Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <38e10823-8916-66d0-7fe9-1fe465a9c5e0@infradead.org>
Date: Mon, 25 Jun 2018 16:41:09 -0700
From: Randy Dunlap <rdunlap@...radead.org>
To: Thomas Garnier <thgarnie@...gle.com>, kernel-hardening@...ts.openwall.com
Cc: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
 "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
 Matthias Kaehlcke <mka@...omium.org>,
 "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Tom Lendacky <thomas.lendacky@....com>, Cao jin <caoj.fnst@...fujitsu.com>,
 Kees Cook <keescook@...omium.org>, Baoquan He <bhe@...hat.com>,
 "H.J. Lu" <hjl.tools@...il.com>, Jan H. Schönherr
 <jschoenh@...zon.de>, Kate Stewart <kstewart@...uxfoundation.org>,
 Josh Poimboeuf <jpoimboe@...hat.com>, Borislav Petkov <bp@...e.de>,
 Dave Hansen <dave.hansen@...ux.intel.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v5 27/27] x86/kaslr: Add option to extend KASLR range from
 1GB to 3GB

On 06/25/18 15:39, Thomas Garnier wrote:
> Add a new CONFIG_RANDOMIZE_BASE_LARGE option to benefit from PIE
> support. It increases the KASLR range from 1GB to 3GB. The new range
> stars at 0xffffffff00000000 just above the EFI memory region. This
> option is off by default.
> 
> The boot code is adapted to create the appropriate page table spanning
> three PUD pages.
> 
> The relocation table uses 64-bit integers generated with the updated
> relocation tool with the large-reloc option.
> 
> Signed-off-by: Thomas Garnier <thgarnie@...gle.com>
> ---
>  arch/x86/Kconfig                     | 21 +++++++++++++++++++++
>  arch/x86/boot/compressed/Makefile    |  5 +++++
>  arch/x86/boot/compressed/misc.c      | 10 +++++++++-
>  arch/x86/include/asm/page_64_types.h |  9 +++++++++
>  arch/x86/kernel/head64.c             | 15 ++++++++++++---
>  arch/x86/kernel/head_64.S            | 11 ++++++++++-
>  6 files changed, 66 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 42f77aff5df1..f6cb20a66e8a 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2236,6 +2236,27 @@ config X86_PIE
>  	select DYNAMIC_MODULE_BASE
>  	select MODULE_REL_CRCS if MODVERSIONS
>  
> +config RANDOMIZE_BASE_LARGE
> +	bool "Increase the randomization range of the kernel image"
> +	depends on X86_64 && RANDOMIZE_BASE
> +	select X86_PIE
> +	select X86_MODULE_PLTS if MODULES
> +	default n
> +	---help---
> +	  Build the kernel as a Position Independent Executable (PIE) and
> +	  increase the available randomization range from 1GB to 3GB.
> +
> +	  This option impacts performance on kernel CPU intensive workloads up
> +	  to 10% due to PIE generated code. Impact on user-mode processes and
> +	  typical usage would be significantly less (0.50% when you build the

how about:
	                                            (0.5% during a kernel build).

> +	  kernel).
> +
> +	  The kernel and modules will generate slightly more assembly (1 to 2%
> +	  increase on the .text sections). The vmlinux binary will be
> +	  significantly smaller due to less relocations.

preferably s/less/fewer/

> +
> +	  If unsure say N
> +
>  config HOTPLUG_CPU
>  	bool "Support for hot-pluggable CPUs"
>  	depends on SMP


-- 
~Randy

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.