From: Sean Christopherson <seanjc@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Nicolas Saenz Julienne" <nsaenz@amazon.com>,
"Borislav Petkov" <bp@alien8.de>,
"Dave Hansen" <dave.hansen@linux.intel.com>,
"H . Peter Anvin" <hpa@zytor.com>,
"Ingo Molnar" <mingo@redhat.com>,
"Kees Cook" <keescook@chromium.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
"Wanpeng Li" <wanpengli@tencent.com>,
"Rick P Edgecombe" <rick.p.edgecombe@intel.com>,
"Alexander Graf" <graf@amazon.com>,
"Angelina Vu" <angelinavu@linux.microsoft.com>,
"Anna Trikalinou" <atrikalinou@microsoft.com>,
"Chao Peng" <chao.p.peng@linux.intel.com>,
"Forrest Yuan Yu" <yuanyu@google.com>,
"James Gowans" <jgowans@amazon.com>,
"James Morris" <jamorris@linux.microsoft.com>,
"John Andersen" <john.s.andersen@intel.com>,
"Madhavan T . Venkataraman" <madvenka@linux.microsoft.com>,
"Marian Rotariu" <marian.c.rotariu@gmail.com>,
"Mihai Donțu" <mdontu@bitdefender.com>,
"Nicușor Cîțu" <nicu.citu@icloud.com>,
"Thara Gopinath" <tgopinath@microsoft.com>,
"Trilok Soni" <quic_tsoni@quicinc.com>,
"Wei Liu" <wei.liu@kernel.org>, "Will Deacon" <will@kernel.org>,
"Yu Zhang" <yu.c.zhang@linux.intel.com>,
"Ștefan Șicleru" <ssicleru@bitdefender.com>,
dev@lists.cloudhypervisor.org, kvm@vger.kernel.org,
linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, qemu-devel@nongnu.org,
virtualization@lists.linux-foundation.org, x86@kernel.org,
xen-devel@lists.xenproject.org
Subject: Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
Date: Mon, 3 Jun 2024 17:29:49 -0700 [thread overview]
Message-ID: <Zl5f_T7Nb-Fk8Y1o@google.com> (raw)
In-Reply-To: <20240514.OoPohLaejai6@digikod.net>
On Tue, May 14, 2024, Mickaël Salaün wrote:
> On Tue, May 07, 2024 at 09:16:06AM -0700, Sean Christopherson wrote:
> > On Tue, May 07, 2024, Mickaël Salaün wrote:
> > > If yes, that would indeed require a *lot* of work for something we're not
> > > sure will be accepted later on.
> >
> > Yes and no. The AWS folks are pursuing VSM support in KVM+QEMU, and SVSM support
> > is trending toward the paired VM+vCPU model. IMO, it's entirely feasible to
> > design KVM support such that much of the development load can be shared between
> > the projects. And having 2+ use cases for a feature (set) makes it _much_ more
> > likely that the feature(s) will be accepted.
> >
> > And similar to what Paolo said regarding HEKI not having a complete story, I
> > don't see a clear line of sight for landing host-defined policy enforcement, as
> > there are many open, non-trivial questions that need answers. I.e. upstreaming
> > HEKI in its current form is also far from a done deal, and isn't guaranteed to
> > be substantially less work when all is said and done.
>
> I'm not sure to understand why "Heki not having a complete story". The
> goal is the same as the current kernel self-protection mechanisms.
HEKI doesn't have a complete story for how it's going to play nice with kexec(),
emulated RESET, etc. The kernel's existing self-protection mechanisms Just Work
because the protections are automatically disabled/lost on such transitions.
They are obviously significant drawbacks to that behavior, but they are accepted
drawbacks, i.e. solving those problems isn't in scope (yet) for the kernel. And
the "failure" mode is also loss of hardening, not an unusable guest.
In other words, the kernel's hardening is firmly best effort at this time,
whereas HEKI likely needs to be much more than "best effort" in order to justify
the extra complexity. And that means having answers to the various interoperability
questions.
next prev parent reply other threads:[~2024-06-04 0:29 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-03 13:19 [RFC PATCH v3 0/5] Hypervisor-Enforced Kernel Integrity - CR pinning Mickaël Salaün
2024-05-03 13:19 ` [RFC PATCH v3 1/5] virt: Introduce Hypervisor Enforced Kernel Integrity (Heki) Mickaël Salaün
2024-05-03 13:19 ` [RFC PATCH v3 2/5] KVM: x86: Add new hypercall to lock control registers Mickaël Salaün
2024-05-03 13:19 ` [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation Mickaël Salaün
2024-05-03 14:03 ` Sean Christopherson
2024-05-06 17:50 ` Mickaël Salaün
2024-05-07 1:34 ` Sean Christopherson
2024-05-07 9:30 ` Mickaël Salaün
2024-05-07 16:16 ` Sean Christopherson
2024-05-10 10:07 ` Nicolas Saenz Julienne
2024-05-14 12:23 ` Mickaël Salaün
2024-05-15 20:32 ` Sean Christopherson
2024-06-03 18:39 ` Mickaël Salaün
2024-06-04 0:30 ` Sean Christopherson
2024-05-16 14:02 ` Nicolas Saenz Julienne
2024-05-14 12:15 ` Mickaël Salaün
2024-06-04 0:29 ` Sean Christopherson [this message]
2024-05-03 13:19 ` [RFC PATCH v3 4/5] heki: Lock guest control registers at the end of guest kernel init Mickaël Salaün
2024-05-03 13:19 ` [RFC PATCH v3 5/5] virt: Add Heki KUnit tests Mickaël Salaün
2024-05-03 13:49 ` [RFC PATCH v3 0/5] Hypervisor-Enforced Kernel Integrity - CR pinning Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zl5f_T7Nb-Fk8Y1o@google.com \
--to=seanjc@google.com \
--cc=angelinavu@linux.microsoft.com \
--cc=atrikalinou@microsoft.com \
--cc=bp@alien8.de \
--cc=chao.p.peng@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dev@lists.cloudhypervisor.org \
--cc=graf@amazon.com \
--cc=hpa@zytor.com \
--cc=jamorris@linux.microsoft.com \
--cc=jgowans@amazon.com \
--cc=john.s.andersen@intel.com \
--cc=keescook@chromium.org \
--cc=kvm@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=madvenka@linux.microsoft.com \
--cc=marian.c.rotariu@gmail.com \
--cc=mdontu@bitdefender.com \
--cc=mic@digikod.net \
--cc=mingo@redhat.com \
--cc=nicu.citu@icloud.com \
--cc=nsaenz@amazon.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=quic_tsoni@quicinc.com \
--cc=rick.p.edgecombe@intel.com \
--cc=ssicleru@bitdefender.com \
--cc=tglx@linutronix.de \
--cc=tgopinath@microsoft.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=wei.liu@kernel.org \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xenproject.org \
--cc=yu.c.zhang@linux.intel.com \
--cc=yuanyu@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).