From mboxrd@z Thu Jan 1 00:00:00 1970 From: valdis.kletnieks@vt.edu (valdis.kletnieks at vt.edu) Date: Fri, 06 Jul 2018 17:10:30 -0400 Subject: How to change page permission from inside the kernel? In-Reply-To: References: <107393.1530902545@turing-police.cc.vt.edu> Message-ID: <121598.1530911430@turing-police.cc.vt.edu> To: kernelnewbies@lists.kernelnewbies.org List-Id: kernelnewbies.lists.kernelnewbies.org On Fri, 06 Jul 2018 21:29:40 +0200, you said: > Implementing some kernel protection against subset of rootkits that > manipulates kernel static data (memory pages as well as their > mappings) by having them enforced by hypervisor which is KVM in our Can you give an actual example of a case where *all* of the following are true? 1) It's a page that's safe to make R/O out from under the code that uses that page. 2) It's a kernel static data that's R/W (Hint: stuff known to be R/O is already set to R/O at boot or module load time, so if it's R/W it probably *needs* to be that...) 3) the rootkit *is* able to screw with kernel pages, but somehow *is not* able to disable your protection (remember, all it takes is one NOP or BRANCH opcode in the right place). -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 486 bytes Desc: not available URL: