CONFIG_RANDOMIZE_BASE: Randomize the address of the kernel image (KASLR)

General information

The Linux kernel configuration item CONFIG_RANDOMIZE_BASE has multiple definitions:

Randomize the address of the kernel image (KASLR) found in arch/x86/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped, as a security feature that deters exploit attempts relying on knowledge of the location of kernel code internals.

On 64-bit, the kernel physical and virtual addresses are randomized separately. The physical address will be anywhere between 16MB and the top of physical memory (up to 64TB). The virtual address will be randomized from 16MB up to 1GB (9 bits of entropy). Note that this also reduces the memory space available to kernel modules from 1.5GB to 1GB.

On 32-bit, the kernel physical and virtual addresses are randomized together. They will be randomized from 16MB up to 512MB (8 bits of entropy).

Entropy is generated using the RDRAND instruction if it is supported. If RDTSC is supported, its value is mixed into the entropy pool as well. If neither RDRAND nor RDTSC are supported, then entropy is read from the i8254 timer. The usable entropy is limited by the kernel being built using 2GB addressing, and that PHYSICAL_ALIGN must be at a minimum of 2MB. As a result, only 10 bits of entropy are theoretically possible, but the implementations are further limited due to memory layouts.

If unsure, say Y.

Randomize the address of the kernel image (KASLR) found in arch/s390/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the address at which the kernel image is loaded, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

Randomize the address of the kernel (KASLR) found in arch/loongarch/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

Randomizes the physical and virtual address at which the kernel image is loaded, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET.

If unsure, say N.

Randomize the address of the kernel image found in arch/riscv/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

Randomizes the virtual address at which the kernel image is loaded, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

It is the bootloader's job to provide entropy, by passing a random u64 value in /chosen/kaslr-seed at kernel entry.

When booting via the UEFI stub, it will invoke the firmware's EFI_RNG_PROTOCOL implementation (if available) to supply entropy to the kernel proper. In addition, it will randomise the physical location of the kernel Image as well.

If unsure, say N.

Randomize the address of the kernel image found in arch/powerpc/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

Randomizes the virtual address at which the kernel image is loaded, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

If unsure, say Y.

Randomize the address of the kernel image found in arch/mips/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

Randomizes the physical and virtual address at which the kernel image is loaded, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

Entropy is generated using any coprocessor 0 registers available.

The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET.

If unsure, say N.

Randomize the address of the kernel image found in arch/arm64/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

Randomizes the virtual address at which the kernel image is loaded, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

It is the bootloader's job to provide entropy, by passing a random u64 value in /chosen/kaslr-seed at kernel entry.

When booting via the UEFI stub, it will invoke the firmware's EFI_RNG_PROTOCOL implementation (if available) to supply entropy to the kernel proper. In addition, it will randomise the physical location of the kernel Image as well.

If unsure, say N.

Randomize the address of the kernel image found in arch/x86/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

Randomizes the physical and virtual address at which the kernel image is decompressed, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

Entropy is generated using the RDRAND instruction if it is supported. If RDTSC is supported, it is used as well. If neither RDRAND nor RDTSC are supported, then randomness is read from the i8254 timer.

The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET, and aligned according to PHYSICAL_ALIGN. Since the kernel is built using 2GiB addressing, and PHYSICAL_ALIGN must be at a minimum of 2MiB, only 10 bits of entropy are theoretically possible. At best, due to page table layouts, 64-bit can use 9 bits of entropy and 32-bit uses 8 bits.

If unsure, say N.
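The help texts above describe what the option does when it is built in. As an added example (not part of LKDDb or the kernel sources), the following shell functions check whether a given kernel build has CONFIG_RANDOMIZE_BASE enabled and whether it was switched off again at boot. It assumes the kernel's `nokaslr` command-line parameter and a plain-text config file; the function names, verdict strings and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit KASLR state from a kernel config file and a boot command line.

# kaslr_config_state FILE -> prints "y", "n" or "absent"
# "absent" means the symbol is not offered for this architecture/configuration.
kaslr_config_state() {
    if grep -q '^CONFIG_RANDOMIZE_BASE=y$' "$1"; then
        echo y
    elif grep -q '^# CONFIG_RANDOMIZE_BASE is not set$' "$1"; then
        echo n
    else
        echo absent
    fi
}

# kaslr_cmdline_disabled "CMDLINE" -> exit 0 if "nokaslr" appears as its own word
kaslr_cmdline_disabled() {
    case " $1 " in
        *" nokaslr "*) return 0 ;;
    esac
    return 1
}

# kaslr_status FILE "CMDLINE" -> one-word verdict
kaslr_status() {
    case "$(kaslr_config_state "$1")" in
        y)
            if kaslr_cmdline_disabled "$2"; then
                echo disabled-at-boot
            else
                echo enabled
            fi ;;
        n) echo not-built ;;
        *) echo not-available ;;
    esac
}

# Constructed sample input so the example runs offline.
sample_cfg=$(mktemp)
printf '%s\n' 'CONFIG_RELOCATABLE=y' 'CONFIG_RANDOMIZE_BASE=y' \
    'CONFIG_PHYSICAL_ALIGN=0x200000' > "$sample_cfg"
kaslr_status "$sample_cfg" 'root=/dev/sda1 ro quiet'    # enabled
kaslr_status "$sample_cfg" 'root=/dev/sda1 ro nokaslr'  # disabled-at-boot
rm -f "$sample_cfg"

# On a live system (config path is a common distribution convention):
#   kaslr_status "/boot/config-$(uname -r)" "$(cat /proc/cmdline)"
```

An "enabled" verdict only covers the build option and the command line; on arm64 and riscv it does not confirm that the bootloader or UEFI stub actually supplied entropy.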

Hardware

LKDDb

Raw data from LKDDb:

Sources

This page is automatically generated with free (libre, open) software lkddb (see lkddb-sources).

The data is retrieved from:

Automatically generated (in year 2024). See also LKDDb sources on GitLab