author Xi Ruoyao <xry111@xry111.site> 2022-09-11 12:05:21 +0800
committer Xi Ruoyao <xry111@xry111.site> 2022-09-11 12:09:18 +0800
commit e5aa02fe17dcce0f57a59ab1384973be8c71f2fd (patch)
tree 5e8d30fcd201433fa5d1d8515eef88f3c8333db0 /chapter10
parent a710d35e1f64684e29b1a1d627be64f495481e13 (diff)
kernel: enable ASLR and SSP
It does not make too much sense to protect the userspace with PIE+ASLR and SSP but leave the kernel alone...
Diffstat (limited to 'chapter10')
-rw-r--r-- chapter10/kernel.xml 33
1 file changed, 31 insertions, 2 deletions
diff --git a/chapter10/kernel.xml b/chapter10/kernel.xml
index 9042f570b..76a6f86ca 100644
--- a/chapter10/kernel.xml
+++ b/chapter10/kernel.xml
@@ -105,9 +105,15 @@
<para>Be sure to enable/disable/set the following features or the system might
not work correctly or boot at all:</para>
- <screen role="nodump" revision="sysv">General setup -->
+ <screen role="nodump" revision="sysv">Processor type and features ---&gt;
+ [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
+ [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
+General setup ---&gt;
[ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
&lt; &gt; Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
+General architecture-dependent options ---&gt;
+ [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
+ [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
Device Drivers ---&gt;
Graphics support ---&gt;
Frame buffer Devices ---&gt;
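Review bot: the new `Processor type and features ---&gt;` block at the top of the sysv screen is the x86 menu name; CONFIG_RANDOMIZE_BASE sits under a different top-level menu on other architectures, so if this chapter is meant to read architecture-neutrally, say that the menu path shown is for x86. Also, `[*] Build a relocatable kernel [CONFIG_RELOCATABLE]` is added to the screen but gets no entry in the rationale list further down, which only covers KASLR; either add a one-line entry for it or state in the KASLR entry that KASLR depends on a relocatable kernel, so readers understand why both boxes must be ticked.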
@@ -117,7 +123,10 @@ Device Drivers ---&gt;
[*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS]
[*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen>
- <screen role="nodump" revision="systemd">General setup -->
+ <screen role="nodump" revision="systemd">Processor type and features ---&gt;
+ [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
+ [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
+General setup ---&gt;
[ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
[ ] Auditing Support [CONFIG_AUDIT]
CPU/Task time and stats accounting ---&gt;
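Review bot: the replaced `<screen>` lines in both the sysv and systemd hunks also change the arrow after `General setup` from `-->` to `---&gt;`, matching the other menu entries; that is a cosmetic fix unrelated to ASLR/SSP and is not mentioned in the commit message, so either note it there or split it into its own commit. Otherwise the systemd block is byte-identical to the sysv one, which is what we want so the two revisions do not drift.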
@@ -130,6 +139,8 @@ Device Drivers ---&gt;
[*] open by fhandle syscalls [CONFIG_FHANDLE]
General architecture-dependent options ---&gt;
[*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP]
+ [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
+ [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
Networking support ---&gt;
Networking options ---&gt;
&lt;*&gt; The IPv6 protocol [CONFIG_IPV6]
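Review bot: listing both `CONFIG_STACKPROTECTOR` and `CONFIG_STACKPROTECTOR_STRONG` is correct, since the strong option depends on the base one, but menuconfig only offers the strong variant when the compiler accepts `-fstack-protector-strong`; a reader whose toolchain lacks that support will not see the entry at all and may think the book is wrong. A short sentence in the rationale entry saying the option requires compiler support would head off that confusion.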
@@ -189,6 +200,14 @@ Device Drivers ---&gt;
<title>The rationale for the above configuration items:</title>
<varlistentry>
+ <term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term>
+ <listitem>
+ <para>Enable ASLR for kernel image, to mitigate some attacks based
+ on fixed addresses of sensitive data or code in the kernel.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>
<parameter>
Compile the kernel with warnings as errors
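Review bot: the new `<para>` reads "Enable ASLR for kernel image"; it should be "Enable ASLR for the kernel image, to mitigate some attacks based on fixed addresses of sensitive data or code in the kernel." It would also help to say here that this option depends on `CONFIG_RELOCATABLE`, which the screen above now enables but which otherwise goes unexplained.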
@@ -214,6 +233,16 @@ Device Drivers ---&gt;
</varlistentry>
<varlistentry>
+ <term><parameter>Strong Stack Protector</parameter></term>
+ <listitem>
+ <para>Enable SSP for the kernel. We've enabled it for the entire
+ userspace with <parameter>--enable-default-ssp</parameter>
+ configuring GCC, but the kernel does not use GCC default setting
+ for SSP. We enable it explicitly here.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><parameter>Support for uevent helper</parameter></term>
<listitem>
<para>Having this option set may interfere with device
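Review bot: the new rationale `<para>` has two grammar slips: "with <parameter>--enable-default-ssp</parameter> configuring GCC" should be "with <parameter>--enable-default-ssp</parameter> when configuring GCC", and "GCC default setting" should be "GCC's default setting". Suggested text: "Enable SSP for the kernel. We've enabled it for the entire userspace with <parameter>--enable-default-ssp</parameter> when configuring GCC, but the kernel does not use GCC's default setting for SSP, so we enable it explicitly here." Since the screens add both `CONFIG_STACKPROTECTOR` and `CONFIG_STACKPROTECTOR_STRONG`, the entry should also mention that the strong variant requires the base "Stack Protector buffer overflow detection" option to be selected first.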