From patchwork Sun Nov 4 17:11:16 2018
X-Patchwork-Submitter: Ahmed Soliman
X-Patchwork-Id: 10666929
From: Ahmed Abd El Mawgood
To: Paolo Bonzini, rkrcmar@redhat.com, Jonathan Corbet, Thomas Gleixner, Ingo Molnar, Borislav Petkov, hpa@zytor.com, x86@kernel.org, kvm@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, ahmedsoliman0x666@gmail.com, ovich00@gmail.com, kernel-hardening@lists.openwall.com, nigel.edwards@hpe.com, Boris Lukashev, Hossam Hassan <7ossam9063@gmail.com>, "Ahmed Lotfy igor . stoppa @ gmail . com"
Subject: [PATCH V6 0/8] KVM: X86: Introducing ROE Protection Kernel Hardening
Date: Sun, 4 Nov 2018 19:11:16 +0200
Message-Id: <20181104171124.5717-1-ahmedsoliman0x666@gmail.com>

-- Summary --

ROE is a hypercall that enables the host operating system to restrict a guest's access to its own memory. This provides a hardening mechanism that can be used to stop rootkits from manipulating kernel static data structures and code. Once a memory region is protected, the guest kernel can't even request undoing the protection.
Memory protected by ROE should be non-swappable, because even if an ROE-protected page were swapped out, it wouldn't be possible to write anything in its place. The ROE hypercall should be capable of protecting either a whole memory frame or parts of it. With these two, it should be possible for the guest kernel to protect its memory and all the page table entries for that memory inside the page table. I am still not sure whether this should be part of ROE's job or the guest's job.

The reason why it is better to implement this inside KVM instead of in (host) user space is the need to access SPTEs to modify the permissions. While mprotect() from user space can work in theory, it would be a big performance hit to vmexit and switch to user space on each fault; on the other hand, having the permissions enforced by EPT should give a remarkable performance gain.

Our model assumes that an attacker has full root access to a running guest and that his goal is to manipulate kernel code/data (hook syscalls, overwrite the IDT, etc.). There is future work in progress to also put some sort of protection on the page table register CR3 and other critical registers that can be intercepted by KVM. This way it won't be possible for an attacker to manipulate any part of the guest's page table.

-- Change log V5 -> V6 --

- Make CONFIG_KVM_ROE=y the default so it can reach distros faster.
- Remove the obsolete description from the Memory ROE documentation patch.
- Reorder the patches in a more sensible manner (first the helper patches, then the documentation, finally the real implementation).
- Add a patch to log ROE violations via the system log.
- Use affirmative mode in commit titles.
- Get rid of the many #ifdefs.
- Factor most of the code out of arch/x86/kvm and place it in virt/kvm.
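As an added illustration of the semantics the summary describes (constructed for this page, not code from the patch series; every name in it is assumed), here is a host-side model of one memslot's ROE bookkeeping: whole-frame protection kept in a per-frame bitmap, byte-granular chunks of the kind ROE_MPROTECT_CHUNK adds, deliberately no operation that undoes protection, and the check taken on a guest write fault that denies the write and records the violation for the host's log.

```c
/* Constructed model (assumed names, not the series' code) of per-memslot
 * ROE state: one read-only bit per 4 KiB frame plus byte-granular chunks.
 * Offsets are relative to the start of a 64 KiB memslot. */
#include <stdbool.h>
#include <stdint.h>
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define SLOT_PAGES 16
#define MAX_CHUNKS 8
struct roe_chunk { uint64_t off, size; };
struct roe_slot {
	uint32_t prot_bitmap;              /* bit i set: frame i is read-only */
	struct roe_chunk chunks[MAX_CHUNKS];
	int nchunks;
	unsigned violations;               /* denied writes, what patch 8/8 logs */
};

/* Whole-frame protection. There is deliberately no inverse: once a frame is
 * protected, the guest (root included) cannot request that it be undone. */
static int roe_protect_frames(struct roe_slot *s, uint64_t off, int npages)
{
	uint64_t first = off >> PAGE_SHIFT;
	if (first + npages > SLOT_PAGES)
		return -1;                     /* range is not inside this slot */
	for (int i = 0; i < npages; i++)
		s->prot_bitmap |= 1u << (first + i);
	return 0;
}
/* Byte-granular protection; the range may straddle frame boundaries. */
static int roe_protect_chunk(struct roe_slot *s, uint64_t off, uint64_t size)
{
	if (off + size > SLOT_PAGES * PAGE_SIZE || s->nchunks == MAX_CHUNKS)
		return -1;
	s->chunks[s->nchunks++] = (struct roe_chunk){ off, size };
	return 0;
}
/* Decision on a guest write fault: deny if any byte of [off, off+len) lies in
 * a protected frame or chunk, and count the violation for the host's log. */
static bool roe_write_allowed(struct roe_slot *s, uint64_t off, uint64_t len)
{
	uint64_t end = off + len; bool hit = false;
	for (uint64_t p = off >> PAGE_SHIFT; p < SLOT_PAGES && p * PAGE_SIZE < end; p++)
		hit |= (s->prot_bitmap >> p) & 1u;
	for (int i = 0; i < s->nchunks; i++)
		hit |= off < s->chunks[i].off + s->chunks[i].size && s->chunks[i].off < end;
	if (hit)
		s->violations++;
	return !hit;
}
```

A write that merely touches the last bytes of an unprotected frame and spills into a protected one is denied, which is the behaviour the EPT-enforced fault path has to provide.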
The previous version (V5) of the patch set can be found at [1].

-- links --

[1] https://lkml.org/lkml/2018/10/26/604

-- List of patches --

[PATCH V6 1/8] KVM: State whether memory should be freed in
[PATCH V6 2/8] KVM: X86: Add arbitrary data pointer in kvm memslot
[PATCH V6 3/8] KVM: Document Memory ROE
[PATCH V6 4/8] KVM: Create architecture independent ROE skeleton
[PATCH V6 5/8] KVM: X86: Enable ROE for x86
[PATCH V6 6/8] KVM: Add support for byte granular memory ROE
[PATCH V6 7/8] KVM: X86: Port ROE_MPROTECT_CHUNK to x86
[PATCH V6 8/8] KVM: Log ROE violations in system log

-- Diffstat --

 Documentation/virtual/kvm/hypercalls.txt   |  40 ++++
 arch/x86/include/asm/kvm_host.h            |   2 +-
 arch/x86/kvm/Kconfig                       |   8 +
 arch/x86/kvm/Makefile                      |   4 +-
 arch/x86/kvm/mmu.c                         | 106 +++++----
 arch/x86/kvm/mmu.h                         |  40 +++-
 arch/x86/kvm/roe.c                         | 109 +++++++++
 arch/x86/kvm/roe_arch.h                    |  50 +++++
 arch/x86/kvm/x86.c                         |  11 +-
 include/kvm/roe.h                          |  23 ++
 include/linux/kvm_host.h                   |  29 +++
 include/uapi/linux/kvm_para.h              |   5 +
 net/sunrpc/xprtrdma/svc_rdma_backchannel.c |   4 +-
 virt/kvm/kvm_main.c                        |  55 ++++-
 virt/kvm/roe.c                             | 342 +++++++++++++++++++++++++++++
 virt/kvm/roe_generic.h                     |  46 ++++
 16 files changed, 797 insertions(+), 77 deletions(-)

Signed-off-by: Ahmed Abd El Mawgood