Annotation of wikisrc/security/kaslr.mdwn, revision 1.2

1.1       maxv        1: [[!meta title="Using KASLR"]]
                      2: 
                      3: NetBSD supports Kernel ASLR on 64-bit x86 CPUs (amd64), starting with
                      4: NetBSD 9.0.
                      5: 
                      6: Installation
                      7: ------------
                      8: 
                      9: Install the prekern:
                     10: 
                     11: [[!template id=programlisting text="""
                     12: # cp /usr/mdec/prekern /
                     13: """]]
                     14: 
                     15: Obtain a GENERIC_KASLR kernel. Such a kernel can either be downloaded from
                     16: the NetBSD FTP server, for example from:
                     17: 
                     18: [[!template id=programlisting text="""
                     19: http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/201808020450Z/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz
                     20: """]]
                     21: 
                     22: Or compiled from scratch, using:
                     23: 
                     24: [[!template id=programlisting text="""
                     25: # cd /usr/src
                     26: # ./build.sh kernel=GENERIC_KASLR
                     27: """]]
                     28: 
                     29: Install this KASLR kernel:
                     30: 
                     31: [[!template id=programlisting text="""
                     32: # cp /path/to/your/kernel /netbsd_kaslr
                     33: """]]
                     34: 
                     35: Finally, add the following line to the `/boot.cfg` file:
                     36: 
                     37: [[!template id=filecontent name="/boot.cfg" text="""
                     38: menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr
                     39: """]]
                     40: 
                     41: Now the installation is complete.
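
The installation steps above can be checked before rebooting. The script below is an added example, not part of the NetBSD wiki page or the NetBSD tree: the function names `check_kaslr_boot` and `make_sample_root` are hypothetical, the sample tree is constructed, and treating a `rndseed` placed after `pkboot` as never loaded is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the NetBSD wiki): audit the KASLR boot setup.
# ROOT is / on a live system; a constructed scratch tree is used for the demo.

check_kaslr_boot() {
    root=${1%/}; rc=1; prekern=yes
    [ -f "$root/prekern" ] || { prekern=no; echo "FAIL: /prekern is not installed"; }
    [ -f "$root/boot.cfg" ] || { echo "FAIL: /boot.cfg not found"; return 1; }
    while IFS= read -r line; do
        case $line in
            menu=*:*pkboot\ *) ;;   # menu entries that boot through the prekern
            *) continue ;;
        esac
        cmds=${line#menu=}; label=${cmds%%:*}; cmds=${cmds#*:}
        seed=; kernel=
        old_ifs=$IFS; IFS=';'; set -f
        for cmd in $cmds; do
            case $cmd in
                # Assumption: a seed named after pkboot is never loaded.
                rndseed\ *) if [ -z "$kernel" ]; then seed=${cmd#rndseed }; fi ;;
                pkboot\ *)  kernel=${cmd#pkboot }; kernel=${kernel%% *} ;;
            esac
        done
        set +f; IFS=$old_ifs
        if [ -z "$seed" ]; then
            echo "FAIL: '$label' has no rndseed before pkboot"
        elif [ ! -s "$root/${seed#/}" ]; then
            echo "FAIL: '$label' seed file $seed is missing or empty"
        elif [ ! -f "$root/${kernel#/}" ]; then
            echo "FAIL: '$label' kernel /${kernel#/} is missing"
        elif [ "$prekern" = yes ]; then
            echo "OK: '$label' boots /${kernel#/} via the prekern, seeded from $seed"
            rc=0
        fi
    done < "$root/boot.cfg"
    return $rc
}

# Constructed sample tree mirroring the steps on this page.
make_sample_root() {
    mkdir -p "$1/var/db"
    : > "$1/prekern"; : > "$1/netbsd_kaslr"
    echo "constructed-seed" > "$1/var/db/entropy-file"
    printf '%s\n' 'menu=Boot normally:rndseed /var/db/entropy-file;boot netbsd' \
        'menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr' > "$1/boot.cfg"
}

sample=$(mktemp -d) && make_sample_root "$sample" && check_kaslr_boot "$sample"
rm -rf "$sample"
```

On a live system, call `check_kaslr_boot /` as root after editing `/boot.cfg`.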
                     42: 
                     43: Use
                     44: ---
                     45: 
                     46: To use KASLR, just choose the "Boot KASLR" option in the menu at boot
                     47: time. That's it!
                     48: 
1.2     ! maxv       49: Technical Details
        !            50: -----------------
        !            51: 
        !            52: Kernel ASLR is applied by default in GENERIC on as many VM areas as possible.
        !            53: GENERIC_KASLR offers randomization of one more area: the Kernel Image.
        !            54: 
        !            55: Table of what gets randomized:
        !            56: 
        !            57: [[!table data="""
        !            58: Memory Region          |GENERIC                |GENERIC_KASLR          |Xen dom0/domU
        !            59: Userland               |Yes                    |Yes                    |Yes
        !            60: PTE Area               |Yes                    |Yes                    |No
        !            61: Main Kernel Memory     |Yes                    |Yes                    |Yes
        !            62: Direct Map             |Yes                    |Yes                    |[Not Applicable]
        !            63: PCPU Area              |[Not Applicable]       |[Not Applicable]       |[Not Applicable]
        !            64: Kernel Image           |No                     |Yes                    |No
        !            65: """]]
        !            66: 
1.1       maxv       67: Technical Resources
                     68: -------------------
                     69: 
                     70: * NetBSD.org: [Kernel ASLR on amd64](http://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64)
                     71: * NetBSD.org: [The strongest KASLR, ever?](http://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)
                     72: 
