From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: "linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Will Deacon <will.deacon@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Leif Lindholm <leif.lindholm@linaro.org>,
LKML <linux-kernel@vger.kernel.org>,
stuart.yoder@freescale.com, bhupesh.sharma@freescale.com,
Arnd Bergmann <arnd@arndb.de>,
Marc Zyngier <marc.zyngier@arm.com>,
Christoffer Dall <christoffer.dall@linaro.org>
Subject: Re: [PATCH v2 00/13] arm64: implement support for KASLR
Date: Tue, 5 Jan 2016 12:08:22 -0800 [thread overview]
Message-ID: <CAGXu5jKW-Kq7BapCs=fbPqMrkof-69bVV6-6DtQAmGk_odC=kQ@mail.gmail.com> (raw)
In-Reply-To: <1451489172-17420-1-git-send-email-ard.biesheuvel@linaro.org>
On Wed, Dec 30, 2015 at 7:25 AM, Ard Biesheuvel
<ard.biesheuvel@linaro.org> wrote:
> This series implements KASLR for arm64, by building the kernel as a PIE
> executable that can relocate itself at runtime, and moving it to a random
> offset in the vmalloc area. This v2 also implements physical randomization,
> i.e., it allows the kernel to deal with being loaded at any physical offset
> (modulo the required alignment), and invokes the EFI_RNG_PROTOCOL from the
> UEFI stub to obtain random bits and perform the actual randomization of the
> physical load address.
This is great! Thanks for working through all these details.
> Changes since v1/RFC:
> - This series now implements fully independent virtual and physical address
> randomization at load time. I have recycled some patches from this series:
> http://thread.gmane.org/gmane.linux.ports.arm.kernel/455151, and updated the
> final UEFI stub patch to randomize the physical address as well.
I'd love to get virt/phy separated on x86. There was a series, but it
still needs more work. Any one on the kernel-hardening list want to
take a stab at this?
> - Added a patch to deal with the way KVM on arm64 makes assumptions about the
> relation between kernel symbols and the linear mapping (on which the HYP
> mapping is based), as these assumptions cease to be valid once we move the
> kernel Image out of the linear mapping.
> - Updated the module PLT patch so it works on BE kernels as well.
> - Moved the constant Image header values to head.S, and updated the linker
> script to provide the kernel size using R_AARCH64_ABS32 relocation rather
> than a R_AARCH64_ABS64 relocation, since those are always resolved at build
> time. This allows me to get rid of the post-build perl script to swab header
> values on BE kernels.
> - Minor style tweaks.
>
> Notes:
> - These patches apply on top of Mark Rutland's pagetable rework series:
> http://thread.gmane.org/gmane.linux.ports.arm.kernel/462438
> - The arm64 Image is uncompressed by default, and the Elf64_Rela format uses
> 24 bytes per relocation entry. This results in considerable bloat (i.e., a
> couple of MBs worth of relocation data in an .init section). However, no
> build time postprocessing is required, we rely fully on the toolchain to
> produce the image
> - We have to rely on the bootloader to supply some randomness in register x1
> upon kernel entry. Since we have no decompressor, it is simply not feasible
> to collect randomness in the head.S code path before mapping the kernel and
> enabling the MMU.
> - The EFI_RNG_PROTOCOL that is invoked in patch #13 to supply randomness on
> UEFI systems is not universally available. A QEMU/KVM firmware image that
> implements a pseudo-random version is available here:
> http://people.linaro.org/~ard.biesheuvel/QEMU_EFI.fd.aarch64-rng.bz2
> (requires access to PMCCNTR_EL0 and support for AES instructions)
> See below for instructions how to run the pseudo-random version on real
> hardware.
> - Only mildly tested. Help appreciated.
>
> Code can be found here:
> git://git.linaro.org/people/ard.biesheuvel/linux-arm.git arm64-kaslr-v2
> https://git.linaro.org/people/ard.biesheuvel/linux-arm.git/shortlog/refs/heads/arm64-kaslr-v2
>
> Patch #1 updates the OF code to allow the minimum memblock physical address to
> be overridden by the arch.
>
> Patch #2 introduces KIMAGE_VADDR as the base of the kernel virtual region.
>
> Patch #3 memblock_reserve()'s the .bss, swapper_pg_dir and idmap_pg_dir
> individually.
>
> Patch #4 rewrites early_fixmap_init() so it does not rely on the linear mapping
> (i.e., the use of phys_to_virt() is avoided)
>
> Patch #5 updates KVM on arm64 so it can deal with kernel symbols whose addresses
> are not covered by the linear mapping.
>
> Patch #6 moves the kernel virtual mapping to the vmalloc area, along with the
> module region which is kept right below it, as before.
>
> Patch #7 adds support for PLTs in modules so that relative branches can be
> resolved via a PLT if the target is out of range.
>
> Patch #8 moves to the x86 version of the extable implementation so that it no
> longer contains absolute addresses that require fixing up at relocation time,
> but uses relative offsets instead.
>
> Patch #9 reverts some changes to the Image header population code so we no
> longer depend on the linker to populate the header fields. This is necessary
> since the R_AARCH64_ABS relocations that are emitted for these fields are not
> resolved at build time for PIE executables.
>
> Patch #10 updates the code in head.S that needs to execute before relocation to
> avoid the use of values that are subject to dynamic relocation. These values
> will not be populated in PIE executables.
>
> Patch #11 allows the kernel Image to be loaded anywhere in physical memory, by
> decoupling PHYS_OFFSET from the base of the kernel image.
>
> Patch #12 implements the core KASLR, by taking randomness supplied in register x1
> and using it to move the kernel inside the vmalloc area.
>
> Patch #13 adds an invocation of the EFI_RNG_PROTOCOL to supply randomness to the
> kernel proper.
I see a few other things that we'll probably want to add:
- kaslr/nokaslr command line (to either ignore boot loader hint or UEFI rng)
- randomization of module load address (see get_module_load_offset in
arch/x86/kernel/module.c)
- panic reporting of offset (see register_kernel_offset_dumper in
arch/x86/kernel/setup.c)
- vmcoreinfo reporting of offset (though I can't find vmcoreinfo on
arm64, so maybe not, as kexec appears unimplemented)
> Ard Biesheuvel (13):
> of/fdt: make memblock minimum physical address arch configurable
> arm64: introduce KIMAGE_VADDR as the virtual base of the kernel region
> arm64: use more granular reservations for static page table
> allocations
> arm64: decouple early fixmap init from linear mapping
> arm64: kvm: deal with kernel symbols outside of linear mapping
> arm64: move kernel image to base of vmalloc area
> arm64: add support for module PLTs
> arm64: use relative references in exception tables
> arm64: avoid R_AARCH64_ABS64 relocations for Image header fields
> arm64: avoid dynamic relocations in early boot code
> arm64: allow kernel Image to be loaded anywhere in physical memory
> arm64: add support for relocatable kernel
> arm64: efi: invoke EFI_RNG_PROTOCOL to supply KASLR randomness
>
> Documentation/arm64/booting.txt | 15 ++-
> arch/arm/include/asm/kvm_asm.h | 2 +
> arch/arm/include/asm/kvm_mmu.h | 2 +
> arch/arm/kvm/arm.c | 9 +-
> arch/arm/kvm/mmu.c | 12 +-
> arch/arm64/Kconfig | 18 +++
> arch/arm64/Makefile | 10 +-
> arch/arm64/include/asm/assembler.h | 17 ++-
> arch/arm64/include/asm/boot.h | 5 +
> arch/arm64/include/asm/compiler.h | 2 +
> arch/arm64/include/asm/futex.h | 4 +-
> arch/arm64/include/asm/kasan.h | 17 +--
> arch/arm64/include/asm/kernel-pgtable.h | 5 +-
> arch/arm64/include/asm/kvm_asm.h | 21 +--
> arch/arm64/include/asm/kvm_mmu.h | 2 +
> arch/arm64/include/asm/memory.h | 37 ++++--
> arch/arm64/include/asm/module.h | 11 ++
> arch/arm64/include/asm/pgtable.h | 7 -
> arch/arm64/include/asm/uaccess.h | 16 +--
> arch/arm64/include/asm/virt.h | 4 -
> arch/arm64/kernel/Makefile | 1 +
> arch/arm64/kernel/armv8_deprecated.c | 4 +-
> arch/arm64/kernel/efi-entry.S | 9 +-
> arch/arm64/kernel/head.S | 133 ++++++++++++++++---
> arch/arm64/kernel/image.h | 37 ++----
> arch/arm64/kernel/module-plts.c | 137 ++++++++++++++++++++
> arch/arm64/kernel/module.c | 7 +
> arch/arm64/kernel/module.lds | 4 +
> arch/arm64/kernel/setup.c | 15 ++-
> arch/arm64/kernel/vmlinux.lds.S | 29 +++--
> arch/arm64/kvm/debug.c | 4 +-
> arch/arm64/mm/dump.c | 12 +-
> arch/arm64/mm/extable.c | 102 ++++++++++++++-
> arch/arm64/mm/init.c | 75 +++++++++--
> arch/arm64/mm/mmu.c | 132 +++++++------------
> drivers/firmware/efi/libstub/arm-stub.c | 1 -
> drivers/firmware/efi/libstub/arm64-stub.c | 134 ++++++++++++++++---
> drivers/of/fdt.c | 5 +-
> include/linux/efi.h | 5 +-
> scripts/sortextable.c | 6 +-
> virt/kvm/arm/vgic-v3.c | 2 +-
> 41 files changed, 813 insertions(+), 257 deletions(-)
> create mode 100644 arch/arm64/kernel/module-plts.c
> create mode 100644 arch/arm64/kernel/module.lds
>
>
> EFI_RNG_PROTOCOL on real hardware
> =================================
>
> To test whether your UEFI implements the EFI_RNG_PROTOCOL, download the
> following executable and run it from the UEFI Shell:
> http://people.linaro.org/~ard.biesheuvel/RngTest.efi
>
> FS0:\> rngtest
> UEFI RNG Protocol Testing :
> ----------------------------
> -- Locate UEFI RNG Protocol : [Fail - Status = Not Found]
>
> If your UEFI does not implement the EFI_RNG_PROTOCOL, you can download and
> install the pseudo-random version that uses the generic timer and PMCCNTR_EL0
> values and permutes them using a couple of rounds of AES.
> http://people.linaro.org/~ard.biesheuvel/RngDxe.efi
>
> NOTE: not for production!! This is a quick and dirty hack to test the KASLR
> code, and is not suitable for anything else.
>
> FS0:\> rngdxe
> FS0:\> rngtest
> UEFI RNG Protocol Testing :
> ----------------------------
> -- Locate UEFI RNG Protocol : [Pass]
> -- Call RNG->GetInfo() interface :
> >> Supported RNG Algorithm (Count = 2) :
> 0) 44F0DE6E-4D8C-4045-A8C7-4DD168856B9E
> 1) E43176D7-B6E8-4827-B784-7FFDC4B68561
> -- Call RNG->GetRNG() interface :
> >> RNG with default algorithm : [Pass]
> >> RNG with SP800-90-HMAC-256 : [Fail - Status = Unsupported]
> >> RNG with SP800-90-Hash-256 : [Fail - Status = Unsupported]
> >> RNG with SP800-90-CTR-256 : [Pass]
> >> RNG with X9.31-3DES : [Fail - Status = Unsupported]
> >> RNG with X9.31-AES : [Fail - Status = Unsupported]
> >> RNG with RAW Entropy : [Pass]
> -- Random Number Generation Test with default RNG Algorithm (20 Rounds):
> 01) - 27
> 02) - 61E8
> 03) - 496FD8
> 04) - DDD793BF
> 05) - B6C37C8E23
> 06) - 4D183C604A96
> 07) - 9363311DB61298
> 08) - 5715A7294F4E436E
> 09) - F0D4D7BAA0DD52318E
> 10) - C88C6EBCF4C0474D87C3
> 11) - B5594602B482A643932172
> 12) - CA7573F704B2089B726B9CF1
> 13) - A93E9451CB533DCFBA87B97C33
> 14) - 45AA7B83DB6044F7BBAB031F0D24
> 15) - 3DD7A4D61F34ADCB400B5976730DCF
> 16) - 4DD168D21FAB8F59708330D6A9BEB021
> 17) - 4BBB225E61C465F174254159467E65939F
> 18) - 030A156C9616337A20070941E702827DA8E1
> 19) - AB0FC11C9A4E225011382A9D164D9D55CA2B64
> 20) - 72B9B4735DC445E5DA6AF88DE965B7E87CB9A23C
>
Have you done any repeated boot testing? When I originally did x86
kASLR, I had a machine rebooting over and over spitting the _text line
from /proc/kallsyms to the console. This both caught page table corner
cases where the system was unbootable and let me run a statistical
analysis of the offsets, just to make sure there wasn't any glaring
error in either the RNG or the relocation.
Very cool!
-Kees
--
Kees Cook
Chrome OS & Brillo Security
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 00/13] arm64: implement support for KASLR
Date: Tue, 5 Jan 2016 12:08:22 -0800 [thread overview]
Message-ID: <CAGXu5jKW-Kq7BapCs=fbPqMrkof-69bVV6-6DtQAmGk_odC=kQ@mail.gmail.com> (raw)
In-Reply-To: <1451489172-17420-1-git-send-email-ard.biesheuvel@linaro.org>
On Wed, Dec 30, 2015 at 7:25 AM, Ard Biesheuvel
<ard.biesheuvel@linaro.org> wrote:
> This series implements KASLR for arm64, by building the kernel as a PIE
> executable that can relocate itself at runtime, and moving it to a random
> offset in the vmalloc area. This v2 also implements physical randomization,
> i.e., it allows the kernel to deal with being loaded at any physical offset
> (modulo the required alignment), and invokes the EFI_RNG_PROTOCOL from the
> UEFI stub to obtain random bits and perform the actual randomization of the
> physical load address.
This is great! Thanks for working through all these details.
> Changes since v1/RFC:
> - This series now implements fully independent virtual and physical address
> randomization at load time. I have recycled some patches from this series:
> http://thread.gmane.org/gmane.linux.ports.arm.kernel/455151, and updated the
> final UEFI stub patch to randomize the physical address as well.
I'd love to get virt/phy separated on x86. There was a series, but it
still needs more work. Any one on the kernel-hardening list want to
take a stab at this?
> - Added a patch to deal with the way KVM on arm64 makes assumptions about the
> relation between kernel symbols and the linear mapping (on which the HYP
> mapping is based), as these assumptions cease to be valid once we move the
> kernel Image out of the linear mapping.
> - Updated the module PLT patch so it works on BE kernels as well.
> - Moved the constant Image header values to head.S, and updated the linker
> script to provide the kernel size using R_AARCH64_ABS32 relocation rather
> than a R_AARCH64_ABS64 relocation, since those are always resolved at build
> time. This allows me to get rid of the post-build perl script to swab header
> values on BE kernels.
> - Minor style tweaks.
>
> Notes:
> - These patches apply on top of Mark Rutland's pagetable rework series:
> http://thread.gmane.org/gmane.linux.ports.arm.kernel/462438
> - The arm64 Image is uncompressed by default, and the Elf64_Rela format uses
> 24 bytes per relocation entry. This results in considerable bloat (i.e., a
> couple of MBs worth of relocation data in an .init section). However, no
> build time postprocessing is required, we rely fully on the toolchain to
> produce the image
> - We have to rely on the bootloader to supply some randomness in register x1
> upon kernel entry. Since we have no decompressor, it is simply not feasible
> to collect randomness in the head.S code path before mapping the kernel and
> enabling the MMU.
> - The EFI_RNG_PROTOCOL that is invoked in patch #13 to supply randomness on
> UEFI systems is not universally available. A QEMU/KVM firmware image that
> implements a pseudo-random version is available here:
> http://people.linaro.org/~ard.biesheuvel/QEMU_EFI.fd.aarch64-rng.bz2
> (requires access to PMCCNTR_EL0 and support for AES instructions)
> See below for instructions how to run the pseudo-random version on real
> hardware.
> - Only mildly tested. Help appreciated.
>
> Code can be found here:
> git://git.linaro.org/people/ard.biesheuvel/linux-arm.git arm64-kaslr-v2
> https://git.linaro.org/people/ard.biesheuvel/linux-arm.git/shortlog/refs/heads/arm64-kaslr-v2
>
> Patch #1 updates the OF code to allow the minimum memblock physical address to
> be overridden by the arch.
>
> Patch #2 introduces KIMAGE_VADDR as the base of the kernel virtual region.
>
> Patch #3 memblock_reserve()'s the .bss, swapper_pg_dir and idmap_pg_dir
> individually.
>
> Patch #4 rewrites early_fixmap_init() so it does not rely on the linear mapping
> (i.e., the use of phys_to_virt() is avoided)
>
> Patch #5 updates KVM on arm64 so it can deal with kernel symbols whose addresses
> are not covered by the linear mapping.
>
> Patch #6 moves the kernel virtual mapping to the vmalloc area, along with the
> module region which is kept right below it, as before.
>
> Patch #7 adds support for PLTs in modules so that relative branches can be
> resolved via a PLT if the target is out of range.
>
> Patch #8 moves to the x86 version of the extable implementation so that it no
> longer contains absolute addresses that require fixing up at relocation time,
> but uses relative offsets instead.
>
> Patch #9 reverts some changes to the Image header population code so we no
> longer depend on the linker to populate the header fields. This is necessary
> since the R_AARCH64_ABS relocations that are emitted for these fields are not
> resolved at build time for PIE executables.
>
> Patch #10 updates the code in head.S that needs to execute before relocation to
> avoid the use of values that are subject to dynamic relocation. These values
> will not be populated in PIE executables.
>
> Patch #11 allows the kernel Image to be loaded anywhere in physical memory, by
> decoupling PHYS_OFFSET from the base of the kernel image.
>
> Patch #12 implements the core KASLR, by taking randomness supplied in register x1
> and using it to move the kernel inside the vmalloc area.
>
> Patch #13 adds an invocation of the EFI_RNG_PROTOCOL to supply randomness to the
> kernel proper.
I see a few other things that we'll probably want to add:
- kaslr/nokaslr command line (to either ignore boot loader hint or UEFI rng)
- randomization of module load address (see get_module_load_offset in
arch/x86/kernel/module.c)
- panic reporting of offset (see register_kernel_offset_dumper in
arch/x86/kernel/setup.c)
- vmcoreinfo reporting of offset (though I can't find vmcoreinfo on
arm64, so maybe not, as kexec appears unimplemented)
> Ard Biesheuvel (13):
> of/fdt: make memblock minimum physical address arch configurable
> arm64: introduce KIMAGE_VADDR as the virtual base of the kernel region
> arm64: use more granular reservations for static page table
> allocations
> arm64: decouple early fixmap init from linear mapping
> arm64: kvm: deal with kernel symbols outside of linear mapping
> arm64: move kernel image to base of vmalloc area
> arm64: add support for module PLTs
> arm64: use relative references in exception tables
> arm64: avoid R_AARCH64_ABS64 relocations for Image header fields
> arm64: avoid dynamic relocations in early boot code
> arm64: allow kernel Image to be loaded anywhere in physical memory
> arm64: add support for relocatable kernel
> arm64: efi: invoke EFI_RNG_PROTOCOL to supply KASLR randomness
>
> Documentation/arm64/booting.txt | 15 ++-
> arch/arm/include/asm/kvm_asm.h | 2 +
> arch/arm/include/asm/kvm_mmu.h | 2 +
> arch/arm/kvm/arm.c | 9 +-
> arch/arm/kvm/mmu.c | 12 +-
> arch/arm64/Kconfig | 18 +++
> arch/arm64/Makefile | 10 +-
> arch/arm64/include/asm/assembler.h | 17 ++-
> arch/arm64/include/asm/boot.h | 5 +
> arch/arm64/include/asm/compiler.h | 2 +
> arch/arm64/include/asm/futex.h | 4 +-
> arch/arm64/include/asm/kasan.h | 17 +--
> arch/arm64/include/asm/kernel-pgtable.h | 5 +-
> arch/arm64/include/asm/kvm_asm.h | 21 +--
> arch/arm64/include/asm/kvm_mmu.h | 2 +
> arch/arm64/include/asm/memory.h | 37 ++++--
> arch/arm64/include/asm/module.h | 11 ++
> arch/arm64/include/asm/pgtable.h | 7 -
> arch/arm64/include/asm/uaccess.h | 16 +--
> arch/arm64/include/asm/virt.h | 4 -
> arch/arm64/kernel/Makefile | 1 +
> arch/arm64/kernel/armv8_deprecated.c | 4 +-
> arch/arm64/kernel/efi-entry.S | 9 +-
> arch/arm64/kernel/head.S | 133 ++++++++++++++++---
> arch/arm64/kernel/image.h | 37 ++----
> arch/arm64/kernel/module-plts.c | 137 ++++++++++++++++++++
> arch/arm64/kernel/module.c | 7 +
> arch/arm64/kernel/module.lds | 4 +
> arch/arm64/kernel/setup.c | 15 ++-
> arch/arm64/kernel/vmlinux.lds.S | 29 +++--
> arch/arm64/kvm/debug.c | 4 +-
> arch/arm64/mm/dump.c | 12 +-
> arch/arm64/mm/extable.c | 102 ++++++++++++++-
> arch/arm64/mm/init.c | 75 +++++++++--
> arch/arm64/mm/mmu.c | 132 +++++++------------
> drivers/firmware/efi/libstub/arm-stub.c | 1 -
> drivers/firmware/efi/libstub/arm64-stub.c | 134 ++++++++++++++++---
> drivers/of/fdt.c | 5 +-
> include/linux/efi.h | 5 +-
> scripts/sortextable.c | 6 +-
> virt/kvm/arm/vgic-v3.c | 2 +-
> 41 files changed, 813 insertions(+), 257 deletions(-)
> create mode 100644 arch/arm64/kernel/module-plts.c
> create mode 100644 arch/arm64/kernel/module.lds
>
>
> EFI_RNG_PROTOCOL on real hardware
> =================================
>
> To test whether your UEFI implements the EFI_RNG_PROTOCOL, download the
> following executable and run it from the UEFI Shell:
> http://people.linaro.org/~ard.biesheuvel/RngTest.efi
>
> FS0:\> rngtest
> UEFI RNG Protocol Testing :
> ----------------------------
> -- Locate UEFI RNG Protocol : [Fail - Status = Not Found]
>
> If your UEFI does not implement the EFI_RNG_PROTOCOL, you can download and
> install the pseudo-random version that uses the generic timer and PMCCNTR_EL0
> values and permutes them using a couple of rounds of AES.
> http://people.linaro.org/~ard.biesheuvel/RngDxe.efi
>
> NOTE: not for production!! This is a quick and dirty hack to test the KASLR
> code, and is not suitable for anything else.
>
> FS0:\> rngdxe
> FS0:\> rngtest
> UEFI RNG Protocol Testing :
> ----------------------------
> -- Locate UEFI RNG Protocol : [Pass]
> -- Call RNG->GetInfo() interface :
> >> Supported RNG Algorithm (Count = 2) :
> 0) 44F0DE6E-4D8C-4045-A8C7-4DD168856B9E
> 1) E43176D7-B6E8-4827-B784-7FFDC4B68561
> -- Call RNG->GetRNG() interface :
> >> RNG with default algorithm : [Pass]
> >> RNG with SP800-90-HMAC-256 : [Fail - Status = Unsupported]
> >> RNG with SP800-90-Hash-256 : [Fail - Status = Unsupported]
> >> RNG with SP800-90-CTR-256 : [Pass]
> >> RNG with X9.31-3DES : [Fail - Status = Unsupported]
> >> RNG with X9.31-AES : [Fail - Status = Unsupported]
> >> RNG with RAW Entropy : [Pass]
> -- Random Number Generation Test with default RNG Algorithm (20 Rounds):
> 01) - 27
> 02) - 61E8
> 03) - 496FD8
> 04) - DDD793BF
> 05) - B6C37C8E23
> 06) - 4D183C604A96
> 07) - 9363311DB61298
> 08) - 5715A7294F4E436E
> 09) - F0D4D7BAA0DD52318E
> 10) - C88C6EBCF4C0474D87C3
> 11) - B5594602B482A643932172
> 12) - CA7573F704B2089B726B9CF1
> 13) - A93E9451CB533DCFBA87B97C33
> 14) - 45AA7B83DB6044F7BBAB031F0D24
> 15) - 3DD7A4D61F34ADCB400B5976730DCF
> 16) - 4DD168D21FAB8F59708330D6A9BEB021
> 17) - 4BBB225E61C465F174254159467E65939F
> 18) - 030A156C9616337A20070941E702827DA8E1
> 19) - AB0FC11C9A4E225011382A9D164D9D55CA2B64
> 20) - 72B9B4735DC445E5DA6AF88DE965B7E87CB9A23C
>
Have you done any repeated boot testing? When I originally did x86
kASLR, I had a machine rebooting over and over spitting the _text line
from /proc/kallsyms to the console. This both caught page table corner
cases where the system was unbootable and let me run a statistical
analysis of the offsets, just to make sure there wasn't any glaring
error in either the RNG or the relocation.
Very cool!
-Kees
--
Kees Cook
Chrome OS & Brillo Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: "linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Will Deacon <will.deacon@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Leif Lindholm <leif.lindholm@linaro.org>,
LKML <linux-kernel@vger.kernel.org>,
stuart.yoder@freescale.com, bhupesh.sharma@freescale.com,
Arnd Bergmann <arnd@arndb.de>,
Marc Zyngier <marc.zyngier@arm.com>,
Christoffer Dall <christoffer.dall@linaro.org>
Subject: [kernel-hardening] Re: [PATCH v2 00/13] arm64: implement support for KASLR
Date: Tue, 5 Jan 2016 12:08:22 -0800 [thread overview]
Message-ID: <CAGXu5jKW-Kq7BapCs=fbPqMrkof-69bVV6-6DtQAmGk_odC=kQ@mail.gmail.com> (raw)
In-Reply-To: <1451489172-17420-1-git-send-email-ard.biesheuvel@linaro.org>
On Wed, Dec 30, 2015 at 7:25 AM, Ard Biesheuvel
<ard.biesheuvel@linaro.org> wrote:
> This series implements KASLR for arm64, by building the kernel as a PIE
> executable that can relocate itself at runtime, and moving it to a random
> offset in the vmalloc area. This v2 also implements physical randomization,
> i.e., it allows the kernel to deal with being loaded at any physical offset
> (modulo the required alignment), and invokes the EFI_RNG_PROTOCOL from the
> UEFI stub to obtain random bits and perform the actual randomization of the
> physical load address.
This is great! Thanks for working through all these details.
> Changes since v1/RFC:
> - This series now implements fully independent virtual and physical address
> randomization at load time. I have recycled some patches from this series:
> http://thread.gmane.org/gmane.linux.ports.arm.kernel/455151, and updated the
> final UEFI stub patch to randomize the physical address as well.
I'd love to get virt/phy separated on x86. There was a series, but it
still needs more work. Any one on the kernel-hardening list want to
take a stab at this?
> - Added a patch to deal with the way KVM on arm64 makes assumptions about the
> relation between kernel symbols and the linear mapping (on which the HYP
> mapping is based), as these assumptions cease to be valid once we move the
> kernel Image out of the linear mapping.
> - Updated the module PLT patch so it works on BE kernels as well.
> - Moved the constant Image header values to head.S, and updated the linker
> script to provide the kernel size using R_AARCH64_ABS32 relocation rather
> than a R_AARCH64_ABS64 relocation, since those are always resolved at build
> time. This allows me to get rid of the post-build perl script to swab header
> values on BE kernels.
> - Minor style tweaks.
>
> Notes:
> - These patches apply on top of Mark Rutland's pagetable rework series:
> http://thread.gmane.org/gmane.linux.ports.arm.kernel/462438
> - The arm64 Image is uncompressed by default, and the Elf64_Rela format uses
> 24 bytes per relocation entry. This results in considerable bloat (i.e., a
> couple of MBs worth of relocation data in an .init section). However, no
> build time postprocessing is required, we rely fully on the toolchain to
> produce the image
> - We have to rely on the bootloader to supply some randomness in register x1
> upon kernel entry. Since we have no decompressor, it is simply not feasible
> to collect randomness in the head.S code path before mapping the kernel and
> enabling the MMU.
> - The EFI_RNG_PROTOCOL that is invoked in patch #13 to supply randomness on
> UEFI systems is not universally available. A QEMU/KVM firmware image that
> implements a pseudo-random version is available here:
> http://people.linaro.org/~ard.biesheuvel/QEMU_EFI.fd.aarch64-rng.bz2
> (requires access to PMCCNTR_EL0 and support for AES instructions)
> See below for instructions how to run the pseudo-random version on real
> hardware.
> - Only mildly tested. Help appreciated.
>
> Code can be found here:
> git://git.linaro.org/people/ard.biesheuvel/linux-arm.git arm64-kaslr-v2
> https://git.linaro.org/people/ard.biesheuvel/linux-arm.git/shortlog/refs/heads/arm64-kaslr-v2
>
> Patch #1 updates the OF code to allow the minimum memblock physical address to
> be overridden by the arch.
>
> Patch #2 introduces KIMAGE_VADDR as the base of the kernel virtual region.
>
> Patch #3 memblock_reserve()'s the .bss, swapper_pg_dir and idmap_pg_dir
> individually.
>
> Patch #4 rewrites early_fixmap_init() so it does not rely on the linear mapping
> (i.e., the use of phys_to_virt() is avoided)
>
> Patch #5 updates KVM on arm64 so it can deal with kernel symbols whose addresses
> are not covered by the linear mapping.
>
> Patch #6 moves the kernel virtual mapping to the vmalloc area, along with the
> module region which is kept right below it, as before.
>
> Patch #7 adds support for PLTs in modules so that relative branches can be
> resolved via a PLT if the target is out of range.
>
> Patch #8 moves to the x86 version of the extable implementation so that it no
> longer contains absolute addresses that require fixing up at relocation time,
> but uses relative offsets instead.
>
> Patch #9 reverts some changes to the Image header population code so we no
> longer depend on the linker to populate the header fields. This is necessary
> since the R_AARCH64_ABS relocations that are emitted for these fields are not
> resolved at build time for PIE executables.
>
> Patch #10 updates the code in head.S that needs to execute before relocation to
> avoid the use of values that are subject to dynamic relocation. These values
> will not be populated in PIE executables.
>
> Patch #11 allows the kernel Image to be loaded anywhere in physical memory, by
> decoupling PHYS_OFFSET from the base of the kernel image.
>
> Patch #12 implements the core KASLR, by taking randomness supplied in register x1
> and using it to move the kernel inside the vmalloc area.
>
> Patch #13 adds an invocation of the EFI_RNG_PROTOCOL to supply randomness to the
> kernel proper.
I see a few other things that we'll probably want to add:
- kaslr/nokaslr command line (to either ignore boot loader hint or UEFI rng)
- randomization of module load address (see get_module_load_offset in
arch/x86/kernel/module.c)
- panic reporting of offset (see register_kernel_offset_dumper in
arch/x86/kernel/setup.c)
- vmcoreinfo reporting of offset (though I can't find vmcoreinfo on
arm64, so maybe not, as kexec appears unimplemented)
> Ard Biesheuvel (13):
> of/fdt: make memblock minimum physical address arch configurable
> arm64: introduce KIMAGE_VADDR as the virtual base of the kernel region
> arm64: use more granular reservations for static page table
> allocations
> arm64: decouple early fixmap init from linear mapping
> arm64: kvm: deal with kernel symbols outside of linear mapping
> arm64: move kernel image to base of vmalloc area
> arm64: add support for module PLTs
> arm64: use relative references in exception tables
> arm64: avoid R_AARCH64_ABS64 relocations for Image header fields
> arm64: avoid dynamic relocations in early boot code
> arm64: allow kernel Image to be loaded anywhere in physical memory
> arm64: add support for relocatable kernel
> arm64: efi: invoke EFI_RNG_PROTOCOL to supply KASLR randomness
>
> Documentation/arm64/booting.txt | 15 ++-
> arch/arm/include/asm/kvm_asm.h | 2 +
> arch/arm/include/asm/kvm_mmu.h | 2 +
> arch/arm/kvm/arm.c | 9 +-
> arch/arm/kvm/mmu.c | 12 +-
> arch/arm64/Kconfig | 18 +++
> arch/arm64/Makefile | 10 +-
> arch/arm64/include/asm/assembler.h | 17 ++-
> arch/arm64/include/asm/boot.h | 5 +
> arch/arm64/include/asm/compiler.h | 2 +
> arch/arm64/include/asm/futex.h | 4 +-
> arch/arm64/include/asm/kasan.h | 17 +--
> arch/arm64/include/asm/kernel-pgtable.h | 5 +-
> arch/arm64/include/asm/kvm_asm.h | 21 +--
> arch/arm64/include/asm/kvm_mmu.h | 2 +
> arch/arm64/include/asm/memory.h | 37 ++++--
> arch/arm64/include/asm/module.h | 11 ++
> arch/arm64/include/asm/pgtable.h | 7 -
> arch/arm64/include/asm/uaccess.h | 16 +--
> arch/arm64/include/asm/virt.h | 4 -
> arch/arm64/kernel/Makefile | 1 +
> arch/arm64/kernel/armv8_deprecated.c | 4 +-
> arch/arm64/kernel/efi-entry.S | 9 +-
> arch/arm64/kernel/head.S | 133 ++++++++++++++++---
> arch/arm64/kernel/image.h | 37 ++----
> arch/arm64/kernel/module-plts.c | 137 ++++++++++++++++++++
> arch/arm64/kernel/module.c | 7 +
> arch/arm64/kernel/module.lds | 4 +
> arch/arm64/kernel/setup.c | 15 ++-
> arch/arm64/kernel/vmlinux.lds.S | 29 +++--
> arch/arm64/kvm/debug.c | 4 +-
> arch/arm64/mm/dump.c | 12 +-
> arch/arm64/mm/extable.c | 102 ++++++++++++++-
> arch/arm64/mm/init.c | 75 +++++++++--
> arch/arm64/mm/mmu.c | 132 +++++++------------
> drivers/firmware/efi/libstub/arm-stub.c | 1 -
> drivers/firmware/efi/libstub/arm64-stub.c | 134 ++++++++++++++++---
> drivers/of/fdt.c | 5 +-
> include/linux/efi.h | 5 +-
> scripts/sortextable.c | 6 +-
> virt/kvm/arm/vgic-v3.c | 2 +-
> 41 files changed, 813 insertions(+), 257 deletions(-)
> create mode 100644 arch/arm64/kernel/module-plts.c
> create mode 100644 arch/arm64/kernel/module.lds
>
>
> EFI_RNG_PROTOCOL on real hardware
> =================================
>
> To test whether your UEFI implements the EFI_RNG_PROTOCOL, download the
> following executable and run it from the UEFI Shell:
> http://people.linaro.org/~ard.biesheuvel/RngTest.efi
>
> FS0:\> rngtest
> UEFI RNG Protocol Testing :
> ----------------------------
> -- Locate UEFI RNG Protocol : [Fail - Status = Not Found]
>
> If your UEFI does not implement the EFI_RNG_PROTOCOL, you can download and
> install the pseudo-random version that uses the generic timer and PMCCNTR_EL0
> values and permutes them using a couple of rounds of AES.
> http://people.linaro.org/~ard.biesheuvel/RngDxe.efi
>
> NOTE: not for production!! This is a quick and dirty hack to test the KASLR
> code, and is not suitable for anything else.
>
> FS0:\> rngdxe
> FS0:\> rngtest
> UEFI RNG Protocol Testing :
> ----------------------------
> -- Locate UEFI RNG Protocol : [Pass]
> -- Call RNG->GetInfo() interface :
> >> Supported RNG Algorithm (Count = 2) :
> 0) 44F0DE6E-4D8C-4045-A8C7-4DD168856B9E
> 1) E43176D7-B6E8-4827-B784-7FFDC4B68561
> -- Call RNG->GetRNG() interface :
> >> RNG with default algorithm : [Pass]
> >> RNG with SP800-90-HMAC-256 : [Fail - Status = Unsupported]
> >> RNG with SP800-90-Hash-256 : [Fail - Status = Unsupported]
> >> RNG with SP800-90-CTR-256 : [Pass]
> >> RNG with X9.31-3DES : [Fail - Status = Unsupported]
> >> RNG with X9.31-AES : [Fail - Status = Unsupported]
> >> RNG with RAW Entropy : [Pass]
> -- Random Number Generation Test with default RNG Algorithm (20 Rounds):
> 01) - 27
> 02) - 61E8
> 03) - 496FD8
> 04) - DDD793BF
> 05) - B6C37C8E23
> 06) - 4D183C604A96
> 07) - 9363311DB61298
> 08) - 5715A7294F4E436E
> 09) - F0D4D7BAA0DD52318E
> 10) - C88C6EBCF4C0474D87C3
> 11) - B5594602B482A643932172
> 12) - CA7573F704B2089B726B9CF1
> 13) - A93E9451CB533DCFBA87B97C33
> 14) - 45AA7B83DB6044F7BBAB031F0D24
> 15) - 3DD7A4D61F34ADCB400B5976730DCF
> 16) - 4DD168D21FAB8F59708330D6A9BEB021
> 17) - 4BBB225E61C465F174254159467E65939F
> 18) - 030A156C9616337A20070941E702827DA8E1
> 19) - AB0FC11C9A4E225011382A9D164D9D55CA2B64
> 20) - 72B9B4735DC445E5DA6AF88DE965B7E87CB9A23C
>
Have you done any repeated boot testing? When I originally did x86
kASLR, I had a machine rebooting over and over spitting the _text line
from /proc/kallsyms to the console. This both caught page table corner
cases where the system was unbootable and let me run a statistical
analysis of the offsets, just to make sure there wasn't any glaring
error in either the RNG or the relocation.
Very cool!
-Kees
--
Kees Cook
Chrome OS & Brillo Security
next prev parent reply other threads:[~2016-01-05 20:08 UTC|newest]
Thread overview: 156+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-30 15:25 [PATCH v2 00/13] arm64: implement support for KASLR Ard Biesheuvel
2015-12-30 15:25 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:25 ` Ard Biesheuvel
2015-12-30 15:26 ` [PATCH v2 01/13] of/fdt: make memblock minimum physical address arch configurable Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2015-12-30 15:26 ` [PATCH v2 02/13] arm64: introduce KIMAGE_VADDR as the virtual base of the kernel region Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2016-01-05 14:36 ` Christoffer Dall
2016-01-05 14:36 ` [kernel-hardening] " Christoffer Dall
2016-01-05 14:36 ` Christoffer Dall
2016-01-05 14:46 ` Mark Rutland
2016-01-05 14:46 ` [kernel-hardening] " Mark Rutland
2016-01-05 14:46 ` Mark Rutland
2016-01-05 14:58 ` Christoffer Dall
2016-01-05 14:58 ` [kernel-hardening] " Christoffer Dall
2016-01-05 14:58 ` Christoffer Dall
2015-12-30 15:26 ` [PATCH v2 03/13] arm64: use more granular reservations for static page table allocations Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2016-01-07 13:55 ` Mark Rutland
2016-01-07 13:55 ` [kernel-hardening] " Mark Rutland
2016-01-07 13:55 ` Mark Rutland
2016-01-07 14:02 ` Ard Biesheuvel
2016-01-07 14:02 ` [kernel-hardening] " Ard Biesheuvel
2016-01-07 14:02 ` Ard Biesheuvel
2016-01-07 14:25 ` Mark Rutland
2016-01-07 14:25 ` [kernel-hardening] " Mark Rutland
2016-01-07 14:25 ` Mark Rutland
2015-12-30 15:26 ` [PATCH v2 04/13] arm64: decouple early fixmap init from linear mapping Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2016-01-06 16:35 ` James Morse
2016-01-06 16:35 ` [kernel-hardening] " James Morse
2016-01-06 16:35 ` James Morse
2016-01-06 16:42 ` Ard Biesheuvel
2016-01-06 16:42 ` [kernel-hardening] " Ard Biesheuvel
2016-01-06 16:42 ` Ard Biesheuvel
2016-01-08 12:00 ` Catalin Marinas
2016-01-08 12:00 ` [kernel-hardening] " Catalin Marinas
2016-01-08 12:00 ` Catalin Marinas
2016-01-08 12:05 ` Ard Biesheuvel
2016-01-08 12:05 ` [kernel-hardening] " Ard Biesheuvel
2016-01-08 12:05 ` Ard Biesheuvel
2015-12-30 15:26 ` [PATCH v2 05/13] arm64: kvm: deal with kernel symbols outside of " Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2016-01-04 10:08 ` Marc Zyngier
2016-01-04 10:08 ` [kernel-hardening] " Marc Zyngier
2016-01-04 10:08 ` Marc Zyngier
2016-01-04 10:31 ` Ard Biesheuvel
2016-01-04 10:31 ` [kernel-hardening] " Ard Biesheuvel
2016-01-04 10:31 ` Ard Biesheuvel
2016-01-04 11:02 ` Marc Zyngier
2016-01-04 11:02 ` [kernel-hardening] " Marc Zyngier
2016-01-04 11:02 ` Marc Zyngier
2016-01-05 14:41 ` Christoffer Dall
2016-01-05 14:41 ` [kernel-hardening] " Christoffer Dall
2016-01-05 14:41 ` Christoffer Dall
2016-01-05 14:51 ` Ard Biesheuvel
2016-01-05 14:51 ` [kernel-hardening] " Ard Biesheuvel
2016-01-05 14:51 ` Ard Biesheuvel
2016-01-05 14:56 ` Christoffer Dall
2016-01-05 14:56 ` [kernel-hardening] " Christoffer Dall
2016-01-05 14:56 ` Christoffer Dall
2015-12-30 15:26 ` [PATCH v2 06/13] arm64: move kernel image to base of vmalloc area Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2015-12-30 15:26 ` [PATCH v2 07/13] arm64: add support for module PLTs Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2015-12-30 15:26 ` [PATCH v2 08/13] arm64: use relative references in exception tables Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2015-12-30 15:26 ` [PATCH v2 09/13] arm64: avoid R_AARCH64_ABS64 relocations for Image header fields Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2015-12-30 15:26 ` [PATCH v2 10/13] arm64: avoid dynamic relocations in early boot code Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2015-12-30 15:26 ` [PATCH v2 11/13] arm64: allow kernel Image to be loaded anywhere in physical memory Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2016-01-08 11:26 ` Mark Rutland
2016-01-08 11:26 ` [kernel-hardening] " Mark Rutland
2016-01-08 11:26 ` Mark Rutland
2016-01-08 11:34 ` Ard Biesheuvel
2016-01-08 11:34 ` [kernel-hardening] " Ard Biesheuvel
2016-01-08 11:34 ` Ard Biesheuvel
2016-01-08 11:43 ` Mark Rutland
2016-01-08 11:43 ` [kernel-hardening] " Mark Rutland
2016-01-08 11:43 ` Mark Rutland
2016-01-08 15:27 ` Catalin Marinas
2016-01-08 15:27 ` [kernel-hardening] " Catalin Marinas
2016-01-08 15:27 ` Catalin Marinas
2016-01-08 15:30 ` Ard Biesheuvel
2016-01-08 15:30 ` [kernel-hardening] " Ard Biesheuvel
2016-01-08 15:30 ` Ard Biesheuvel
2016-01-08 15:36 ` Mark Rutland
2016-01-08 15:36 ` [kernel-hardening] " Mark Rutland
2016-01-08 15:36 ` Mark Rutland
2016-01-08 15:48 ` Catalin Marinas
2016-01-08 15:48 ` [kernel-hardening] " Catalin Marinas
2016-01-08 15:48 ` Catalin Marinas
2016-01-08 16:14 ` Mark Rutland
2016-01-08 16:14 ` [kernel-hardening] " Mark Rutland
2016-01-08 16:14 ` Mark Rutland
2015-12-30 15:26 ` [PATCH v2 12/13] arm64: add support for relocatable kernel Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2016-01-05 19:51 ` Kees Cook
2016-01-05 19:51 ` [kernel-hardening] " Kees Cook
2016-01-05 19:51 ` Kees Cook
2016-01-06 7:51 ` Ard Biesheuvel
2016-01-06 7:51 ` [kernel-hardening] " Ard Biesheuvel
2016-01-06 7:51 ` Ard Biesheuvel
2016-01-08 10:17 ` James Morse
2016-01-08 10:17 ` [kernel-hardening] " James Morse
2016-01-08 10:17 ` James Morse
2016-01-08 10:25 ` Ard Biesheuvel
2016-01-08 10:25 ` [kernel-hardening] " Ard Biesheuvel
2016-01-08 10:25 ` Ard Biesheuvel
2016-01-08 12:36 ` Mark Rutland
2016-01-08 12:36 ` [kernel-hardening] " Mark Rutland
2016-01-08 12:36 ` Mark Rutland
2016-01-08 12:38 ` Ard Biesheuvel
2016-01-08 12:38 ` [kernel-hardening] " Ard Biesheuvel
2016-01-08 12:38 ` Ard Biesheuvel
2016-01-08 12:40 ` Mark Rutland
2016-01-08 12:40 ` [kernel-hardening] " Mark Rutland
2016-01-08 12:40 ` Mark Rutland
2016-01-08 12:41 ` [PATCH] arm64: split elf relocs into a separate header Mark Rutland
2016-01-08 15:59 ` Will Deacon
2016-01-12 11:55 ` Ard Biesheuvel
2015-12-30 15:26 ` [PATCH v2 13/13] arm64: efi: invoke EFI_RNG_PROTOCOL to supply KASLR randomness Ard Biesheuvel
2015-12-30 15:26 ` [kernel-hardening] " Ard Biesheuvel
2015-12-30 15:26 ` Ard Biesheuvel
2016-01-05 19:53 ` Kees Cook
2016-01-05 19:53 ` [kernel-hardening] " Kees Cook
2016-01-05 19:53 ` Kees Cook
2016-01-06 7:51 ` Ard Biesheuvel
2016-01-06 7:51 ` [kernel-hardening] " Ard Biesheuvel
2016-01-06 7:51 ` Ard Biesheuvel
2016-01-07 18:46 ` Mark Rutland
2016-01-07 18:46 ` [kernel-hardening] " Mark Rutland
2016-01-07 18:46 ` Mark Rutland
2016-01-07 19:07 ` Kees Cook
2016-01-07 19:07 ` [kernel-hardening] " Kees Cook
2016-01-07 19:07 ` Kees Cook
2016-01-05 20:08 ` Kees Cook [this message]
2016-01-05 20:08 ` [kernel-hardening] Re: [PATCH v2 00/13] arm64: implement support for KASLR Kees Cook
2016-01-05 20:08 ` Kees Cook
2016-01-05 21:24 ` Ard Biesheuvel
2016-01-05 21:24 ` [kernel-hardening] " Ard Biesheuvel
2016-01-05 21:24 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jKW-Kq7BapCs=fbPqMrkof-69bVV6-6DtQAmGk_odC=kQ@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=bhupesh.sharma@freescale.com \
--cc=catalin.marinas@arm.com \
--cc=christoffer.dall@linaro.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=leif.lindholm@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
--cc=stuart.yoder@freescale.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.