ROE Kernel Hardening Continues To Restrict KVM VMs To Only Its Own Memory

  • ROE Kernel Hardening Continues To Restrict KVM VMs To Only Its Own Memory

    Phoronix: ROE Kernel Hardening Continues To Restrict KVM VMs To Only Its Own Memory

    To help enhance the security of servers running KVM for virtualization, there has been a ROE protection kernel hardening patch series in the works. This new addition to the kernel allows the host operating system to restrict a guest's access strictly to its own memory. It's unclear yet, though, whether the ROE protection will make the cut in time for the upcoming Linux 4.21 kernel cycle...

    http://www.phoronix.com/scan.php?pag...l-Hardening-V7

  • #2
    I always thought virtual machines were only able to see their own memory and nothing else? (besides having some safe channels for guest-host communication)

    • #3
      That's great news. What is not clear to me is when it will be implemented; as I understood from the article, it will not be ready for 4.21, so can I guess it will be ready for 4.22?

      • #4
        Originally posted by tildearrow:
        > I always thought virtual machines were only able to see their own memory and nothing else? (besides having some safe channels for guest-host communication)
        As the quoted text explains, ROE is about protecting guest kernels from "gain root, then manipulate kernel memory" attacks by allowing the guest to give up certain permissions in such a way that only rebooting the VM can restore them.

        When a user-mode program chroots and then irreversibly drops permissions, the kernel is responsible for enforcing that. This would implement a similar mechanism where the guest kernel can irreversibly request constraints which will be enforced by the host kernel.

        • #5
          I think the explanation by Ssokolow is right, whereas the Phoronix article explained it misleadingly in the introduction.
          The ROE restriction is not the already existing one of only accessing its own memory: it's about further restricting that access, in order to further confine/obstruct a guest kernel infection.
