Bug 1568461 - [RFE] Kernel address space layout randomization [KASLR] support
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.2.2
Hardware: All
OS: Linux
medium
high
Target Milestone: ovirt-4.4.3
Assignee: Michal Skrivanek
QA Contact: meital avital
URL:
Whiteboard:
Depends On: 1290840 1395248 1398633 1411490 1424943 1493125 1519748 1555268 1555276 1568736
Blocks: 1288169 1298243 1317091 1469590 1522983
Reported: 2018-04-17 14:40 UTC by Michal Skrivanek
Modified: 2020-11-11 06:45 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1555268
Environment:
Last Closed: 2020-10-11 09:36:32 UTC
oVirt Team: Virt
Embargoed:
pm-rhel: ovirt-4.4?
rbarry: ovirt-4.5?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?




Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 90056 | 0 | None | MERGED | core: add EnableKASLRDump vdc_option | 2020-10-23 10:10:09 UTC
oVirt gerrit | 90378 | 0 | None | MERGED | core: add EnableKASLRDump vdc_option | 2020-10-23 10:09:56 UTC
oVirt gerrit | 90755 | 0 | master | MERGED | core: expose EnableKASLRDump in engine-config | 2020-10-23 10:09:57 UTC
oVirt gerrit | 111653 | 0 | master | MERGED | enable dump capability for KASLR-enabled kernels | 2020-10-23 10:09:56 UTC

Description Michal Skrivanek 2018-04-17 14:40:29 UTC
+++ This bug was initially created as a clone of Bug #1555268 +++

Description of problem:
Kernel Address Space Randomization [KASLR] allows randomizing the physical and virtual address at which the kernel image is decompressed, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

The feature has been described in an LWN article:
https://lwn.net/Articles/569635/

With upstream patchsets of:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e8236c4d9338d52d0f2fcecc0b792ac0542e4ee9

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=da2b6fb990cf782b18952f534ec7323453bc4fc9

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a653f3563c51c7bb7de63d607bef09d3baddaeb8

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5bfce5ef55cbe78ee2ee6e97f2e26a8a582008f3

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6145cfe394a7f138f6b64491c5663f97dba12450

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19259943f0954dcd1817f94776376bf51c6a46d5

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f32360ef6608434a032dc7ad262d45e9693c27f3

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ab3820fd5b2896d66da7bb2a906bc382e63e7bc

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=82fa9637a2ba285bcc7c5050c73010b2c1b3d803

Version-Release number of selected component (if applicable):
went upstream in 3.14


Additional info:

https://lwn.net/Articles/569635/

Fixed upstream:

commit 7e4177a35bae49a53b04940be04418daaa988734
Author:     Marc-André Lureau <marcandre.lureau>
AuthorDate: Thu Nov 16 17:49:38 2017 +0100
Commit:     Martin Kletzander <mkletzan>
CommitDate: Sat Nov 18 10:45:10 2017 +0100

    qemu: add vmcoreinfo support
    
    Starting from qemu 2.11, the `-device vmcoreinfo` will create a fw_cfg
    entry for a guest to store dump details, necessary to process kernel
    dump with KASLR enabled and providing additional kernel details.
    
    In essence, it is similar to -fw_cfg name=etc/vmcoreinfo,file=X but in
    this case it is not backed by a file, but collected by QEMU itself.
    
    Since the device is a singleton and shouldn't use additional hardware
    resources, it is presented as a <feature> element in the libvirt
    domain XML.
    
    The device is arm/x86 only for now (targets that support fw_cfg+dma).
    
    Related to:
    https://bugzilla.redhat.com/show_bug.cgi?id=1395248
    
    Signed-off-by: Marc-André Lureau <marcandre.lureau>
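
The commit message above says the vmcoreinfo device is exposed as a `<feature>` element in the libvirt domain XML and is limited to arm/x86. The following is an added example, not part of the bug report or of the oVirt/libvirt code: it audits domain XML for guests whose dumps would lack vmcoreinfo. The arch strings, the handling of a `state` attribute, the function names and the sample domains are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# The commit message limits the device to arm/x86 (fw_cfg+dma targets).
# These libvirt arch strings are this example's assumption for that set.
FW_CFG_ARCHES = {"x86_64", "i686", "aarch64", "armv7l"}

def vmcoreinfo_status(domain_xml):
    """Return 'on', 'off', 'absent' or 'unsupported-arch' for one domain XML."""
    root = ET.fromstring(domain_xml)
    os_type = root.find("./os/type")
    arch = os_type.get("arch") if os_type is not None else None
    feature = root.find("./features/vmcoreinfo")
    if feature is None:
        return "absent"
    # Assumption: a bare <vmcoreinfo/> means enabled; libvirt versions that
    # write a state attribute use state='on' / state='off'.
    if feature.get("state", "on") != "on":
        return "off"
    if arch is not None and arch not in FW_CFG_ARCHES:
        return "unsupported-arch"
    return "on"

def domains_without_vmcoreinfo(domain_xmls):
    """Names of domains whose KASLR guest dumps would lack vmcoreinfo."""
    missing = []
    for xml_text in domain_xmls:
        if vmcoreinfo_status(xml_text) != "on":
            missing.append(ET.fromstring(xml_text).findtext("name"))
    return missing

# Constructed sample input (not taken from the bug report).
def _domain(name, arch, features):
    return (f"<domain type='kvm'><name>{name}</name>"
            f"<os><type arch='{arch}'>hvm</type></os>"
            f"<features><acpi/>{features}</features></domain>")

SAMPLES = [
    _domain("vm-bare", "x86_64", "<vmcoreinfo/>"),
    _domain("vm-on", "aarch64", "<vmcoreinfo state='on'/>"),
    _domain("vm-off", "x86_64", "<vmcoreinfo state='off'/>"),
    _domain("vm-none", "x86_64", ""),
    _domain("vm-ppc", "ppc64le", "<vmcoreinfo/>"),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(ET.fromstring(xml_text).findtext("name"), vmcoreinfo_status(xml_text))
```

In practice the input would be the output of `virsh dumpxml` for each running domain rather than the constructed samples.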

Comment 1 Michal Skrivanek 2018-04-17 14:48:42 UTC
Requires qemu-2.11 or qemu-kvm-ev 2.10.
Need to decide if that is something to enable by default mid-version (4.2.z) or if it has to wait until 4.3, since it changes the virtual guest configuration.

With current patches in 4.2.3 it can be enabled in vdc_options.

Comment 2 Michal Skrivanek 2018-08-29 08:07:28 UTC
Should be safe enough to enable in 4.3 even though it would enable it for 4.2 clusters. It will still be possible to disable it globally.

Comment 3 Ryan Barry 2019-01-21 14:54:10 UTC
Re-targeting to 4.3.1 since it is missing a patch, an acked blocker flag, or both

Comment 6 Sandro Bonazzola 2020-11-11 06:45:38 UTC
This bugzilla is included in oVirt 4.4.3 release, published on November 10th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

