diff mbox series

[V6,3/8] KVM: Document Memory ROE

Message ID 20181104171124.5717-4-ahmedsoliman0x666@gmail.com
State New, archived
Headers show
Series KVM: X86: Introducing ROE Protection Kernel Hardening | expand

Commit Message

Ahmed Soliman Nov. 4, 2018, 5:11 p.m. UTC
ROE version documented here is implemented in the next 2 patches

Signed-off-by: Ahmed Abd El Mawgood <ahmedsoliman0x666@gmail.com>
 Documentation/virtual/kvm/hypercalls.txt | 31 ++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff mbox series


diff --git a/Documentation/virtual/kvm/hypercalls.txt b/Documentation/virtual/kvm/hypercalls.txt
index da24c138c8d1..8af64d826f03 100644
--- a/Documentation/virtual/kvm/hypercalls.txt
+++ b/Documentation/virtual/kvm/hypercalls.txt
@@ -141,3 +141,34 @@  a0 corresponds to the APIC ID in the third argument (a2), bit 1
 corresponds to the APIC ID a2+1, and so on.
 Returns the number of CPUs to which the IPIs were delivered successfully.
+Architecture: x86
+Status: active
+Purpose: Hypercall used to apply Read-Only Enforcement to guest memory and
+Usage 1:
+     a0: ROE_VERSION
+Returns non-signed number that represents the current version of ROE
+implementation current version.
+Usage 2:
+     a0: ROE_MPROTECT	(requires version >= 1)
+     a1: Start address aligned to page boundary.
+     a2: Number of pages to be protected.
+This configuration lets a guest kernel have part of its read/write memory
+converted into read-only.  This action is irreversible.
+Upon successful run, the number of pages protected is returned.
+Error codes:
+	-KVM_ENOSYS: system call being triggered from ring 3 or it is not
+	implemented.
+	-EINVAL: error based on given parameters.
+Notes: KVM_HC_ROE can not be triggered from guest Ring 3 (user mode). The
+reason is that user mode malicious software can make use of it to enforce read
+only protection on an arbitrary memory page thus crashing the kernel.