f5a138c3fe96bf93490dab047d193d507b551518
4 * This contains the routines needed to generate a reasonable level of
5 * entropy to choose a randomized kernel base address offset in support
6 * of Kernel Address Space Layout Randomization (KASLR). Additionally
7 * handles walking the physical memory maps (and tracking memory regions
8 * to avoid) in order to select a physical memory location that can
9 * contain the entire properly aligned running kernel image.
16 #include <asm/archrandom.h>
19 #include <generated/compile.h>
20 #include <linux/module.h>
21 #include <linux/uts.h>
22 #include <linux/utsname.h>
23 #include <generated/utsrelease.h>
25 /* Simplified build-specific string for starting entropy. */
26 static const char build_str
[] = UTS_RELEASE
" (" LINUX_COMPILE_BY
"@"
27 LINUX_COMPILE_HOST
") (" LINUX_COMPILER
") " UTS_VERSION
;
29 #define I8254_PORT_CONTROL 0x43
30 #define I8254_PORT_COUNTER0 0x40
31 #define I8254_CMD_READBACK 0xC0
32 #define I8254_SELECT_COUNTER0 0x02
33 #define I8254_STATUS_NOTREADY 0x40
34 static inline u16
i8254(void)
39 outb(I8254_PORT_CONTROL
,
40 I8254_CMD_READBACK
| I8254_SELECT_COUNTER0
);
41 status
= inb(I8254_PORT_COUNTER0
);
42 timer
= inb(I8254_PORT_COUNTER0
);
43 timer
|= inb(I8254_PORT_COUNTER0
) << 8;
44 } while (status
& I8254_STATUS_NOTREADY
);
49 static unsigned long rotate_xor(unsigned long hash
, const void *area
,
53 unsigned long *ptr
= (unsigned long *)area
;
55 for (i
= 0; i
< size
/ sizeof(hash
); i
++) {
56 /* Rotate by odd number of bits and XOR. */
57 hash
= (hash
<< ((sizeof(hash
) * 8) - 7)) | (hash
>> 7);
64 /* Attempt to create a simple but unpredictable starting entropy. */
65 static unsigned long get_random_boot(void)
67 unsigned long hash
= 0;
69 hash
= rotate_xor(hash
, build_str
, sizeof(build_str
));
70 hash
= rotate_xor(hash
, boot_params
, sizeof(*boot_params
));
75 static unsigned long get_random_long(void)
78 const unsigned long mix_const
= 0x5d6008cbf3848dd3UL
;
80 const unsigned long mix_const
= 0x3f39e593UL
;
82 unsigned long raw
, random
= get_random_boot();
83 bool use_i8254
= true;
85 debug_putstr("KASLR using");
87 if (has_cpuflag(X86_FEATURE_RDRAND
)) {
88 debug_putstr(" RDRAND");
89 if (rdrand_long(&raw
)) {
95 if (has_cpuflag(X86_FEATURE_TSC
)) {
96 debug_putstr(" RDTSC");
104 debug_putstr(" i8254");
108 /* Circular multiply for better bit diffusion */
110 : "=a" (random
), "=d" (raw
)
111 : "a" (random
), "rm" (mix_const
));
114 debug_putstr("...\n");
124 enum mem_avoid_index
{
125 MEM_AVOID_ZO_RANGE
= 0,
128 MEM_AVOID_BOOTPARAMS
,
132 static struct mem_vector mem_avoid
[MEM_AVOID_MAX
];
134 static bool mem_contains(struct mem_vector
*region
, struct mem_vector
*item
)
136 /* Item at least partially before region. */
137 if (item
->start
< region
->start
)
139 /* Item at least partially after region. */
140 if (item
->start
+ item
->size
> region
->start
+ region
->size
)
145 static bool mem_overlaps(struct mem_vector
*one
, struct mem_vector
*two
)
147 /* Item one is entirely before item two. */
148 if (one
->start
+ one
->size
<= two
->start
)
150 /* Item one is entirely after item two. */
151 if (one
->start
>= two
->start
+ two
->size
)
157 * In theory, KASLR can put the kernel anywhere in the range of [16M, 64T).
158 * The mem_avoid array is used to store the ranges that need to be avoided
159 * when KASLR searches for an appropriate random address. We must avoid any
160 * regions that are unsafe to overlap with during decompression, and other
161 * things like the initrd, cmdline and boot_params. This comment seeks to
162 * explain mem_avoid as clearly as possible since incorrect mem_avoid
163 * memory ranges lead to really hard to debug boot failures.
165 * The initrd, cmdline, and boot_params are trivial to identify for
166 * avoiding. The are MEM_AVOID_INITRD, MEM_AVOID_CMDLINE, and
167 * MEM_AVOID_BOOTPARAMS respectively below.
169 * What is not obvious how to avoid is the range of memory that is used
170 * during decompression (MEM_AVOID_ZO_RANGE below). This range must cover
171 * the compressed kernel (ZO) and its run space, which is used to extract
172 * the uncompressed kernel (VO) and relocs.
174 * ZO's full run size sits against the end of the decompression buffer, so
175 * we can calculate where text, data, bss, etc of ZO are positioned more
178 * For additional background, the decompression calculations can be found
179 * in header.S, and the memory diagram is based on the one found in misc.c.
181 * The following conditions are already enforced by the image layouts and
183 * - input + input_size >= output + output_size
184 * - kernel_total_size <= init_size
185 * - kernel_total_size <= output_size (see Note below)
186 * - output + init_size >= output + output_size
188 * (Note that kernel_total_size and output_size have no fundamental
189 * relationship, but output_size is passed to choose_random_location
190 * as a maximum of the two. The diagram is showing a case where
191 * kernel_total_size is larger than output_size, but this case is
192 * handled by bumping output_size.)
194 * The above conditions can be illustrated by a diagram:
196 * 0 output input input+input_size output+init_size
199 * |-----|--------|--------|--------------|-----------|--|-------------|
202 * output+init_size-ZO_INIT_SIZE output+output_size output+kernel_total_size
204 * [output, output+init_size) is the entire memory range used for
205 * extracting the compressed image.
207 * [output, output+kernel_total_size) is the range needed for the
208 * uncompressed kernel (VO) and its run size (bss, brk, etc).
210 * [output, output+output_size) is VO plus relocs (i.e. the entire
211 * uncompressed payload contained by ZO). This is the area of the buffer
212 * written to during decompression.
214 * [output+init_size-ZO_INIT_SIZE, output+init_size) is the worst-case
215 * range of the copied ZO and decompression code. (i.e. the range
216 * covered backwards of size ZO_INIT_SIZE, starting from output+init_size.)
218 * [input, input+input_size) is the original copied compressed image (ZO)
219 * (i.e. it does not include its run size). This range must be avoided
220 * because it contains the data used for decompression.
222 * [input+input_size, output+init_size) is [_text, _end) for ZO. This
223 * range includes ZO's heap and stack, and must be avoided since it
224 * performs the decompression.
226 * Since the above two ranges need to be avoided and they are adjacent,
227 * they can be merged, resulting in: [input, output+init_size) which
228 * becomes the MEM_AVOID_ZO_RANGE below.
230 static void mem_avoid_init(unsigned long input
, unsigned long input_size
,
231 unsigned long output
)
233 unsigned long init_size
= boot_params
->hdr
.init_size
;
234 u64 initrd_start
, initrd_size
;
235 u64 cmd_line
, cmd_line_size
;
239 * Avoid the region that is unsafe to overlap during
242 mem_avoid
[MEM_AVOID_ZO_RANGE
].start
= input
;
243 mem_avoid
[MEM_AVOID_ZO_RANGE
].size
= (output
+ init_size
) - input
;
244 add_identity_map(mem_avoid
[MEM_AVOID_ZO_RANGE
].start
,
245 mem_avoid
[MEM_AVOID_ZO_RANGE
].size
);
248 initrd_start
= (u64
)boot_params
->ext_ramdisk_image
<< 32;
249 initrd_start
|= boot_params
->hdr
.ramdisk_image
;
250 initrd_size
= (u64
)boot_params
->ext_ramdisk_size
<< 32;
251 initrd_size
|= boot_params
->hdr
.ramdisk_size
;
252 mem_avoid
[MEM_AVOID_INITRD
].start
= initrd_start
;
253 mem_avoid
[MEM_AVOID_INITRD
].size
= initrd_size
;
254 /* No need to set mapping for initrd, it will be handled in VO. */
256 /* Avoid kernel command line. */
257 cmd_line
= (u64
)boot_params
->ext_cmd_line_ptr
<< 32;
258 cmd_line
|= boot_params
->hdr
.cmd_line_ptr
;
259 /* Calculate size of cmd_line. */
260 ptr
= (char *)(unsigned long)cmd_line
;
261 for (cmd_line_size
= 0; ptr
[cmd_line_size
++]; )
263 mem_avoid
[MEM_AVOID_CMDLINE
].start
= cmd_line
;
264 mem_avoid
[MEM_AVOID_CMDLINE
].size
= cmd_line_size
;
265 add_identity_map(mem_avoid
[MEM_AVOID_CMDLINE
].start
,
266 mem_avoid
[MEM_AVOID_CMDLINE
].size
);
268 /* Avoid boot parameters. */
269 mem_avoid
[MEM_AVOID_BOOTPARAMS
].start
= (unsigned long)boot_params
;
270 mem_avoid
[MEM_AVOID_BOOTPARAMS
].size
= sizeof(*boot_params
);
271 add_identity_map(mem_avoid
[MEM_AVOID_BOOTPARAMS
].start
,
272 mem_avoid
[MEM_AVOID_BOOTPARAMS
].size
);
274 /* We don't need to set a mapping for setup_data. */
276 #ifdef CONFIG_X86_VERBOSE_BOOTUP
277 /* Make sure video RAM can be used. */
278 add_identity_map(0, PMD_SIZE
);
282 /* Does this memory vector overlap a known avoided area? */
283 static bool mem_avoid_overlap(struct mem_vector
*img
)
286 struct setup_data
*ptr
;
288 for (i
= 0; i
< MEM_AVOID_MAX
; i
++) {
289 if (mem_overlaps(img
, &mem_avoid
[i
]))
293 /* Avoid all entries in the setup_data linked list. */
294 ptr
= (struct setup_data
*)(unsigned long)boot_params
->hdr
.setup_data
;
296 struct mem_vector avoid
;
298 avoid
.start
= (unsigned long)ptr
;
299 avoid
.size
= sizeof(*ptr
) + ptr
->len
;
301 if (mem_overlaps(img
, &avoid
))
304 ptr
= (struct setup_data
*)(unsigned long)ptr
->next
;
310 static unsigned long slots
[KERNEL_IMAGE_SIZE
/ CONFIG_PHYSICAL_ALIGN
];
311 static unsigned long slot_max
;
313 static void slots_append(unsigned long addr
)
315 /* Overflowing the slots list should be impossible. */
316 if (slot_max
>= KERNEL_IMAGE_SIZE
/ CONFIG_PHYSICAL_ALIGN
)
319 slots
[slot_max
++] = addr
;
322 static unsigned long slots_fetch_random(void)
324 /* Handle case of no slots stored. */
328 return slots
[get_random_long() % slot_max
];
331 static void process_e820_entry(struct e820entry
*entry
,
332 unsigned long minimum
,
333 unsigned long image_size
)
335 struct mem_vector region
, img
;
337 /* Skip non-RAM entries. */
338 if (entry
->type
!= E820_RAM
)
341 /* Ignore entries entirely above our maximum. */
342 if (entry
->addr
>= KERNEL_IMAGE_SIZE
)
345 /* Ignore entries entirely below our minimum. */
346 if (entry
->addr
+ entry
->size
< minimum
)
349 region
.start
= entry
->addr
;
350 region
.size
= entry
->size
;
352 /* Potentially raise address to minimum location. */
353 if (region
.start
< minimum
)
354 region
.start
= minimum
;
356 /* Potentially raise address to meet alignment requirements. */
357 region
.start
= ALIGN(region
.start
, CONFIG_PHYSICAL_ALIGN
);
359 /* Did we raise the address above the bounds of this e820 region? */
360 if (region
.start
> entry
->addr
+ entry
->size
)
363 /* Reduce size by any delta from the original address. */
364 region
.size
-= region
.start
- entry
->addr
;
366 /* Reduce maximum size to fit end of image within maximum limit. */
367 if (region
.start
+ region
.size
> KERNEL_IMAGE_SIZE
)
368 region
.size
= KERNEL_IMAGE_SIZE
- region
.start
;
370 /* Walk each aligned slot and check for avoided areas. */
371 for (img
.start
= region
.start
, img
.size
= image_size
;
372 mem_contains(®ion
, &img
) ;
373 img
.start
+= CONFIG_PHYSICAL_ALIGN
) {
374 if (mem_avoid_overlap(&img
))
376 slots_append(img
.start
);
380 static unsigned long find_random_addr(unsigned long minimum
,
386 /* Make sure minimum is aligned. */
387 minimum
= ALIGN(minimum
, CONFIG_PHYSICAL_ALIGN
);
389 /* Verify potential e820 positions, appending to slots list. */
390 for (i
= 0; i
< boot_params
->e820_entries
; i
++) {
391 process_e820_entry(&boot_params
->e820_map
[i
], minimum
, size
);
394 return slots_fetch_random();
398 * Since this function examines addresses much more numerically,
399 * it takes the input and output pointers as 'unsigned long'.
401 unsigned char *choose_random_location(unsigned long input
,
402 unsigned long input_size
,
403 unsigned long output
,
404 unsigned long output_size
)
406 unsigned long choice
= output
;
407 unsigned long random_addr
;
409 #ifdef CONFIG_HIBERNATION
410 if (!cmdline_find_option_bool("kaslr")) {
411 warn("KASLR disabled: 'kaslr' not on cmdline (hibernation selected).");
415 if (cmdline_find_option_bool("nokaslr")) {
416 warn("KASLR disabled: 'nokaslr' on cmdline.");
421 boot_params
->hdr
.loadflags
|= KASLR_FLAG
;
423 /* Record the various known unsafe memory ranges. */
424 mem_avoid_init(input
, input_size
, output
);
426 /* Walk e820 and find a random address. */
427 random_addr
= find_random_addr(output
, output_size
);
429 warn("KASLR disabled: could not find suitable E820 region!");
433 /* Always enforce the minimum. */
434 if (random_addr
< choice
)
437 choice
= random_addr
;
439 add_identity_map(choice
, output_size
);
441 /* This actually loads the identity pagetable on x86_64. */
442 finalize_identity_maps();
444 return (unsigned char *)choice
;
This page took 0.139726 seconds and 5 git commands to generate.