linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try
authorPeter Müller <peter.mueller@ipfire.org>
Mon, 11 Jul 2022 15:07:22 +0000 (15:07 +0000)
committerPeter Müller <peter.mueller@ipfire.org>
Mon, 1 Aug 2022 10:20:20 +0000 (10:20 +0000)
Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:

> Significance: Critical
>
> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
> the physical address at which the kernel image is decompressed and the virtual
> address where the kernel image is mapped as a security feature that deters
> exploit attempts relying on knowledge of the location of kernel code internals.

We tried to enable this back in 2020 and failed. Since then, things
may have improved, so let's give this low-hanging fruit another
try.

Fixes: #12363
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
config/kernel/kernel.config.aarch64-ipfire
config/rootfiles/common/aarch64/linux

index 469884b20f74c7fe7c3acb72b63509ff69417bc9..9232335ff3728cbd7765c3908e68cf185291a8ef 100644 (file)
@@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_PSEUDO_NMI is not set
 CONFIG_RELOCATABLE=y
-# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_RANDOMIZE_BASE=y
 CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y
 CONFIG_STACKPROTECTOR_PER_TASK=y
 # end of Kernel Features
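Review bot: `CONFIG_RANDOMIZE_BASE=y` is followed directly by `CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y`, so the dependent arm64 symbol `CONFIG_RANDOMIZE_MODULE_REGION_FULL` is not stated in this file and, if the kernel version in use still has it, will take its Kconfig default at build time. Stating it explicitly on the next line, e.g. `CONFIG_RANDOMIZE_MODULE_REGION_FULL=y`, would keep the committed config identical to what is actually built; the rootfile hunk likewise adds only `RANDOMIZE_BASE`. Separately, on arm64 this option only randomizes the kernel base when the boot firmware supplies entropy (the device-tree `/chosen/kaslr-seed` property or the EFI RNG protocol), and `nokaslr` on the command line turns it off. It is therefore worth confirming from the boot log on each supported board that KASLR is really active rather than silently disabled for lack of a seed.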
index 6de30d1a0b2466a671081329a22863f4697f0913..dbd6e8f2f52d6e7db9c65368f9cf0c1c88b4fa7b 100644 (file)
@@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ
 #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK
 #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS
+#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE
 #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT
 #lib/modules/KVER-ipfire/build/include/config/RAS
 #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE