Red Hat SummitChapter 42. Enabling kstack randomization offset to improve security
The kernel stack (kstack) randomization offset security feature randomizes the kernel stack location for each system call. This prevents attackers to exploit kernel vulnerabilities.
Unlike other architectures that rely on cycle counters for kstack randomization, a method that can be unreliable, 64-bit ARM (aarch64) uses the kernel’s random number generator (RNG). This approach is preferred for several reasons:
- The absence of a consistently enabled or fast cycle counter
- The lack of a ubiquitous high-frequency timer
-
Systems that do not support the v8.5
FEAT_RNGinstruction set
While the kernel RNG is generally a robust solution, it can introduce significant latency spikes, particularly for real-time (RT) workloads. As a result, the kstack randomization offset feature is disabled by default in the aarch64 real-time kernel. This decision, however, includes a tradeoff: it slightly reduces kernel security.
42.1. Enabling kstack randomization offset on 64-bit ARM
On 64-bit ARM (aarch64) systems, the kstack randomization offset feature is disabled by default in the real-time kernel. If the potential latency is acceptable for your use case, you can re-enable this feature to improve kernel security.
Prerequisites
- You have administrator permissions.
- Your system is running on 64-bit ARM (aarch64) architecture.
Procedure
Enable the
randomize_kstack_offsetkernel parameter by usinggrubby.# grubby --update-kernel=ALL --args="randomize_kstack_offset=y"Reboot the system for changes to take effect.
# reboot
Verification
Check that the
randomize_kstack_offset=yparameter is specified in the/proc/cmdlinefile.# cat /proc/cmdlineThe output includes
randomize_kstack_offset=y.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}