Message-ID: <201910291634.7993D32374@keescook>
Date:   Tue, 29 Oct 2019 16:36:15 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Rick Edgecombe <rick.p.edgecombe@...el.com>
Cc:     kvm@...r.kernel.org, linux-kernel@...r.kernel.org, x86@...nel.org,
        linux-mm@...ck.org, luto@...nel.org, peterz@...radead.org,
        dave.hansen@...el.com, pbonzini@...hat.com,
        sean.j.christopherson@...el.com, kristen@...ux.intel.com,
        deneen.t.dock@...el.com
Subject: Re: [RFC PATCH 13/13] x86/Kconfig: Add Kconfig for KVM based XO

On Thu, Oct 03, 2019 at 02:24:00PM -0700, Rick Edgecombe wrote:
> Add CONFIG_KVM_XO for supporting KVM based execute only memory.

I would expect this config to be added earlier in the series so that the
code being added that depends on it can be incrementally build tested...

(Also, if this is default=y, why have a Kconfig for it at all? Guests
need to know to use this already, yes?)

-Kees

> 
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@...el.com>
> ---
>  arch/x86/Kconfig | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 222855cc0158..3a3af2a456e8 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -802,6 +802,19 @@ config KVM_GUEST
>  	  underlying device model, the host provides the guest with
>  	  timing infrastructure such as time of day, and system time
>  
> +config KVM_XO
> +	bool "Support for KVM based execute only virtual memory permissions"
> +	select DYNAMIC_PHYSICAL_MASK
> +	select SPARSEMEM_VMEMMAP
> +	depends on KVM_GUEST && X86_64
> +	default y
> +	help
> +	  This option enables support for execute only memory for KVM guests. If
> +	  support from the underlying VMM is not detected at boot, this
> +	  capability will automatically disable.
> +
> +	  If you are unsure how to answer this question, answer Y.
> +
>  config PVH
>  	bool "Support for running PVH guests"
>  	---help---
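
Review bot: in the new KVM_XO entry, `select SPARSEMEM_VMEMMAP` forces a memory-model option on from a feature whose only stated dependencies are `KVM_GUEST && X86_64`. Because `select` does not honour the selected symbol's own dependencies, it would be safer to write `depends on SPARSEMEM_VMEMMAP`, or to add the selected symbol's prerequisites to the `depends on` line. The help text also does not say why DYNAMIC_PHYSICAL_MASK and SPARSEMEM_VMEMMAP are needed or what the option costs when the VMM lacks support; a sentence on each would help anyone deciding whether to keep `default y`.
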
> -- 
> 2.17.1
> 

-- 
Kees Cook
