[RFC PATCH v2 18/19] heki: x86: Protect guest kernel memory using the KVM hypervisor

Peter Zijlstra peterz at infradead.org
Mon Nov 13 08:54:03 UTC 2023


On Sun, Nov 12, 2023 at 09:23:25PM -0500, Mickaël Salaün wrote:
> From: Madhavan T. Venkataraman <madvenka at linux.microsoft.com>
> 
> Implement a hypervisor function, kvm_protect_memory() that calls the
> KVM_HC_PROTECT_MEMORY hypercall to request the KVM hypervisor to
> set specified permissions on a list of guest pages.
> 
> Using the protect_memory() function, set proper EPT permissions for all
> guest pages.
> 
> Use the MEM_ATTR_IMMUTABLE property to protect the kernel static
> sections and the boot-time read-only sections. This ensures that
> a compromised guest will not be able to change its main physical memory
> page permissions. However, this also disables any feature that may change
> the kernel's text section (e.g., ftrace, Kprobes), but they can still be
> used on kernel modules.
> 
> Module loading/unloading and eBPF JIT are allowed without restrictions
> for now, but we'll need a way to authenticate these code changes to
> really improve the guests' security. We plan to use module signatures,
> but there is no solution yet to authenticate eBPF programs.
> 
> Being able to use ftrace and Kprobes in a secure way is a challenge not
> solved yet. We're looking for ideas to make this work.
> 
> Likewise, the JUMP_LABEL feature cannot work because the kernel's text
> section is read-only.

What is the actual problem? As is, the kernel text map is already RO and
never changed.


