KAISER Getting Ready To Better Protect The Linux Kernel

Written by Michael Larabel in Linux Kernel on 27 November 2017 at 06:18 AM EST. 27 Comments
Recently a number of patches have been floating around the kernel mailing list for prepping "KAISER" in what will likely be merged come Linux 4.16. KAISER is a new security feature for the Linux kernel.

KAISER was originally devised at Austria's Graz University of Technology as Kernel Address Isolation to have Side-channels Efficiently Removed. KAISER unmaps most of the kernel from user-space page tables and makes it more difficult to defeat KASLR (Kernel Address Space Layout Randomization).

KAISER kernel isolation closes hardware side channels on kernel address information. The proof of concept patches developed in Graz resulted in syscalls and interrupts being slower, but now there is support for PCID (Process Context Identifiers) to make context switching faster and reduce TLB flushing to lower the overhead of this security feature.

From the new KAISER Kconfig switch, "This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace."

The original KAISER patches can be found on GitHub while the very newest KAISER patches can be found for review on the kernel mailing list.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week