Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp3355318rwd; Mon, 29 May 2023 09:11:19 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4D+fg+sb7Jy2eXvVItkLz5xO8Fc0B+cMta06fecDwk34VvyFJqBl4/Ubu0jgCWqE7m5KXu X-Received: by 2002:a17:902:e806:b0:1a9:8ba4:d0d3 with SMTP id u6-20020a170902e80600b001a98ba4d0d3mr16299407plg.8.1685376678950; Mon, 29 May 2023 09:11:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685376678; cv=none; d=google.com; s=arc-20160816; b=jOQrnrZKuf9UyRjGaNXhwOd2OGF5+wXfSO4950xEFWh5Hnrrw3WGoNO4kq0IBpjEY2 W3KTDztTR2asz7DfSw7nOrVtV1REsKk+Sk4okJAwJ8CELHDvTUyz7Wa/pMTjZekJY/JY Qf+Y1PUnjCNTG8P8dG8nNsdSciR1RobX5l0ZR1hBxq9bOlmBLeAluLUQuHa9tE3GT6RF 3Wr9sI7fHBEmweAR3YX/NswLdBloNz5gqYICvtCD9+Hotvd/8Ngg4KmnZN2bGK/DcsaK gAklyZaZUEMcztR3cKQZvsvvyI0ao9f2A2GuCZYIiIl+YQJu0rKgo9dKbnqAKx+jxSCR yAqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=vgPTVJXus0E7lnJFLBM2/yQLOiPkgPmqIupgNGf4C6k=; b=hdotN9ZTN+kBY6iqBf9vjCmOvJ1UNzebLDHnb6QJFNl2uz+j+i38TPaHE4+4KBRtb/ LEkIdG6vbuePoI91frS/TSu9EhDsmr8x6SS00I1AvLTFIRnJEra8ab1CogtHXPqiQ+6X Y4ZVnRTKdu3+9j1WPFfp7qf9HaV+GdwoXy5lSi5uhthg+G7M6eXW/vpYp1/nCOFjPmD1 JLSScjG753LTQ3Ecaw0OeB9UMbzwnZMrAE6ZGpSb9H9U1Q+6+X0J86pvbVBzJEM7NvIa wv9FaQ+bTKtg8LI1EbjGdTkqLfl18oF3CXJ0dhtQoO4fCH+otp1qFk9qbzy1n3eCBG4y 0fCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=kQUNssi6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y11-20020a17090322cb00b001ab20d029e0si10608793plg.582.2023.05.29.09.11.06; Mon, 29 May 2023 09:11:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=kQUNssi6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229519AbjE2QDp (ORCPT + 99 others); Mon, 29 May 2023 12:03:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49746 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229512AbjE2QDo (ORCPT ); Mon, 29 May 2023 12:03:44 -0400 Received: from smtp-8faf.mail.infomaniak.ch (smtp-8faf.mail.infomaniak.ch [83.166.143.175]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CAB23CD; Mon, 29 May 2023 09:03:36 -0700 (PDT) Received: from smtp-3-0000.mail.infomaniak.ch (unknown [10.4.36.107]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4QVL131MNPzMqYfG; Mon, 29 May 2023 18:03:35 +0200 (CEST) Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4QVL0w4znNz3vb2; Mon, 29 May 2023 18:03:28 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net; s=20191114; t=1685376215; bh=n6vDyeLcnXuJ2e1Kx1oy6dfLDQBfFmEzNL/ERVZDqQU=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=kQUNssi6VBi8KE2R5ANm9fpqaLV9V+BO/pl/pZOb+r07FAQvClXzKkx8C9t2Hytji /4n7ba89FjY/Zfl8t2rhFg1o9pE4iawj/J1DIhc82vGXeZvlW/Z9zID2JwoJwYww3/ p8LCe3PI5P3tfO/+Mau3UxTlSDY6CLpnXs/pesiA= Message-ID: <90ca1173-4ec1-099f-5744-3d6dc29d919d@digikod.net> Date: Mon, 29 May 2023 18:03:28 +0200 MIME-Version: 1.0 User-Agent: Subject: Re: [PATCH v1 3/9] virt: Implement Heki common code Content-Language: en-US To: "Madhavan T. Venkataraman" , Wei Liu Cc: Borislav Petkov , Dave Hansen , "H . Peter Anvin" , Ingo Molnar , Kees Cook , Paolo Bonzini , Sean Christopherson , Thomas Gleixner , Vitaly Kuznetsov , Wanpeng Li , Alexander Graf , Forrest Yuan Yu , James Morris , John Andersen , Marian Rotariu , =?UTF-8?Q?Mihai_Don=c8=9bu?= , =?UTF-8?B?TmljdciZb3IgQ8OuyJt1?= , Rick Edgecombe , Thara Gopinath , Will Deacon , Zahra Tarkhani , =?UTF-8?Q?=c8=98tefan_=c8=98icleru?= , dev@lists.cloudhypervisor.org, kvm@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, qemu-devel@nongnu.org, virtualization@lists.linux-foundation.org, x86@kernel.org, xen-devel@lists.xenproject.org References: <20230505152046.6575-1-mic@digikod.net> <20230505152046.6575-4-mic@digikod.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Infomaniak-Routing: alpha X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 17/05/2023 14:47, Madhavan T. Venkataraman wrote: > Sorry for the delay. See inline... > > On 5/8/23 12:29, Wei Liu wrote: >> On Fri, May 05, 2023 at 05:20:40PM +0200, Mickaël Salaün wrote: >>> From: Madhavan T. Venkataraman >>> >>> Hypervisor Enforced Kernel Integrity (Heki) is a feature that will use >>> the hypervisor to enhance guest virtual machine security. >>> >>> Configuration >>> ============= >>> >>> Define the config variables for the feature. This feature depends on >>> support from the architecture as well as the hypervisor. >>> >>> Enabling HEKI >>> ============= >>> >>> Define a kernel command line parameter "heki" to turn the feature on or >>> off. By default, Heki is on. >> >> For such a newfangled feature can we have it off by default? Especially >> when there are unsolved issues around dynamically loaded code. >> > > Yes. We can certainly do that. By default the Kconfig option should definitely be off. We also need to change the Kconfig option to only be set if kernel module, JIT, kprobes and other dynamic text change feature are disabled at build time (see discussion with Sean). With this new Kconfig option for the static case, I think the boot option should be on by default because otherwise it would not really be possible to switch back to on later without taking the risk to silently breaking users' machines. However, we should rename this option to something like "heki_static" to be in line with the new Kconfig option. The goal of Heki is to improve and complement kernel self-protection mechanisms (which don't have boot time options), and to make it available to everyone, see https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings In practice, it would then be kind of useless to be required to set a boot option to enable Heki (rather than to disable it). > >>> >> [...] >>> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig >>> index 3604074a878b..5cf5a7a97811 100644 >>> --- a/arch/x86/Kconfig >>> +++ b/arch/x86/Kconfig >>> @@ -297,6 +297,7 @@ config X86 >>> select FUNCTION_ALIGNMENT_4B >>> imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI >>> select HAVE_DYNAMIC_FTRACE_NO_PATCHABLE >>> + select ARCH_SUPPORTS_HEKI if X86_64 >> >> Why is there a restriction on X86_64? >> > > We want to get the PoC working and reviewed on X64 first. We have tested this only on X64 so far. X86_64 includes Intel CPUs, which can support EPT and MBEC, which are a requirement for Heki. ARM might have similar features but we're focused on x86 for now. As a side note, I only have access to an Intel machine, which means that I cannot work on AMD support. However, I'll be pleased to implement such support if I get access to a machine with a recent AMD CPU. > >>> >>> config INSTRUCTION_DECODER >>> def_bool y >>> diff --git a/arch/x86/include/asm/sections.h b/arch/x86/include/asm/sections.h >>> index a6e8373a5170..42ef1e33b8a5 100644 >>> --- a/arch/x86/include/asm/sections.h >>> +++ b/arch/x86/include/asm/sections.h >> [...] >>> >>> +#ifdef CONFIG_HEKI >>> + >>> +/* >>> + * Gather all of the statically defined sections so heki_late_init() can >>> + * protect these sections in the host page table. >>> + * >>> + * The sections are defined under "SECTIONS" in vmlinux.lds.S >>> + * Keep this array in sync with SECTIONS. >>> + */ >> >> This seems a bit fragile, because it requires constant attention from >> people who care about this functionality. Can this table be >> automatically generated? >> > > We realize that. But I don't know of a way this can be automatically generated. Also, the permissions for > each section is specific to the use of that section. The developer who introduces a new section is the > one who will know what the permissions should be. > > If any one has any ideas of how we can generate this table automatically or even just add a build time check > of some sort, please let us know. One clean solution might be to parse the vmlinux.lds.S file, extract section and their permission, and fill that into an automatically generated header file. Another way to do it would be to extract sections and associated permissions with objdump, but that could be an issue because of longer build time. A better solution would be to extract such sections and associated permissions at boot time. I guess the kernel already has such helpers used in early boot.