[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[RFC PATCH v3 1/5] virt: Introduce Hypervisor Enforced Kernel Integrity (Heki)

To: Borislav Petkov <bp@xxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>, "H . Peter Anvin" <hpa@xxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Sean Christopherson <seanjc@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>, Wanpeng Li <wanpengli@xxxxxxxxxxx>
From: Mickaël Salaün <mic@xxxxxxxxxxx>
Date: Fri, 3 May 2024 15:19:06 +0200
Cc: Mickaël Salaün <mic@xxxxxxxxxxx>, "Edgecombe, Rick P" <rick.p.edgecombe@xxxxxxxxx>, Alexander Graf <graf@xxxxxxxxxx>, Angelina Vu <angelinavu@xxxxxxxxxxxxxxxxxxx>, Anna Trikalinou <atrikalinou@xxxxxxxxxxxxx>, Chao Peng <chao.p.peng@xxxxxxxxxxxxxxx>, Forrest Yuan Yu <yuanyu@xxxxxxxxxx>, James Gowans <jgowans@xxxxxxxxxx>, James Morris <jamorris@xxxxxxxxxxxxxxxxxxx>, John Andersen <john.s.andersen@xxxxxxxxx>, "Madhavan T . Venkataraman" <madvenka@xxxxxxxxxxxxxxxxxxx>, Marian Rotariu <marian.c.rotariu@xxxxxxxxx>, Mihai Donțu <mdontu@xxxxxxxxxxxxxxx>, Nicușor Cîțu <nicu.citu@xxxxxxxxxx>, Thara Gopinath <tgopinath@xxxxxxxxxxxxx>, Trilok Soni <quic_tsoni@xxxxxxxxxxx>, Wei Liu <wei.liu@xxxxxxxxxx>, Will Deacon <will@xxxxxxxxxx>, Yu Zhang <yu.c.zhang@xxxxxxxxxxxxxxx>, Ștefan Șicleru <ssicleru@xxxxxxxxxxxxxxx>, dev@xxxxxxxxxxxxxxxxxxxxxxxxx, kvm@xxxxxxxxxxxxxxx, linux-hardening@xxxxxxxxxxxxxxx, linux-hyperv@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, qemu-devel@xxxxxxxxxx, virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx, x86@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 03 May 2024 13:19:28 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

From: Madhavan T. Venkataraman <madvenka@xxxxxxxxxxxxxxxxxxx>

Hypervisor Enforced Kernel Integrity (Heki) is a feature that will use
the hypervisor to enhance guest virtual machine security.

Implement minimal code to introduce Heki:

- Define the config variables.

- Define a kernel command line parameter "heki" to turn the feature
  on or off. By default, Heki is on.

- Define heki_early_init() and call it in start_kernel(). Currently,
  this function only prints the value of the "heki" command
  line parameter.

Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Cc: H. Peter Anvin <hpa@xxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Cc: Sean Christopherson <seanjc@xxxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
Cc: Wanpeng Li <wanpengli@xxxxxxxxxxx>
Co-developed-by: Mickaël Salaün <mic@xxxxxxxxxxx>
Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
Signed-off-by: Madhavan T. Venkataraman <madvenka@xxxxxxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20240503131910.307630-2-mic@xxxxxxxxxxx
---

Changes since v2:
* Move CONFIG_HEKI under a new CONFIG_HEKI_MENU to group it with the
  test configuration (see following patches).
* Hide CONFIG_ARCH_SUPPORS_HEKI from users.

Changes since v1:
* Shrinked this patch to only contain the minimal common parts.
* Moved heki_early_init() to start_kernel().
* Use kstrtobool().
---
 Kconfig              |  2 ++
 arch/x86/Kconfig     |  1 +
 include/linux/heki.h | 31 +++++++++++++++++++++++++++++++
 init/main.c          |  2 ++
 mm/mm_init.c         |  1 +
 virt/Makefile        |  1 +
 virt/heki/Kconfig    | 25 +++++++++++++++++++++++++
 virt/heki/Makefile   |  3 +++
 virt/heki/common.h   | 16 ++++++++++++++++
 virt/heki/main.c     | 33 +++++++++++++++++++++++++++++++++
 10 files changed, 115 insertions(+)
 create mode 100644 include/linux/heki.h
 create mode 100644 virt/heki/Kconfig
 create mode 100644 virt/heki/Makefile
 create mode 100644 virt/heki/common.h
 create mode 100644 virt/heki/main.c

diff --git a/Kconfig b/Kconfig
index 745bc773f567..0c844d9bcb03 100644
--- a/Kconfig
+++ b/Kconfig
@@ -29,4 +29,6 @@ source "lib/Kconfig"
 
 source "lib/Kconfig.debug"
 
+source "virt/heki/Kconfig"
+
 source "Documentation/Kconfig"
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 928820e61cb5..d2fba63c289b 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -34,6 +34,7 @@ config X86_64
        select SWIOTLB
        select ARCH_HAS_ELFCORE_COMPAT
        select ZONE_DMA32
+       select ARCH_SUPPORTS_HEKI
 
 config FORCE_DYNAMIC_FTRACE
        def_bool y
diff --git a/include/linux/heki.h b/include/linux/heki.h
new file mode 100644
index 000000000000..4c18d2283392
--- /dev/null
+++ b/include/linux/heki.h
@@ -0,0 +1,31 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Hypervisor Enforced Kernel Integrity (Heki) - Definitions
+ *
+ * Copyright © 2023 Microsoft Corporation
+ */
+
+#ifndef __HEKI_H__
+#define __HEKI_H__
+
+#include <linux/types.h>
+#include <linux/cache.h>
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <linux/printk.h>
+
+#ifdef CONFIG_HEKI
+
+extern bool heki_enabled;
+
+void heki_early_init(void);
+
+#else /* !CONFIG_HEKI */
+
+static inline void heki_early_init(void)
+{
+}
+
+#endif /* CONFIG_HEKI */
+
+#endif /* __HEKI_H__ */
diff --git a/init/main.c b/init/main.c
index 5dcf5274c09c..bec2c8d939aa 100644
--- a/init/main.c
+++ b/init/main.c
@@ -102,6 +102,7 @@
 #include <linux/randomize_kstack.h>
 #include <linux/pidfs.h>
 #include <linux/ptdump.h>
+#include <linux/heki.h>
 #include <net/net_namespace.h>
 
 #include <asm/io.h>
@@ -1059,6 +1060,7 @@ void start_kernel(void)
        uts_ns_init();
        key_init();
        security_init();
+       heki_early_init();
        dbg_late_init();
        net_ns_init();
        vfs_caches_init();
diff --git a/mm/mm_init.c b/mm/mm_init.c
index 549e76af8f82..89d9f97bd471 100644
--- a/mm/mm_init.c
+++ b/mm/mm_init.c
@@ -27,6 +27,7 @@
 #include <linux/swap.h>
 #include <linux/cma.h>
 #include <linux/crash_dump.h>
+#include <linux/heki.h>
 #include "internal.h"
 #include "slab.h"
 #include "shuffle.h"
diff --git a/virt/Makefile b/virt/Makefile
index 1cfea9436af9..856b5ccedb5a 100644
--- a/virt/Makefile
+++ b/virt/Makefile
@@ -1,2 +1,3 @@
 # SPDX-License-Identifier: GPL-2.0-only
 obj-y  += lib/
+obj-$(CONFIG_HEKI_MENU) += heki/
diff --git a/virt/heki/Kconfig b/virt/heki/Kconfig
new file mode 100644
index 000000000000..66e73d212856
--- /dev/null
+++ b/virt/heki/Kconfig
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Hypervisor Enforced Kernel Integrity (Heki)
+
+config ARCH_SUPPORTS_HEKI
+       bool
+       # An architecture should select this when it can successfully build
+       # and run with CONFIG_HEKI. That is, it should provide all of the
+       # architecture support required for the HEKI feature.
+
+menuconfig HEKI_MENU
+       bool "Virtualization hardening"
+
+if HEKI_MENU
+
+config HEKI
+       bool "Hypervisor Enforced Kernel Integrity (Heki)"
+       depends on ARCH_SUPPORTS_HEKI
+       help
+         This feature enhances guest virtual machine security by taking
+         advantage of security features provided by the hypervisor for guests.
+         This feature is helpful in maintaining guest virtual machine security
+         even after the guest kernel has been compromised.
+
+endif
diff --git a/virt/heki/Makefile b/virt/heki/Makefile
new file mode 100644
index 000000000000..8b10e73a154b
--- /dev/null
+++ b/virt/heki/Makefile
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+obj-$(CONFIG_HEKI) += main.o
diff --git a/virt/heki/common.h b/virt/heki/common.h
new file mode 100644
index 000000000000..edd98fc650a8
--- /dev/null
+++ b/virt/heki/common.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Hypervisor Enforced Kernel Integrity (Heki) - Common header
+ *
+ * Copyright © 2023 Microsoft Corporation
+ */
+
+#ifndef _HEKI_COMMON_H
+
+#ifdef pr_fmt
+#undef pr_fmt
+#endif
+
+#define pr_fmt(fmt) "heki-guest: " fmt
+
+#endif /* _HEKI_COMMON_H */
diff --git a/virt/heki/main.c b/virt/heki/main.c
new file mode 100644
index 000000000000..25c25f5700f7
--- /dev/null
+++ b/virt/heki/main.c
@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Hypervisor Enforced Kernel Integrity (Heki) - Common code
+ *
+ * Copyright © 2023 Microsoft Corporation
+ */
+
+#include <linux/heki.h>
+#include <linux/kstrtox.h>
+
+#include "common.h"
+
+bool heki_enabled __ro_after_init = true;
+
+/*
+ * Must be called after kmem_cache_init().
+ */
+__init void heki_early_init(void)
+{
+       if (!heki_enabled) {
+               pr_warn("Heki is not enabled\n");
+               return;
+       }
+       pr_warn("Heki is enabled\n");
+}
+
+static int __init heki_parse_config(char *str)
+{
+       if (kstrtobool(str, &heki_enabled))
+               pr_warn("Invalid option string for heki: '%s'\n", str);
+       return 1;
+}
+__setup("heki=", heki_parse_config);
-- 
2.45.0

References:
- [RFC PATCH v3 0/5] Hypervisor-Enforced Kernel Integrity - CR pinning
  - From: Mickaël Salaün

Prev by Date: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
Next by Date: [RFC PATCH v3 2/5] KVM: x86: Add new hypercall to lock control registers
Previous by thread: Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
Next by thread: [RFC PATCH v3 2/5] KVM: x86: Add new hypercall to lock control registers
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.