Date: Mon, 25 Sep 2017 00:37:08 +0200
From: Pavel Machek <>
To: Ingo Molnar <>
Cc: "H. Peter Anvin" <>, Peter Zijlstra <>,
	Thomas Garnier <>,
	Herbert Xu <>,
	"David S . Miller" <>,
	Thomas Gleixner <>,
	Ingo Molnar <>,
	Josh Poimboeuf <>, Arnd Bergmann <>,
	Matthias Kaehlcke <>,
	Boris Ostrovsky <>,
	Juergen Gross <>,
	Paolo Bonzini <>,
	Radim Krčmář <>,
	Joerg Roedel <>,
	Tom Lendacky <>,
	Andy Lutomirski <>, Borislav Petkov <>,
	Brian Gerst <>,
	"Kirill A . Shutemov" <>,
	"Rafael J . Wysocki" <>,
	Len Brown <>, Tejun Heo <>,
	Christoph Lameter <>,
	Paul Gortmaker <>,
	Chris Metcalf <>,
	Andrew Morton <>,
	"Paul E . McKenney" <>,
	Nicolas Pitre <>,
	Christopher Li <>,
	"Rafael J . Wysocki" <>,
	Lukas Wunner <>,
	Mika Westerberg <>,
	Dou Liyang <>,
	Daniel Borkmann <>,
	Alexei Starovoitov <>,
	Masahiro Yamada <>,
	Markus Trippelsdorf <>,
	Steven Rostedt <>,
	Kees Cook <>, Rik van Riel <>,
	David Howells <>,
	Waiman Long <>, Kyle Huey <>,
	Peter Foley <>,
	Tim Chen <>,
	Catalin Marinas <>,
	Ard Biesheuvel <>,
	Michal Hocko <>,
	Matthew Wilcox <>,
	"H . J . Lu" <>, Paul Bolle <>,
	Rob Landley <>, Baoquan He <>,
	Daniel Micay <>,
	the arch/x86 maintainers <>, LKML <>, kvm list <>,
	Linux PM list <>,
	linux-arch <>,
	Kernel Hardening <>,
	Linus Torvalds <>,
	Borislav Petkov <>
Subject: Re: x86: PIE support and option to extend KASLR randomization


> > We do need to consider how we want modules to fit into whatever model we
> > choose, though.  They can be adjacent, or we could go with a more
> > traditional dynamic link model where the modules can be separate, and
> > chained together with the main kernel via the GOT.
> So I believe we should start with 'adjacent'. The thing is, having modules
> separately randomized mostly helps if any of the secret locations fails and
> we want to prevent hopping from one to the other. But if one of the kernel-privileged
> secret locations fails then KASLR has already failed to a significant degree...
> So I think the large-PIC model for modules does not buy us any real advantages in
> practice, and the disadvantages of large-PIC are real and most Linux users have to
> pay that cost unconditionally, as distro kernels have half of their kernel
> functionality living in modules.
> But I do see fundamental value in being able to hide the kernel somewhere in a ~48
> bits address space, especially if we also implement Linus's suggestion to utilize
> the lower bits as well. 0..281474976710656 is a nicely large range and will get
> larger with time.
> But it should all be done smartly and carefully:
> For example, there would be collision with regular user-space mappings, right?
> Can local unprivileged users use mmap(MAP_FIXED) probing to figure out where
> the kernel lives?

Local unprivileged users can probably get your secret bits using
cache probing and jump prediction buffers.

Yes, you don't want to leak the information using mmap(MAP_FIXED), but
the CPU will leak it for you anyway.


