[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [RFC PATCH v2 17/19] heki: x86: Update permissions counters during t
From: |
Peter Zijlstra |
Subject: |
Re: [RFC PATCH v2 17/19] heki: x86: Update permissions counters during text patching |
Date: |
Wed, 6 Dec 2023 19:51:34 +0100 |
On Wed, Dec 06, 2023 at 10:37:33AM -0600, Madhavan T. Venkataraman wrote:
>
>
> On 11/30/23 05:33, Peter Zijlstra wrote:
> > On Wed, Nov 29, 2023 at 03:07:15PM -0600, Madhavan T. Venkataraman wrote:
> >
> >> Kernel Lockdown
> >> ---------------
> >>
> >> But, we must provide at least some security in V2. Otherwise, it is
> >> useless.
> >>
> >> So, we have implemented what we call a kernel lockdown. At the end of
> >> kernel
> >> boot, Heki establishes permissions in the extended page table as mentioned
> >> before. Also, it adds an immutable attribute for kernel text and kernel RO
> >> data.
> >> Beyond that point, guest requests that attempt to modify permissions on
> >> any of
> >> the immutable pages will be denied.
> >>
> >> This means that features like FTrace and KProbes will not work on kernel
> >> text
> >> in V2. This is a temporary limitation. Once authentication is in place, the
> >> limitation will go away.
> >
> > So either you're saying your patch 17 / text_poke is broken (so why
> > include it ?!?) or your statement above is incorrect. Pick one.
> >
>
> It has been included so that people can be aware of the changes.
>
> I will remove the text_poke() changes from the patchset and send it later when
> I have some authentication in place. It will make sense then.
If you know its broken then fucking say so in the Changelog instead of
wasting everybody's time.. OMG.