File:  [NetBSD Developer Wiki] / wikisrc / security / kaslr.mdwn
Revision 1.5: download - view: text, annotated - select for diffs
Fri Feb 14 06:37:24 2020 UTC (2 years, 7 months ago) by maxv
Branches: MAIN
CVS tags: HEAD
Improve wording.

[[!meta title="Using KASLR"]]

NetBSD supports Kernel ASLR on x86 64bit CPUs (amd64), starting from
NetBSD 9.0.


Install the prekern:

[[!template id=programlisting text="""
# cp /usr/mdec/prekern /

Obtain a GENERIC_KASLR kernel. Such a kernel can be either downloaded from
the NetBSD FTP server, for example on:

[[!template id=programlisting text="""

Or compiled from scratch, using:

[[!template id=programlisting text="""
# cd /usr/src
# ./ kernel=GENERIC_KASLR

Extract this KASLR kernel, and install it:

[[!template id=programlisting text="""
# cp /path/to/your/kaslr/kernel /netbsd_kaslr

Finally, add the following line in the `/boot.cfg` file:

[[!template id=filecontent name="/boot.cfg" text="""
menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr

Now the installation is complete.


To use KASLR, just choose the "Boot KASLR" option in the menu at boot
time. That's it! You are now using Kernel ASLR.

Technical Details

"Kernel ASLR" means randomizing the location of the kernel memory areas.
By default, in GENERIC, all areas are already randomized except one: the
Kernel Image.

The GENERIC_KASLR configuration provides randomization of this additional

Therefore, it should be understood that GENERIC actually provides 80% of
KASLR, and GENERIC_KASLR covers the remaining 20%.

Table of what gets randomized:

[[!table data="""
Memory Region		|GENERIC		|GENERIC_KASLR		|Xen dom0/domU
Userland		|Yes			|Yes			|Yes
PTE Area		|Yes			|Yes			|No
Main Kernel Memory	|Yes			|Yes			|Yes
Direct Map		|Yes			|Yes			|[Not Applicable]
PCPU Area		|[Not Applicable]	|[Not Applicable]	|[Not Applicable]
Kernel Image		|No			|Yes			|No

Technical Resources

* [Kernel ASLR on amd64](
* [The strongest KASLR, ever?](

CVSweb for NetBSD wikisrc <> software: FreeBSD-CVSweb