Annotation of wikisrc/security/kaslr.mdwn, revision 1.5
1.1 maxv 1: [[!meta title="Using KASLR"]]
2:
3: NetBSD supports Kernel ASLR on x86 64bit CPUs (amd64), starting from
4: NetBSD 9.0.
5:
6: Installation
7: ------------
8:
9: Install the prekern:
10:
11: [[!template id=programlisting text="""
12: # cp /usr/mdec/prekern /
13: """]]
14:
15: Obtain a GENERIC_KASLR kernel. Such a kernel can be either downloaded from
16: the NetBSD FTP server, for example on:
17:
18: [[!template id=programlisting text="""
1.5 ! maxv 19: https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0_RC2/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz
1.1 maxv 20: """]]
21:
22: Or compiled from scratch, using:
23:
24: [[!template id=programlisting text="""
25: # cd /usr/src
26: # ./build.sh kernel=GENERIC_KASLR
27: """]]
28:
1.5 ! maxv 29: Extract this KASLR kernel, and install it:
1.1 maxv 30:
31: [[!template id=programlisting text="""
1.3 maxv 32: # cp /path/to/your/kaslr/kernel /netbsd_kaslr
1.1 maxv 33: """]]
34:
35: Finally, add the following line in the `/boot.cfg` file:
36:
37: [[!template id=filecontent name="/boot.cfg" text="""
38: menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr
39: """]]
40:
41: Now the installation is complete.
42:
43: Use
44: ---
45:
46: To use KASLR, just choose the "Boot KASLR" option in the menu at boot
1.3 maxv 47: time. That's it! You are now using Kernel ASLR.
1.1 maxv 48:
1.2 maxv 49: Technical Details
50: -----------------
51:
1.5 ! maxv 52: "Kernel ASLR" means randomizing the location of the kernel memory areas.
! 53: By default, in GENERIC, all areas are already randomized except one: the
! 54: Kernel Image.
! 55:
! 56: The GENERIC_KASLR configuration provides randomization of this additional
! 57: area.
! 58:
! 59: Therefore, it should be understood that GENERIC actually provides 80% of
! 60: KASLR, and GENERIC_KASLR covers the remaining 20%.
1.2 maxv 61:
62: Table of what gets randomized:
63:
64: [[!table data="""
65: Memory Region |GENERIC |GENERIC_KASLR |Xen dom0/domU
66: Userland |Yes |Yes |Yes
67: PTE Area |Yes |Yes |No
68: Main Kernel Memory |Yes |Yes |Yes
69: Direct Map |Yes |Yes |[Not Applicable]
70: PCPU Area |[Not Applicable] |[Not Applicable] |[Not Applicable]
71: Kernel Image |No |Yes |No
72: """]]
73:
1.1 maxv 74: Technical Resources
75: -------------------
76:
1.4 maxv 77: * NetBSD.org: [Kernel ASLR on amd64](https://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64)
78: * NetBSD.org: [The strongest KASLR, ever?](https://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)
1.1 maxv 79:
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb
![[BACK]](/icons/back.gif){kind=icon}
Return to kaslr.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / security