linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try

Quoted from https://capsule8.com/blog/kernel-configuration-glossary/: > Significance: Critical > > In support of Kernel Address Space Layout Randomization (KASLR) this randomizes > the physical address at which the kernel image is decompressed and the virtual > address where the kernel image is mapped as a security feature that deters > exploit attempts relying on knowledge of the location of kernel code internals. We tried to enable this back in 2020, and failed. Since then, things may have been improved, so let's give this low-hanging fruit another try. Fixes: #12363 Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2022-07-11 15:07:22 +00:00
parent 67261075a3
commit 7caecf45fb
2 changed files with 2 additions and 1 deletions
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_PSEUDO_NMI is not set
 CONFIG_RELOCATABLE=y
-# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_RANDOMIZE_BASE=y
 CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y
 CONFIG_STACKPROTECTOR_PER_TASK=y
 # end of Kernel Features
--- a/config/rootfiles/common/aarch64/linux
+++ b/config/rootfiles/common/aarch64/linux
@@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ
 #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK
 #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS
+#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE
 #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT
 #lib/modules/KVER-ipfire/build/include/config/RAS
 #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE