Re: Hello world! Student interested in getting involved.

On Wed, Feb 21, 2018 at 01:44:27PM -0800, Kees Cook wrote:
> On Sat, Feb 17, 2018 at 7:22 AM, Ahmed Soliman
> <ahmedsoliman0x666@xxxxxxxxx> wrote:
> > Well, in this case I tried searching and researching more and I found
> > the idea for Rootkit blocking using KVM virtualization, it is
> > described here:
> > https://kernelnewbies.org/KernelProjects/VirtRootkitBlocker
> 
> I think it's good to experiment with kernel hardening via hypervisors.
> There isn't any particular direction defined for this approach, with
> lots of different things getting tried (e.g. Samsung KNOX). One
> problem with the hypervisor-control of memory protections is things
> like kprobes, modules, etc, that need to do dynamic rewriting of
> kernel text.

FWIW, a while back, we had an intern prototype some stage-2 W^X
protections for KVM guests on arm64. For kprobes, modules, and other
things requiring text modification, we locked those down late in the
boot process, which seemed like a reasonable tradeoff.

One big issue was static keys, since those need to be flipped
occasionally. We modified those to have two patchable branches rather
than one, so that we could fall back to a slow path that read a variable
when text modification was disabled.

We didn't end up posting those patches because there were a number of
open questions about the hypervisor ABI (e.g. how we could discover that
the hypervisor provided this feature). For arm64, we'll need to do some
FW standards work for that -- I'm not sure what the deal is for x86.

Thanks,
Mark.
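
The static-key fallback described in the message above, as a user-space C model added here for illustration (not code from the unposted patches or from the kernel). It assumes the second patchable branch is switched to the slow path before text is sealed; every name in it (`model_key`, `patch_site`, `key_use_slow_path`, `text_locked`) is hypothetical.

```c
#include <stdbool.h>

/* User-space model: "kernel text" is plain struct fields; all names hypothetical. */
enum insn { INSN_NOP, INSN_JMP };
struct model_key {
    enum insn fast_branch;  /* patchable site 1: key state encoded in text */
    enum insn slow_select;  /* patchable site 2: JMP diverts to the slow path */
    bool value;             /* data copy of the state, read by the slow path */
};

static bool text_locked;    /* true once text writes are forbidden */

/* All text writes funnel through here, so lockdown is enforced in one place. */
static bool patch_site(enum insn *site, enum insn new_insn)
{
    if (text_locked)
        return false;       /* a real guest would fault on this write */
    *site = new_insn;
    return true;
}

/* Flip a key: data is always updated, text only while patching is allowed. */
static bool key_set(struct model_key *k, bool on)
{
    k->value = on;
    return patch_site(&k->fast_branch, on ? INSN_JMP : INSN_NOP);
}

/* Late boot, before sealing text: route this key through the slow path. */
static bool key_use_slow_path(struct model_key *k)
{
    return patch_site(&k->slow_select, INSN_JMP);
}

static bool key_enabled(const struct model_key *k)
{
    if (k->slow_select == INSN_JMP)
        return k->value;                /* slow path: load from memory */
    return k->fast_branch == INSN_JMP;  /* fast path: state baked into text */
}

int main(void)
{
    struct model_key two = { INSN_NOP, INSN_NOP, false }, one = two;
    key_use_slow_path(&two);            /* "one" keeps only the fast branch */
    text_locked = true;
    key_set(&two, true);
    key_set(&one, true);
    return (key_enabled(&two) && !key_enabled(&one)) ? 0 : 1;
}
```

The key that was never diverted keeps reporting its pre-lockdown state after the flip, which is the stale-branch problem the second patch site avoids.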


