Re: [PATCH v1 5/9] KVM: x86: Add new hypercall to lock control registers

[RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Mickaël Salaün <mic@digikod.net> · 2023-05-05
[PATCH v1 1/9] KVM: x86: Add kvm_x86_ops.fault_gva() · Mickaël Salaün <mic@digikod.net> · 2023-05-05
[PATCH v1 2/9] KVM: x86/mmu: Add support for prewrite page tracking · Mickaël Salaün <mic@digikod.net> · 2023-05-05
Re: [PATCH v1 2/9] KVM: x86/mmu: Add support for prewrite page tracking · Sean Christopherson <seanjc@google.com> · 2023-05-05
Re: [PATCH v1 2/9] KVM: x86/mmu: Add support for prewrite page tracking · Mickaël Salaün <mic@digikod.net> · 2023-05-05
Re: [PATCH v1 2/9] KVM: x86/mmu: Add support for prewrite page tracking · Sean Christopherson <seanjc@google.com> · 2023-05-05
Re: [PATCH v1 2/9] KVM: x86/mmu: Add support for prewrite page tracking · Madhavan T. Venkataraman <hidden> · 2023-05-24
[PATCH v1 4/9] KVM: x86: Add new hypercall to set EPT permissions · Mickaël Salaün <mic@digikod.net> · 2023-05-05
Re: [PATCH v1 4/9] KVM: x86: Add new hypercall to set EPT permissions · Sean Christopherson <seanjc@google.com> · 2023-05-05
Re: [PATCH v1 4/9] KVM: x86: Add new hypercall to set EPT permissions · Mickaël Salaün <mic@digikod.net> · 2023-05-05
Re: [PATCH v1 4/9] KVM: x86: Add new hypercall to set EPT permissions · Sean Christopherson <seanjc@google.com> · 2023-05-05
[PATCH v1 3/9] virt: Implement Heki common code · Mickaël Salaün <mic@digikod.net> · 2023-05-05
Re: [PATCH v1 3/9] virt: Implement Heki common code · Wei Liu <wei.liu@kernel.org> · 2023-05-08
Re: [PATCH v1 3/9] virt: Implement Heki common code · Madhavan T. Venkataraman <hidden> · 2023-05-17
Re: [PATCH v1 3/9] virt: Implement Heki common code · Mickaël Salaün <mic@digikod.net> · 2023-05-29
[PATCH v1 5/9] KVM: x86: Add new hypercall to lock control registers · Mickaël Salaün <mic@digikod.net> · 2023-05-05
Re: [PATCH v1 5/9] KVM: x86: Add new hypercall to lock control registers · Wei Liu <wei.liu@kernel.org> · 2023-05-08
Re: [PATCH v1 5/9] KVM: x86: Add new hypercall to lock control registers · Mickaël Salaün <mic@digikod.net> · 2023-05-29
Re: [PATCH v1 5/9] KVM: x86: Add new hypercall to lock control registers · Kees Cook <hidden> · 2023-05-30
[PATCH v1 6/9] KVM: x86: Add Heki hypervisor support · Mickaël Salaün <mic@digikod.net> · 2023-05-05
Re: [PATCH v1 6/9] KVM: x86: Add Heki hypervisor support · Wei Liu <wei.liu@kernel.org> · 2023-05-08
Re: [PATCH v1 6/9] KVM: x86: Add Heki hypervisor support · Mickaël Salaün <mic@digikod.net> · 2023-05-26
[PATCH v1 7/9] KVM: VMX: Add MBEC support · Mickaël Salaün <mic@digikod.net> · 2023-05-05
[PATCH v1 9/9] virt: Add Heki KUnit tests · Mickaël Salaün <mic@digikod.net> · 2023-05-05
[PATCH v1 8/9] KVM: x86/mmu: Enable guests to lock themselves thanks to MBEC · Mickaël Salaün <mic@digikod.net> · 2023-05-05
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Trilok Soni <hidden> · 2023-05-24
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Mickaël Salaün <mic@digikod.net> · 2023-05-25
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Trilok Soni <hidden> · 2023-05-25
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Mickaël Salaün <mic@digikod.net> · 2023-05-30
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-05-24
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Trilok Soni <hidden> · 2023-05-25
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Mickaël Salaün <mic@digikod.net> · 2023-05-25
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-05-25
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Sean Christopherson <seanjc@google.com> · 2023-05-25
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-05-25
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Mickaël Salaün <mic@digikod.net> · 2023-05-26
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · Mickaël Salaün <mic@digikod.net> · 2023-05-26
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2023-05-30
Re: [RFC PATCH v1 0/9] Hypervisor-Enforced Kernel Integrity · James Morris <hidden> · 2023-05-26

From: Wei Liu <wei.liu@kernel.org>
Date: 2023-05-08 21:11:58
Also in: kvm, linux-hardening, linux-hyperv, lkml, qemu-devel, xen-devel

On Fri, May 05, 2023 at 05:20:42PM +0200, Mickaël Salaün wrote:

This enables guests to lock their CR0 and CR4 registers with a subset of
X86_CR0_WP, X86_CR4_SMEP, X86_CR4_SMAP, X86_CR4_UMIP, X86_CR4_FSGSBASE
and X86_CR4_CET flags.

The new KVM_HC_LOCK_CR_UPDATE hypercall takes two arguments.  The first
is to identify the control register, and the second is a bit mask to
pin (i.e. mark as read-only).

These register flags should already be pinned by Linux guests, but once
compromised, this self-protection mechanism could be disabled, which is
not the case with this dedicated hypercall.

Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kees Cook <redacted>
Cc: Madhavan T. Venkataraman <redacted>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Thomas Gleixner <redacted>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: Wanpeng Li <redacted>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20230505152046.6575-6-mic@digikod.net (local)

[...]

quoted hunk ↗ jump to hunk

 	hw_cr4 = (cr4_read_shadow() & X86_CR4_MCE) | (cr4 & ~X86_CR4_MCE);
 	if (is_unrestricted_guest(vcpu))

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ffab64d08de3..a529455359ac 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c

@@ -7927,11 +7927,77 @@ static unsigned long emulator_get_cr(struct x86_emulate_ctxt *ctxt, int cr)
 	return value;
 }
 
+#ifdef CONFIG_HEKI
+
+extern unsigned long cr4_pinned_mask;
+

Can this be moved to a header file?

+static int heki_lock_cr(struct kvm *const kvm, const unsigned long cr,
+			unsigned long pin)
+{
+	if (!pin)
+		return -KVM_EINVAL;
+
+	switch (cr) {
+	case 0:
+		/* Cf. arch/x86/kernel/cpu/common.c */
+		if (!(pin & X86_CR0_WP))
+			return -KVM_EINVAL;
+
+		if ((read_cr0() & pin) != pin)
+			return -KVM_EINVAL;
+
+		atomic_long_or(pin, &kvm->heki_pinned_cr0);
+		return 0;
+	case 4:
+		/* Checks for irrelevant bits. */
+		if ((pin & cr4_pinned_mask) != pin)
+			return -KVM_EINVAL;
+

It is enforcing the host mask on the guest, right? If the guest's set is a
super set of the host's then it will get rejected.

+		/* Ignores bits not present in host. */
+		pin &= __read_cr4();
+		atomic_long_or(pin, &kvm->heki_pinned_cr4);
+		return 0;
+	}
+	return -KVM_EINVAL;
+}
+
+int heki_check_cr(const struct kvm *const kvm, const unsigned long cr,
+		  const unsigned long val)
+{
+	unsigned long pinned;
+
+	switch (cr) {
+	case 0:
+		pinned = atomic_long_read(&kvm->heki_pinned_cr0);
+		if ((val & pinned) != pinned) {
+			pr_warn_ratelimited(
+				"heki-kvm: Blocked CR0 update: 0x%lx\n", val);

I think if the message contains the VM and VCPU identifier it will
become more useful.

Thanks,
Wei.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help