Message ID | 20210625084217.7413-1-colin.king@canonical.com |
---|---|
State | New |
Series | [IMPISH] UBUNTU: [Config] Enable CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |
On 25/06/2021 10:42, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > Kernel stack offset randomization is a useful security feature > that should be enabled. Benchmarking showed that the impact is > within the noise of various microbenchmarks so I believe this > has some added benefit with minimal performance impact. The > security folk believe this is worth enabling, so lets switch > it on. > > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > debian.master/config/config.common.ubuntu | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu > index ab828d5..0b46c98 100644 > --- a/debian.master/config/config.common.ubuntu > +++ b/debian.master/config/config.common.ubuntu > @@ -8415,7 +8415,7 @@ CONFIG_RAID6_PQ_BENCHMARK=y > CONFIG_RAID_ATTRS=m > # CONFIG_RANDOM32_SELFTEST is not set > CONFIG_RANDOMIZE_BASE=y > -# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set > +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y > CONFIG_RANDOMIZE_MEMORY=y > CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa > CONFIG_RANDOMIZE_MODULE_REGION_FULL=y My impish v5.11 does not have RANDOMIZE_KSTACK_OFFSET. Did you mean unstable? Best regards, Krzysztof
On 25/06/2021 09:42, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > Kernel stack offset randomization is a useful security feature > that should be enabled. Benchmarking showed that the impact is > within the noise of various microbenchmarks so I believe this > has some added benefit with minimal performance impact. The > security folk believe this is worth enabling, so lets switch > it on. > > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > debian.master/config/config.common.ubuntu | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu > index ab828d5..0b46c98 100644 > --- a/debian.master/config/config.common.ubuntu > +++ b/debian.master/config/config.common.ubuntu > @@ -8415,7 +8415,7 @@ CONFIG_RAID6_PQ_BENCHMARK=y > CONFIG_RAID_ATTRS=m > # CONFIG_RANDOM32_SELFTEST is not set > CONFIG_RANDOMIZE_BASE=y > -# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set > +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y > CONFIG_RANDOMIZE_MEMORY=y > CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa > CONFIG_RANDOMIZE_MODULE_REGION_FULL=y > s/IMPISH/UNSTABLE/
On 25/06/2021 11:49, Colin Ian King wrote: > On 25/06/2021 09:42, Colin King wrote: >> From: Colin Ian King <colin.king@canonical.com> >> >> Kernel stack offset randomization is a useful security feature >> that should be enabled. Benchmarking showed that the impact is >> within the noise of various microbenchmarks so I believe this >> has some added benefit with minimal performance impact. The >> security folk believe this is worth enabling, so lets switch >> it on. >> >> Signed-off-by: Colin Ian King <colin.king@canonical.com> >> --- >> debian.master/config/config.common.ubuntu | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu >> index ab828d5..0b46c98 100644 >> --- a/debian.master/config/config.common.ubuntu >> +++ b/debian.master/config/config.common.ubuntu >> @@ -8415,7 +8415,7 @@ CONFIG_RAID6_PQ_BENCHMARK=y >> CONFIG_RAID_ATTRS=m >> # CONFIG_RANDOM32_SELFTEST is not set >> CONFIG_RANDOMIZE_BASE=y >> -# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set >> +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y >> CONFIG_RANDOMIZE_MEMORY=y >> CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa >> CONFIG_RANDOMIZE_MODULE_REGION_FULL=y >> > > s/IMPISH/UNSTABLE/ Then LGTM: Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Best regards, Krzysztof
On Fri, Jun 25, 2021 at 09:42:17AM +0100, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > Kernel stack offset randomization is a useful security feature > that should be enabled. Benchmarking showed that the impact is > within the noise of various microbenchmarks so I believe this > has some added benefit with minimal performance impact. The > security folk believe this is worth enabling, so lets switch > it on. > > Signed-off-by: Colin Ian King <colin.king@canonical.com> Seems like a good idea to me. Acked-by: Seth Forshee <seth.forshee@canonical.com>
On Fri, Jun 25, 2021 at 09:42:17AM +0100, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > Kernel stack offset randomization is a useful security feature > that should be enabled. Benchmarking showed that the impact is > within the noise of various microbenchmarks so I believe this > has some added benefit with minimal performance impact. The > security folk believe this is worth enabling, so lets switch > it on. > > Signed-off-by: Colin Ian King <colin.king@canonical.com> Applied to impish/linux (5.13). Thanks, -Andrea > --- > debian.master/config/config.common.ubuntu | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu > index ab828d5..0b46c98 100644 > --- a/debian.master/config/config.common.ubuntu > +++ b/debian.master/config/config.common.ubuntu > @@ -8415,7 +8415,7 @@ CONFIG_RAID6_PQ_BENCHMARK=y > CONFIG_RAID_ATTRS=m > # CONFIG_RANDOM32_SELFTEST is not set > CONFIG_RANDOMIZE_BASE=y > -# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set > +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y > CONFIG_RANDOMIZE_MEMORY=y > CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa > CONFIG_RANDOMIZE_MODULE_REGION_FULL=y > -- > 2.7.4 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index ab828d5..0b46c98 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -8415,7 +8415,7 @@ CONFIG_RAID6_PQ_BENCHMARK=y CONFIG_RAID_ATTRS=m # CONFIG_RANDOM32_SELFTEST is not set CONFIG_RANDOMIZE_BASE=y -# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y CONFIG_RANDOMIZE_MEMORY=y CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
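Review bot: The added `CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y` line rests on a benchmarking claim the commit message does not back up: it says the impact is "within the noise of various microbenchmarks" without naming the benchmarks, the hardware or the kernel version measured. Please add those details or a link to the results so the decision can be revisited later. Because this option only sets the default, the commit message could also note that the feature can still be switched off at boot with `randomize_kstack_offset=off`, which gives users a fallback if a workload regresses.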