From: Peter Müller Date: Mon, 1 Aug 2022 17:18:07 +0000 (+0000) Subject: linux: Randomize layout of sensitive kernel structures X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c46e7f8180d75fe176c6e00bceaa1fccb0c4e97;p=people%2Fms%2Fipfire-2.x.git linux: Randomize layout of sensitive kernel structures To quote from the kernel documentation: > If you say Y here, the layouts of structures that are entirely > function pointers (and have not been manually annotated with > __no_randomize_layout), or structures that have been explicitly > marked with __randomize_layout, will be randomized at compile-time. > This can introduce the requirement of an additional information > exposure vulnerability for exploits targeting these structure > types. > > Enabling this feature will introduce some performance impact, > slightly increase memory usage, and prevent the use of forensic > tools like Volatility against the system (unless the kernel > source tree isn't cleaned after kernel installation). > > The seed used for compilation is located at > scripts/gcc-plgins/randomize_layout_seed.h. It remains after > a make clean to allow for external modules to be compiled with > the existing seed and will be removed by a make mrproper or > make distclean. > > Note that the implementation requires gcc 4.7 or newer. Signed-off-by: Peter Müller Acked-by: Michael Tremer
---
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 513888a8f4..c6b63411d1 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -793,7 +793,8 @@ CONFIG_HAVE_GCC_PLUGINS=y
 CONFIG_GCC_PLUGINS=y
 # CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 # end of General architecture-dependent options
 
 CONFIG_RT_MUTEXES=y
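Review bot: The added lines select `CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y`, the weaker of the two RANDSTRUCT modes: it only shuffles members within cache-line-sized groups, so considerably less layout information has to leak before the randomization is defeated than with full randomization. The commit message quotes the generic Kconfig help but does not record why performance mode was chosen for this kernel; a sentence such as `Performance mode is used to keep the cache-line grouping of hot networking structures intact; full randomization was judged too costly` (with the actual reason) would make the trade-off auditable later. It is also worth stating in the message that the protection relies on the compile-time seed not being recoverable from the shipped system, and that any module built outside this build tree must be compiled with the same seed or its structure layouts will not match the kernel's. Only the x86_64 config is changed here, although the rootfile hunks on the following lines also touch armv6l.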
diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux
index fc761f6455..0b6503f26e 100644
--- a/config/rootfiles/common/armv6l/linux
+++ b/config/rootfiles/common/armv6l/linux
@@ -8071,6 +8071,8 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_ARM_SSP_PER_TASK
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
 #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION
@@ -12132,6 +12134,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/generated/autoconf.h
 #lib/modules/KVER-ipfire/build/include/generated/bounds.h
 #lib/modules/KVER-ipfire/build/include/generated/compile.h
+#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h
 #lib/modules/KVER-ipfire/build/include/generated/timeconst.h
 #lib/modules/KVER-ipfire/build/include/generated/uapi
 #lib/modules/KVER-ipfire/build/include/generated/uapi/linux
@@ -17577,6 +17580,8 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c
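Review bot: The armv6l rootfile gains the `GCC_PLUGIN_RANDSTRUCT` and `GCC_PLUGIN_RANDSTRUCT_PERFORMANCE` entries in the first hunk, but this commit only changes `config/kernel/kernel.config.x86_64-ipfire`; unless the armv6l kernel config already enables RANDSTRUCT, the armv6l build will not produce these files and the list will no longer describe what is installed. Either the matching armv6l config change belongs in this commit, or the armv6l entries added here (including `randomize_layout_hash.h`, `randomize_layout_plugin.so` and `randomize_layout_seed.h` in the second and third hunks) should be dropped. The third hunk lists `randomize_layout_seed.h` with the same `#` prefix as the neighbouring build/ entries; if that prefix excludes a path from the shipped package, the seed stays out of the installed image, which is what keeps the randomized layout secret but also means out-of-tree modules can only be built from the original build tree with its seed. The x86_64 section on the next line adds the same hash and seed entries, and the same consideration applies there.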
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index b25f85a3ab..1b78fe8c52 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -7624,6 +7624,8 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/GARP
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
 #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION
@@ -12128,6 +12130,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/generated/autoconf.h
 #lib/modules/KVER-ipfire/build/include/generated/bounds.h
 #lib/modules/KVER-ipfire/build/include/generated/compile.h
+#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h
 #lib/modules/KVER-ipfire/build/include/generated/timeconst.h
 #lib/modules/KVER-ipfire/build/include/generated/uapi
 #lib/modules/KVER-ipfire/build/include/generated/uapi/linux
@@ -17567,6 +17570,8 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c