[IMPISH] UBUNTU: [Config] Enable CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT

Message ID 20210625084217.7413-1-colin.king@canonical.com
State New

Commit Message

Colin Ian King June 25, 2021, 8:42 a.m. UTC
From: Colin Ian King <colin.king@canonical.com>

Kernel stack offset randomization is a useful security feature
that should be enabled. Benchmarking showed that the impact is
within the noise of various microbenchmarks so I believe this
has some added benefit with minimal performance impact. The
security folk believe this is worth enabling, so let's switch
it on.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 debian.master/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Krzysztof Kozlowski June 25, 2021, 9:40 a.m. UTC | #1
On 25/06/2021 10:42, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Kernel stack offset randomization is a useful security feature
> that should be enabled. Benchmarking showed that the impact is
> within the noise of various microbenchmarks so I believe this
> has some added benefit with minimal performance impact. The
> security folk believe this is worth enabling, so let's switch
> it on.
> 
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  debian.master/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index ab828d5..0b46c98 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -8415,7 +8415,7 @@ CONFIG_RAID6_PQ_BENCHMARK=y
>  CONFIG_RAID_ATTRS=m
>  # CONFIG_RANDOM32_SELFTEST is not set
>  CONFIG_RANDOMIZE_BASE=y
> -# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set
> +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
>  CONFIG_RANDOMIZE_MEMORY=y
>  CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
>  CONFIG_RANDOMIZE_MODULE_REGION_FULL=y

My impish v5.11 does not have RANDOMIZE_KSTACK_OFFSET. Did you mean
unstable?


Best regards,
Krzysztof

Colin Ian King June 25, 2021, 9:49 a.m. UTC | #2
On 25/06/2021 09:42, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Kernel stack offset randomization is a useful security feature
> that should be enabled. Benchmarking showed that the impact is
> within the noise of various microbenchmarks so I believe this
> has some added benefit with minimal performance impact. The
> security folk believe this is worth enabling, so let's switch
> it on.
> 
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  debian.master/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index ab828d5..0b46c98 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -8415,7 +8415,7 @@ CONFIG_RAID6_PQ_BENCHMARK=y
>  CONFIG_RAID_ATTRS=m
>  # CONFIG_RANDOM32_SELFTEST is not set
>  CONFIG_RANDOMIZE_BASE=y
> -# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set
> +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
>  CONFIG_RANDOMIZE_MEMORY=y
>  CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
>  CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
> 

s/IMPISH/UNSTABLE/

Krzysztof Kozlowski June 25, 2021, 9:54 a.m. UTC | #3
On 25/06/2021 11:49, Colin Ian King wrote:
> On 25/06/2021 09:42, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> Kernel stack offset randomization is a useful security feature
>> that should be enabled. Benchmarking showed that the impact is
>> within the noise of various microbenchmarks so I believe this
>> has some added benefit with minimal performance impact. The
>> security folk believe this is worth enabling, so let's switch
>> it on.
>>
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>> ---
>>  debian.master/config/config.common.ubuntu | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
>> index ab828d5..0b46c98 100644
>> --- a/debian.master/config/config.common.ubuntu
>> +++ b/debian.master/config/config.common.ubuntu
>> @@ -8415,7 +8415,7 @@ CONFIG_RAID6_PQ_BENCHMARK=y
>>  CONFIG_RAID_ATTRS=m
>>  # CONFIG_RANDOM32_SELFTEST is not set
>>  CONFIG_RANDOMIZE_BASE=y
>> -# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set
>> +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
>>  CONFIG_RANDOMIZE_MEMORY=y
>>  CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
>>  CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
>>
> 
> s/IMPISH/UNSTABLE/


Then LGTM:

Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

Best regards,
Krzysztof

Seth Forshee July 9, 2021, 8:01 p.m. UTC | #4
On Fri, Jun 25, 2021 at 09:42:17AM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Kernel stack offset randomization is a useful security feature
> that should be enabled. Benchmarking showed that the impact is
> within the noise of various microbenchmarks so I believe this
> has some added benefit with minimal performance impact. The
> security folk believe this is worth enabling, so let's switch
> it on.
> 
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Seems like a good idea to me.

Acked-by: Seth Forshee <seth.forshee@canonical.com>

Andrea Righi July 12, 2021, 6:33 a.m. UTC | #5
On Fri, Jun 25, 2021 at 09:42:17AM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Kernel stack offset randomization is a useful security feature
> that should be enabled. Benchmarking showed that the impact is
> within the noise of various microbenchmarks so I believe this
> has some added benefit with minimal performance impact. The
> security folk believe this is worth enabling, so let's switch
> it on.
> 
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Applied to impish/linux (5.13).

Thanks,
-Andrea

> ---
>  debian.master/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index ab828d5..0b46c98 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -8415,7 +8415,7 @@ CONFIG_RAID6_PQ_BENCHMARK=y
>  CONFIG_RAID_ATTRS=m
>  # CONFIG_RANDOM32_SELFTEST is not set
>  CONFIG_RANDOMIZE_BASE=y
> -# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set
> +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
>  CONFIG_RANDOMIZE_MEMORY=y
>  CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
>  CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch

diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index ab828d5..0b46c98 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -8415,7 +8415,7 @@  CONFIG_RAID6_PQ_BENCHMARK=y
 CONFIG_RAID_ATTRS=m
 # CONFIG_RANDOM32_SELFTEST is not set
 CONFIG_RANDOMIZE_BASE=y
-# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
 CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
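
Review bot: the `+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y` line flips a default in the common config file, yet the commit message supports it only with "within the noise of various microbenchmarks" and names neither the benchmarks, the architectures measured, nor the kernel version tested. Please record those in the commit message, and resend with the subject tag corrected per the s/IMPISH/UNSTABLE/ follow-up, since the thread notes that impish v5.11 does not carry this option and the patch was eventually applied to impish/linux (5.13).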