FGKASLR Revised For Better Linux Security Via Enhanced Address Space Randomization

Written by Michael Larabel in Linux Kernel on 23 June 2020 at 06:57 PM EDT.

One of many high-profile features that didn't make it in time for Linux 5.8 is FGKASLR, Function Granular Kernel Address Space Layout Randomization.

Intel's Kristen Carlson Accardi sent out the original FGKASLR patches back in February for enhancing kernel security by providing address space layout randomization at the function level rather than only randomizing the base address of the kernel. Function reordering is used on top of KASLR to make relative addresses within the kernel far less predictable. This reordering is done at boot time.
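
To make the difference concrete, here is a toy model added for illustration; it is not code from the FGKASLR patches. It counts how many distinct values the distance between two functions takes across simulated boots, first with only the base randomized and then with per-function shuffling. The function sizes, the 2 MiB base step, the seeding and all names (`boot_layout`, `distinct_offsets`) are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define NFUNC 8
/* Constructed toy "kernel text": function sizes in bytes, in link order. */
static const uint32_t func_size[NFUNC] = {0x40, 0x120, 0x30, 0x200, 0x90, 0x60, 0x150, 0x80};
static uint64_t rng_state;
static uint64_t rng_next(void)   /* xorshift64: reproducible, not a secure RNG */
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return rng_state;
}

/* Lay out the functions for one simulated boot; fine_grained == 0 is base-only KASLR. */
static void boot_layout(uint64_t boot, int fine_grained, uint64_t addr[NFUNC])
{
    int order[NFUNC];
    rng_state = (boot + 1) * 0x9E3779B97F4A7C15ULL;   /* per-boot seed, never zero */
    uint64_t cur = 0xffffffff80000000ULL + (rng_next() % 256) * 0x200000ULL; /* random base */
    for (int i = 0; i < NFUNC; i++) order[i] = i;
    for (int i = NFUNC - 1; fine_grained && i > 0; i--) {   /* Fisher-Yates shuffle */
        int j = (int)(rng_next() % (uint64_t)(i + 1));
        int t = order[i]; order[i] = order[j]; order[j] = t;
    }
    for (int i = 0; i < NFUNC; i++) { addr[order[i]] = cur; cur += func_size[order[i]]; }
}

/* Distinct values of addr[b] - addr[a] observed across `boots` simulated boots. */
static int distinct_offsets(int a, int b, int fine_grained, int boots)
{
    int64_t seen[64];
    int n = 0;
    for (int s = 0; s < boots && n < 64; s++) {
        uint64_t addr[NFUNC];
        boot_layout((uint64_t)s, fine_grained, addr);
        int64_t d = (int64_t)(addr[b] - addr[a]);
        int k = 0;
        while (k < n && seen[k] != d) k++;
        if (k == n) seen[n++] = d;   /* record an offset not seen before */
    }
    return n;
}

int main(void)
{
    printf("distinct offsets over 32 boots: base-only %d, function-granular %d\n",
           distinct_offsets(0, 5, 0, 32), distinct_offsets(0, 5, 1, 32));
    return 0;
}
```

With base-only randomization the distance between any two functions is a build-time constant, so one known address fixes every other; with the shuffle that distance changes from boot to boot.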

Function Granular Kernel Address Space Layout Randomization is great for improving kernel security, but besides slightly longer boot times it can also impact performance. Reported benchmark results with FGKASLR were mixed, while we still have our own plans to benchmark the patches on our ever-long TODO list.

Sent out on Tuesday by Kristen were the v3 patches for this functionality. She has been improving the commit messages / cover letter / documentation and making various minor tweaks and code improvements.

See the mailing list thread for more details on the latest FGKASLR support. We'll see if this work gets tidied up in time for merging with Linux 5.9 later this summer. Hopefully in the coming days I'll find the time to run our benchmarks of it.