KAISER Getting Ready To Better Protect The Linux Kernel
Written by Michael Larabel in Linux Kernel on 27 November 2017 at 06:18 AM EST. 27 Comments
LINUX KERNEL --
Recently a number of patches have been floating around the kernel mailing list for prepping "KAISER" in what will likely be merged come Linux 4.16. KAISER is a new security feature for the Linux kernel.

KAISER was originally devised at Austria's Graz University of Technology as Kernel Address Isolation to have Side-channels Efficiently Removed. KAISER unmaps most of the kernel from user-space page tables and makes it more difficult to defeat KASLR (Kernel Address Space Layout Randomization).

KAISER kernel isolation closes hardware side channels on kernel address information. The proof of concept patches developed in Graz resulted in syscalls and interrupts being slower, but now there is support for PCID (Process Context Identifiers) to make context switching faster and reduce TLB flushing to lower the overhead of this security feature.

From the new KAISER Kconfig switch, "This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace."

The original KAISER patches can be found on GitHub while the very newest KAISER patches can be found for review on the kernel mailing list.

About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Linux Kernel News
Popular News