head	1.10;
access;
symbols
	netbsd-10-0-RELEASE:1.10
	netbsd-10-0-RC6:1.10
	netbsd-10-0-RC5:1.10
	netbsd-10-0-RC4:1.10
	netbsd-10-0-RC3:1.10
	netbsd-10-0-RC2:1.10
	netbsd-10-0-RC1:1.10
	netbsd-10:1.10.0.10
	netbsd-10-base:1.10
	netbsd-9-3-RELEASE:1.10
	cjep_sun2x-base1:1.10
	cjep_sun2x:1.10.0.8
	cjep_sun2x-base:1.10
	cjep_staticlib_x-base1:1.10
	netbsd-9-2-RELEASE:1.10
	cjep_staticlib_x:1.10.0.6
	cjep_staticlib_x-base:1.10
	netbsd-9-1-RELEASE:1.10
	phil-wifi-20200421:1.10
	phil-wifi-20200411:1.10
	is-mlppp:1.10.0.4
	is-mlppp-base:1.10
	phil-wifi-20200406:1.10
	netbsd-9-0-RELEASE:1.10
	netbsd-9-0-RC2:1.10
	netbsd-9-0-RC1:1.10
	phil-wifi-20191119:1.10
	netbsd-9:1.10.0.2
	netbsd-9-base:1.10
	phil-wifi-20190609:1.9
	pgoyette-compat-merge-20190127:1.1.2.6
	pgoyette-compat-20190127:1.9
	pgoyette-compat-20190118:1.9
	pgoyette-compat-1226:1.9
	pgoyette-compat-1126:1.9
	pgoyette-compat-1020:1.7
	pgoyette-compat-0930:1.6
	pgoyette-compat-0906:1.5
	pgoyette-compat-0728:1.1
	phil-wifi:1.1.0.4
	phil-wifi-base:1.1
	pgoyette-compat:1.1.0.2
	pgoyette-compat-0625:1.1;
locks; strict;
comment	@# @;


1.10
date	2019.06.20.17.33.30;	author maxv;	state Exp;
branches;
next	1.9;
commitid	Ob2HTsg7N95E5XrB;

1.9
date	2018.11.24.17.54.18;	author maxv;	state Exp;
branches;
next	1.8;
commitid	XGO3Cr2jfq1kTd1B;

1.8
date	2018.11.24.17.31.10;	author maxv;	state Exp;
branches;
next	1.7;
commitid	hLZqHp3tMphnLd1B;

1.7
date	2018.10.13.05.53.50;	author maxv;	state Exp;
branches;
next	1.6;
commitid	0k4SaFLaGmcQfLVA;

1.6
date	2018.09.07.10.20.32;	author maxv;	state Exp;
branches;
next	1.5;
commitid	JNYNP7v7WDg6T9RA;

1.5
date	2018.09.04.15.41.08;	author maxv;	state Exp;
branches;
next	1.4;
commitid	eI44JYnJT3B4LNQA;

1.4
date	2018.08.24.17.09.30;	author maxv;	state Exp;
branches;
next	1.3;
commitid	GO3TY1iUAIJiBoPA;

1.3
date	2018.08.12.15.33.36;	author maxv;	state Exp;
branches;
next	1.2;
commitid	0KDe4HLSwpYjsQNA;

1.2
date	2018.08.02.17.34.51;	author maxv;	state Exp;
branches;
next	1.1;
commitid	zzvvQxBra7fQrzMA;

1.1
date	2018.06.18.06.09.56;	author maxv;	state Exp;
branches
	1.1.2.1
	1.1.4.1;
next	;
commitid	ejCRVTj300my6JGA;

1.1.2.1
date	2018.06.18.06.09.56;	author pgoyette;	state dead;
branches;
next	1.1.2.2;
commitid	8PtAu9af7VvhiDHA;

1.1.2.2
date	2018.06.25.07.25.11;	author pgoyette;	state Exp;
branches;
next	1.1.2.3;
commitid	8PtAu9af7VvhiDHA;

1.1.2.3
date	2018.09.06.06.51.43;	author pgoyette;	state Exp;
branches;
next	1.1.2.4;
commitid	HCi1bXD317XIK0RA;

1.1.2.4
date	2018.09.30.01.45.07;	author pgoyette;	state Exp;
branches;
next	1.1.2.5;
commitid	SQ44grEPCeKPh4UA;

1.1.2.5
date	2018.10.20.06.58.18;	author pgoyette;	state Exp;
branches;
next	1.1.2.6;
commitid	mTSoqZEZ4arHnFWA;

1.1.2.6
date	2018.11.26.01.49.59;	author pgoyette;	state Exp;
branches;
next	;
commitid	Zj4q5SspGdKXto1B;

1.1.4.1
date	2019.06.10.21.42.38;	author christos;	state Exp;
branches;
next	1.1.4.2;
commitid	jtc8rnCzWiEEHGqB;

1.1.4.2
date	2020.04.13.07.45.37;	author martin;	state Exp;
branches;
next	;
commitid	X01YhRUPVUDaec4C;


desc
@@


1.10
log
@Add KASLR support in UEFI.
@
text
@====== POINTER LEAKS ======

[DONE] -- Change the permissions of /dev/ksyms, as discussed in:
	http://mail-index.netbsd.org/tech-kern/2018/01/17/msg022960.html

-- The address of a non-public section is leaked because of Meltdown, "jmp
   handler". This can easily be fixed by pushing the handlers into their own
   section.

-- Replace the "%p" fmt by something relative to the kernel section (if any).
   Eg, from
	printf("%p", &some_global_var); --> "0xffffffffe38010f0"
   to
	printf("%p", &some_global_var); --> ".data.4:0x8010f0"
   This eases debugging and also prevents leaks if a driver prints kernel
   addresses as debug (I've seen that already).

[DONE] -- PPPoE sends a kernel address as host unique. (What is this shit.)

-- Several entry points leak kernel addresses:
[DONE] - "modstat -k"
[DONE] - kern.proc
[DONE] - kern.proc2
[DONE] - kern.file
[DONE] - kern.file2
[DONE] - kern.lwp
[DONE] - sysctl_inpcblist
[DONE] - sysctl_unpcblist
[DONE] - sysctl_doevcnt
[DONE] - sysctl_dobuf

-- Be careful with dmesg.

====== RANDOMIZATION ======

[DONE] -- Randomize the PTE space.

[DONE] -- Randomize the kernel main memory (VM_MIN_KERNEL_ADDRESS).

[DONE] -- Randomize the direct map.

[POINTLESS, BECAUSE CPU LEAKY] -- Randomize the PCPU area.

====== GENERAL ======

-- Sort the kernel sections by size, from largest to smallest, to save
   memory.

[DONE] -- Add the "pkboot" command in the EFI bootloader.
@


1.9
log
@Mark as done the two entries I added just minutes ago, they are now fixed.
@
text
@d49 1
a49 1
-- Add the "pkboot" command in the EFI bootloader.
@


1.8
log
@Mark four issues as fixed, add two more. Netstat was actually sysctl_unpcblist,
so remove it as duplicate.
@
text
@d29 2
a30 2
- sysctl_doevcnt
- sysctl_dobuf
@


1.7
log
@Mark one entry as done, and another one as pointless.
@
text
@a21 1
- "netstat -nat"
d24 1
a24 1
- kern.file
d26 5
a30 3
- kern.lwp
- sysctl_inpcblist
- sysctl_unpcblist
@


1.6
log
@mark two entries as done, and add two more
@
text
@d26 1
a26 1
- kern.file2
d41 1
a41 1
-- Randomize the PCPU area.
@


1.5
log
@more kernel address leaks
@
text
@d23 2
a24 2
- kern.proc
- kern.proc2
d28 2
@


1.4
log
@mark one entry as done
@
text
@d20 8
a27 3
-- "netstat -nat" leaks kernel addresses.

-- Investigate some other tools.
@


1.3
log
@mark two entries as done
@
text
@d18 1
a18 1
-- PPPoE sends a kernel address as host unique. (What is this shit.)
@


1.2
log
@Mark two entries as done.
@
text
@d28 1
a28 1
-- Randomize the PTE space.
d30 1
a30 1
-- Randomize the kernel main memory (VM_MIN_KERNEL_ADDRESS).
@


1.1
log
@todo list for kaslr, with the issues I can think of right now
@
text
@d3 2
a4 2
-- Change the permissions of /dev/ksyms, as discussed in:
	http://mail-index.netbsd.org/tech-kern/2018/01/17/msg022960.html
d32 1
a32 1
-- Randomize the direct map.
@


1.1.4.1
log
@Sync with HEAD
@
text
@d3 2
a4 2
[DONE] -- Change the permissions of /dev/ksyms, as discussed in:
	http://mail-index.netbsd.org/tech-kern/2018/01/17/msg022960.html
d18 1
a18 1
[DONE] -- PPPoE sends a kernel address as host unique. (What is this shit.)
d20 3
a22 11
-- Several entry points leak kernel addresses:
[DONE] - "modstat -k"
[DONE] - kern.proc
[DONE] - kern.proc2
[DONE] - kern.file
[DONE] - kern.file2
[DONE] - kern.lwp
[DONE] - sysctl_inpcblist
[DONE] - sysctl_unpcblist
[DONE] - sysctl_doevcnt
[DONE] - sysctl_dobuf
d28 1
a28 1
[DONE] -- Randomize the PTE space.
d30 1
a30 1
[DONE] -- Randomize the kernel main memory (VM_MIN_KERNEL_ADDRESS).
d32 1
a32 1
[DONE] -- Randomize the direct map.
d34 1
a34 1
[POINTLESS, BECAUSE CPU LEAKY] -- Randomize the PCPU area.
@


1.1.4.2
log
@Mostly merge changes from HEAD upto 20200411
@
text
@d49 1
a49 1
[DONE] -- Add the "pkboot" command in the EFI bootloader.
@


1.1.2.1
log
@file TODO.kaslr was added on branch pgoyette-compat on 2018-06-25 07:25:11 +0000
@
text
@d1 41
@


1.1.2.2
log
@Sync with HEAD
@
text
@a0 41
====== POINTER LEAKS ======

-- Change the permissions of /dev/ksyms, as discussed in:
	http://mail-index.netbsd.org/tech-kern/2018/01/17/msg022960.html

-- The address of a non-public section is leaked because of Meltdown, "jmp
   handler". This can easily be fixed by pushing the handlers into their own
   section.

-- Replace the "%p" fmt by something relative to the kernel section (if any).
   Eg, from
	printf("%p", &some_global_var); --> "0xffffffffe38010f0"
   to
	printf("%p", &some_global_var); --> ".data.4:0x8010f0"
   This eases debugging and also prevents leaks if a driver prints kernel
   addresses as debug (I've seen that already).

-- PPPoE sends a kernel address as host unique. (What is this shit.)

-- "netstat -nat" leaks kernel addresses.

-- Investigate some other tools.

-- Be careful with dmesg.

====== RANDOMIZATION ======

-- Randomize the PTE space.

-- Randomize the kernel main memory (VM_MIN_KERNEL_ADDRESS).

-- Randomize the direct map.

-- Randomize the PCPU area.

====== GENERAL ======

-- Sort the kernel sections by size, from largest to smallest, to save
   memory.

-- Add the "pkboot" command in the EFI bootloader.
@


1.1.2.3
log
@Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)
@
text
@d3 2
a4 2
[DONE] -- Change the permissions of /dev/ksyms, as discussed in:
	http://mail-index.netbsd.org/tech-kern/2018/01/17/msg022960.html
d18 1
a18 1
[DONE] -- PPPoE sends a kernel address as host unique. (What is this shit.)
d20 3
a22 8
-- Several entry points leak kernel addresses:
[DONE] - "modstat -k"
- "netstat -nat"
- kern.proc
- kern.proc2
- kern.file
- kern.file2
- kern.lwp
d28 1
a28 1
[DONE] -- Randomize the PTE space.
d30 1
a30 1
[DONE] -- Randomize the kernel main memory (VM_MIN_KERNEL_ADDRESS).
d32 1
a32 1
[DONE] -- Randomize the direct map.
@


1.1.2.4
log
@Ssync with HEAD
@
text
@d23 2
a24 2
[DONE] - kern.proc
[DONE] - kern.proc2
a27 2
- sysctl_inpcblist
- sysctl_unpcblist
@


1.1.2.5
log
@Sync with head
@
text
@d26 1
a26 1
[DONE] - kern.file2
d41 1
a41 1
[POINTLESS, BECAUSE CPU LEAKY] -- Randomize the PCPU area.
@


1.1.2.6
log
@Sync with HEAD, resolve a couple of conflicts
@
text
@d22 1
d25 1
a25 1
[DONE] - kern.file
d27 3
a29 5
[DONE] - kern.lwp
[DONE] - sysctl_inpcblist
[DONE] - sysctl_unpcblist
[DONE] - sysctl_doevcnt
[DONE] - sysctl_dobuf
@
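The "%p" entry in the TODO text above proposes printing kernel addresses relative to the (randomized) section they live in, so that a debug printf yields something like ".data.4:0x8010f0" instead of the raw virtual address. The C program below is an added example of that idea and is not NetBSD code: the section table, its names (".text.0", ".data.4", ".bss.1") and base addresses are constructed sample values, a 64-bit address space is assumed, and the function names fmt_kaddr and kaddr_formats_as are hypothetical. It also covers the two cases the TODO entry does not spell out, an address outside every known section and an output buffer that is too small.

```c
/*
 * Section-relative kernel address formatting (added example, not NetBSD
 * code). Section names and bases below are constructed sample values.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One independently randomized kernel section: name and [base, base+size). */
struct ksection {
	const char *name;
	uintptr_t   base;
	size_t      size;
};

/* Constructed sample layout. In a real KASLR kernel these bases are
 * chosen by the bootloader at boot and differ on every run. */
static const struct ksection sections[] = {
	{ ".text.0", (uintptr_t)0xffffffff80200000ULL, 0x100000 },
	{ ".data.4", (uintptr_t)0xffffffffe3000000ULL, 0x900000 },
	{ ".bss.1",  (uintptr_t)0xffffffffa1400000ULL, 0x040000 },
};

#define NSECTIONS (sizeof(sections) / sizeof(sections[0]))

/*
 * Write addr as "<section>:0x<offset>" into buf when it lies inside a
 * known section, or "<unknown>" otherwise. The absolute virtual address
 * never reaches the output, so a driver that logs this string does not
 * reveal where the randomized section was mapped. Returns the length of
 * the formatted string, or -1 if buf is too small.
 */
static int
fmt_kaddr(char *buf, size_t buflen, uintptr_t addr)
{
	int n = -1;
	size_t i;

	for (i = 0; i < NSECTIONS; i++) {
		const struct ksection *s = &sections[i];
		/* Compare as an offset so base + size cannot overflow. */
		if (addr >= s->base && addr - s->base < s->size) {
			n = snprintf(buf, buflen, "%s:0x%" PRIxPTR,
			    s->name, (uintptr_t)(addr - s->base));
			break;
		}
	}
	if (i == NSECTIONS)
		n = snprintf(buf, buflen, "<unknown>");
	return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Check helper: 1 if addr formats exactly as expect, 0 otherwise. */
static int
kaddr_formats_as(uintptr_t addr, const char *expect)
{
	char buf[64];

	if (fmt_kaddr(buf, sizeof(buf), addr) < 0)
		return 0;
	return strcmp(buf, expect) == 0;
}

int
main(void)
{
	/* Constructed address matching the TODO's example output. */
	uintptr_t some_global_var = (uintptr_t)0xffffffffe38010f0ULL;
	char buf[64];

	/* Leaky form: the raw pointer value goes straight into the log. */
	printf("leaky:    %#" PRIxPTR "\n", some_global_var);
	/* Hardened form: only the section name and the in-section offset. */
	fmt_kaddr(buf, sizeof(buf), some_global_var);
	printf("hardened: %s\n", buf);
	return 0;
}
```

The offset within a section says nothing about where that section was placed, which is what makes the string safe to emit; the section name still tells a developer which object the pointer refers to, which is the debugging benefit the TODO entry mentions. An address that matches no section is deliberately reported as "<unknown>" rather than falling back to the raw value.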