File:  [NetBSD Developer Wiki] / wikisrc / security / kaslr.mdwn
Revision 1.5
Fri Feb 14 06:37:24 2020 UTC (7 months, 1 week ago) by maxv
Branches: MAIN
CVS tags: HEAD
Improve wording.

[[!meta title="Using KASLR"]]

NetBSD supports Kernel ASLR on x86 64-bit CPUs (amd64), starting from
NetBSD 9.0.

Installation
------------

Install the prekern:

[[!template id=programlisting text="""
# cp /usr/mdec/prekern /
"""]]

Obtain a GENERIC_KASLR kernel. Such a kernel can either be downloaded from
the NetBSD FTP server, for example from:

[[!template id=programlisting text="""
https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0_RC2/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz
"""]]

or compiled from scratch, using:

[[!template id=programlisting text="""
# cd /usr/src
# ./build.sh kernel=GENERIC_KASLR
"""]]

Extract this KASLR kernel, and install it:

[[!template id=programlisting text="""
# cp /path/to/your/kaslr/kernel /netbsd_kaslr
"""]]

Finally, add the following line to the `/boot.cfg` file:

[[!template id=filecontent name="/boot.cfg" text="""
menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr
"""]]

Now the installation is complete.

Use
---

To use KASLR, just choose the "Boot KASLR" option in the menu at boot
time. That's it! You are now using Kernel ASLR.

Technical Details
-----------------

"Kernel ASLR" means randomizing the location of the kernel memory areas.
By default, in GENERIC, all areas are already randomized except one: the
Kernel Image.

The GENERIC_KASLR configuration provides randomization of this additional
area.

In other words, GENERIC already provides 80% of KASLR, and GENERIC_KASLR
covers the remaining 20%.

Table of what gets randomized:

[[!table data="""
Memory Region		|GENERIC		|GENERIC_KASLR		|Xen dom0/domU
Userland		|Yes			|Yes			|Yes
PTE Area		|Yes			|Yes			|No
Main Kernel Memory	|Yes			|Yes			|Yes
Direct Map		|Yes			|Yes			|[Not Applicable]
PCPU Area		|[Not Applicable]	|[Not Applicable]	|[Not Applicable]
Kernel Image		|No			|Yes			|No
"""]]

Technical Resources
-------------------

* NetBSD.org: [Kernel ASLR on amd64](https://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64)
* NetBSD.org: [The strongest KASLR, ever?](https://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)

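A check for the result of the Installation steps, as an added example that is not part of the wiki page or of NetBSD's own code: it confirms that the prekern and the kernel named by `pkboot` are in place and that the `/boot.cfg` entry runs `rndseed` before `pkboot`, in the order the page's line uses. The function name `check_kaslr_boot`, its `ROOT` argument and the exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not NetBSD project code. Audits the installation result:
# /prekern, the kernel named by pkboot, and the /boot.cfg menu entry.
# Assumption: menu lines look like "menu=Label:cmd;cmd" as on the page.
# ROOT is a hypothetical parameter: "/" on a live system, or a mounted image.

check_kaslr_boot() {
    root=${1%/}
    cfg="$root/boot.cfg"
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }
    [ -s "$root/prekern" ] || { echo "FAIL: $root/prekern is missing or empty"; return 3; }

    good=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            menu=*:*pkboot\ *) ;;      # only entries that boot through the prekern
            *) continue ;;
        esac
        entry=${line#menu=}
        label=${entry%%:*}
        rest="${entry#*:};"
        seeded=no
        # Walk the ';'-separated commands in the order they appear in the entry.
        while [ -n "$rest" ]; do
            cmd=${rest%%;*}
            rest=${rest#*;}
            case $cmd in
                rndseed\ *) seeded=yes ;;
                pkboot\ *)
                    kernel=${cmd#pkboot }
                    kernel=${kernel%% *}
                    if [ ! -s "$root/${kernel#/}" ]; then
                        echo "FAIL [$label]: kernel '$kernel' not found under $root/"
                    elif [ "$seeded" = no ]; then
                        echo "WARN [$label]: no rndseed command before pkboot"
                    else
                        echo "OK   [$label]: prekern boots $kernel with a seed file"
                        good=$((good + 1))
                    fi ;;
            esac
        done
    done < "$cfg"

    # Succeed only if at least one entry passed every check.
    [ "$good" -gt 0 ] || { echo "FAIL: no usable pkboot entry in $cfg"; return 1; }
}
```

Source the file and run `check_kaslr_boot /` after editing `/boot.cfg`; a non-zero status means the "Boot KASLR" entry would not boot as the page describes.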