Building a kernel with KASLR
Control the build options for the KASLR feature through the kernel configuration menu.
Figure 1 summarizes the kernel configuration menu options that are relevant to KASLR:
- CONFIG_RELOCATABLE
This option builds a kernel image that retains relocation information so it can be loaded at an arbitrary address.
The kernel is linked as a position-independent executable (PIE) and contains dynamic relocations which are processed early in the boot process.
The relocations make the kernel image about 15% larger (compressed 10%), but are discarded at runtime.
- CONFIG_RANDOMIZE_BASE
In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the address at which the kernel image is loaded, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.
- CONFIG_SECURITY_DMESG_RESTRICT
Sets the default value of dmesg_restrict to 1, which restricts access to the kernel log (dmesg) to users that have the CAP_SYSLOG privilege.
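
One way to check a kernel configuration file for the three options above, as an added example that is not part of the original page. The function names (`config_value`, `kaslr_audit`, `sample_config`) are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit a kernel .config
# for the three KASLR-related options described above.

# Print an option's value, or "unset". Kconfig records a disabled option
# as "# CONFIG_FOO is not set" or leaves it out, so only "NAME=" lines count.
config_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Print one line per option; return the number of findings (0 = none).
kaslr_audit() {
    missing=0
    for opt in CONFIG_RELOCATABLE CONFIG_RANDOMIZE_BASE \
               CONFIG_SECURITY_DMESG_RESTRICT; do
        val=$(config_value "$1" "$opt")
        if [ "$val" = "y" ]; then
            echo "ok       $opt=y"
        else
            echo "FINDING  $opt is $val"
            missing=$((missing + 1))
        fi
    done
    # A randomized base needs a relocatable image; flag a config that
    # claims one without the other (assumed to come from manual editing).
    if [ "$(config_value "$1" CONFIG_RANDOMIZE_BASE)" = "y" ] &&
       [ "$(config_value "$1" CONFIG_RELOCATABLE)" != "y" ]; then
        echo "FINDING  CONFIG_RANDOMIZE_BASE=y without CONFIG_RELOCATABLE=y"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample config: relocatable, but base randomization disabled
# and no dmesg restriction entry at all.
sample_config() {
    cat <<'EOF'
CONFIG_RELOCATABLE=y
# CONFIG_RANDOMIZE_BASE is not set
CONFIG_SECURITY=y
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
kaslr_audit "$tmp" || echo "findings: $?"
rm -f "$tmp"
```

CONFIG_SECURITY_DMESG_RESTRICT only sets the default; the value in effect on a running system is the `kernel.dmesg_restrict` sysctl, which this check does not read.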