On 12/6/23 12:51, Peter Zijlstra wrote:
> On Wed, Dec 06, 2023 at 10:37:33AM -0600, Madhavan T. Venkataraman wrote:
>>
>> On 11/30/23 05:33, Peter Zijlstra wrote:
>>> On Wed, Nov 29, 2023 at 03:07:15PM -0600, Madhavan T. Venkataraman wrote:
>>>
>>>> Kernel Lockdown
>>>> ---------------
>>>>
>>>> But, we must provide at least some security in V2. Otherwise, it is useless.
>>>>
>>>> So, we have implemented what we call a kernel lockdown. At the end of kernel
>>>> boot, Heki establishes permissions in the extended page table as mentioned
>>>> before. Also, it adds an immutable attribute for kernel text and kernel RO data.
>>>> Beyond that point, guest requests that attempt to modify permissions on any of
>>>> the immutable pages will be denied.
>>>>
>>>> This means that features like FTrace and KProbes will not work on kernel text
>>>> in V2. This is a temporary limitation. Once authentication is in place, the
>>>> limitation will go away.
>>>
>>> So either you're saying your patch 17 / text_poke is broken (so why
>>> include it ?!?) or your statement above is incorrect. Pick one.
>>>
>>
>> It has been included so that people can be aware of the changes.
>>
>> I will remove the text_poke() changes from the patchset and send it later when
>> I have some authentication in place. It will make sense then.
>
> If you know it's broken then fucking say so in the Changelog instead of
> wasting everybody's time..

OMG. It is not broken. It addresses one part of the problem. The other part is WIP.

I am preparing a detailed response to your comments. I ask you to be patient until then.

In fact, I would appreciate your input/suggestions on some problems we are trying to solve in this context. I will mention them in my response.

Madhavan