8.Locks HexConnections CodeGlobe Esm W900

Going back years there has been patches for allowing the Linux x86_64 kernel to build as Position Independent Executable (PIE) code to further enhance the system security. Antgroup engineers most recently have been tackling the Linux x86_64 PIE support and last week sent out a new patch series.

Based on the Linux PIE patches from a few years ago, Hou Wenlong with the Antgroup sent out updated patches for allowing Linux x86_64 PIE builds: 

"These patches make the changes necessary to build the kernel as Position Independent Executable (PIE) on x86_64. A PIE kernel can be relocated below the top 2G of the virtual address space. And this patchset provides an example to allow kernel image to be relocated in top 512G of the address space.

The ultimate purpose for PIE kernel is to increase the security of the the kernel and also the [flexibility] of the kernel image's virtual address, which can be even in the low half of the address space. More locations the kernel can fit in, this means an attacker could guess harder.

The patchset is based on Thomas Garnier's X86 PIE patchset v6 and v11. However, some design changes are made and some bugs are fixed by testing with different configurations and compilers."

The link for this article located at Phoronix is no longer available.