* Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote: > > Turning KASLR off actively degrades that randomization of the kernel virtual > > addresses. > > > > Am I missing anything? > > > > No, I think you are right. UEFI runtime services region are likely to consist of > R+W+X mappings for the foreseeable future on x86, and the more we tighten down > security in other places, the more appealing the UEFI regions become for > exploitation (even if they are only mapped while runtime services calls are in > progress). Ok, so I'm fine with the current proposed patch as a temporary workaround, but only if we are going to get a real fix as well, ASAP. Thanks, Ingo