Linux 5.16 Has Early Preparations For Supporting FGKASLR
Intel and other kernel developers have been working on FGKASLR for more than a year to enhance kernel security. While the Linux kernel has long supported Address Space Layout Randomization (ASLR) to make memory addresses less predictable, FGKASLR ups the security much more by applying that randomization at the function level. It's looking like FGKASLR could be mainlined soon.
FGKASLR isn't being picked up for Linux 5.16, but there is preparation work landing in this kernel, so hopefully the feature isn't too far out. Finer Grained Kernel Address Space Layout Randomization (sometimes referred to as Function Granular KASLR) allows for function reordering on top of the base address randomization of ASLR.
FGKASLR ups the security against kernel attacks requiring known memory locations within the kernel but can cause minor (~1%) performance penalties. Since being first announced in 2020, FGKASLR has been undergoing several rounds of review.
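Why function reordering matters for attacks that need known kernel addresses, as an added example that is not from the article or the FGKASLR patches: a simplified C model that counts how many other function addresses follow from one leaked address plus the link-time layout. The six functions, their sizes, the xorshift generator and the 2 MiB-aligned slide are assumptions made for illustration.

```c
/* Simplified model, not kernel code: six hypothetical functions in .text. */
#include <stdint.h>
#include <stdio.h>
#define NFUNCS 6
/* Constructed sample sizes (bytes), in link order. */
static const uint64_t func_size[NFUNCS] = {0x140, 0x180, 0x40, 0x180, 0x120, 0x100};
/* xorshift64: deterministic stand-in for boot-time entropy. */
static uint64_t next_rand(uint64_t *s)
{
    *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17;
    return *s;
}

/* Run-time addresses for one boot. fine=0 slides the whole image (base
 * randomization only); fine=1 also shuffles the order of the functions. */
void boot_layout(uint64_t seed, int fine, uint64_t addr[NFUNCS])
{
    uint64_t s = seed ? seed : 1, off = 0;
    /* Assumed slide: one of 512 slots, 2 MiB apart, above an assumed base. */
    uint64_t base = 0xffffffff80000000ULL + ((next_rand(&s) % 512) << 21);
    int order[NFUNCS] = {0, 1, 2, 3, 4, 5};
    for (int i = NFUNCS - 1; fine && i > 0; i--) {   /* Fisher-Yates shuffle */
        int j = (int)(next_rand(&s) % (uint64_t)(i + 1));
        int t = order[i]; order[i] = order[j]; order[j] = t;
    }
    for (int k = 0; k < NFUNCS; k++) {
        addr[order[k]] = base + off;
        off += func_size[order[k]];
    }
}

/* Given only the leaked address of function 0, count how many of the other
 * five addresses follow from the link-time offsets. */
int predictable_from_one_leak(const uint64_t addr[NFUNCS])
{
    uint64_t link_off = 0;
    int hits = 0;
    for (int i = 1; i < NFUNCS; i++) {
        link_off += func_size[i - 1];
        hits += (addr[0] + link_off == addr[i]);
    }
    return hits;
}

int main(void)
{
    uint64_t a[NFUNCS];
    boot_layout(1, 0, a); printf("base only: %d/5\n", predictable_from_one_leak(a));
    boot_layout(1, 1, a); printf("reordered: %d/5\n", predictable_from_one_leak(a));
    return 0;
}
```

With base randomization alone, every boot gives 5 of 5, because relative offsets never change; with the shuffle, the count depends on the boot's permutation.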
What has landed in Linux 5.16 Git is the x86/core work, which includes "a bunch of changes" preparing for FGKASLR. Various low-level kernel changes were made to be able to support FGKASLR when those patches do end up landing. Details on those specifics can be found via this pull from last week that has since been merged.