From patchwork Tue Apr 12 22:16:59 2016
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 8816961
Date: Tue, 12 Apr 2016 15:16:59 -0700
From: Kees Cook
To: Linus Torvalds
Cc: Pavel Machek, "Rafael J. Wysocki", Ingo Molnar, James Morse, Ard Biesheuvel, Matt Redfearn, Yves-Alexis Perez, Emrah Demir, Jonathan Corbet, x86@kernel.org, Len Brown, Borislav Petkov, Andy Lutomirski, linux-doc@vger.kernel.org, linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: [PATCH v2] kaslr: allow kASLR to be default over Hibernation
Message-ID: <20160412221659.GA18102@www.outflux.net>
X-Mailing-List: linux-pm@vger.kernel.org

Since kASLR and Hibernation can not currently coexist at runtime on x86, the default behavior was to disable kASLR by default when CONFIG_HIBERNATION was present (to retain original behavior). The behavior of kASLR on arm64 (and soon MIPS) is to be enabled by default when selected at build time.

Since arm64 Hibernation does not conflict with kASLR, this fixes the hibernation argument parsing to be x86-specific. Additionally, since end users want to be able to select kASLR on x86 by default at build time, create CONFIG_RANDOMIZE_BASE_ON that is present only on x86.

Signed-off-by: Kees Cook
---
v2:
- make this x86-specific selectable, rather than global default
---
 Documentation/kernel-parameters.txt |  9 +++------
 arch/x86/Kconfig                    | 16 +++++++++++++++-
 arch/x86/boot/compressed/aslr.c     |  2 +-
 kernel/power/hibernate.c            | 31 +++++++++++++++++++++++++------
 4 files changed, 44 insertions(+), 14 deletions(-)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index ecc74fa4bfde..282e5c826c32 100644
--- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -1770,12 +1770,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted. js= [HW,JOY] Analog joystick See Documentation/input/joystick.txt. - kaslr/nokaslr [X86] - Enable/disable kernel and module base offset ASLR - (Address Space Layout Randomization) if built into - the kernel. When CONFIG_HIBERNATION is selected, - kASLR is disabled by default. When kASLR is enabled, - hibernation will be disabled. + kaslr/nokaslr [KNL] When CONFIG_RANDOMIZE_BASE is set, this + enables/disables kernel and module base offset ASLR + (Address Space Layout Randomization). keepinitrd [HW,ARM] diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 2dc18605831f..e0fb1717fe3c 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1932,7 +1932,7 @@ config RELOCATABLE (CONFIG_PHYSICAL_START) is used as the minimum location. config RANDOMIZE_BASE - bool "Randomize the address of the kernel image" + bool "Randomize the address of the kernel image (kASLR)" depends on RELOCATABLE default n ---help--- @@ -1955,6 +1955,20 @@ config RANDOMIZE_BASE If unsure, say N. +config RANDOMIZE_BASE_ON + bool "Prefer kASLR over Hibernation" + depends on RANDOMIZE_BASE + depends on HIBERNATION + default n + ---help--- + Currently Hibernation and kASLR are not compatible at runtime + on x86. To enable kASLR by default (and disable Hibernation), + enable this option. To enable Hibernation by default (and + disable kASLR), disable this option. Regardless of this + setting, the availability of kASLR (and therefore Hibernation) + can be chosen at boot time with the "kaslr" or "nokaslr" + kernel argument. + config RANDOMIZE_BASE_MAX_OFFSET hex "Maximum kASLR offset allowed" if EXPERT depends on RANDOMIZE_BASE diff --git a/arch/x86/boot/compressed/aslr.c b/arch/x86/boot/compressed/aslr.c index 6a9b96b4624d..8214b174b9bd 100644 --- a/arch/x86/boot/compressed/aslr.c +++ b/arch/x86/boot/compressed/aslr.c 
@@ -304,7 +304,7 @@ unsigned char *choose_kernel_location(struct boot_params *boot_params, unsigned long choice = (unsigned long)output; unsigned long random; -#ifdef CONFIG_HIBERNATION +#ifndef CONFIG_RANDOMIZE_BASE_ON if (!cmdline_find_option_bool("kaslr")) { debug_putstr("KASLR disabled by default...\n"); goto out; diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index fca9254280ee..526a6403fb2e 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -35,8 +35,13 @@ static int nocompress; +#ifndef CONFIG_RANDOMIZE_BASE_ON static int noresume; static int nohibernate; +#else +static int noresume = 1; +static int nohibernate = 1; +#endif static int resume_wait; static unsigned int resume_delay; static char resume_file[256] = CONFIG_PM_STD_PARTITION; @@ -1154,11 +1159,6 @@ static int __init nohibernate_setup(char *str) return 1; } -static int __init kaslr_nohibernate_setup(char *str) -{ - return nohibernate_setup(str); -} - static int __init page_poison_nohibernate_setup(char *str) { #ifdef CONFIG_PAGE_POISONING_ZERO @@ -1175,6 +1175,26 @@ static int __init page_poison_nohibernate_setup(char *str) return 1; } +/* + * Hibernation on x86 currently conflicts with kASLR, so only change + * hibernation boot defaults when seeing kaslr arguments on x86. + */ +#if defined(CONFIG_X86) && defined(CONFIG_RANDOMIZE_BASE) +static int __init kaslr_nohibernate_setup(char *str) +{ + return nohibernate_setup(str); +} + +static int __init nokaslr_hibernate_setup(char *str) +{ + noresume = 0; + nohibernate = 0; + return 1; +} +__setup("kaslr", kaslr_nohibernate_setup); +__setup("nokaslr", nokaslr_hibernate_setup); +#endif + __setup("noresume", noresume_setup); __setup("resume_offset=", resume_offset_setup); __setup("resume=", resume_setup); 
@@ -1182,5 +1202,4 @@ __setup("hibernate=", hibernate_setup); __setup("resumewait", resumewait_setup); __setup("resumedelay=", resumedelay_setup); __setup("nohibernate", nohibernate_setup); -__setup("kaslr", kaslr_nohibernate_setup); __setup("page_poison=", page_poison_nohibernate_setup);
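
Review bot: In the Documentation/kernel-parameters.txt hunk, the new kaslr/nokaslr entry drops every mention of hibernation, yet on x86 this patch still wires "kaslr" to nohibernate_setup() and makes "nokaslr" clear nohibernate and noresume in kernel/power/hibernate.c. Suggest keeping an x86-specific sentence stating that "kaslr" disables hibernation, that "nokaslr" re-enables it, and that the default is selected by CONFIG_RANDOMIZE_BASE_ON, so that someone reading only this file can tell which of the two features a given command line leaves active.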
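
Review bot: In the new RANDOMIZE_BASE_ON entry in arch/x86/Kconfig, the help sentence "the availability of kASLR (and therefore Hibernation) can be chosen at boot time" reads as if the two features are enabled together, while the preceding sentences say they are mutually exclusive. Reword it to say that "kaslr" selects kASLR and disables hibernation and that "nokaslr" does the reverse. The "default n" line is redundant for a bool and can be dropped.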
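
Review bot: The switch from "#ifdef CONFIG_HIBERNATION" to "#ifndef CONFIG_RANDOMIZE_BASE_ON" in choose_kernel_location() (arch/x86/boot/compressed/aslr.c) changes the default for kernels built without hibernation. RANDOMIZE_BASE_ON carries "depends on HIBERNATION" in the Kconfig hunk, so with CONFIG_HIBERNATION unset the symbol can never be defined, the #ifndef branch is always compiled in, and randomization is skipped unless "kaslr" is on the command line; before this change such a kernel randomized by default. Suggest guarding with "#if defined(CONFIG_HIBERNATION) && !defined(CONFIG_RANDOMIZE_BASE_ON)", or dropping the HIBERNATION dependency and giving the option a default of y when hibernation is not built.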
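
Review bot: In the first kernel/power/hibernate.c hunk, the "#else" branch that initializes noresume and nohibernate to 1 has no comment, and it keys a generic file on a symbol this patch defines only in arch/x86/Kconfig. A short comment next to "static int nohibernate = 1;" saying that the x86 kASLR preference disables hibernation and resume until "nokaslr" is seen would save readers a search through arch code.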
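
Review bot: nokaslr_hibernate_setup() in the added x86 block of kernel/power/hibernate.c unconditionally writes 0 to both noresume and nohibernate, so it can undo an explicit "noresume" or "nohibernate" given on the same command line, and it does so even when CONFIG_RANDOMIZE_BASE_ON is unset and the two variables were never defaulted to 1. Suggest compiling the "nokaslr" handler only under CONFIG_RANDOMIZE_BASE_ON and recording the kASLR-imposed disable separately from the user's own request, so that "nokaslr" lifts only the restriction that kASLR introduced.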