Annotation of wikisrc/security/kaslr.mdwn, revision 1.5

1.1       maxv        1: [[!meta title="Using KASLR"]]
                      2: 
                      3: NetBSD supports Kernel ASLR on x86 64bit CPUs (amd64), starting from
                      4: NetBSD 9.0.
                      5: 
                      6: Installation
                      7: ------------
                      8: 
                      9: Install the prekern:
                     10: 
                     11: [[!template id=programlisting text="""
                     12: # cp /usr/mdec/prekern /
                     13: """]]
                     14: 
                     15: Obtain a GENERIC_KASLR kernel. Such a kernel can be either downloaded from
                     16: the NetBSD FTP server, for example on:
                     17: 
                     18: [[!template id=programlisting text="""
1.5     ! maxv       19: https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0_RC2/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz
1.1       maxv       20: """]]
                     21: 
                     22: Or compiled from scratch, using:
                     23: 
                     24: [[!template id=programlisting text="""
                     25: # cd /usr/src
                     26: # ./build.sh kernel=GENERIC_KASLR
                     27: """]]
                     28: 
1.5     ! maxv       29: Extract this KASLR kernel, and install it:
1.1       maxv       30: 
                     31: [[!template id=programlisting text="""
1.3       maxv       32: # cp /path/to/your/kaslr/kernel /netbsd_kaslr
1.1       maxv       33: """]]
                     34: 
                     35: Finally, add the following line in the `/boot.cfg` file:
                     36: 
                     37: [[!template id=filecontent name="/boot.cfg" text="""
                     38: menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr
                     39: """]]
                     40: 
                     41: Now the installation is complete.
                     42: 
                     43: Use
                     44: ---
                     45: 
                     46: To use KASLR, just choose the "Boot KASLR" option in the menu at boot
1.3       maxv       47: time. That's it! You are now using Kernel ASLR.
1.1       maxv       48: 
1.2       maxv       49: Technical Details
                     50: -----------------
                     51: 
1.5     ! maxv       52: "Kernel ASLR" means randomizing the location of the kernel memory areas.
        !            53: By default, in GENERIC, all areas are already randomized except one: the
        !            54: Kernel Image.
        !            55: 
        !            56: The GENERIC_KASLR configuration provides randomization of this additional
        !            57: area.
        !            58: 
        !            59: Therefore, it should be understood that GENERIC actually provides 80% of
        !            60: KASLR, and GENERIC_KASLR covers the remaining 20%.
1.2       maxv       61: 
                     62: Table of what gets randomized:
                     63: 
                     64: [[!table data="""
                     65: Memory Region          |GENERIC                |GENERIC_KASLR          |Xen dom0/domU
                     66: Userland               |Yes                    |Yes                    |Yes
                     67: PTE Area               |Yes                    |Yes                    |No
                     68: Main Kernel Memory     |Yes                    |Yes                    |Yes
                     69: Direct Map             |Yes                    |Yes                    |[Not Applicable]
                     70: PCPU Area              |[Not Applicable]       |[Not Applicable]       |[Not Applicable]
                     71: Kernel Image           |No                     |Yes                    |No
                     72: """]]
                     73: 
1.1       maxv       74: Technical Resources
                     75: -------------------
                     76: 
1.4       maxv       77: * NetBSD.org: [Kernel ASLR on amd64](https://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64)
                     78: * NetBSD.org: [The strongest KASLR, ever?](https://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)
1.1       maxv       79: 

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb