On Sun, Nov 12, 2023 at 09:23:25PM -0500, Mickaël Salaün wrote: > From: Madhavan T. Venkataraman <madvenka@xxxxxxxxxxxxxxxxxxx> > > Implement a hypervisor function, kvm_protect_memory() that calls the > KVM_HC_PROTECT_MEMORY hypercall to request the KVM hypervisor to > set specified permissions on a list of guest pages. > > Using the protect_memory() function, set proper EPT permissions for all > guest pages. > > Use the MEM_ATTR_IMMUTABLE property to protect the kernel static > sections and the boot-time read-only sections. This enables to make sure > a compromised guest will not be able to change its main physical memory > page permissions. However, this also disable any feature that may change > the kernel's text section (e.g., ftrace, Kprobes), but they can still be > used on kernel modules. > > Module loading/unloading, and eBPF JIT is allowed without restrictions > for now, but we'll need a way to authenticate these code changes to > really improve the guests' security. We plan to use module signatures, > but there is no solution yet to authenticate eBPF programs. > > Being able to use ftrace and Kprobes in a secure way is a challenge not > solved yet. We're looking for ideas to make this work. > > Likewise, the JUMP_LABEL feature cannot work because the kernel's text > section is read-only. What is the actual problem? As is the kernel text map is already RO and never changed.