Re: [PATCH V7 0/10] KVM: X86: Introducing ROE Protection Kernel Hardening

From: Stecklina, Julian
Date: Thu Dec 13 2018 - 08:36:37 EST


On Fri, 2018-12-07 at 14:47 +0200, Ahmed Abd El Mawgood wrote:
> The reason why it would be better to implement this from inside kvm: instead
> of
> (host) user space is the need to access SPTEs to modify the permissions, while
> mprotect() from user space can work in theory. It will become a big
> performance
> hit to vmexit and switch to user space mode on each fault, on the other hand,
> having the permission handled by EPT should make some remarkable performance
> gain.

Given that writes to these areas should be exceptional occurrences, I don't
understand why this path needs to be optimized. To me it seems, a straight-
forward userspace implementation with no additional code in the kernel achieves
the same feature. Can you elaborate?


Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrer: Christian Schlaeger, Ralf Herbrich
Ust-ID: DE 289 237 879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B