Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2606568rwd; Fri, 26 May 2023 08:41:39 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7OwdEChlMkO4TBINJoKMCdwftZ4oOgLUaSIVscBW7RkQwKnxTaeKWcPTG8AEXXp6wK9AtN X-Received: by 2002:a05:6a21:980d:b0:10d:d0cd:c1c7 with SMTP id ue13-20020a056a21980d00b0010dd0cdc1c7mr2167177pzb.15.1685115699097; Fri, 26 May 2023 08:41:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685115699; cv=none; d=google.com; s=arc-20160816; b=oyMSGtzMFXxIapjsjDdpfNX+DoryUgHC9+HVtE5I8TlGLn+qekXb8ucwmw2qqJM56O v2yg10eA3nBQ2hdQlv7Y9YlqlhxMY+VhNAbvoUDARCluY2M95iC0Xn4OO1xEVv02MMZj SCcXHvbieypD5v2OHGWn65eor9o7YdUKEBhJV7QJvjVulGeiPgWxeeGgUJSdLXHZoZDH 190X8QMc2+2zd6fmomRVFkOsHf3rXzr0hb2ejco0rwElcE4FjuVKe45CEUrvBCWuI2fA M2ufoCFje6cM7o9wRbroGpYZvA396c8FEzFD77qIoByGqxI2v2Nj79W0w+XyWcgtdxFg wgKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=E+GWRfGuP0ooIbxTWa7UtmjBCCRmj4QAFZsf2JYXYIg=; b=jE1KjCXiK05vpE7tzMfUW9sPwYqeuZ43IlYn/76sUrTmLfsyt8usG3QRV8KhRTd0U/ w8AQnWbUKmAmEqmGX9MAqm3HUXLWv9v9xmuwMOi52WSV96d14pTS6mEws7SuBVV1TXZB MvWPj7WBbdvVIHAHStXT2pSo0S9pS/H1o2dB31EiikOyHUp0ihdtU6nMnZFC38atupsF Pmjc1rCZZT9bB50Bv0ZKnkye3t12Rd7vE4+ULPh6kzH3tdaHw5GtLyRMhINw/IUG/Ae/ XVPAkTuNfqqTrN2fXZy7b5OgY+Eo3Ru41lpMfwL31pGuNxkSepvLctfzJ3xb/Lx5M+U3 bH6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=kVMTGpVq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 125-20020a630183000000b0052c9cacb70dsi916240pgb.592.2023.05.26.08.41.24; Fri, 26 May 2023 08:41:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=kVMTGpVq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244136AbjEZPgL (ORCPT + 99 others); Fri, 26 May 2023 11:36:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40758 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244058AbjEZPgB (ORCPT ); Fri, 26 May 2023 11:36:01 -0400 X-Greylist: delayed 94219 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Fri, 26 May 2023 08:35:52 PDT Received: from smtp-190c.mail.infomaniak.ch (smtp-190c.mail.infomaniak.ch [185.125.25.12]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 95867F3 for ; Fri, 26 May 2023 08:35:52 -0700 (PDT) Received: from smtp-3-0000.mail.infomaniak.ch (unknown [10.4.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4QSTXP6kHdzMqPDr; Fri, 26 May 2023 17:35:49 +0200 (CEST) Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4QSTXL3K3rz1Sjg; Fri, 26 May 2023 17:35:46 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net; s=20191114; t=1685115349; bh=IVLXl6zuTaxu1Zgxrh25RMUzIB63fNH4/OIZK2HDhZ0=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=kVMTGpVqhamFd/35Tv8GgGxW+MQc9ut6C15rUQoLevvrCTeKGaS+bLkhx73UqS/CF F+QUQYt6dTBHCqDv3OJzGYoC8livFVhydjlyIX+RYotxBnPtUyqUMczbhbmQDNz+Be GJfCUWCNzFZiETlN+G79KrUNM0ssQag3MigoVxSk= Message-ID: Date: Fri, 26 May 2023 17:35:45 +0200 MIME-Version: 1.0 User-Agent: Subject: Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity Content-Language: en-US To: "Edgecombe, Rick P" , "Christopherson,, Sean" , "dave.hansen@linux.intel.com" , "bp@alien8.de" , "keescook@chromium.org" , "hpa@zytor.com" , "mingo@redhat.com" , "tglx@linutronix.de" , "pbonzini@redhat.com" , "wanpengli@tencent.com" , "vkuznets@redhat.com" Cc: "kvm@vger.kernel.org" , "qemu-devel@nongnu.org" , "liran.alon@oracle.com" , "marian.c.rotariu@gmail.com" , "Graf, Alexander" , "Andersen, John S" , "madvenka@linux.microsoft.com" , "ssicleru@bitdefender.com" , "yuanyu@google.com" , "linux-kernel@vger.kernel.org" , "tgopinath@microsoft.com" , "jamorris@linux.microsoft.com" , "linux-security-module@vger.kernel.org" , "xen-devel@lists.xenproject.org" , "will@kernel.org" , "dev@lists.cloudhypervisor.org" , "mdontu@bitdefender.com" , "linux-hardening@vger.kernel.org" , "linux-hyperv@vger.kernel.org" , "virtualization@lists.linux-foundation.org" , "nicu.citu@icloud.com" , "ztarkhani@microsoft.com" , "x86@kernel.org" References: <20230505152046.6575-1-mic@digikod.net> <93726a7b9498ec66db21c5792079996d5fed5453.camel@intel.com> <7cb6c4c28c077bb9f866c2d795e918610e77d49f.camel@intel.com> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= In-Reply-To: <7cb6c4c28c077bb9f866c2d795e918610e77d49f.camel@intel.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Infomaniak-Routing: alpha X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 25/05/2023 17:52, Edgecombe, Rick P wrote: > On Thu, 2023-05-25 at 15:59 +0200, Mickaël Salaün wrote: > [ snip ] > >>> The kernel often creates writable aliases in order to write to >>> protected data (kernel text, etc). Some of this is done right as >>> text >>> is being first written out (alternatives for example), and some >>> happens >>> way later (jump labels, etc). So for verification, I wonder what >>> stage >>> you would be verifying? If you want to verify the end state, you >>> would >>> have to maintain knowledge in the verifier of all the touch-ups the >>> kernel does. I think it would get very tricky. >> >> For now, in the static kernel case, all rodata and text GPA is >> restricted, so aliasing such memory in a writable way before or after >> the KVM enforcement would still restrict write access to this memory, >> which could be an issue but not a security one. Do you have such >> examples in mind? >> > > On x86, look at all the callers of the text_poke() family. In > arch/x86/include/asm/text-patching.h. OK, thanks! > >> >>> >>> It also seems it will be a decent ask for the guest kernel to keep >>> track of GPA permissions as well as normal virtual memory >>> pemirssions, >>> if this thing is not widely used. >> >> This would indeed be required to properly handle the dynamic cases. >> >> >>> >>> So I wondering if you could go in two directions with this: >>> 1. Make this a feature only for super locked down kernels (no >>> modules, >>> etc). Forbid any configurations that might modify text. But eBPF is >>> used for seccomp, so you might be turning off some security >>> protections >>> to get this. >> >> Good idea. For "super locked down kernels" :) , we should disable all >> kernel executable changes with the related kernel build configuration >> (e.g. eBPF JIT, kernel module, kprobes…) to make sure there is no >> such >> legitimate access. This looks like an acceptable initial feature. > > How many users do you think will want this protection but not > protections that would have to be disabled? The main one that came to > mind for me is cBPF seccomp stuff. > > But also, the alternative to JITing cBPF is the eBPF interpreter which > AFAIU is considered a juicy enough target for speculative attacks that > they created an option to compile it out. And leaving an interpreter in > the kernel means any data could be "executed" in the normal non- > speculative scenario, kind of working around the hypervisor executable > protections. Dropping e/cBPF entirely would be an option, but then I > wonder how many users you have left. Hopefully that is all correct, > it's hard to keep track with the pace of BPF development. seccomp-bpf doesn't rely on JIT, so it is not an issue. For eBPF, JIT is optional, but other text changes may be required according to the eBPF program type (e.g. using kprobes). > > I wonder if it might be a good idea to POC the guest side before > settling on the KVM interface. Then you can also look at the whole > thing and judge how much usage it would get for the different options > of restrictions. The next step is to handle dynamic permissions, but it will be easier to first implement that in KVM itself (which already has the required authentication code). The current interface may be flexible enough though, only new attribute flags should be required (and potentially an async mode). Anyway, this will enable to look at the whole thing. > >> >> >>> 2. Loosen the rules to allow the protections to not be so one-way >>> enable. Get less security, but used more widely. >> >> This is our goal. I think both static and dynamic cases are >> legitimate >> and have value according to the level of security sought. This should >> be >> a build-time configuration. > > Yea, the proper way to do this is probably to move all text handling > stuff into a separate domain of some sort, like you mentioned > elsewhere. It would be quite a job. Not necessarily to move this code, but to make sure that the changes are legitimate (e.g. text signatures, legitimate addresses). This doesn't need to be perfect but it should improve the current state by increasing the cost of attacks.