Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 8 Nov 2018 21:25:37 +0100
From: Paolo Bonzini <>
To: Ahmed Abd El Mawgood <>,,
 Jonathan Corbet <>, Thomas Gleixner <>,
 Ingo Molnar <>, Borislav Petkov <>,,,,,,,,,
 Boris Lukashev <>,
 Hossam Hassan <>,
 "Ahmed Lotfy igor . stoppa @ gmail . com" <>
Subject: Re: [PATCH V6 0/8] KVM: X86: Introducing ROE Protection Kernel

On 04/11/2018 18:11, Ahmed Abd El Mawgood wrote:
> Our model assumes that an attacker got full root access to a running guest and
> his goal is to manipulate kernel code/data (hook syscalls, overwrite IDT ..etc).
> There is future work in progress to also put some sort of protection on the page
> table register CR3 and other critical registers that can be intercepted by KVM.
> This way it won't be possible for an attacker to manipulate any part of the
> guests page table.

Do you have patches that enable usage of ROE in the kernel?
Alternatively you can write testcases in tools/testing/selftests/kvm to
test how guests should use it.

I would remove CONFIG_KVM_ROE altogether.  You can enable it

I will continue reviewing the patches soon.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.