[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v6 00/27] x86: PIE support and option to extend KASLR randomization

To: Thomas Garnier <thgarnie@xxxxxxxxxxxx>
From: Kees Cook <keescook@xxxxxxxxxxxx>
Date: Fri, 1 Feb 2019 08:59:21 +1300
Cc: Kernel Hardening <kernel-hardening@xxxxxxxxxxxxxxxxxx>, Jan Kiszka <jan.kiszka@xxxxxxxxxxx>, Pavel Machek <pavel@xxxxxx>, Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>, Christoph Lameter <cl@xxxxxxxxx>, Rafael Ávila de Espíndola <rafael@xxxxxxxxxx>, linux-arch <linux-arch@xxxxxxxxxxxxxxx>, Andi Kleen <ak@xxxxxxxxxxxxxxx>, Michael Ellerman <mpe@xxxxxxxxxxxxxx>, Sparse Mailing-list <linux-sparse@xxxxxxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Alexander Popov <alex.popov@xxxxxxxxx>, Len Brown <len.brown@xxxxxxxxx>, Linux PM list <linux-pm@xxxxxxxxxxxxxxx>, Nicholas Piggin <npiggin@xxxxxxxxx>, Cao jin <caoj.fnst@xxxxxxxxxxxxxx>, Mike Rapoport <rppt@xxxxxxxxxxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Dennis Zhou <dennis@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, nixiaoming <nixiaoming@xxxxxxxxxx>, Michal Marek <michal.lkml@xxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Nick Desaulniers <ndesaulniers@xxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, Jia Zhang <qianyue.zj@xxxxxxxxxxxxxxx>, Luis Chamberlain <mcgrof@xxxxxxxxxx>, Masami Hiramatsu <mhiramat@xxxxxxxxxx>, Tejun Heo <tj@xxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, "open list:DOCUMENTATION" <linux-doc@xxxxxxxxxxxxxxx>, "Rafael J. Wysocki" <rjw@xxxxxxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>, Mimi Zohar <zohar@xxxxxxxxxxxxx>, virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx, Masahiro Yamada <yamada.masahiro@xxxxxxxxxxxxx>, Nadav Amit <namit@xxxxxxxxxx>, Kristen Carlson Accardi <kristen@xxxxxxxxxxxxxxx>, Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx>, Joe Lawrence <joe.lawrence@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, Yonghong Song <yhs@xxxxxx>, linux-crypto <linux-crypto@xxxxxxxxxxxxxxx>, "H.J. Lu" <hjl.tools@xxxxxxxxx>, Michael Forney <forney@xxxxxxxxxx>, linux-kbuild <linux-kbuild@xxxxxxxxxxxxxxx>, Jason Baron <jbaron@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>, Thomas Garnier <thgarnie@xxxxxxxxxx>, Song Liu <songliubraving@xxxxxx>, Brijesh Singh <brijesh.singh@xxxxxxx>, Alexander Shishkin <alexander.shishkin@xxxxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Baoquan He <bhe@xxxxxxxxxx>, Jonathan Corbet <corbet@xxxxxxx>, Nayna Jain <nayna@xxxxxxxxxxxxx>, James Hogan <jhogan@xxxxxxxxxx>, Alexey Dobriyan <adobriyan@xxxxxxxxx>, Palmer Dabbelt <palmer@xxxxxxxxxx>, Arnd Bergmann <arnd@xxxxxxxx>, Steven Rostedt <rostedt@xxxxxxxxxxx>, Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>, Alok Kataria <akataria@xxxxxxxxxx>, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>, Michal Hocko <mhocko@xxxxxxxx>, KVM <kvm@xxxxxxxxxxxxxxx>, Radim Krčmář <rkrcmar@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, "H. Peter Anvin" <hpa@xxxxxxxxx>, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, Joerg Roedel <joro@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Jordan Borgner <mail@xxxxxxxxxxxxxxxxx>, Jann Horn <jannh@xxxxxxxxxx>, Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Nathan Chancellor <natechancellor@xxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Francis Deslauriers <francis.deslauriers@xxxxxxxxxxxx>, Adrian Hunter <adrian.hunter@xxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Luc Van Oostenryck <luc.vanoostenryck@xxxxxxxxx>
Delivery-date: Thu, 31 Jan 2019 20:07:43 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Feb 1, 2019 at 8:28 AM Thomas Garnier <thgarnie@xxxxxxxxxxxx> wrote:
> These patches make the changes necessary to build the kernel as Position
> Independent Executable (PIE) on x86_64. A PIE kernel can be relocated below
> the top 2G of the virtual address space. It allows to optionally extend the
> KASLR randomization range from 1G to 3G. The chosen range is the one currently
> available, future changes will allow the kernel module to have a wider
> randomization range.

This also lays the groundwork for doing compilation-unit-granularity
KASLR, as Kristen has been working on. With PIE working, the
relocations are more sane and boot-time reordering becomes possible
(or at least, it becomes the same logically as doing the work on
modules, etc).

-- 
Kees Cook

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH v6 00/27] x86: PIE support and option to extend KASLR randomization
  - From: Thomas Garnier

Prev by Date: Re: [Xen-devel] [PATCH SpectreV1+L1TF v5 3/9] x86/hvm: block speculative out-of-bound accesses
Next by Date: [Xen-devel] [xen-unstable test] 132622: tolerable FAIL - PUSHED
Previous by thread: [Xen-devel] [PATCH v6 18/27] xen: Adapt assembly for PIE support
Next by thread: Re: [Xen-devel] [PATCH v6 00/27] x86: PIE support and option to extend KASLR randomization
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.