From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Matt Redfearn <matt.redfearn@imgtec.com>,
	Yves-Alexis Perez <corsac@debian.org>,
	Emrah Demir <ed@abdsec.com>, Jonathan Corbet <corbet@lwn.net>,
	x86@kernel.org, "Rafael J. Wysocki" <rjw@rjwysocki.net>,
	Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
	Borislav Petkov <bp@suse.de>, Andy Lutomirski <luto@kernel.org>,
	linux-doc@vger.kernel.org, linux-pm@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com
Subject: [PATCH] Prefer kASLR over Hibernation
Date: Wed, 6 Apr 2016 12:44:04 -0700
Message-ID: <20160406194404.GA11150@www.outflux.net>

When building with both CONFIG_HIBERNATION and CONFIG_RANDOMIZE_BASE,
one or the other must be chosen at boot-time. Until now, hibernation
was selected when no choice was made on the command line.

To make the security benefits of kASLR more widely available to end
users (since the use of hibernation is becoming more rare and kASLR,
already available on x86, will be available on arm64 and MIPS soon),
this changes the default to preferring kASLR over hibernation. Users
wanting hibernation can turn off kASLR by adding "nokaslr" to the kernel
command line.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 Documentation/kernel-parameters.txt |  7 +++++--
 arch/x86/boot/compressed/aslr.c     |  7 -------
 kernel/power/hibernate.c            | 13 +++++++++++++
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index ecc74fa4bfde..71393ec89295 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1774,8 +1774,8 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			Enable/disable kernel and module base offset ASLR
 			(Address Space Layout Randomization) if built into
 			the kernel. When CONFIG_HIBERNATION is selected,
-			kASLR is disabled by default. When kASLR is enabled,
-			hibernation will be disabled.
+			kASLR must be disabled for hibernation to be
+			available.
 
 	keepinitrd	[HW,ARM]
 
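Review bot: the replacement text ending in "kASLR must be disabled for hibernation to be available" removes the only statement of the default, so this entry no longer says whether kASLR is on or off when neither option is passed. State that kASLR is enabled by default when built in, and name "nokaslr" as the switch that turns it off and makes hibernation available, since that is the behaviour change described in the commit message.
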
@@ -3513,6 +3513,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			(e.g. USB and MMC devices).
 
 	hibernate=	[HIBERNATION]
+			When CONFIG_RANDOMIZE_BASE is defined, hibernation
+			is disabled by default. Hibernation can be enabled
+			by passing "nokaslr" on the kernel command line.
 		noresume	Don't check if there's a hibernation image
 				present during boot.
 		nocompress	Don't compress/decompress hibernation images.
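Review bot: the three added lines under hibernate= sit between the parameter name and its first value (noresume), where a reader expects the list of accepted values, and they mention only that hibernation is disabled. The hibernate.c part of this patch also defaults noresume to 1, so the text should say that an existing image is not checked for at boot unless "nokaslr" is passed. "is defined" could also match the "is selected" wording used for CONFIG_HIBERNATION in the kaslr entry.
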
diff --git a/arch/x86/boot/compressed/aslr.c b/arch/x86/boot/compressed/aslr.c
index 6a9b96b4624d..81e2835c0dfb 100644
--- a/arch/x86/boot/compressed/aslr.c
+++ b/arch/x86/boot/compressed/aslr.c
@@ -304,17 +304,10 @@ unsigned char *choose_kernel_location(struct boot_params *boot_params,
 	unsigned long choice = (unsigned long)output;
 	unsigned long random;
 
-#ifdef CONFIG_HIBERNATION
-	if (!cmdline_find_option_bool("kaslr")) {
-		debug_putstr("KASLR disabled by default...\n");
-		goto out;
-	}
-#else
 	if (cmdline_find_option_bool("nokaslr")) {
 		debug_putstr("KASLR disabled by cmdline...\n");
 		goto out;
 	}
-#endif
 
 	boot_params->hdr.loadflags |= KASLR_FLAG;
 
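Review bot: with the CONFIG_HIBERNATION branch removed, the outcome of this check is recorded only in "boot_params->hdr.loadflags |= KASLR_FLAG", while kernel/power/hibernate.c in the same patch makes its own decision by matching "nokaslr" again through __setup(). The two parsers of the same string have to stay in agreement for the feature to be safe; consider having the hibernation side key off whether KASLR_FLAG was actually set rather than re-reading the command line.
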
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index fca9254280ee..be5041354b1e 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -35,8 +35,13 @@
 
 
 static int nocompress;
+#ifdef CONFIG_RANDOMIZE_BASE
+static int noresume = 1;
+static int nohibernate = 1;
+#else
 static int noresume;
 static int nohibernate;
+#endif
 static int resume_wait;
 static unsigned int resume_delay;
 static char resume_file[256] = CONFIG_PM_STD_PARTITION;
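Review bot: the "#ifdef CONFIG_RANDOMIZE_BASE" around the noresume/nohibernate initialisers lives in arch-independent kernel/power/hibernate.c, so it flips the defaults on every architecture that defines that symbol, while the only conflict this patch touches is in arch/x86. The commit message expects arm64 and MIPS to gain kASLR soon; either scope the condition to x86 or add a comment explaining why hibernation must be off for all of them. A short comment above the block saying why both variables start at 1 would also help, since nothing here tells the reader that "nokaslr" resets them.
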
@@ -1159,6 +1164,13 @@ static int __init kaslr_nohibernate_setup(char *str)
 	return nohibernate_setup(str);
 }
 
+static int __init nokaslr_hibernate_setup(char *str)
+{
+	noresume = 0;
+	nohibernate = 0;
+	return 1;
+}
+
 static int __init page_poison_nohibernate_setup(char *str)
 {
 #ifdef CONFIG_PAGE_POISONING_ZERO
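Review bot: nokaslr_hibernate_setup() clears noresume and nohibernate unconditionally, so its effect depends on parameter order. A command line that sets them through "nohibernate" or through page_poison_nohibernate_setup() and then carries "nokaslr" ends up with hibernation enabled again. Track the kASLR-imposed restriction in its own variable, or have this handler only undo the CONFIG_RANDOMIZE_BASE default, so that an explicit disable always wins. The function is also built when CONFIG_RANDOMIZE_BASE is off, where it has no default to undo.
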
@@ -1183,4 +1195,5 @@ __setup("resumewait", resumewait_setup);
 __setup("resumedelay=", resumedelay_setup);
 __setup("nohibernate", nohibernate_setup);
 __setup("kaslr", kaslr_nohibernate_setup);
+__setup("nokaslr", nokaslr_hibernate_setup);
 __setup("page_poison=", page_poison_nohibernate_setup);
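Review bot: "__setup("kaslr", kaslr_nohibernate_setup);" is left in place, but the aslr.c hunk of this patch removes the only cmdline_find_option_bool("kaslr") check, so "kaslr" no longer selects anything on the randomization side and only disables hibernation, which is now the default anyway. Drop the registration and kaslr_nohibernate_setup(), or keep them with a comment that "kaslr" is accepted for compatibility with existing command lines.
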
-- 
2.6.3


-- 
Kees Cook
Chrome OS & Brillo Security
