I think the explanation by Ssokolow is right, whereas the Phoronix article's introduction explained it misleadingly.
The ROE restriction is not the already existing one of only accessing its own memory: it's about further restricting that access, in order to further confine/obstruct a guest kernel infection.
ROE Kernel Hardening Continues To Restrict KVM VMs To Only Its Own Memory
Originally posted by tildearrow: I always thought virtual machines were only able to see their own memory and nothing else? (besides having some safe channels for guest-host communication)
When a user-mode program chroots and then irreversibly drops permissions, the kernel is responsible for enforcing that. This would implement a similar mechanism where the guest kernel can irreversibly request constraints which will be enforced by the host kernel.
That's great news. What is not clear to me is when it will be implemented; as I understood from the article, it will not be ready for 4.21. Can I guess it will be ready for 4.22?
I always thought virtual machines were only able to see their own memory and nothing else? (besides having some safe channels for guest-host communication)
Phoronix: ROE Kernel Hardening Continues To Restrict KVM VMs To Only Its Own Memory
To help enhance the security of servers running KVM for virtualization, there's been a ROE protection kernel hardening patch series in the works. This new addition to the kernel allows the host operating system to restrict a guest's access strictly to its own memory. It's unclear yet, though, whether the ROE protection will make the cut in time for the upcoming Linux 4.21 kernel cycle...