Description

This project proposes the design and implementation of Kernel Address Space Layout Randomization (KASLR) for the coconut-svsm environment. Although coconut-svsm is capable of booting a Linux guest OS, its own SVSM kernel is currently loaded at fixed memory locations.

Introducing KASLR into coconut-svsm requires extending the early boot logic so that the SVSM kernel can be safely relocated to randomized addresses at boot time. This involves ensuring that the kernel is fully position-independent, adapting the boot process to relocate the image at runtime, and defining safe randomized address ranges consistent with the SVSM memory model.

Goals

The work can be structured into the following stages:

  1. Study the SVSM boot process: understand the boot flow, memory map, static offsets, and how the SVSM binary is currently loaded and executed.
  2. Identify which parts of the kernel rely on fixed addresses or absolute references.
  3. Make the SVSM code position-independent: compile and link the kernel in a way that supports relocation.
  4. Enable loading the kernel at alternate addresses: modify the early boot stages so that the loader places the SVSM image at a non-default location.
  5. Validate that the kernel behaves correctly when executed from different load addresses.
  6. Determine which regions of the SVSM address space are valid for kernel placement.
  7. Establish a strategy for computing randomized addresses within these constraints.
  8. Test the system across different load addresses and randomization seeds.
  9. Validate and document the KASLR implementation.
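
As an added illustration of stages 6 and 7 (not code from coconut-svsm), the Rust example below counts the aligned load addresses at which an image fits inside a permitted window and picks one uniformly. The `Window` type, the function names, the address constants and the entropy closure are all assumptions made for this example.

```rust
// Added example: all names and constants are hypothetical, not coconut-svsm's.
#[derive(Clone, Copy)]
pub struct Window {
    pub start: u64, // lowest permitted address (inclusive)
    pub end: u64,   // end of the permitted region (exclusive)
    pub align: u64, // required base alignment, a power of two
}

fn align_up(addr: u64, align: u64) -> Option<u64> {
    Some(addr.checked_add(align - 1)? & !(align - 1))
}

/// Number of aligned bases at which an image of `size` bytes fits entirely
/// inside the window; None if the constraints cannot be met.
pub fn slot_count(w: Window, size: u64) -> Option<u64> {
    if size == 0 || !w.align.is_power_of_two() {
        return None;
    }
    let first = align_up(w.start, w.align)?;
    let last = w.end.checked_sub(size)?; // highest base that still fits
    if last < first {
        return None;
    }
    Some((last - first) / w.align + 1)
}

/// Pick a base uniformly among the valid slots. `entropy` stands in for the
/// boot-time random source; rejection sampling avoids modulo bias.
pub fn pick_base(w: Window, size: u64, mut entropy: impl FnMut() -> u64) -> Option<u64> {
    let slots = slot_count(w, size)?;
    let first = align_up(w.start, w.align)?;
    let limit = u64::MAX - (u64::MAX % slots); // a multiple of `slots`
    loop {
        let r = entropy();
        if r < limit {
            return Some(first + (r % slots) * w.align);
        }
    }
}

fn main() {
    // Constructed window: 1 GiB region, 2 MiB alignment, 5 MiB image.
    let w = Window { start: 0x4000_0000, end: 0x8000_0000, align: 0x20_0000 };
    let mut state = 0x9e37_79b9_7f4a_7c15u64; // constructed seed, NOT a secure RNG
    let xorshift = || { state ^= state << 13; state ^= state >> 7; state ^= state << 17; state };
    let base = pick_base(w, 0x50_0000, xorshift).unwrap();
    println!("slots = {}, base = {:#x}", slot_count(w, 0x50_0000).unwrap(), base);
}
```

The slot count bounds the placement entropy: the constructed window above has 510 slots, which is just under 9 bits.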

Resources

coconut-svsm source: https://github.com/coconut-svsm/svsm


This project is part of:

Hack Week 25

Activity

  • about 5 hours ago: vmezzela originated this project.
