Annotation of wikisrc/security/kaslr.mdwn, revision 1.3

1.1       maxv        1: [[!meta title="Using KASLR"]]
                      2: 
                      3: NetBSD supports Kernel ASLR on x86 64-bit CPUs (amd64), starting from
                      4: NetBSD 9.0.
                      5: 
                      6: Installation
                      7: ------------
                      8: 
                      9: Install the prekern:
                     10: 
                     11: [[!template id=programlisting text="""
                     12: # cp /usr/mdec/prekern /
                     13: """]]
                     14: 
                     15: Obtain a GENERIC_KASLR kernel. Such a kernel can either be downloaded from
                     16: the NetBSD FTP server, for example:
                     17: 
                     18: [[!template id=programlisting text="""
                     19: http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/201808020450Z/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz
                     20: """]]
                     21: 
                     22: Or compiled from scratch, using:
                     23: 
                     24: [[!template id=programlisting text="""
                     25: # cd /usr/src
                     26: # ./build.sh kernel=GENERIC_KASLR
                     27: """]]
                     28: 
                     29: Install this KASLR kernel:
                     30: 
                     31: [[!template id=programlisting text="""
1.3     ! maxv       32: # cp /path/to/your/kaslr/kernel /netbsd_kaslr
1.1       maxv       33: """]]
                     34: 
                     35: Finally, add the following line to the `/boot.cfg` file:
                     36: 
                     37: [[!template id=filecontent name="/boot.cfg" text="""
                     38: menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr
                     39: """]]
                     40: 
                     41: Now the installation is complete.
                     42: 
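An added check for the installation steps above (example code, not part of the NetBSD wiki page): it confirms that `/prekern` and the kernel named by `pkboot` exist, and that the `pkboot` menu entry in `/boot.cfg` runs `rndseed` first, as the line shown above does. The function name `check_kaslr_install`, its messages, and the assumption that the kernel sits on the root file system are this example's own.

```shell
#!/bin/sh
# Added example, not from the NetBSD wiki: sanity-check the install steps.
# check_kaslr_install is a hypothetical helper name.
# usage: check_kaslr_install [root]   (root defaults to the real /)
# Prints one line per problem and returns 0 only when none were found.
check_kaslr_install() {
    root=${1:-}
    cfg="$root/boot.cfg"
    rc=0
    found=0

    [ -f "$root/prekern" ] || { echo "missing /prekern"; rc=1; }
    [ -f "$cfg" ] || { echo "missing /boot.cfg"; return 1; }

    while IFS= read -r line; do
        case $line in menu=*) ;; *) continue ;; esac
        cmds=${line#menu=}
        cmds=${cmds#*:}                  # drop the menu title
        seeded=0
        old_ifs=$IFS; IFS=';'; set -f
        set -- $cmds                     # one boot command per argument
        set +f; IFS=$old_ifs
        for cmd in "$@"; do
            cmd=${cmd#"${cmd%%[! ]*}"}   # trim leading spaces
            case $cmd in
                rndseed\ *) seeded=1 ;;
                pkboot\ *)
                    found=1
                    kern=${cmd#pkboot }
                    kern=${kern%% *}     # first word is the kernel file
                    kern=${kern##*:}     # drop an optional "device:" prefix
                    kern=${kern#/}       # assumed to be on the root fs
                    [ "$seeded" -eq 1 ] ||
                        { echo "no rndseed before pkboot $kern"; rc=1; }
                    [ -f "$root/$kern" ] ||
                        { echo "missing kernel /$kern"; rc=1; }
                    ;;
            esac
        done
    done < "$cfg"

    [ "$found" -eq 1 ] || { echo "no pkboot entry in /boot.cfg"; rc=1; }
    return "$rc"
}
```

Call `check_kaslr_install` with no argument to check the running system, or pass a mounted target root.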
                     43: Use
                     44: ---
                     45: 
                     46: To use KASLR, just choose the "Boot KASLR" option in the menu at boot
1.3     ! maxv       47: time. That's it! You are now using Kernel ASLR.
1.1       maxv       48: 
1.2       maxv       49: Technical Details
                     50: -----------------
                     51: 
                     52: Kernel ASLR is applied by default in GENERIC on as many VM areas as possible.
1.3     ! maxv       53: GENERIC_KASLR provides randomization of one more area: the Kernel Image.
1.2       maxv       54: 
                     55: Table of what gets randomized:
                     56: 
                     57: [[!table data="""
                     58: Memory Region          |GENERIC                |GENERIC_KASLR          |Xen dom0/domU
                     59: Userland               |Yes                    |Yes                    |Yes
                     60: PTE Area               |Yes                    |Yes                    |No
                     61: Main Kernel Memory     |Yes                    |Yes                    |Yes
                     62: Direct Map             |Yes                    |Yes                    |[Not Applicable]
                     63: PCPU Area              |[Not Applicable]       |[Not Applicable]       |[Not Applicable]
                     64: Kernel Image           |No                     |Yes                    |No
                     65: """]]
                     66: 
1.1       maxv       67: Technical Resources
                     68: -------------------
                     69: 
                     70: * NetBSD.org: [Kernel ASLR on amd64](http://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64)
                     71: * NetBSD.org: [The strongest KASLR, ever?](http://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)
                     72: 
