On Tue, 2006-08-22 at 07:59 -0700, Jeremy Fitzhardinge wrote: > Alan Cox wrote: > > It would be nice not to export it at all or to protect it, paravirt_ops > > is a rootkit authors dream ticket. I'm opposed to paravirt_ops until it > > is properly protected, its an unpleasantly large security target if not. > > > > Do you have an example of an attack which would become significantly > easier with pv_ops in use? I agree it might make a juicy target, but > surely it is just a matter of degree given that any attacker who can get > to pv_ops can do pretty much anything else. it makes for a "clean" and robust rootkit rather than a fragile one > > > It would be a lot safer if we could have the struct paravirt_ops in > > protected read-only const memory space, set it up in the core kernel > > early on in boot when we play "guess todays hypervisor" and then make > > sure it stays in read only (even to kernel) space. > > > > Yes, I'd thought about doing something like that, but as Arjan pointed > out, nothing is actually read-only in the kernel when using a 2M that's why there is a config option :) THe 2Mb advantage is a bit overrated btw; there are very few such tlbs in current processors so the kernel gets tlb misses anyway. And since most of the code is in the first 2Mb (which isn't broken up) of the kernel text it's not that bad tlb wise either (and it was Andi that pointed that out, not me)
