From: Evgeniy Baskov
To: Ard Biesheuvel
Cc: Evgeniy Baskov, Borislav Petkov, Andy Lutomirski, Dave Hansen, Ingo Molnar, Peter Zijlstra, Thomas Gleixner, Alexey Khoroshilov, Peter Jones, lvc-project@linuxtesting.org, x86@kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v2 16/23] x86/boot: Reduce lower limit of physical KASLR
Date: Tue, 25 Oct 2022 17:12:54 +0300
Message-Id: <663de36ee68f37998a809b315fa81b360ce5e2a5.1666705333.git.baskov@ispras.ru>

Set lower limit of physical KASLR to 64M.

Previously it was set to 512M when kernel is loaded higher than that. That prevented physical KASLR from being performed on x86_32, where upper limit is also set to 512M. The limit is pretty arbitrary, and the most important is to set it above the ISA hole, i.e. higher than 16M.

It was not that important before, but now kernel is not getting relocated to the lower address when booting via EFI, exposing the KASLR failures.

Signed-off-by: Evgeniy Baskov

--- arch/x86/boot/compressed/kaslr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c index 7e09d65f7b57..672550686f62 100644 --- a/arch/x86/boot/compressed/kaslr.c +++ b/arch/x86/boot/compressed/kaslr.c 
@@ -852,10 +852,10 @@ void choose_random_location(unsigned long input, /* * Low end of the randomization range should be the - * smaller of 512M or the initial kernel image + * smaller of 64M or the initial kernel image * location: */ - min_addr = min(*output, 512UL << 20); + min_addr = min(*output, 64UL << 20); /* Make sure minimum is aligned. */ min_addr = ALIGN(min_addr, CONFIG_PHYSICAL_ALIGN);
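Review bot: the new floor in `min_addr = min(*output, 64UL << 20);` is a bare magic number, and neither the code nor the updated comment records the reasoning the commit message gives for it (above the 16M ISA hole, and below the 512M upper limit on x86_32 so that physical KASLR has a usable range there). Consider a named constant with a short comment carrying that rationale, so the next change to the value does not have to rediscover the constraints. Also note that because this is a min(), an image loaded below 64M keeps `*output` as the low end of the range, so nothing in this hunk enforces the "higher than 16M" property the commit message calls most important; it is worth stating in the comment whether that case is expected or is handled elsewhere.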