File:  [NetBSD Developer Wiki] / wikisrc / security / kaslr.mdwn
Revision 1.5
Fri Feb 14 06:37:24 2020 UTC (19 months ago) by maxv
Branches: MAIN
CVS tags: HEAD
Improve wording.

[[!meta title="Using KASLR"]]

NetBSD supports Kernel ASLR on x86 64-bit CPUs (amd64), starting from
NetBSD 9.0.

Installation
------------

Install the prekern:

[[!template id=programlisting text="""
# cp /usr/mdec/prekern /
"""]]

Obtain a GENERIC_KASLR kernel. Such a kernel can either be downloaded from
the NetBSD FTP server, for example from:

[[!template id=programlisting text="""
https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0_RC2/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz
"""]]

Or it can be compiled from scratch, using:

[[!template id=programlisting text="""
# cd /usr/src
# ./build.sh kernel=GENERIC_KASLR
"""]]

Extract the KASLR kernel and install it:

[[!template id=programlisting text="""
# cp /path/to/your/kaslr/kernel /netbsd_kaslr
"""]]

Finally, add the following line to the `/boot.cfg` file:

[[!template id=filecontent name="/boot.cfg" text="""
menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr
"""]]

Now the installation is complete.
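
To confirm the three pieces are in place before rebooting, the following added example (not part of the original page or of NetBSD) checks a root directory for `/prekern`, a `/boot.cfg` menu entry that uses `pkboot`, and the kernel file that entry names. The helper names `kaslr_entries` and `kaslr_check` are hypothetical, and flagging an entry that has no `rndseed` before `pkboot` is an assumption based only on the order of the line shown above.

```shell
#!/bin/sh
# Added example; kaslr_entries and kaslr_check are hypothetical helper names.

# Print "<seeded|unseeded> <kernel>" for every boot.cfg menu entry using pkboot.
kaslr_entries() (
    set -f                                  # no globbing while splitting on ';'
    # boot.cfg menu syntax: menu=<title>:<command>;<command>;...
    sed -n 's/^menu=[^:]*://p' "$1" | while IFS= read -r cmds; do
        seeded=unseeded
        IFS=';'
        for cmd in $cmds; do
            cmd=${cmd#"${cmd%%[! ]*}"}      # trim leading blanks
            case $cmd in
                "rndseed "*) seeded=seeded ;;
                "pkboot "*)  printf '%s %s\n' "$seeded" "${cmd#pkboot }" ;;
            esac
        done
    done
)

# Check prekern, boot.cfg and each pkboot kernel under root directory $1.
kaslr_check() {
    root=$1 status=0
    [ -f "$root/prekern" ] || { echo "missing: /prekern"; status=1; }
    [ -f "$root/boot.cfg" ] || { echo "missing: /boot.cfg"; return 1; }
    entries=$(kaslr_entries "$root/boot.cfg")
    [ -n "$entries" ] || { echo "no pkboot entry in /boot.cfg"; return 1; }
    while read -r seeded kernel; do
        [ -f "$root/${kernel#/}" ] || { echo "missing kernel: $kernel"; status=1; }
        [ "$seeded" = seeded ] || { echo "no rndseed before: pkboot $kernel"; status=1; }
    done <<EOF
$entries
EOF
    return "$status"
}

# Constructed demo: a throwaway root laid out as the steps above leave it.
demo=$(mktemp -d)
: > "$demo/prekern"; : > "$demo/netbsd_kaslr"
printf '%s\n' 'menu=Boot normally:rndseed /var/db/entropy-file;boot' \
    'menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr' \
    > "$demo/boot.cfg"
kaslr_check "$demo" && echo "KASLR boot entry matches the steps above"
rm -rf "$demo"
```

On an installed system, call `kaslr_check ""` so that the paths resolve to `/prekern`, `/boot.cfg` and the kernel in `/`.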

Use
---

To use KASLR, just choose the "Boot KASLR" option in the menu at boot
time. That's it! You are now using Kernel ASLR.

Technical Details
-----------------

"Kernel ASLR" means randomizing the location of the kernel memory areas.
By default, in GENERIC, all areas are already randomized except one: the
Kernel Image.

The GENERIC_KASLR configuration provides randomization of this additional
area.

Therefore, it should be understood that GENERIC actually provides 80% of
KASLR, and GENERIC_KASLR covers the remaining 20%.

Table of what gets randomized:

[[!table data="""
Memory Region		|GENERIC		|GENERIC_KASLR		|Xen dom0/domU
Userland		|Yes			|Yes			|Yes
PTE Area		|Yes			|Yes			|No
Main Kernel Memory	|Yes			|Yes			|Yes
Direct Map		|Yes			|Yes			|[Not Applicable]
PCPU Area		|[Not Applicable]	|[Not Applicable]	|[Not Applicable]
Kernel Image		|No			|Yes			|No
"""]]

Technical Resources
-------------------

* NetBSD.org: [Kernel ASLR on amd64](https://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64)
* NetBSD.org: [The strongest KASLR, ever?](https://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)

