From: Blue Swirl
Date: Tue, 19 Apr 2011 22:24:31 +0300
Subject: Re: [Qemu-devel] QEMU-KVM and hardened (GRSEC/PaX) kernel
To: anton.kochkov@gmail.com
Cc: qemu-devel

2011/4/17 Антон Кочков:
> Good day!
> I'm trying to get qemu-kvm working with hardened Gentoo on a hardened kernel.
> When I'm using CONFIG_PAX_KERNPAGEXEC and CONFIG_PAX_MEM_UNDEREF, qemu just starts
> and goes into an infinite loop and takes 100% of one of my CPU cores, and it
> even can't be killed.
> Also it doesn't answer the qemu monitor/remote gdb.
> When I changed these two values to disabled, qemu-kvm now starts, and
> stops (I mean the qemu monitor shows that the virtual machine is running, but
> no activity/output at all). Also its load is about 0%.
> See details in bug http://bugs.gentoo.org/show_bug.cgi?id=363713

Given this description http://grsecurity.net/~spender/uderef.txt I'd say the
problem is PaX vs. KVM (the kernel module part of it). UDEREF should be
overridden for the process in question, which obviously defeats security.

Maybe CONFIG_GRKERNSEC_HARDENED_VIRTUALIZATION suggested in the bug thread
already does this, I don't know. It's not possible to virtualize for example
guests using self-modifying code if the kernel protections are in the way.
The alternative is to use only guests which never violate W^X, if they exist.
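The combination the reply points at (KERNEXEC/UDEREF on a host that also builds KVM) can be checked against a kernel .config before qemu-kvm is tried. This is an added example, not code from the thread, QEMU or grsecurity; it assumes the option spellings CONFIG_PAX_KERNEXEC, CONFIG_PAX_MEMORY_UDEREF, CONFIG_KVM, CONFIG_KVM_INTEL and CONFIG_KVM_AMD, takes CONFIG_GRKERNSEC_HARDENED_VIRTUALIZATION as named in the thread, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: flag a kernel .config that builds KVM together with the PaX
# options the thread associates with the qemu-kvm hang. Option names are
# assumptions (see lead-in); verify them against your own kernel tree.

# cfg_is_set FILE OPTION: succeed if OPTION is built in (=y) or as a module (=m)
cfg_is_set() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# pax_kvm_check FILE prints exactly one word:
#   conflict      KVM plus KERNEXEC and/or UDEREF, the combination reported to hang
#   hardened-virt same, but CONFIG_GRKERNSEC_HARDENED_VIRTUALIZATION is also set
#   ok            no KVM, or no conflicting PaX option
pax_kvm_check() {
    f=$1
    kvm=no; pax=no; hv=no
    for o in CONFIG_KVM CONFIG_KVM_INTEL CONFIG_KVM_AMD; do
        cfg_is_set "$f" "$o" && kvm=yes
    done
    for o in CONFIG_PAX_KERNEXEC CONFIG_PAX_MEMORY_UDEREF; do
        cfg_is_set "$f" "$o" && pax=yes
    done
    cfg_is_set "$f" CONFIG_GRKERNSEC_HARDENED_VIRTUALIZATION && hv=yes
    if [ "$kvm" = yes ] && [ "$pax" = yes ]; then
        if [ "$hv" = yes ]; then echo hardened-virt; else echo conflict; fi
    else
        echo ok
    fi
}

# demo_config FILE: write a constructed sample .config (not a real host's) to FILE
demo_config() {
    cat > "$1" <<'EOF'
CONFIG_KVM=m
CONFIG_KVM_INTEL=m
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_GRKERNSEC_HARDENED_VIRTUALIZATION is not set
EOF
}

# Usage: sh pax_kvm_check.sh /boot/config-$(uname -r)   (or zcat /proc/config.gz > f)
if [ $# -gt 0 ]; then
    pax_kvm_check "$1"
fi
```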