[[!meta title="Using KASLR"]] NetBSD supports Kernel ASLR on x86 64bit CPUs (amd64), starting from NetBSD 9.0. Installation ------------ Install the prekern: [[!template id=programlisting text=""" # cp /usr/mdec/prekern / """]] Obtain a GENERIC_KASLR kernel. Such a kernel can be either downloaded from the NetBSD FTP server, for example on: [[!template id=programlisting text=""" https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0_RC2/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz """]] Or compiled from scratch, using: [[!template id=programlisting text=""" # cd /usr/src # ./build.sh kernel=GENERIC_KASLR """]] Extract this KASLR kernel, and install it: [[!template id=programlisting text=""" # cp /path/to/your/kaslr/kernel /netbsd_kaslr """]] Finally, add the following line in the `/boot.cfg` file: [[!template id=filecontent name="/boot.cfg" text=""" menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr """]] Now the installation is complete. Use --- To use KASLR, just choose the "Boot KASLR" option in the menu at boot time. That's it! You are now using Kernel ASLR. Technical Details ----------------- "Kernel ASLR" means randomizing the location of the kernel memory areas. By default, in GENERIC, all areas are already randomized except one: the Kernel Image. The GENERIC_KASLR configuration provides randomization of this additional area. Therefore, it should be understood that GENERIC actually provides 80% of KASLR, and GENERIC_KASLR covers the remaining 20%. Table of what gets randomized: [[!table data=""" Memory Region |GENERIC |GENERIC_KASLR |Xen dom0/domU Userland |Yes |Yes |Yes PTE Area |Yes |Yes |No Main Kernel Memory |Yes |Yes |Yes Direct Map |Yes |Yes |[Not Applicable] PCPU Area |[Not Applicable] |[Not Applicable] |[Not Applicable] Kernel Image |No |Yes |No """]] Technical Resources ------------------- * NetBSD.org: [Kernel ASLR on amd64](https://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64) * NetBSD.org: [The strongest KASLR, ever?](https://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)