From patchwork Thu Jul 19 21:38:00 2018
X-Patchwork-Submitter: Ahmed Soliman
X-Patchwork-Id: 10535385
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Ahmed Abd El Mawgood
To: kvm@vger.kernel.org, Kernel Hardening, virtualization@lists.linux-foundation.org, linux-doc@vger.kernel.org, x86@kernel.org
Cc: Paolo Bonzini, rkrcmar@redhat.com, nathan Corbet, Thomas Gleixner, Ingo Molnar, hpa@zytor.com, Kees Cook, Ard Biesheuvel, David Hildenbrand, Boris Lukashev, David Vrabel, nigel.edwards@hpe.com, Rik van Riel, Ahmed Abd El Mawgood
Subject: [PATCH 1/3] [RFC V3] KVM: X86: Memory ROE documentation
Date: Thu, 19 Jul 2018 23:38:00 +0200
Message-Id: <20180719213802.17161-2-ahmedsoliman0x666@gmail.com>
X-Mailer: git-send-email 2.16.4
In-Reply-To: <20180719213802.17161-1-ahmedsoliman0x666@gmail.com>
References: <20180719213802.17161-1-ahmedsoliman0x666@gmail.com>

Following up on my previous threads on KVM-assisted anti-rootkit protections.
The current version doesn't address the attacks involving page remapping.
It is still a design in progress; nevertheless, it will be in my later patch sets.

Signed-off-by: Ahmed Abd El Mawgood
--- Documentation/virtual/kvm/hypercalls.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Documentation/virtual/kvm/hypercalls.txt b/Documentation/virtual/kvm/hypercalls.txt index a890529c63ed..a9db68adb7c9 100644 --- a/Documentation/virtual/kvm/hypercalls.txt +++ b/Documentation/virtual/kvm/hypercalls.txt
@@ -121,3 +121,17 @@ compute the CLOCK_REALTIME for its clock, at the same instant. Returns KVM_EOPNOTSUPP if the host does not use TSC clocksource, or if clock type is different than KVM_CLOCK_PAIRING_WALLCLOCK. + +7. KVM_HC_HMROE +---------------- +Architecture: x86 +Status: active +Purpose: Hypercall used to apply Read-Only Enforcement to guest pages +Usage: + a0: start address of page that should be protected. + +This hypercall lets a guest kernel to have part of its read/write memory +converted into read-only. This action is irreversible. KVM_HC_HMROE can +not be triggered from guest Ring 3 (user mode). The reason is that user +mode malicious software can make use of it enforce read only protection on +an arbitrary memory page thus crashing the kernel.
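
Review bot: The Usage block for KVM_HC_HMROE documents a0 only as "start address of page that should be protected", which leaves the interface underspecified: it does not say whether a0 is a guest physical or guest virtual address, whether it must be page-aligned, how much memory a single call covers (the description speaks of "part of its read/write memory" but there is no length or count argument), or what the hypercall returns on success and on failure. The preceding entry in this file names its error return (KVM_EOPNOTSUPP), so this entry should list its return values as well, including what a Ring 3 caller gets back when the call is refused. "This action is irreversible" should also state its scope, for example whether the protection lasts until the guest is reset. The commit message says attacks involving page remapping are not addressed yet; that limitation belongs in the documentation text too, so guest developers do not treat the hypercall as complete protection. Wording: "lets a guest kernel to have" should read "lets a guest kernel have", "make use of it enforce" is missing "to", and "Status: active" looks premature for an RFC.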