CONFIG_RANDOMIZE_BASE: Randomize the address of the kernel image

General information

The Linux kernel configuration item CONFIG_RANDOMIZE_BASE has multiple definitions:

Randomize the address of the kernel image (KASLR) found in arch/x86/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped, as a security feature that deters exploit attempts relying on knowledge of the location of kernel code internals.

The kernel physical and virtual address can be randomized from 16MB up to 1GB on 64-bit and 512MB on 32-bit. (Note that using RANDOMIZE_BASE reduces the memory space available to kernel modules from 1.5GB to 1GB.)

Entropy is generated using the RDRAND instruction if it is supported. If RDTSC is supported, its value is mixed into the entropy pool as well. If neither RDRAND nor RDTSC are supported, then entropy is read from the i8254 timer.

Since the kernel is built using 2GB addressing, and PHYSICAL_ALIGN must be at a minimum of 2MB, only 10 bits of entropy is theoretically possible. Currently, with the default value for PHYSICAL_ALIGN and due to page table layouts, 64-bit uses 9 bits of entropy and 32-bit uses 8 bits.

If HIBERNATE is also enabled, KASLR is disabled at boot time. To enable it, boot with "kaslr" on the kernel command line (which will also disable hibernation).

If unsure, say N.

Randomize the address of the kernel image found in arch/arm64/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

Randomizes the virtual address at which the kernel image is loaded, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

It is the bootloader's job to provide entropy, by passing a random u64 value in /chosen/kaslr-seed at kernel entry.

When booting via the UEFI stub, it will invoke the firmware's EFI_RNG_PROTOCOL implementation (if available) to supply entropy to the kernel proper. In addition, it will randomise the physical location of the kernel Image as well.

If unsure, say N.

Randomize the address of the kernel image found in arch/mips/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

Randomizes the physical and virtual address at which the kernel image is loaded, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

Entropy is generated using any coprocessor 0 registers available.

The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET.

If unsure, say N.

Randomize the address of the kernel image found in arch/x86/Kconfig

The configuration item CONFIG_RANDOMIZE_BASE:

Help text

Randomizes the physical and virtual address at which the kernel image is decompressed, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

Entropy is generated using the RDRAND instruction if it is supported. If RDTSC is supported, it is used as well. If neither RDRAND nor RDTSC are supported, then randomness is read from the i8254 timer.

The kernel will be offset by up to RANDOMIZE_BASE_MAX_OFFSET, and aligned according to PHYSICAL_ALIGN. Since the kernel is built using 2GiB addressing, and PHYSICAL_ALIGN must be at a minimum of 2MiB, only 10 bits of entropy is theoretically possible. At best, due to page table layouts, 64-bit can use 9 bits of entropy and 32-bit uses 8 bits.

If unsure, say N.

Hardware

LKDDb

Raw data from LKDDb:

Sources

This page is automatically generated with free (libre, open) software lkddb (see lkddb-sources).

The data is retrieved from:

Automatically generated (in year 2016) with gen-web-lkddb.py in lkddb-sources.