lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 8 Dec 2023 12:41:31 -0600
From: "Madhavan T. Venkataraman" <madvenka@...ux.microsoft.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Mickaël Salaün <mic@...ikod.net>,
 Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
 "H . Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
 Kees Cook <keescook@...omium.org>, Paolo Bonzini <pbonzini@...hat.com>,
 Sean Christopherson <seanjc@...gle.com>, Thomas Gleixner
 <tglx@...utronix.de>, Vitaly Kuznetsov <vkuznets@...hat.com>,
 Wanpeng Li <wanpengli@...cent.com>, Alexander Graf <graf@...zon.com>,
 Chao Peng <chao.p.peng@...ux.intel.com>,
 "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>,
 Forrest Yuan Yu <yuanyu@...gle.com>, James Gowans <jgowans@...zon.com>,
 James Morris <jamorris@...ux.microsoft.com>,
 John Andersen <john.s.andersen@...el.com>,
 Marian Rotariu <marian.c.rotariu@...il.com>,
 Mihai Donțu <mdontu@...defender.com>,
 Nicușor Cîțu <nicu.citu@...oud.com>,
 Thara Gopinath <tgopinath@...rosoft.com>,
 Trilok Soni <quic_tsoni@...cinc.com>, Wei Liu <wei.liu@...nel.org>,
 Will Deacon <will@...nel.org>, Yu Zhang <yu.c.zhang@...ux.intel.com>,
 Zahra Tarkhani <ztarkhani@...rosoft.com>,
 Ștefan Șicleru <ssicleru@...defender.com>,
 dev@...ts.cloudhypervisor.org, kvm@...r.kernel.org,
 linux-hardening@...r.kernel.org, linux-hyperv@...r.kernel.org,
 linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org,
 qemu-devel@...gnu.org, virtualization@...ts.linux-foundation.org,
 x86@...nel.org, xen-devel@...ts.xenproject.org
Subject: Re: [RFC PATCH v2 17/19] heki: x86: Update permissions counters
 during text patching



On 12/6/23 12:51, Peter Zijlstra wrote:
> On Wed, Dec 06, 2023 at 10:37:33AM -0600, Madhavan T. Venkataraman wrote:
>>
>>
>> On 11/30/23 05:33, Peter Zijlstra wrote:
>>> On Wed, Nov 29, 2023 at 03:07:15PM -0600, Madhavan T. Venkataraman wrote:
>>>
>>>> Kernel Lockdown
>>>> ---------------
>>>>
>>>> But, we must provide at least some security in V2. Otherwise, it is useless.
>>>>
>>>> So, we have implemented what we call a kernel lockdown. At the end of kernel
>>>> boot, Heki establishes permissions in the extended page table as mentioned
>>>> before. Also, it adds an immutable attribute for kernel text and kernel RO data.
>>>> Beyond that point, guest requests that attempt to modify permissions on any of
>>>> the immutable pages will be denied.
>>>>
>>>> This means that features like FTrace and KProbes will not work on kernel text
>>>> in V2. This is a temporary limitation. Once authentication is in place, the
>>>> limitation will go away.
>>>
>>> So either you're saying your patch 17 / text_poke is broken (so why
>>> include it ?!?) or your statement above is incorrect. Pick one.
>>>
>>
>> It has been included so that people can be aware of the changes.
>>
>> I will remove the text_poke() changes from the patchset and send it later when
>> I have some authentication in place. It will make sense then.
> 
> If you know its broken then fucking say so in the Changelog instead of
> wasting everybody's time.. OMG.

It is not broken. It addresses one part of the problem. The other part is WIP.

I am preparing a detailed response to your comments. I ask you to be patient until then. In fact, I would appreciate your input/suggestions on some problems we are trying to solve in this context. I will mention them in my response.

Madhavan


Powered by blists - more mailing lists