Re: [PATCH V6 0/8] KVM: X86: Introducing ROE Protection Kernel Hardening

From: Paolo Bonzini
Date: Thu Nov 08 2018 - 15:25:51 EST

Next message: Qian Cai: "BUG: KASAN: slab-out-of-bounds in cts_cbc_encrypt+0xec/0x3c0"
Previous message: Thomas Gleixner: "Re: [patch 2/2] Documentation/process: Add tip tree handbook"
Next in thread: Ahmed Soliman: "Re: [PATCH V6 0/8] KVM: X86: Introducing ROE Protection Kernel Hardening"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 04/11/2018 18:11, Ahmed Abd El Mawgood wrote:
> Our model assumes that an attacker got full root access to a running guest and
> his goal is to manipulate kernel code/data (hook syscalls, overwrite IDT ..etc).
>
> There is future work in progress to also put some sort of protection on the page
> table register CR3 and other critical registers that can be intercepted by KVM.
> This way it won't be possible for an attacker to manipulate any part of the
> guests page table.
>

Do you have patches that enable usage of ROE in the kernel?
Alternatively you can write testcases in tools/testing/selftests/kvm to
test how guests should use it.

I would remove CONFIG_KVM_ROE altogether. You can enable it
unconditionally.

I will continue reviewing the patches soon.

Paolo

Next message: Qian Cai: "BUG: KASAN: slab-out-of-bounds in cts_cbc_encrypt+0xec/0x3c0"
Previous message: Thomas Gleixner: "Re: [patch 2/2] Documentation/process: Add tip tree handbook"
Next in thread: Ahmed Soliman: "Re: [PATCH V6 0/8] KVM: X86: Introducing ROE Protection Kernel Hardening"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]