Are there any examples or information on implementation of KASLR for Linux on an iMX8M processor? I see signs of KASLR in Uboot and Linux, but info on implementation and what if any version of Uboot supports setting KASLR up.
I have changed settings in Uboot based on what searches have returned, but it appears that something is still not correct as Linux is not getting the "KASLR seed".
Any information would be greatly appreciated.
Hi @flobro
I tested this feature with i.MX 8M Plus Evaluation kit + Linux 6.6.36_2.1.0 + U-BOOT2024.04 on my side. It works.
I can see the address of kmalloc_info is changed each time I reboot. First it is ffffdbdc70f57980; after reboot, it changed to ffffd9c59a557980.
I can see the kaslr-seed in the device tree.
What I did was just enable +CONFIG_DM_RNG=y and +CONFIG_KASLR=y in the u-boot config.
CONFIG_RANDOMIZE_BASE is set by default in Linux kernel.
Could you please refer to u-boot-imx 2024.04 ?
Regards
Daniel
Also, please ask your web people to change the authentication, the "Recaptcha" is awful.
Thanks, I will forward it to our web team.
(There is no BSP since this is a Variscite board)
I am using uboot 2023.04 (this is based on Variscite's Yocto build) and a Linux 5.10.52 (also from Variscite) that it appears would work if uboot was setting up the KASLR seed.
The issue is that other than the basic uboot and Linux configs needed, there is no other information about the mechanics that uboot requires... such
There needs to be a howto other than "set these configs", because either something is missing from the imx8m Plus layers in uboot, or I am missing something in the overall process (probably both).
Hi @flobro :
To enable the KASLR feature, just make sure to enable the KASLR-related configs:
+CONFIG_DM_RNG=y
+CONFIG_KASLR=y
Regards
Daniel
The reply (+CONFIG_DM...) is easily found on a Google search. That is the easy part. If only it worked.
All configs are in place, but nothing works as far as uboot is concerned. I still have not seen any more information on a "howto" for an imx8M plus as far as image type required, what device tree is appended to,...
I currently pass a device tree with the kernel that are signed for HAB, and I do not see how that would work with KASLR since the device tree is modified which would cause the boot to fail.
Hi flobro:
After enabling the following configuration in u-boot:
+CONFIG_DM_RNG=y
+CONFIG_KASLR=y
It writes kaslr-seed to the dtb file and the kernel gets the seed value to calculate the offset.
For verification, you can just run the following commands to check whether the address is changed each time you boot the board:
root@imx8mpevk:~# cat /proc/kallsyms | grep kmalloc_info
ffffcf56c0f57980 D kmalloc_info
Make sure that CONFIG_RANDOMIZE_BASE is set in the kernel config and do not set "nokaslr" in bootargs.
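The checks described in the reply above, collected into one script to run on the target (an added example, not part of the original thread and not NXP or Variscite code). The state file path `/var/lib/kaslr-check.addr` and the `--run` flag are assumptions of this sketch; the state file must live on storage that survives a reboot. An all-zero address is reported as `hidden`, since /proc/kallsyms shows zeroed addresses to unprivileged readers.

```shell
#!/bin/sh
# Added example: on-target KASLR checks based on the steps in this thread.
# The state file path and the --run flag are assumptions of this sketch.

# 0 if "nokaslr" is absent from the kernel command line file ($1).
cmdline_allows_kaslr() {
    ! tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'nokaslr'
}

# 0 if CONFIG_RANDOMIZE_BASE=y is set in a kernel config ($1, plain or .gz).
config_has_randomize_base() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | grep -qx 'CONFIG_RANDOMIZE_BASE=y'
}

# Print the address of symbol $1 from a kallsyms-format file ($2).
symbol_addr() {
    awk -v s="$1" '$3 == s { print $1; exit }' "${2:-/proc/kallsyms}"
}

# Compare this boot's address ($1) with the one stored in state file ($2).
# Prints hidden | first-run | unchanged | randomized and updates the file.
kaslr_verdict() {
    cur=$1; state=$2
    # Empty or all-zero: symbol missing, or kallsyms read without root.
    if [ -z "$(printf %s "$cur" | tr -d 0)" ]; then echo hidden; return 0; fi
    if [ ! -f "$state" ]; then echo "$cur" > "$state"; echo first-run; return 0; fi
    prev=$(cat "$state"); echo "$cur" > "$state"
    if [ "$cur" = "$prev" ]; then echo unchanged; else echo randomized; fi
}

# Run against the live system only when asked to: sh kaslr-check.sh --run
if [ "${1:-}" = "--run" ]; then
    cmdline_allows_kaslr || echo "nokaslr is set in bootargs"
    [ -r /proc/config.gz ] && { config_has_randomize_base /proc/config.gz \
        || echo "CONFIG_RANDOMIZE_BASE is not set"; }
    kaslr_verdict "$(symbol_addr kmalloc_info)" /var/lib/kaslr-check.addr
fi
```

Run it as root once per boot; `unchanged` on two consecutive boots means the kernel did not receive a usable seed.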
Where are any sample configurations for uboot that work for imx8M (plus) that actually work? That would include the image type needed and the device tree that uboot is told to use? I cannot find anything other than the simple "Set these things in the Uboot config -..."
Been there, done that, does not work. There are no howto's, or sample projects for imx8 that I have seen. Seems KASLR has worked for x86* for quite a while, and now I am told that this is an exploit waiting to happen...
I also realize that each arch and chip type requires layers for many of the options in uboot, and I am worried that imx8M Plus is missing some of them.
Come on NXP, all the security stuff in the chip and we can't get KASLR as a standard thing to do on these chips we have invested in?
I had to use Variscite's 2024.04 version that they prepared (and make some adjustments for our version of their design).
So after some grief and debugging, Uboot works, and so does KASLR even with an older 5.10.52 Linux kernel.
Hopefully anyone else looking at KASLR for imx8M can find these messages.
Now the problem of "DMA hacking" via pcie/M.2 because the processor does not have a "SMMU"... I guess the only solution is not to have a pcie bus exposed on the board.
This is starting to sound insightful. I will look at 2024.04 and the next question is to resolve how the device tree is handled from uboot to the kernel.
Is there a link to build the evk? I downloaded it, but the real issue is that there are undefined symbols for the uboot-2024.04 config file which my older version does not have... like:
.config:180:warning: symbol value '' invalid for TEXT_BASE
.config:249:warning: symbol value '' invalid for SYS_LOAD_ADDR
.config:310:warning: symbol value '' invalid for SYS_UBOOT_START
.config:519:warning: symbol value '' invalid for SPL_BSS_MAX_SIZE
.config:1174:warning: symbol value '' invalid for FASTBOOT_FLASH_MMC_DEV
Thanks
Sorry, I forgot about looking at default configs... looking at the imx8mp_evk_defconfig now.