Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct
From: Matthew Wilcox
Date: Fri Nov 06 2020 - 16:13:21 EST
On Fri, Nov 06, 2020 at 11:43:59AM -0600, Dr. Greg wrote:
> The 900 pound primate in the room, that no one is acknowledging, is
> that this technology was designed to not allow the operating system to
> have any control over what it is doing. In the mindset of kernel
> developers, the operating system is the absolute authority on
> security, so we find ourselves in a situation where the kernel needs
> to try and work around this fact so any solutions will be imperfect at
> best.
>
> As I've noted before, this is actually a primary objective of enclave
> authors, since one of the desires for 'Confidential Computing' is to
> hide things like proprietary algorithms from the platform owners. I
> think the driver needs to acknowledge this fact and equip platform
> owners with the simplest and most effective security solutions that
> are available.
Or we need to not merge "technology" that subverts the owner of
the hardware. Remember: root kit authors are inventive buggers.