Open Source and information security mailing list archives
Message-ID: <20231206185134.GA9899@noisy.programming.kicks-ass.net>
Date: Wed, 6 Dec 2023 19:51:34 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: "Madhavan T. Venkataraman" <madvenka@...ux.microsoft.com>
Cc: Mickaël Salaün <mic@...ikod.net>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "H . Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>, Kees Cook <keescook@...omium.org>, Paolo Bonzini <pbonzini@...hat.com>, Sean Christopherson <seanjc@...gle.com>, Thomas Gleixner <tglx@...utronix.de>, Vitaly Kuznetsov <vkuznets@...hat.com>, Wanpeng Li <wanpengli@...cent.com>, Alexander Graf <graf@...zon.com>, Chao Peng <chao.p.peng@...ux.intel.com>, "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>, Forrest Yuan Yu <yuanyu@...gle.com>, James Gowans <jgowans@...zon.com>, James Morris <jamorris@...ux.microsoft.com>, John Andersen <john.s.andersen@...el.com>, Marian Rotariu <marian.c.rotariu@...il.com>, Mihai Donțu <mdontu@...defender.com>, Nicușor Cîțu <nicu.citu@...oud.com>, Thara Gopinath <tgopinath@...rosoft.com>, Trilok Soni <quic_tsoni@...cinc.com>, Wei Liu <wei.liu@...nel.org>, Will Deacon <will@...nel.org>, Yu Zhang <yu.c.zhang@...ux.intel.com>, Zahra Tarkhani <ztarkhani@...rosoft.com>, Ștefan Șicleru <ssicleru@...defender.com>, dev@...ts.cloudhypervisor.org, kvm@...r.kernel.org, linux-hardening@...r.kernel.org, linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, qemu-devel@...gnu.org, virtualization@...ts.linux-foundation.org, x86@...nel.org, xen-devel@...ts.xenproject.org
Subject: Re: [RFC PATCH v2 17/19] heki: x86: Update permissions counters during text patching

On Wed, Dec 06, 2023 at 10:37:33AM -0600, Madhavan T. Venkataraman wrote:
> 
> 
> On 11/30/23 05:33, Peter Zijlstra wrote:
> > On Wed, Nov 29, 2023 at 03:07:15PM -0600, Madhavan T. Venkataraman wrote:
> > 
> >> Kernel Lockdown
> >> ---------------
> >> 
> >> But, we must provide at least some security in V2. Otherwise, it is useless.
> >> 
> >> So, we have implemented what we call a kernel lockdown. At the end of kernel
> >> boot, Heki establishes permissions in the extended page table as mentioned
> >> before. Also, it adds an immutable attribute for kernel text and kernel RO data.
> >> Beyond that point, guest requests that attempt to modify permissions on any of
> >> the immutable pages will be denied.
> >> 
> >> This means that features like FTrace and KProbes will not work on kernel text
> >> in V2. This is a temporary limitation. Once authentication is in place, the
> >> limitation will go away.
> > 
> > So either you're saying your patch 17 / text_poke is broken (so why
> > include it ?!?) or your statement above is incorrect. Pick one.
> > 
> 
> It has been included so that people can be aware of the changes.
> 
> I will remove the text_poke() changes from the patchset and send it later when
> I have some authentication in place. It will make sense then.

If you know it's broken then fucking say so in the Changelog instead of
wasting everybody's time.. OMG.
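Added example, not part of the mail thread and not code from the Heki patchset: a user-space C model of the lockdown policy Madhavan describes above (end-of-boot permissions on guest pages, an immutable attribute on kernel text and RO data, and denial of later permission-change requests on immutable pages), together with a text-patching sequence in the style of text_poke() that needs a temporary writable mapping. All names (hyp_*, PERM_*, hyp_text_patch) are hypothetical; the real mechanism lives in the hypervisor's extended page tables and is not reproduced here. The model shows, on sample state constructed inline, why ftrace/kprobes-style text patching fails once the text pages are immutable.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>

#define HYP_NPAGES 8

/* Permission bits of a modelled extended-page-table entry (hypothetical). */
#define PERM_R (1u << 0)
#define PERM_W (1u << 1)
#define PERM_X (1u << 2)

enum page_kind { KIND_TEXT, KIND_RODATA, KIND_DATA };

struct hyp_page {
    enum page_kind kind;
    unsigned int perm;  /* PERM_* bits currently granted to the guest */
    bool immutable;     /* set at lockdown for text and RO data */
};

struct hyp_state {
    struct hyp_page pages[HYP_NPAGES];
    bool locked_down;
};

/* Constructed sample layout: 3 text pages, 2 rodata pages, 3 data pages,
 * all fully permissive before lockdown (as during early boot). */
static void hyp_init(struct hyp_state *st)
{
    memset(st, 0, sizeof *st);
    for (unsigned i = 0; i < HYP_NPAGES; i++) {
        st->pages[i].kind = i < 3 ? KIND_TEXT : i < 5 ? KIND_RODATA : KIND_DATA;
        st->pages[i].perm = PERM_R | PERM_W | PERM_X;
    }
}

/* Guest request to change the permissions of one page. Mirrors the rule
 * "guest requests that attempt to modify permissions on any of the
 * immutable pages will be denied". */
static int hyp_set_perm(struct hyp_state *st, unsigned idx, unsigned perm)
{
    if (idx >= HYP_NPAGES)
        return -EINVAL;
    if (st->pages[idx].immutable)
        return -EPERM;
    st->pages[idx].perm = perm;
    return 0;
}

/* End-of-boot lockdown: establish final permissions and mark kernel text
 * and RO data immutable. Data pages stay writable and mutable. */
static void hyp_lockdown(struct hyp_state *st)
{
    for (unsigned i = 0; i < HYP_NPAGES; i++) {
        struct hyp_page *p = &st->pages[i];
        switch (p->kind) {
        case KIND_TEXT:   p->perm = PERM_R | PERM_X; p->immutable = true; break;
        case KIND_RODATA: p->perm = PERM_R;          p->immutable = true; break;
        case KIND_DATA:   p->perm = PERM_R | PERM_W;                      break;
        }
    }
    st->locked_down = true;
}

/* Model of a text-patching step: temporarily make a text page writable,
 * patch it, then restore R+X. After lockdown the first request is denied,
 * which is the "FTrace and KProbes will not work on kernel text" limitation. */
static int hyp_text_patch(struct hyp_state *st, unsigned idx)
{
    int rc = hyp_set_perm(st, idx, PERM_R | PERM_W);
    if (rc)
        return rc;
    /* ... instruction bytes would be written here ... */
    return hyp_set_perm(st, idx, PERM_R | PERM_X);
}

/* Number of pages whose permissions a guest request can still change. */
static unsigned hyp_count_mutable(const struct hyp_state *st)
{
    unsigned n = 0;
    for (unsigned i = 0; i < HYP_NPAGES; i++)
        if (!st->pages[i].immutable)
            n++;
    return n;
}

int main(void)
{
    struct hyp_state st;
    hyp_init(&st);
    printf("text patch before lockdown: %d\n", hyp_text_patch(&st, 0));   /* 0 */
    hyp_lockdown(&st);
    printf("text patch after lockdown:  %d\n", hyp_text_patch(&st, 0));   /* -EPERM */
    printf("rodata -> RW after lockdown: %d\n", hyp_set_perm(&st, 3, PERM_R | PERM_W));
    printf("data -> RO after lockdown:   %d\n", hyp_set_perm(&st, 5, PERM_R));
    printf("mutable pages: %u of %d\n", hyp_count_mutable(&st), HYP_NPAGES);
    return 0;
}
```

The point the model makes explicit is the one Peter raises: a text_poke()-style sequence and an unconditional immutable attribute on kernel text cannot both be in effect in the same design, so one of the two has to give until an authenticated way to grant a temporary write exists.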