KAISER Getting Ready To Better Protect The Linux Kernel

Recently a number of patches have been floating around the kernel mailing list for prepping "KAISER" in what will likely be merged come Linux 4.16. KAISER is a new security feature for the Linux kernel.

KAISER was originally devised at Austria's Graz University of Technology as Kernel Address Isolation to have Side-channels Efficiently Removed. KAISER unmaps most of the kernel from user-space page tables and makes it more difficult to defeat KASLR (Kernel Address Space Layout Randomization).

KAISER kernel isolation closes hardware side channels on kernel address information. The proof of concept patches developed in Graz resulted in syscalls and interrupts being slower, but now there is support for PCID (Process Context Identifiers) to make context switching faster and reduce TLB flushing to lower the overhead of this security feature.

From the new KAISER Kconfig switch, "This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace."

The original KAISER patches can be found on GitHub while the very newest KAISER patches can be found for review on the kernel mailing list.