Changeset e5aa02fe

Timestamp:

09/11/2022 04:09:18 AM (20 months ago)

Author:

Xi Ruoyao <xry111@…>

Branches:

11.3, 11.3-rc1, 12.0, 12.0-rc1, 12.1, 12.1-rc1, bdubbs/gcc13, multilib, renodr/libudev-from-systemd, trunk, xry111/arm64, xry111/arm64-12.0, xry111/clfs-ng, xry111/loongarch, xry111/loongarch-12.0, xry111/loongarch-12.1, xry111/mips64el, xry111/pip3, xry111/rust-wip-20221008, xry111/update-glibc

Children:

c10a327

Parents:

a710d35

git-author:

Xi Ruoyao <xry111@…> (09/11/2022 04:05:21 AM)

git-committer:

Xi Ruoyao <xry111@…> (09/11/2022 04:09:18 AM)

Message:

kernel: enable ASLR and SSP

It does not make too much sense to protect the userspace with PIE+ASLR
and SSP but leave the kernel alone...

File:

• chapter10/kernel.xml (modified) (5 diffs)

chapter10/kernel.xml

@@ -106 +106 @@
       not work correctly or boot at all:</para>
 
-      <screen role="nodump" revision="sysv">General setup -->
+      <screen role="nodump" revision="sysv">Processor type and features ---&gt;
+   [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
+   [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
+General setup ---&gt;
    [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
    &lt; &gt; Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
+General architecture-dependent options  ---&gt;
+   [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
+   [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
 Device Drivers  ---&gt;
   Graphics support ---&gt;
@@ -118 +124 @@
    [*]   Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen>
 
-      <screen role="nodump" revision="systemd">General setup -->
+      <screen role="nodump" revision="systemd">Processor type and features ---&gt;
+   [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
+   [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
+General setup ---&gt;
    [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
    [ ] Auditing Support [CONFIG_AUDIT]
@@ -131 +140 @@
 General architecture-dependent options  ---&gt;
    [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP]
+   [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
+   [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
 Networking support  ---&gt;
   Networking options  ---&gt;
@@ -190 +201 @@
 
       <varlistentry>
+        <term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term>
+        <listitem>
+          <para>Enable ASLR for kernel image, to mitigate some attacks based
+          on fixed addresses of sensitive data or code in the kernel.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>
           <parameter>
@@ -211 +230 @@
           <para>This will require <command>cpio</command> building the kernel.
           <command>cpio</command> is not installed by LFS.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>Strong Stack Protector</parameter></term>
+        <listitem>
+          <para>Enable SSP for the kernel.  We've enabled it for the entire
+          userspace with <parameter>--enable-default-ssp</parameter>
+          configuring GCC, but the kernel does not use GCC default setting
+          for SSP.  We enable it explicitly here.</para>
         </listitem>
       </varlistentry>