On Mon, 22 Feb 2021 04:58:41 +0000, pnagar@xxxxxxxxxxxxxx wrote: > > On 2021-02-17 15:45, Marc Zyngier wrote: [...] > > +1 on that. Even if, as I suspect, this is targeting some unspecified > > hypervisor that is not KVM, the first course of action should be for > > this to be implemented in the kernel's own hypervisor first so that > > anyone can review understand what is at play. > > > > Thanks, > > > > M. > > Thank you for your comments. The key value add of the feature is a > third party independent entity keeping a watch on crucial kernel > assets, such that in case the kernel itself is compromised, still, > the protection can remain intact. Can this be achieved if the > implementation is done in KVM? I've limited knowledge of KVM > currently, can surely look into more details for a better > understanding. [+Quentin] KVM/arm64 doesn't currently support Stage-2 mappings on the host side, but there are patches[1] on the list that implement this functionality, and that I'm hoping to get in 5.13 (no pressure, Quentin... ;-). This could also be implemented with the current KVM code though, as a PV service to guests, and I'd suggest looking into that as an initial approach. Thanks, M. [1] https://lore.kernel.org/r/20210108121524.656872-1-qperret@xxxxxxxxxx -- Without deviation from the norm, progress is not possible.
