kaslr warning on fedora boot - plembo/onemoretech GitHub Wiki

KASLR Warning on Fedora Boot

September 7, 2016

This is new. KASLR is a security enhancement that's supposed to be good for us, but like so many things, its implementers decided to get right up into our faces with a warning on boot: "kaslr not on cmdline (hibernation selected)".

Notice how that LWN article is from 3 years ago. Well, in the meantime KASLR wound up in Linus's kernel tree and is now busily announcing itself to anyone with the latest 4.7.2 kernel (Fedora 24, kernel-4.7.2-200.fc24; Fedora 23, kernel-4.7.2-101.fc23). Ironically the method used by KASLR to secure the kernel may be completely ineffective in newer Intel processors.

Fixing things is easy, assuming you're OK with ditching hibernation (with which KASLR is totally incompatible). All you need to do is enable KASLR explicitly with a couple of command line options in your kernel boot configuration.

On Fedora (and probably most other distros) you do that by editing /etc/default/grub and inserting the directives "nohibernate" and "kaslr" in the GRUB_CMDLINE_LINUX string. Here's what mine looks like:

GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap net.ifnames=0 nohibernate kaslr rhgb quiet"

After that you need to run grub2-mkconfig to update /boot/grub2/grub.cfg, like this:

grub2-mkconfig -o /boot/grub2/grub.cfg
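
To confirm the change took effect after a reboot, here is a small check, added as an example and not part of the original wiki page. It matches whole parameters, so "nokaslr" is not mistaken for "kaslr" the way a plain grep would. The function names and status labels are made up for this example.

```sh
#!/bin/sh
# Added example: audit a kernel command line for the two options this page adds.

# has_param CMDLINE NAME: succeed if NAME is present as a whole parameter
# (bare "NAME" or "NAME=value"); a substring such as "nokaslr" does not count.
has_param() {
    case " $1 " in
        *" $2 "*|*" $2="*) return 0 ;;
    esac
    return 1
}

# kaslr_status CMDLINE: print one label (labels are this example's own):
#   disabled-nokaslr     "nokaslr" is present
#   missing-kaslr        "kaslr" is absent, the case that triggers the boot warning
#   missing-nohibernate  "kaslr" is present but "nohibernate" is not
#   ok                   both options from this page are present
kaslr_status() {
    if has_param "$1" nokaslr; then
        echo disabled-nokaslr
    elif ! has_param "$1" kaslr; then
        echo missing-kaslr
    elif ! has_param "$1" nohibernate; then
        echo missing-nohibernate
    else
        echo ok
    fi
}

# grub_cmdline FILE: print the value of the last GRUB_CMDLINE_LINUX="..." line.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Stand-alone use: report on the running kernel and on the GRUB defaults file.
if [ -r /proc/cmdline ]; then
    echo "running kernel: $(kaslr_status "$(cat /proc/cmdline)")"
fi
if [ -r /etc/default/grub ]; then
    echo "grub defaults:  $(kaslr_status "$(grub_cmdline /etc/default/grub)")"
fi
```

If the GRUB defaults report "ok" but the running kernel does not, grub.cfg was not regenerated or the machine has not been rebooted since.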

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1350174

https://bodhi.fedoraproject.org/updates/FEDORA-2016-c654464bce

http://forums.fedoraforum.org/showthread.php?p=1770213