On Thu, 16 May 2024 at 16:59, Chaney, Ben bchaney@akamai.com wrote:
The 'nokaslr' flag does work around this issue, but using it has a few downsides.
First, we would like the security benefit provided by ASLR.
We wouldn't need to disable virtual KASLR, only physical KASLR.
Also, this imposes a restriction on what memmaps are possible. It would then be required to have them offset from the beginning of the memory.
Relying on the KASLR code to move the kernel away from the base of RAM is rather risky - even when KASLR is in effect, the logic will fall back to placement at the base of memory if physical randomization is not possible for any reason.
I also think there are a few other features that may be impacted by this, that were not addressed by the patch. crashkernel and pstore both probably need physical KASLR disabled as well.
Please reply to the patch if you have any comments on it. Thanks.