File:  [NetBSD Developer Wiki] / wikisrc / security / kaslr.mdwn
Tue Aug 28 13:11:52 2018 UTC (3 years, 11 months ago) by maxv
Branches: MAIN
CVS tags: HEAD
briefly say that GENERIC does ASLR on kernel memory already

[[!meta title="Using KASLR"]]

NetBSD supports Kernel ASLR on x86 64-bit CPUs (amd64), starting from
NetBSD 9.0.


Install the prekern:

[[!template id=programlisting text="""
# cp /usr/mdec/prekern /
"""]]

Obtain a GENERIC_KASLR kernel. Such a kernel can be either downloaded from
the NetBSD FTP server, for example on:

[[!template id=programlisting text="""
"""]]

Or compiled from scratch, using:

[[!template id=programlisting text="""
# cd /usr/src
# ./ kernel=GENERIC_KASLR
"""]]

Install this KASLR kernel:

[[!template id=programlisting text="""
# cp /path/to/your/kernel /netbsd_kaslr
"""]]

Finally, add the following line to the `/boot.cfg` file:

[[!template id=filecontent name="/boot.cfg" text="""
menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr
"""]]

Now the installation is complete.
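The steps above leave three things that must agree: `/prekern`, the KASLR kernel, and the `/boot.cfg` entry. The following POSIX sh function is an added example (not part of the original page and not NetBSD tooling) that audits them; the name `check_kaslr` and the scratch directory used in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not NetBSD tooling: audit the KASLR install steps from this page.
# Usage: check_kaslr [ROOT]   (ROOT defaults to /; returns 0 when all checks pass)
check_kaslr() {
    root=${1:-/}; root=${root%/}; cfg="$root/boot.cfg"; rc=0; found=0

    # The prekern must have been copied to the root directory.
    [ -s "$root/prekern" ] || { echo "FAIL: $root/prekern missing or empty"; rc=1; }
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }

    # boot.cfg menu lines look like: menu=LABEL:cmd1;cmd2;...
    while IFS= read -r line; do
        case $line in menu=*:*pkboot*) ;; *) continue ;; esac
        label=${line#menu=}; label=${label%%:*}
        cmds=${line#menu=*:}; seeded=0
        oldifs=$IFS; IFS=';'; set -f
        set -- $cmds
        set +f; IFS=$oldifs
        for cmd in "$@"; do
            cmd=${cmd# }
            case $cmd in
            rndseed\ *) seeded=1 ;;
            pkboot\ *)
                found=1
                kern=${cmd#pkboot }; kern=${kern%% *}; kern=${kern#/}
                # The page's entry loads the entropy file first; commands run in order.
                [ "$seeded" -eq 1 ] ||
                    { echo "FAIL: '$label' has no rndseed before pkboot"; rc=1; }
                # Kernel path is resolved relative to ROOT (no device prefix handling).
                [ -s "$root/$kern" ] ||
                    { echo "FAIL: '$label' boots missing kernel /$kern"; rc=1; }
                ;;
            esac
        done
    done < "$cfg"

    [ "$found" -eq 1 ] || { echo "FAIL: no pkboot entry in $cfg"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: prekern, kernel and boot.cfg entry are consistent"
    return "$rc"
}

# Constructed demo: a scratch root laid out as the steps above leave it.
demo_root=$(mktemp -d)
echo prekern > "$demo_root/prekern"; echo kernel > "$demo_root/netbsd_kaslr"
echo 'menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr' > "$demo_root/boot.cfg"
check_kaslr "$demo_root"
```

On an installed system, calling `check_kaslr` with no argument audits `/`; pass a mount point to audit an image before booting it.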


To use KASLR, just choose the "Boot KASLR" option in the menu at boot
time. That's it!

Technical Details

Kernel ASLR is applied by default in GENERIC on as many VM areas as possible.
GENERIC_KASLR offers randomization of one more area: the Kernel Image.

Table of what gets randomized:

[[!table data="""
Memory Region		|GENERIC		|GENERIC_KASLR		|Xen dom0/domU
Userland		|Yes			|Yes			|Yes
PTE Area		|Yes			|Yes			|No
Main Kernel Memory	|Yes			|Yes			|Yes
Direct Map		|Yes			|Yes			|[Not Applicable]
PCPU Area		|[Not Applicable]	|[Not Applicable]	|[Not Applicable]
Kernel Image		|No			|Yes			|No
"""]]

Technical Resources

* [Kernel ASLR on amd64](
* [The strongest KASLR, ever?](
