Re: [Qemu-devel] QEMU-KVM and hardened (GRSEC/PaX) kernel

[Blue Swirl]

2011/4/17 Антон Кочков <address@hidden>:
> Good day!
> I'm trying to make working qemu-kvm with hardened gentoo on hardened kernel.
> When i'm using CONFIG_PAX_KERNPAGEXEC and CONFIG_PAX_MEM_UNDEREF qemu just 
> start
> and go to infinite loop and take 100% of one of my CPU core. adn it
> even can't be killed.
> Also it is dont give answer for qemu monitor/remote gdb.
> When I'm changed these two values as disabled, qemu-kvm now start, and
> stop (i mean qemu monitor show that virtual machine is running, but no
> any activity/output). Also it's load about 0%.
> See details in bug http://bugs.gentoo.org/show_bug.cgi?id=363713

Given this description
http://grsecurity.net/~spender/uderef.txt
I'd say the problem is PaX vs. KVM (kernel module part of it). UDEREF
should be overridden for the process in question, which obviously
defeats security. Maybe CONFIG_GRKERNSEC_HARDENED_VIRTUALIZATION
suggested in the bug thread already does this, I don't know. It's not
possible to virtualize for example guests using self-modifying code if
the kernel protections are in the way. The alternative is to use only
guests, which never violate W^X, if they exist.