Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1224633rwd; Thu, 25 May 2023 09:33:02 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ79kKjG622Wd3RTNg9S4ZV5ff1m8rPczyQua6AdUcFkmPU0Dz3/GjkJk6mhXWpSH4d7TRit X-Received: by 2002:a05:6a20:3d87:b0:10c:f674:3bab with SMTP id s7-20020a056a203d8700b0010cf6743babmr7959134pzi.61.1685032381922; Thu, 25 May 2023 09:33:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685032381; cv=none; d=google.com; s=arc-20160816; b=b4ULGJKmY31S2D0aoZobNbbRn/CK8OmGPCLKYY/Yoa7m6R4IBjtUZjx3ia/ior0AgH kLpVs5lx2bOFYoGLULHzehW74AP4eX0OFikPEqB+sIiI6gRQP614r+G2o2w0uIKN89XQ QVbMAHnaJfqnYpYPLTNEpHHI3W6P7Auj7AGd7v6zI0PZpZzjoNHjaMfuBHdZNKxj76EM MRx5hbKFSUmktI7ZoLURZUImDqDyxWTaTAFXZYLiAwaZxicfsm7LLWag+kiZ1gh5pg4r RN5vRNg2tMbbK1TcuOF9DcYZx4JSGnEQvbHhJf/BBX5M9IlY1WHcp++CCFcYjCpifz1D dITQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=T8fhdJsa5NorDsEqTWIJQ5b4Ve27T8A/3D8mN23h+AM=; b=OKs6ALtyobsN/TvrL/Mw5OduCSG93turatOkrHAkC6w4qeFKpF0n5YGyoHh6jYR/RC IuhNOz2IHjXUYfUFW74Ia9lO/YhYD8xBv/W6DxMHwCqKvtMOUKnE/851SABbK/IzNnvs adDCYgQVnxzSp/7mJvQ7ODOVKffbuN2CR2opxwZT46yiTXRusYO+KeySNahC28X3vHuG JDF9aqU4JoH8lBaDOVQgTb/hV+Nyf3ktep6zyIpcDLDirsFLDCQIplgHpgtC7fDtye6X rmJmTjX3WymyMZqhdvwA22YupzC2HheusHtj3WMk6nKnO677JPEtou8QyVb+u3zIK+7/ +JQw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=FEqq2WYT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x24-20020a63db58000000b00534e67fd867si1393052pgi.62.2023.05.25.09.32.48; Thu, 25 May 2023 09:33:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=FEqq2WYT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240719AbjEYQHK (ORCPT + 99 others); Thu, 25 May 2023 12:07:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241071AbjEYQHG (ORCPT ); Thu, 25 May 2023 12:07:06 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F4117E4C for ; Thu, 25 May 2023 09:07:02 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id 3f1490d57ef6-ba8cf175f5bso1669444276.0 for ; Thu, 25 May 2023 09:07:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1685030822; x=1687622822; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=T8fhdJsa5NorDsEqTWIJQ5b4Ve27T8A/3D8mN23h+AM=; b=FEqq2WYT2bpFD+1TtSHkaFzNdRiEuyI2g6NACjIvhMwGd2nTXz/TFAkSgH9Ujas6q/ vhfG2wZKYTJDUOpnLW2+ofbeXlQQzMc4kCX+fmSU72PlK4P1Bu6ChRJwig3K6o+kmK9V pCl4CF26O5Po2Isyv/JlTTvFCsfs3ZUrFwA7UHCTWbISgu9JRVShkNuOUaec2GLwo+qR 9KOOx1CsOYaN5w2VTeTg1ACrMvUsp1nWuR5WaKwUiyP0rqYNcgG1cqc/7vdfOhawEkwt dDqOiNZlzeyBYZO39XTCtpGesfMZs3DSR4tffu8EiIq8HLxLRNoWCQV/DwcUzn5RT3NK ujWQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685030822; x=1687622822; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=T8fhdJsa5NorDsEqTWIJQ5b4Ve27T8A/3D8mN23h+AM=; b=PcIov7GKScfvuPS3bbUdIjpAoNa0Cpv3dS/G/p+NeYR5DruDMwj6eDLpZAfrq0LAA8 RTb3RMl/h3s4cnoHYyH6wqjxLp++5fP+MbdsjxinpXMNZ2qg/gZIZiNdi2zZY0izxyWc JihI+gAuNwogoWN3kKs0YlPnjzXBvuZHuyuxsh0vk2OwCcZnIAp0Url9KE5LKafOao/U 2bOpkgAqQzUY3a31BKaDxKAoDGXpu79NY73x5a1dkRO+jEZ+TLeAJXTJjZVVb1MD6hqB llcAQF18bHai9yJyir/EbVVyTAntJr4bxr+N5XlaOsAAA7PD4Hu7om3GGp9wrlSrzHaL cdLg== X-Gm-Message-State: AC+VfDwYraqurGqY3wOTFyFgRR/fhtg24Tgz4m/Px4wf8zaF0pqvgL5c XnEEjwLpRWgVB9bgJrySvn2fPK+ZLUk= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a25:6584:0:b0:ba8:381b:f764 with SMTP id z126-20020a256584000000b00ba8381bf764mr2233557ybb.3.1685030821985; Thu, 25 May 2023 09:07:01 -0700 (PDT) Date: Thu, 25 May 2023 09:07:00 -0700 In-Reply-To: <7cb6c4c28c077bb9f866c2d795e918610e77d49f.camel@intel.com> Mime-Version: 1.0 References: <20230505152046.6575-1-mic@digikod.net> <93726a7b9498ec66db21c5792079996d5fed5453.camel@intel.com> <7cb6c4c28c077bb9f866c2d795e918610e77d49f.camel@intel.com> Message-ID: Subject: Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity From: Sean Christopherson To: Rick P Edgecombe Cc: "mic@digikod.net" , "dave.hansen@linux.intel.com" , "bp@alien8.de" , "keescook@chromium.org" , "hpa@zytor.com" , "mingo@redhat.com" , "tglx@linutronix.de" , "pbonzini@redhat.com" , "wanpengli@tencent.com" , "vkuznets@redhat.com" , "kvm@vger.kernel.org" , "qemu-devel@nongnu.org" , "liran.alon@oracle.com" , "marian.c.rotariu@gmail.com" , Alexander Graf , John S Andersen , "madvenka@linux.microsoft.com" , "ssicleru@bitdefender.com" , "yuanyu@google.com" , "linux-kernel@vger.kernel.org" , "tgopinath@microsoft.com" , "jamorris@linux.microsoft.com" , "linux-security-module@vger.kernel.org" , "xen-devel@lists.xenproject.org" , "will@kernel.org" , "dev@lists.cloudhypervisor.org" , "mdontu@bitdefender.com" , "linux-hardening@vger.kernel.org" , "linux-hyperv@vger.kernel.org" , "virtualization@lists.linux-foundation.org" , "nicu.citu@icloud.com" , "ztarkhani@microsoft.com" , "x86@kernel.org" Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 25, 2023, Rick P Edgecombe wrote: > I wonder if it might be a good idea to POC the guest side before > settling on the KVM interface. Then you can also look at the whole > thing and judge how much usage it would get for the different options > of restrictions. As I said earlier[*], IMO the control plane logic needs to live in host userspace. I think any attempt to have KVM providen anything but the low level plumbing will suffer the same fate as CR4 pinning and XO memory. Iterating on an imperfect solution to incremently improve security is far, far easier to do in userspace, and far more likely to get merged. [*] https://lore.kernel.org/all/ZFUyhPuhtMbYdJ76@google.com