Linux Kernel Considers Linking The Relocatable x86 Kernel As PIE In 2026
- Reference: 0001604815
- News link: https://www.phoronix.com/news/Linux-x86-RFC-Linking-PIE
To allow for additional security hardening of the Linux kernel, a patch series first posted more than a year ago has been updated to link the relocatable x86_64 kernel as [1]Position Independent Executable (PIE) code.
Ard Biesheuvel sent out the set of 19 patches today for switching to PIE linking for the relocatable kernel. This would provide long-term security benefits and would be paired with Kernel Address Space Layout Randomization (KASLR) usage.
Biesheuvel explained in today's patch series:
"This series is a follow-up to a series I sent a bit more than a year ago, to switch to PIE linking of x86_64 vmlinux, which is a prerequisite for further hardening measures, such as fg-kaslr, as well as further harmonization of the boot protocols between architectures.
The main sticking point is the fact that PIE linking on x86_64 requires PIE codegen, and that was shot down before on the basis that
a) GOTs in fully linked binaries are stupid
b) the code size increase would be prohibitive
c) the performance would suffer.
This series implements PIE codegen without permitting the use of GOT slots. The code size increase is between 0.2% (clang) and 0.5% (gcc), and I could not identify any performance regressions (using hackbench) on various different micro-architectures that I tried it on. (Suggestions for other benchmarks/test cases are welcome)
So now that we have some actual numbers, I would like to try and revisit this discussion, and get a conclusion on whether this is really a non-starter. Note that only the KASLR kernel would rely on this, and disabling CONFIG_RANDOMIZE_BASE will revert to the current situation (provided that patch #4 is applied)"
The final patch in the series adds:
"If the toolchain supports RELR relocation packing, build the virtually relocatable kernels as Position Independent (PIE) Executables. This results in more efficient relocation processing for the virtual displacement of the kernel applied at boot, using RELR relocations that take up only a fraction of the space occupied by ordinary RELA relocations.
More importantly, it instructs the linker to generate a binary that is really meant to be relocated at boot, using data structures that are intended for this purpose."
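To make the RELR/RELA size comparison in that commit message concrete, here is an added example (not code from the patch series or the kernel) that decodes a table in the standard 64-bit ELF RELR encoding: an even entry is the offset of one pointer, an odd entry is a bitmap over the next 63 words. The image, the table values and the names `relr_apply` and `rela_bytes` are constructed for illustration, and the decoder assumes 8-byte-aligned offsets.

```c
/* Added illustration: decode a 64-bit RELR table and apply a displacement.
 * Image contents, table values and function names are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Add `delta` to every 64-bit word of `image` named by the RELR table (byte
 * offsets from the image start). Returns the count applied, -1 if malformed. */
long relr_apply(uint64_t *image, size_t nwords,
                const uint64_t *relr, size_t nrelr, uint64_t delta)
{
    size_t where = 0;  /* word index of the first slot the next bitmap covers */
    int have_base = 0; /* a bitmap is only meaningful after an address entry */
    long applied = 0;
    for (size_t n = 0; n < nrelr; n++) {
        uint64_t entry = relr[n];
        if ((entry & 1) == 0) {          /* even: offset of one pointer */
            if (entry % 8 != 0 || entry / 8 >= nwords)
                return -1;               /* assumption: 8-byte aligned only */
            where = entry / 8;
            image[where++] += delta;
            applied++;
            have_base = 1;
        } else {                         /* odd: bitmap over the next 63 words */
            if (!have_base)
                return -1;
            for (size_t i = 0; (entry >>= 1) != 0; i++) {
                if (!(entry & 1)) continue;
                if (where + i >= nwords)
                    return -1;           /* bitmap points past the image */
                image[where + i] += delta;
                applied++;
            }
            where += 63;
        }
    }
    return applied;
}

/* Same relocations as RELA: one 24-byte Elf64_Rela entry per pointer. */
size_t rela_bytes(long nrelocs) { return (size_t)nrelocs * 24u; }

int main(void)
{
    uint64_t image[80] = {0};                  /* constructed sample image */
    const uint64_t relr[] = { 16, 0x17, 0x3 }; /* words 2, 3, 4, 6 and 66 */
    long n = relr_apply(image, 80, relr, 3, 0x200000);
    printf("%ld relocs: RELR %zu bytes, RELA %zu bytes\n", n, sizeof relr, rela_bytes(n));
    return n == 5 ? 0 : 1;
}
```

In this constructed table three 8-byte RELR entries describe five pointers, which as RELA would need five 24-byte entries.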
We'll see if this idea takes off in 2026 or not.
More details via the [2]patch series.
[1] https://www.phoronix.com/search/Position+Independent+Executable
[2] https://lore.kernel.org/lkml/20260108092526.28586-21-ardb@kernel.org/#t