Building a kernel with KASLR

6.10 LPAR mode z/VM guest KVM guest

Control the build options for the KASLR feature through the kernel configuration menu.

Kernel builders: This information is intended for those who want to build their own kernel. Be aware that both compiling your own kernel and recompiling an existing distribution usually mean that you have to maintain your kernel yourself.

Figure 1 summarizes the kernel configuration menu options that are relevant to KASLR:

Figure 1. KASLR kernel configuration menu options

 ...
 Processor type and features --->
    ...
    Build a relocatable kernel                                (CONFIG_RELOCATABLE)
   └─ Randomize the address of the kernel image (KASLR)       (CONFIG_RANDOMIZE_BASE)
    ...
 Security options --->
    ...
    Restrict unprivileged access to the kernel syslog         (CONFIG_SECURITY_DMESG_RESTRICT)

CONFIG_RELOCATABLE

This option builds a kernel image that retains relocation information so it can be loaded at an arbitrary address.

The kernel is linked as a position-independent executable (PIE) and contains dynamic relocations, which are processed early in the boot process.

The relocations make the kernel image about 15% larger (about 10% larger when compressed), but they are discarded at runtime.

CONFIG_RANDOMIZE_BASE

This option enables Kernel Address Space Layout Randomization (KASLR): it randomizes the address at which the kernel image is loaded. This is a security feature that deters exploit attempts that rely on knowledge of the location of kernel internals.

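CONFIG_SECURITY_DMESG_RESTRICT

Sets the default value of dmesg_restrict to 1, which restricts access to the kernel syslog to users that have the CAP_SYSLOG privilege. Kernel messages can contain kernel addresses, so unrestricted access to the syslog can undermine the randomization.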
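
Added example (not part of the original documentation): a shell check that a kernel .config has the three options described above built in, and that a boot command line does not switch KASLR off again with the nokaslr kernel parameter. The sample configuration and command line are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the KASLR-related options.

# Print the value of one option in a config file, or "unset".
# "# CONFIG_X is not set" lines do not match and therefore count as unset.
config_state() {
    # $1 = config file, $2 = option name
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Report all three options; return 0 only if each one is set to y.
check_kaslr_config() {
    cfg=$1
    rc=0
    for opt in CONFIG_RELOCATABLE CONFIG_RANDOMIZE_BASE \
               CONFIG_SECURITY_DMESG_RESTRICT; do
        state=$(config_state "$cfg" "$opt")
        printf '%-32s %s\n' "$opt" "$state"
        [ "$state" = "y" ] || rc=1
    done
    return $rc
}

# Return 0 if the given kernel command line contains the nokaslr parameter,
# which disables the randomization at boot even when it is compiled in.
cmdline_disables_kaslr() {
    case " $1 " in
        *" nokaslr "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: KASLR is built in, the syslog restriction is not.
sample_config() {
    cat <<'EOF'
CONFIG_RELOCATABLE=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
EOF
}

tmpcfg=$(mktemp)
sample_config > "$tmpcfg"
check_kaslr_config "$tmpcfg" || echo "config: at least one option is not set to y"
# Constructed sample command line.
if cmdline_disables_kaslr "root=/dev/dasda1 nokaslr"; then
    echo "cmdline: nokaslr present, kernel will load at a fixed address"
fi
rm -f "$tmpcfg"
```

On a running system, pass the configuration file of the installed kernel (on many distributions /boot/config-$(uname -r)) and the contents of /proc/cmdline; the runtime value of the syslog restriction is in /proc/sys/kernel/dmesg_restrict.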