FGKASLR Is An Exciting Linux Kernel Improvement To Look Forward To In 2022

Written by Michael Larabel in Linux Security on 26 December 2021 at 05:36 AM EST. 3 Comments
LINUX SECURITY
It's been nearly two years in the making since Intel posted FGKASLR patches for improving Linux kernel security. While that work on Finer Grained / Function Granular KASLR stalled for a year, in recent months work on it was revived and in 2022 looks like this security is on a path for mainlining.

FGKASLR is a step-up over the Kernel Address Space Layout Randomization widely used right now by the Linux kernel for thwarting attacks relying upon known positions of the kernel within memory. Rather than just randomizing the base address that can be figured out with enough guessing or leakage, FGKASLR will randomize the layout down to a code function level.

As a result, FGKASLR is much more robust for protecting systems against attacks relying upon known positions in memory. FGKASLR testing shows only minor impact to boot time performance from the function reordering/randomization. Sent out this past week were the FGKASLR v9 patches. The updated patches turns Assembly function sections on by default but can be disabled now if desired, deduplication of more code, always printing kallsyms in a random order for unprivileged users even if FGKASLR is disabled, and other code improvements.


FGKASLR is great for Linux security but can have some known implications on performance and kernel size.


If all goes well we will see this open-source Intel-led security feature land in a Linux kernel in the near future. Already in Linux 5.16 are some early preparations for FGKASLR.
3 Comments
Related News
Linux 6.11 Hardening Makes FineIBT Default Configurable At Build Time
spectre_bhi=vmexit Mitigation Merged For Linux 6.11 Cloud Use
Linux 6.11 To Allow Tightening Of /proc/[pid]/mem Access For Better Security
Linus Torvalds Unconvinced By getrandom() In The vDSO
getrandom() In The vDSO Aims For Linux 6.11 To Provide Faster Yet Secure User-Space RNG
"Indirector" Attack Disclosed For Intel Alder Lake & Raptor Lake CPUs
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
EXT4 Has A Very Nice Performance Optimization For Linux 6.11
Microsoft's WSL 2.3.11 Brings "Hundreds Of New Kernel Modules" & New Features
systemd Talks Up Automatic Boot Assessment In Light Of The Crowdstrike-Microsoft Outage
XZ Patches For The Linux Kernel Updated, Drops "Jia Tan" As A Maintainer
New Linux Patches Enable The Snapdragon X1 Elite Powered Lenovo ThinkPad T14s Gen 6
KDE Developers Tackle The Five Most Common Plasma Crashes
USB & Thunderbolt Improvements Land In Linux 6.11
NVIDIA 560 Linux Driver Beta Released - Defaults To Open GPU Kernel Modules