNA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=PH8NPjKF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j95si9759787plb.349.2019.06.24.03.02.57; Mon, 24 Jun 2019 03:03:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=PH8NPjKF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729037AbfFXKCA (ORCPT + 99 others); Mon, 24 Jun 2019 06:02:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:56256 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728881AbfFXJ55 (ORCPT ); Mon, 24 Jun 2019 05:57:57 -0400 Received: from willie-the-truck (236.31.169.217.in-addr.arpa [217.169.31.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E245D21530; Mon, 24 Jun 2019 09:57:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561370276; bh=amAPfe8nFBVpmTr8hMxl5t1uBr6QIyXhovJtfP9avOo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=PH8NPjKFKqV2/Ouf0NiSDD/uMJNA49llccgFqiKtinldirSIcTlW8GeD7XDGvb6Sn Aq/DDm+3wsjcEQD2fmh+hcwrcF6RYoZHw58Ud0RYLFcASrkTuW5R0oBNlPZ7vM0+p7 PuIYwfmfJ1im8epbd6fhZR4K/jkujtC2q43vUgCg= Date: Mon, 24 Jun 2019 10:57:50 +0100 From: Will Deacon To: Nick Desaulniers Cc: Ard Biesheuvel , Kees Cook , Sami Tolvanen , Jeffrey Vander Stoep , Mark Rutland , Enric Balletbo i Serra , Arnd Bergmann , Maxime Ripard , Catalin Marinas , Will Deacon , Linux Kernel Mailing List , Bjorn Andersson , Dinh Nguyen , Mark Brown , Jagan Teki , Olof Johansson , Shawn Guo , linux-arm-kernel Subject: Re: [PATCH] arm64: defconfig: update and enable CONFIG_RANDOMIZE_BASE Message-ID: <20190624095749.wasjfrgcda7ygdr5@willie-the-truck> References: <20190620003244.261595-1-ndesaulniers@google.com> <20190620074640.GA27228@brain-police> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Nick, Kees, Ard, Thanks for the responses. On Fri, Jun 21, 2019 at 01:27:45PM -0700, Nick Desaulniers wrote: > On Thu, Jun 20, 2019 at 1:17 AM Ard Biesheuvel > wrote: > > On Thu, 20 Jun 2019 at 09:47, Will Deacon wrote: > > > On the flip side, I worry that it could make debugging more difficult, but I > > > don't know whether that's a genuine concern or not. I'm assuming you've > > > debugged your fair share of crashes from KASLR-enabled kernels; how bad is > > > it? (I'm thinking of the case where somebody mails you part of a panic log > > > and a .config). > > I don't recall specific cases where KASLR made debugging difficult. I > went and spoke to our stability team that debugs crash reports from > the field. My understanding is that we capture full ramdumps. They > have a lot of custom tooling for debugging, but they did not recall > ever having to disable KASLR to debug further. We've had KASLR > enabled since I think the 2016 Pixel 1, so I assume their tooling > accounts for the seed/offset. > > I think if a full ramdump of the kernel image is loaded into GDB with > the matching kernel image it "just works" but could be mistaken. For > external developers, "nokaslr" boot time param is pretty standard. > > > In fact, given how many Android phones are running this code: Nick, > > can you check if there are any KASLR related kernel fixes that haven't > > been upstreamed? > > I spoke with the android common kernel team that's trying to burn down > their out of tree patches. I triple checked a doc they had where they > had audited every last patch, looking for for KASLR and > CONFIG_RANDOMIZE_BASE. I also triple checked our internal bug tracker > for burning down the out of tree patches. Finally I'm scanning each > branch of our android-common trees via `git log --all --grep > `. I haven't found anything yet, and the > team doesn't expect any out of tree patches related to that feature. > Sorry for not responding sooner, but I'm still going through our 4.4, > 4.9, 4.14, and 4.19 branches. Thanks for having a look. It could be that we've fixed the issue Catalin was running into in the past -- he was going to see if the problem persists with mainline, since it was frequent enough that it was causing us to ignore the results from our testing infrastructure when RANDOMIZE_BASE=y. > > So KASLR is known to be broken unless you enable KPTI as well, so that > > is something we could take into account. I.e., mitigations that don't > > reduce the attack surface at all are just pointless complexity, which > > should obviously be avoided. > > (Note to Sami + Jeff if they had KPTI on their radar) I mean, we could have RANDOMIZE_BASE select UNMAP_KERNEL_AT_EL0 if you like? The latter is already default y and hidden behind EXPERT. > > Another thing to note is that the runtime cost of KASLR is ~zero, with > > the exception of the module PLTs. However, the latter could do with > > some additional coverage as well, so in summary, I think enabling this > > is a good thing. Otherwise, we could disable full module randomization > > so that the module PLT code doesn't get used in practice. > > > > Acked-by: Ard Biesheuvel > > Olof mentioned on IRC that I should resend without the other defconfig > changes. Do others have thoughts on that? That's not a bad idea. If you do that, feel free to add my Ack to the one adding RANDOMIZE_BASE=y: Acked-by: Will Deacon Will