projects / deliverable / linux.git / blob
? search:


f5a138c3fe96bf93490dab047d193d507b551518
[deliverable/linux.git] / arch / x86 / boot / compressed / kaslr.c
1 /*
2 * kaslr.c
3 *
4 * This contains the routines needed to generate a reasonable level of
5 * entropy to choose a randomized kernel base address offset in support
6 * of Kernel Address Space Layout Randomization (KASLR). Additionally
7 * handles walking the physical memory maps (and tracking memory regions
8 * to avoid) in order to select a physical memory location that can
9 * contain the entire properly aligned running kernel image.
10 *
11 */
12 #include "misc.h"
13 #include "error.h"
14
15 #include <asm/msr.h>
16 #include <asm/archrandom.h>
17 #include <asm/e820.h>
18
19 #include <generated/compile.h>
20 #include <linux/module.h>
21 #include <linux/uts.h>
22 #include <linux/utsname.h>
23 #include <generated/utsrelease.h>
24
25 /* Simplified build-specific string for starting entropy. */
26 static const char build_str[] = UTS_RELEASE " (" LINUX_COMPILE_BY "@"
27 LINUX_COMPILE_HOST ") (" LINUX_COMPILER ") " UTS_VERSION;
28
29 #define I8254_PORT_CONTROL 0x43
30 #define I8254_PORT_COUNTER0 0x40
31 #define I8254_CMD_READBACK 0xC0
32 #define I8254_SELECT_COUNTER0 0x02
33 #define I8254_STATUS_NOTREADY 0x40
34 static inline u16 i8254(void)
35 {
36 u16 status, timer;
37
38 do {
39 outb(I8254_PORT_CONTROL,
40 I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
41 status = inb(I8254_PORT_COUNTER0);
42 timer = inb(I8254_PORT_COUNTER0);
43 timer |= inb(I8254_PORT_COUNTER0) << 8;
44 } while (status & I8254_STATUS_NOTREADY);
45
46 return timer;
47 }
48
49 static unsigned long rotate_xor(unsigned long hash, const void *area,
50 size_t size)
51 {
52 size_t i;
53 unsigned long *ptr = (unsigned long *)area;
54
55 for (i = 0; i < size / sizeof(hash); i++) {
56 /* Rotate by odd number of bits and XOR. */
57 hash = (hash << ((sizeof(hash) * 8) - 7)) | (hash >> 7);
58 hash ^= ptr[i];
59 }
60
61 return hash;
62 }
63
64 /* Attempt to create a simple but unpredictable starting entropy. */
65 static unsigned long get_random_boot(void)
66 {
67 unsigned long hash = 0;
68
69 hash = rotate_xor(hash, build_str, sizeof(build_str));
70 hash = rotate_xor(hash, boot_params, sizeof(*boot_params));
71
72 return hash;
73 }
74
75 static unsigned long get_random_long(void)
76 {
77 #ifdef CONFIG_X86_64
78 const unsigned long mix_const = 0x5d6008cbf3848dd3UL;
79 #else
80 const unsigned long mix_const = 0x3f39e593UL;
81 #endif
82 unsigned long raw, random = get_random_boot();
83 bool use_i8254 = true;
84
85 debug_putstr("KASLR using");
86
87 if (has_cpuflag(X86_FEATURE_RDRAND)) {
88 debug_putstr(" RDRAND");
89 if (rdrand_long(&raw)) {
90 random ^= raw;
91 use_i8254 = false;
92 }
93 }
94
95 if (has_cpuflag(X86_FEATURE_TSC)) {
96 debug_putstr(" RDTSC");
97 raw = rdtsc();
98
99 random ^= raw;
100 use_i8254 = false;
101 }
102
103 if (use_i8254) {
104 debug_putstr(" i8254");
105 random ^= i8254();
106 }
107
108 /* Circular multiply for better bit diffusion */
109 asm("mul %3"
110 : "=a" (random), "=d" (raw)
111 : "a" (random), "rm" (mix_const));
112 random += raw;
113
114 debug_putstr("...\n");
115
116 return random;
117 }
118
119 struct mem_vector {
120 unsigned long start;
121 unsigned long size;
122 };
123
124 enum mem_avoid_index {
125 MEM_AVOID_ZO_RANGE = 0,
126 MEM_AVOID_INITRD,
127 MEM_AVOID_CMDLINE,
128 MEM_AVOID_BOOTPARAMS,
129 MEM_AVOID_MAX,
130 };
131
132 static struct mem_vector mem_avoid[MEM_AVOID_MAX];
133
134 static bool mem_contains(struct mem_vector *region, struct mem_vector *item)
135 {
136 /* Item at least partially before region. */
137 if (item->start < region->start)
138 return false;
139 /* Item at least partially after region. */
140 if (item->start + item->size > region->start + region->size)
141 return false;
142 return true;
143 }
144
145 static bool mem_overlaps(struct mem_vector *one, struct mem_vector *two)
146 {
147 /* Item one is entirely before item two. */
148 if (one->start + one->size <= two->start)
149 return false;
150 /* Item one is entirely after item two. */
151 if (one->start >= two->start + two->size)
152 return false;
153 return true;
154 }
155
156 /*
157 * In theory, KASLR can put the kernel anywhere in the range of [16M, 64T).
158 * The mem_avoid array is used to store the ranges that need to be avoided
159 * when KASLR searches for an appropriate random address. We must avoid any
160 * regions that are unsafe to overlap with during decompression, and other
161 * things like the initrd, cmdline and boot_params. This comment seeks to
162 * explain mem_avoid as clearly as possible since incorrect mem_avoid
163 * memory ranges lead to really hard to debug boot failures.
164 *
165 * The initrd, cmdline, and boot_params are trivial to identify for
166 * avoiding. The are MEM_AVOID_INITRD, MEM_AVOID_CMDLINE, and
167 * MEM_AVOID_BOOTPARAMS respectively below.
168 *
169 * What is not obvious how to avoid is the range of memory that is used
170 * during decompression (MEM_AVOID_ZO_RANGE below). This range must cover
171 * the compressed kernel (ZO) and its run space, which is used to extract
172 * the uncompressed kernel (VO) and relocs.
173 *
174 * ZO's full run size sits against the end of the decompression buffer, so
175 * we can calculate where text, data, bss, etc of ZO are positioned more
176 * easily.
177 *
178 * For additional background, the decompression calculations can be found
179 * in header.S, and the memory diagram is based on the one found in misc.c.
180 *
181 * The following conditions are already enforced by the image layouts and
182 * associated code:
183 * - input + input_size >= output + output_size
184 * - kernel_total_size <= init_size
185 * - kernel_total_size <= output_size (see Note below)
186 * - output + init_size >= output + output_size
187 *
188 * (Note that kernel_total_size and output_size have no fundamental
189 * relationship, but output_size is passed to choose_random_location
190 * as a maximum of the two. The diagram is showing a case where
191 * kernel_total_size is larger than output_size, but this case is
192 * handled by bumping output_size.)
193 *
194 * The above conditions can be illustrated by a diagram:
195 *
196 * 0 output input input+input_size output+init_size
197 * | | | | |
198 * | | | | |
199 * |-----|--------|--------|--------------|-----------|--|-------------|
200 * | | |
201 * | | |
202 * output+init_size-ZO_INIT_SIZE output+output_size output+kernel_total_size
203 *
204 * [output, output+init_size) is the entire memory range used for
205 * extracting the compressed image.
206 *
207 * [output, output+kernel_total_size) is the range needed for the
208 * uncompressed kernel (VO) and its run size (bss, brk, etc).
209 *
210 * [output, output+output_size) is VO plus relocs (i.e. the entire
211 * uncompressed payload contained by ZO). This is the area of the buffer
212 * written to during decompression.
213 *
214 * [output+init_size-ZO_INIT_SIZE, output+init_size) is the worst-case
215 * range of the copied ZO and decompression code. (i.e. the range
216 * covered backwards of size ZO_INIT_SIZE, starting from output+init_size.)
217 *
218 * [input, input+input_size) is the original copied compressed image (ZO)
219 * (i.e. it does not include its run size). This range must be avoided
220 * because it contains the data used for decompression.
221 *
222 * [input+input_size, output+init_size) is [_text, _end) for ZO. This
223 * range includes ZO's heap and stack, and must be avoided since it
224 * performs the decompression.
225 *
226 * Since the above two ranges need to be avoided and they are adjacent,
227 * they can be merged, resulting in: [input, output+init_size) which
228 * becomes the MEM_AVOID_ZO_RANGE below.
229 */
230 static void mem_avoid_init(unsigned long input, unsigned long input_size,
231 unsigned long output)
232 {
233 unsigned long init_size = boot_params->hdr.init_size;
234 u64 initrd_start, initrd_size;
235 u64 cmd_line, cmd_line_size;
236 char *ptr;
237
238 /*
239 * Avoid the region that is unsafe to overlap during
240 * decompression.
241 */
242 mem_avoid[MEM_AVOID_ZO_RANGE].start = input;
243 mem_avoid[MEM_AVOID_ZO_RANGE].size = (output + init_size) - input;
244 add_identity_map(mem_avoid[MEM_AVOID_ZO_RANGE].start,
245 mem_avoid[MEM_AVOID_ZO_RANGE].size);
246
247 /* Avoid initrd. */
248 initrd_start = (u64)boot_params->ext_ramdisk_image << 32;
249 initrd_start |= boot_params->hdr.ramdisk_image;
250 initrd_size = (u64)boot_params->ext_ramdisk_size << 32;
251 initrd_size |= boot_params->hdr.ramdisk_size;
252 mem_avoid[MEM_AVOID_INITRD].start = initrd_start;
253 mem_avoid[MEM_AVOID_INITRD].size = initrd_size;
254 /* No need to set mapping for initrd, it will be handled in VO. */
255
256 /* Avoid kernel command line. */
257 cmd_line = (u64)boot_params->ext_cmd_line_ptr << 32;
258 cmd_line |= boot_params->hdr.cmd_line_ptr;
259 /* Calculate size of cmd_line. */
260 ptr = (char *)(unsigned long)cmd_line;
261 for (cmd_line_size = 0; ptr[cmd_line_size++]; )
262 ;
263 mem_avoid[MEM_AVOID_CMDLINE].start = cmd_line;
264 mem_avoid[MEM_AVOID_CMDLINE].size = cmd_line_size;
265 add_identity_map(mem_avoid[MEM_AVOID_CMDLINE].start,
266 mem_avoid[MEM_AVOID_CMDLINE].size);
267
268 /* Avoid boot parameters. */
269 mem_avoid[MEM_AVOID_BOOTPARAMS].start = (unsigned long)boot_params;
270 mem_avoid[MEM_AVOID_BOOTPARAMS].size = sizeof(*boot_params);
271 add_identity_map(mem_avoid[MEM_AVOID_BOOTPARAMS].start,
272 mem_avoid[MEM_AVOID_BOOTPARAMS].size);
273
274 /* We don't need to set a mapping for setup_data. */
275
276 #ifdef CONFIG_X86_VERBOSE_BOOTUP
277 /* Make sure video RAM can be used. */
278 add_identity_map(0, PMD_SIZE);
279 #endif
280 }
281
282 /* Does this memory vector overlap a known avoided area? */
283 static bool mem_avoid_overlap(struct mem_vector *img)
284 {
285 int i;
286 struct setup_data *ptr;
287
288 for (i = 0; i < MEM_AVOID_MAX; i++) {
289 if (mem_overlaps(img, &mem_avoid[i]))
290 return true;
291 }
292
293 /* Avoid all entries in the setup_data linked list. */
294 ptr = (struct setup_data *)(unsigned long)boot_params->hdr.setup_data;
295 while (ptr) {
296 struct mem_vector avoid;
297
298 avoid.start = (unsigned long)ptr;
299 avoid.size = sizeof(*ptr) + ptr->len;
300
301 if (mem_overlaps(img, &avoid))
302 return true;
303
304 ptr = (struct setup_data *)(unsigned long)ptr->next;
305 }
306
307 return false;
308 }
309
310 static unsigned long slots[KERNEL_IMAGE_SIZE / CONFIG_PHYSICAL_ALIGN];
311 static unsigned long slot_max;
312
313 static void slots_append(unsigned long addr)
314 {
315 /* Overflowing the slots list should be impossible. */
316 if (slot_max >= KERNEL_IMAGE_SIZE / CONFIG_PHYSICAL_ALIGN)
317 return;
318
319 slots[slot_max++] = addr;
320 }
321
322 static unsigned long slots_fetch_random(void)
323 {
324 /* Handle case of no slots stored. */
325 if (slot_max == 0)
326 return 0;
327
328 return slots[get_random_long() % slot_max];
329 }
330
331 static void process_e820_entry(struct e820entry *entry,
332 unsigned long minimum,
333 unsigned long image_size)
334 {
335 struct mem_vector region, img;
336
337 /* Skip non-RAM entries. */
338 if (entry->type != E820_RAM)
339 return;
340
341 /* Ignore entries entirely above our maximum. */
342 if (entry->addr >= KERNEL_IMAGE_SIZE)
343 return;
344
345 /* Ignore entries entirely below our minimum. */
346 if (entry->addr + entry->size < minimum)
347 return;
348
349 region.start = entry->addr;
350 region.size = entry->size;
351
352 /* Potentially raise address to minimum location. */
353 if (region.start < minimum)
354 region.start = minimum;
355
356 /* Potentially raise address to meet alignment requirements. */
357 region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
358
359 /* Did we raise the address above the bounds of this e820 region? */
360 if (region.start > entry->addr + entry->size)
361 return;
362
363 /* Reduce size by any delta from the original address. */
364 region.size -= region.start - entry->addr;
365
366 /* Reduce maximum size to fit end of image within maximum limit. */
367 if (region.start + region.size > KERNEL_IMAGE_SIZE)
368 region.size = KERNEL_IMAGE_SIZE - region.start;
369
370 /* Walk each aligned slot and check for avoided areas. */
371 for (img.start = region.start, img.size = image_size ;
372 mem_contains(&region, &img) ;
373 img.start += CONFIG_PHYSICAL_ALIGN) {
374 if (mem_avoid_overlap(&img))
375 continue;
376 slots_append(img.start);
377 }
378 }
379
380 static unsigned long find_random_addr(unsigned long minimum,
381 unsigned long size)
382 {
383 int i;
384 unsigned long addr;
385
386 /* Make sure minimum is aligned. */
387 minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
388
389 /* Verify potential e820 positions, appending to slots list. */
390 for (i = 0; i < boot_params->e820_entries; i++) {
391 process_e820_entry(&boot_params->e820_map[i], minimum, size);
392 }
393
394 return slots_fetch_random();
395 }
396
397 /*
398 * Since this function examines addresses much more numerically,
399 * it takes the input and output pointers as 'unsigned long'.
400 */
401 unsigned char *choose_random_location(unsigned long input,
402 unsigned long input_size,
403 unsigned long output,
404 unsigned long output_size)
405 {
406 unsigned long choice = output;
407 unsigned long random_addr;
408
409 #ifdef CONFIG_HIBERNATION
410 if (!cmdline_find_option_bool("kaslr")) {
411 warn("KASLR disabled: 'kaslr' not on cmdline (hibernation selected).");
412 goto out;
413 }
414 #else
415 if (cmdline_find_option_bool("nokaslr")) {
416 warn("KASLR disabled: 'nokaslr' on cmdline.");
417 goto out;
418 }
419 #endif
420
421 boot_params->hdr.loadflags |= KASLR_FLAG;
422
423 /* Record the various known unsafe memory ranges. */
424 mem_avoid_init(input, input_size, output);
425
426 /* Walk e820 and find a random address. */
427 random_addr = find_random_addr(output, output_size);
428 if (!random_addr) {
429 warn("KASLR disabled: could not find suitable E820 region!");
430 goto out;
431 }
432
433 /* Always enforce the minimum. */
434 if (random_addr < choice)
435 goto out;
436
437 choice = random_addr;
438
439 add_identity_map(choice, output_size);
440
441 /* This actually loads the identity pagetable on x86_64. */
442 finalize_identity_maps();
443 out:
444 return (unsigned char *)choice;
445 }
Linux kernel - Deliverables
This page took 0.139726 seconds and 5 git commands to generate.