From mboxrd@z Thu Jan 1 00:00:00 1970
From: ahmedsoliman0x666@gmail.com (Ahmed Soliman)
Date: Fri, 6 Jul 2018 21:29:40 +0200
Subject: How to change page permission from inside the kernel?
In-Reply-To: <107393.1530902545@turing-police.cc.vt.edu>
References: <107393.1530902545@turing-police.cc.vt.edu>
Message-ID:
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

> So there's two questions here:
> from inside KVM lkm (/virt/kvm and arch/x86/kvm )
> 1) Why does the page's protection need to be changed?

Implementing some kernel protection against a subset of rootkits that manipulate kernel static data (memory pages as well as their mappings) by having them enforced by the hypervisor, which is KVM in our case (it is one-way enforcement, only reset by reboot).

For the sake of the question, what is going on here is guest virtual address -> guest frame number -> host virtual address, and then something that behaves like mprotect but inside a loadable kernel module. The protection request is done via hypercall, so KVM should handle that internally. The point is that all memory used by KVM for virtualization is mmapped at userspace and then passed to KVM using an IOCTL, and KVM is assumed to be free to do whatever it wants with that memory area.

> 2) And why from inside the kernel?

Because this needs to be done from inside KVM.

Note: I am aware that this won't be effective against rootkits that live in userspace, rootkits that target kernel dynamic data, files on disk, as well as VMM escapes, but I believe if the attack surface is reduced by just a little bit, it is not that bad, so please let's not discuss that :P.

Thanks.
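The scheme described in the message above, as an added example that is not part of the original post and is not KVM code: a userspace C model of a memory slot, the guest frame number to host virtual address step, and a one-way read-only request. Every name (memslot, slot_init, gfn_to_hva_model, hc_set_prot, guest_write) is hypothetical. The model assumes the request carries a guest physical address (the guest page-table walk is skipped) and uses mprotect on the backing mapping as a stand-in for whatever the hypervisor does internally.

```c
#define _DEFAULT_SOURCE               /* exposes MAP_ANONYMOUS */
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
/* Userspace model only, not KVM code; every name below is hypothetical. */
#define PG_SHIFT  12
#define PG_MASK   ((1ULL << PG_SHIFT) - 1)
#define MAX_PAGES 64

struct memslot {                      /* one guest-physical range */
    uint64_t base_gfn, npages;        /* first guest frame number, length */
    uint8_t *hva;                     /* host virtual address of the backing */
    uint8_t  ro[MAX_PAGES];           /* one-way read-only flags, never cleared */
};
/* Back the slot with an anonymous mapping, as the VMM does in userspace. */
int slot_init(struct memslot *s, uint64_t base_gfn, uint64_t npages) {
    if (npages == 0 || npages > MAX_PAGES) return -1;
    void *p = mmap(NULL, npages << PG_SHIFT, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    *s = (struct memslot){ .base_gfn = base_gfn, .npages = npages, .hva = p };
    return 0;
}

/* gfn -> hva; NULL when the frame lies outside the slot. */
uint8_t *gfn_to_hva_model(const struct memslot *s, uint64_t gfn) {
    if (gfn < s->base_gfn || gfn - s->base_gfn >= s->npages) return NULL;
    return s->hva + ((gfn - s->base_gfn) << PG_SHIFT);
}

/* Hypercall model: 0 locks the range read-only; 1 (unlock) is refused with -2. */
int hc_set_prot(struct memslot *s, uint64_t gpa, uint64_t len, int want_write) {
    uint64_t gfn = gpa >> PG_SHIFT, n = len >> PG_SHIFT;
    if (len == 0 || ((gpa | len) & PG_MASK)) return -1;   /* page-aligned only */
    if (!gfn_to_hva_model(s, gfn) || n > s->npages - (gfn - s->base_gfn)) return -1;
    uint8_t *flags = &s->ro[gfn - s->base_gfn];
    if (want_write) return memchr(flags, 1, n) ? -2 : 0;  /* no way back */
    if (mprotect(gfn_to_hva_model(s, gfn), len, PROT_READ) != 0) return -1;
    memset(flags, 1, n);
    return 0;
}

/* Emulated guest store: -2 when the target frame is locked. */
int guest_write(struct memslot *s, uint64_t gpa, uint8_t val) {
    uint8_t *p = gfn_to_hva_model(s, gpa >> PG_SHIFT);
    if (!p) return -1;
    if (s->ro[(gpa >> PG_SHIFT) - s->base_gfn]) return -2;
    p[gpa & PG_MASK] = val;
    return 0;
}
```

The range is validated in full before any page is touched, so an unaligned or out-of-slot request changes nothing, and the flags array has no code path that clears it, which is what models "only reset by reboot".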