Return to kaslr.mdwn CVS log

Up to [NetBSD Developer Wiki] / wikisrc / security

use https

[[!meta title="Using KASLR"]]

NetBSD supports Kernel ASLR on x86 64bit CPUs (amd64), starting from
NetBSD 9.0.

Installation
------------

Install the prekern:

[[!template id=programlisting text="""
# cp /usr/mdec/prekern /
"""]]

Obtain a GENERIC_KASLR kernel. Such a kernel can be either downloaded from
the NetBSD FTP server, for example on:

[[!template id=programlisting text="""
https://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/201812280800Z/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz
"""]]

Or compiled from scratch, using:

[[!template id=programlisting text="""
# cd /usr/src
# ./build.sh kernel=GENERIC_KASLR
"""]]

Install this KASLR kernel:

[[!template id=programlisting text="""
# cp /path/to/your/kaslr/kernel /netbsd_kaslr
"""]]

Finally, add the following line in the `/boot.cfg` file:

[[!template id=filecontent name="/boot.cfg" text="""
menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr
"""]]

Now the installation is complete.

Use
---

To use KASLR, just choose the "Boot KASLR" option in the menu at boot
time. That's it! You are now using Kernel ASLR.

Technical Details
-----------------

Kernel ASLR is applied by default in GENERIC on as many VM areas as possible.
GENERIC_KASLR provides randomization of one more area: the Kernel Image.

Table of what gets randomized:

[[!table data="""
Memory Region		|GENERIC		|GENERIC_KASLR		|Xen dom0/domU
Userland		|Yes			|Yes			|Yes
PTE Area		|Yes			|Yes			|No
Main Kernel Memory	|Yes			|Yes			|Yes
Direct Map		|Yes			|Yes			|[Not Applicable]
PCPU Area		|[Not Applicable]	|[Not Applicable]	|[Not Applicable]
Kernel Image		|No			|Yes			|No
"""]]

Technical Resources
-------------------

* NetBSD.org: [Kernel ASLR on amd64](https://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64)
* NetBSD.org: [The strongest KASLR, ever?](https://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)