Re: amd64: kernel aslr support

To: Maxime Villard <max%m00nbsd.net@localhost>
Subject: Re: amd64: kernel aslr support
From: Thomas Klausner <tk%giga.or.at@localhost>
Date: Tue, 16 Jan 2018 23:54:39 +0100

Hi!

On Wed, Nov 15, 2017 at 07:40:55PM +0100, Maxime Villard wrote:
> Le 14/11/2017 à 15:43, Maxime Villard a écrit :
> > The size and number of these blocks is controlled by the split-by-file
> > parameter in Makefile.amd64. Right now it is set to 2MB, which produces a
> > kernel with ~23 allocatable (ie useful at runtime) sections, which is a third
> > of the total number supported (BTSPACE_NSEGS = 64). I will probably reduce
> > this parameter a bit in the future, to 1.5MB, or even 1MB.
> 
> Actually I just did it. So now it's 1MB (better security), physically shifted
> by the prekern (better entropy), and mapped with large pages (better
> performance). And along the way it mostly mitigates TLB cache attacks.
> 
> This is still wip but feel free to test, as always,

I've tried out the instructions at
http://m00nbsd.net/542a5cfd448aaf7db7adcadce74123d2.html and they
worked fine for me. Thank you!

I have a couple questions:

How can I check (after booting) if the kernel is using ASLR properly?

Why does GENERIC_KASLR disable KDTRACE_HOOKS? Is this necessary, or
are KDTRACE_HOOKS lowering the security somehow?

Thanks,
 Thomas

Follow-Ups:
- Re: amd64: kernel aslr support
  - From: Maxime Villard

References:
- amd64: kernel aslr support
  - From: Maxime Villard
- Re: amd64: kernel aslr support
  - From: Maxime Villard
- Re: amd64: kernel aslr support
  - From: Maxime Villard

Prev by Date: Re: virtual to physical memory address translation
Next by Date: Re: starting dhclient on odroid-c1 (arm)
Previous by Thread: Re: amd64: kernel aslr support
Next by Thread: Re: amd64: kernel aslr support
Indexes:

Home | Main Index | Thread Index | Old Index