KASLR support

https://www.ibm.com/docs/en/linux-on-systems?topic=shutdown-kaslr-support

Last Updated: 2025-10-05

6.14 LPAR mode z/VM guest KVM guest

With kernel address space layout randomisation (KASLR), the kernel is loaded to a random location in memory.

Loading the kernel to a random location can protect against attacks that rely on knowledge of the kernel addresses.

The KASLR feature is enabled by default.

With KASLR enabled, the kernel is loaded to a random address, but kernel messages can reveal kernel internal addresses. Prevent access to the kernel messages for unprivileged users by setting the dmesg_restrict sysctl to 1. This setting restricts dmesg access to users with CAP_SYSLOG privilege. Alternatively, select the kernel config option CONFIG_SECURITY_DMESG_RESTRICT, which sets the default value of dmesg_restrict to 1.

Kernel addresses can also be compromised through /proc and other interfaces. To prevent this, set the kptr_restrict sysctl to 1.
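The following check is an added example, not part of the original IBM page: it audits the two sysctls described above and also looks for `nokaslr` on the kernel parameter line. Assumptions: the function names are hypothetical, `nokaslr` is the upstream kernel parameter that disables KASLR and is not named on this page, and `kptr_restrict=2` (stricter than the 1 recommended here) is also accepted.

```shell
#!/bin/sh
# Added example: audit the settings that keep KASLR effective.
# Paths default to the live system; pass other paths to audit a copy.

# read_setting FILE: print the first field of FILE, or "missing".
read_setting() {
    if [ -r "$1" ]; then
        awk 'NR == 1 { print $1 }' "$1"
    else
        echo missing
    fi
}

# audit_kaslr [SYSCTL_ROOT] [CMDLINE_FILE]
# Prints one PASS/FAIL line per check; returns 0 only if all pass.
audit_kaslr() {
    root=${1:-/proc/sys}
    cmdline=${2:-/proc/cmdline}
    rc=0

    dmesg=$(read_setting "$root/kernel/dmesg_restrict")
    kptr=$(read_setting "$root/kernel/kptr_restrict")

    # dmesg_restrict=1 limits kernel messages to CAP_SYSLOG holders.
    if [ "$dmesg" = 1 ]; then
        echo "PASS kernel.dmesg_restrict=1"
    else
        echo "FAIL kernel.dmesg_restrict=$dmesg (want 1)"; rc=1
    fi

    # kptr_restrict=1 is the page's setting; 2 is stricter (assumption).
    case $kptr in
        1|2) echo "PASS kernel.kptr_restrict=$kptr" ;;
        *)   echo "FAIL kernel.kptr_restrict=$kptr (want 1)"; rc=1 ;;
    esac

    # nokaslr on the parameter line turns randomisation off entirely.
    if [ -r "$cmdline" ] && tr ' ' '\n' < "$cmdline" | grep -qx nokaslr; then
        echo "FAIL nokaslr present on kernel parameter line"; rc=1
    else
        echo "PASS nokaslr not present on kernel parameter line"
    fi

    return $rc
}
```

Call `audit_kaslr` with no arguments to check the running system.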

For more information about the dmesg_restrict and kptr_restrict sysctls, see Documentation/sysctl/kernel.txt in the kernel source tree.

KASLR and crash

To open a dump of a KASLR-enabled kernel, you require crash as of version 7.2.6. Use crash with the --kaslr auto option. KASLR requires that the dump contains vmcoreinfo, which is always included with kdump. For all other dump types, such as VMDUMP, stand-alone dumps, and qemu dumps, convert the dump to an ELF dump before using crash. To convert the dump, use the command zgetdump -f elf.

Building a kernel with KASLR
Control the build options for the KASLR feature through the kernel configuration menu.
Kernel parameters
The KASLR feature is compiled into the kernel. You configure it by adding parameters to the kernel parameter line.
