From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthew Garrett Subject: Re: [kernel-hardening] Introduction + new project: "rootkit detection using virtualization". Date: Mon, 13 Feb 2017 08:41:15 +0000 Message-ID: <20170213084115.GA16815@srcf.ucam.org> References: <1486777021.2096.36.camel@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Cc: Kees Cook , Matthew Giassa , "kernel-hardening@lists.openwall.com" , KVM To: Rik van Riel Return-path: Received: from cavan.codon.org.uk ([93.93.128.6]:40687 "EHLO cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751666AbdBMJZP (ORCPT ); Mon, 13 Feb 2017 04:25:15 -0500 Content-Disposition: inline In-Reply-To: <1486777021.2096.36.camel@redhat.com> Sender: kvm-owner@vger.kernel.org List-ID: On Fri, Feb 10, 2017 at 08:37:01PM -0500, Rik van Riel wrote: > One of the things that Matthew can do is build on > the read-only memory protections in the kernel, and > have the hypervisor enforce that the memory the kernel > marks as read-only is never written from inside the > virtual machine, until the next reboot. > > That seems like it might be a useful place to start, > since it would immediately make the other read-only > protections that people are working on much harder to > get around, at least inside virtual machines. I agree that this is valuable, but it feels like doing so probably involves designing a consistent mechanism for lightweight kernel→hypervisor calls - the existing vfio framework seems heavier than necessary for this kind of thing. Going further probably involves having a good way for syscalls to call into the hypervisor, but again finding a generic solution that doesn't add too much overhead seems like a good plan. My implementation of this was very special cased and didn't attempt to do anything in a generic way, so I'm definitely not a good model! -- Matthew Garrett | mjg59@srcf.ucam.org