I guess the GCC warning is a false positive?
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116494
On Sat, Jan 04, 2025 at 07:26:27AM +0800, kernel test robot wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> master
> head: 0bc21e701a6ffacfdde7f04f87d664d82
On Mon, Jul 15, 2024 at 09:11:35AM -0700, Kees Cook wrote:
> On Mon, Jul 15, 2024 at 02:20:59PM +0200, Mickaël Salaün wrote:
> > On Mon, Jul 15, 2024 at 01:16:38PM +0200, Greg Kroah-Hartman wrote:
> > > On Mon, Jul 15, 2024 at 12:37:53PM +0200, Mickaël Salaün wr
On Mon, Jul 15, 2024 at 01:16:38PM +0200, Greg Kroah-Hartman wrote:
> On Mon, Jul 15, 2024 at 12:37:53PM +0200, Mickaël Salaün wrote:
> > Hello,
> >
> > AFAIK, commit 88da52ccd66e ("landlock: Fix d_parent walk") doesn't fix a
> > security issue but an un
On Wed, May 15, 2024 at 01:32:24PM -0700, Sean Christopherson wrote:
> On Tue, May 14, 2024, Mickaël Salaün wrote:
> > On Fri, May 10, 2024 at 10:07:00AM +, Nicolas Saenz Julienne wrote:
> > > Development happens
> > > https://github.com/vianpl/{linux,qemu,kvm-u
On Fri, May 10, 2024 at 10:07:00AM +, Nicolas Saenz Julienne wrote:
> On Tue May 7, 2024 at 4:16 PM UTC, Sean Christopherson wrote:
> > > If yes, that would indeed require a *lot* of work for something we're not
> > > sure will be accepted later on.
> >
> > Yes and no. The AWS folks are pursui
On Tue, May 07, 2024 at 09:16:06AM -0700, Sean Christopherson wrote:
> On Tue, May 07, 2024, Mickaël Salaün wrote:
> > > Actually, potential bad/crazy idea. Why does the _host_ need to define
> > > policy?
> > > Linux already knows what assets it wants to
On Mon, May 06, 2024 at 06:34:53PM GMT, Sean Christopherson wrote:
> On Mon, May 06, 2024, Mickaël Salaün wrote:
> > On Fri, May 03, 2024 at 07:03:21AM GMT, Sean Christopherson wrote:
> > > > ---
> > > >
> > > > Changes since v1:
> > > > *
On Fri, May 03, 2024 at 07:03:21AM GMT, Sean Christopherson wrote:
> On Fri, May 03, 2024, Mickaël Salaün wrote:
> > Add an interface for user space to be notified about guests' Heki policy
> > and related violations.
> >
> > Extend the KVM_ENABLE_CAP IOCTL
ule: heki_test
1..1
ok 1 test_cr_disable_smep
ok 1 heki_x86
Link: https://lore.kernel.org/r/20240229170409.365386-2-...@digikod.net [1]
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240503131910.307630-6-...@digikod.net
---
Changes since v2:
* Make tests standalo
Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Co-developed-by: Madhavan T. Venkataraman
Signed-off-by: Madhavan T. Venkataraman
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240503131910.307630-5-...@digikod.net
---
Changes since v2
van T. Venkataraman
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240503131910.307630-4-...@digikod.net
---
Changes since v1:
* New patch. Making user space aware of Heki propertie
related
features.
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: H. Peter Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r
Kees Cook
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Co-developed-by: Mickaël Salaün
Signed-off-by: Mickaël Salaün
Signed-off-by: Madhavan T. Venkataraman
Link: https://lore.kernel.org/r/20240503131910.307630-2-...@digikod.net
---
Chan
ikod.net
v1: https://lore.kernel.org/r/20230505152046.6575-1-...@digikod.net
Regards,
Madhavan T. Venkataraman (1):
virt: Introduce Hypervisor Enforced Kernel Integrity (Heki)
Mickaël Salaün (4):
KVM: x86: Add new hypercall to lock control registers
KVM: x86: Add notifications for Heki poli
On Fri, Apr 19, 2024 at 04:38:01PM -0700, Guenter Roeck wrote:
> On Fri, Apr 19, 2024 at 03:33:49PM -0700, Guenter Roeck wrote:
> > Hi,
> >
> > On Tue, Mar 19, 2024 at 11:48:57AM +0100, Mickaël Salaün wrote:
> > > Add a test case to check NULL pointer dere
On Fri, Apr 05, 2024 at 10:08:00AM -0600, Shuah Khan wrote:
> On 3/26/24 03:51, Mickaël Salaün wrote:
> > Hi,
> >
> > This patch series teaches KUnit to handle kthread faults as errors, and
> > it brings a few related fixes and improvements.
> >
> > Shuah,
by: David Gow
Tested-by: Rae Moar
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240326095118.126696-5-...@digikod.net
---
Changes since v3:
* Export kthread_exit() for KUnit tests built as module, as suggested by
David.
Changes since v2:
* s/-EFAULT/-EINTR/ in commit message
eviewed-by: David Gow
Reviewed-by: Rae Moar
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240326095118.126696-3-...@digikod.net
---
Changes since v2:
* Add Fixes tag as suggested by David.
* Add David's and Rae's Reviewed-by.
Changes since v1:
* Add Kees's Review
/testing/kunit/kunit.py run --arch arm64 \
--cross_compile=aarch64-linux-gnu- kunit_fault
Cc: Brendan Higgins
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: David Gow
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240326095118.126696-8-...@digikod.net
---
Changes since v2:
* Add
Reviewed-by: Kees Cook
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240326095118.126696-7-...@digikod.net
---
Changes since v3:
* Improve the try-fault error message as suggested by David.
Changes since v2:
* Extend the commit message according to discussion with David.
Changes
Fix KUNIT_SUCCESS() calls to pass a test argument.
This is a no-op for now because this macro does nothing, but it will be
required for the next commit.
Cc: Brendan Higgins
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: Kees Cook
Reviewed-by: David Gow
Signed-off-by: Mickaël Salaün
Link: https
org/r/20240229170409.365386-1-...@digikod.net
Regards,
Mickaël Salaün (7):
kunit: Handle thread creation error
kunit: Fix kthread reference
kunit: Fix timeout message
kunit: Handle test faults
kunit: Fix KUNIT_SUCCESS() calls in iov_iter tests
kunit: Print last test location on fault
kunit
The exit code is always checked, so let's properly handle the -ETIMEDOUT
error code.
Cc: Brendan Higgins
Cc: Shuah Khan
Reviewed-by: Kees Cook
Reviewed-by: David Gow
Reviewed-by: Rae Moar
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240326095118.126696-4-...@digiko
ernal error occurred...".
Cc: Brendan Higgins
Cc: Shuah Khan
Reviewed-by: Kees Cook
Reviewed-by: Rae Moar
Reviewed-by: David Gow
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240326095118.126696-2-...@digikod.net
---
Changes since v2:
* Add Rae's and Davi
On Sat, Mar 23, 2024 at 03:37:21PM +0800, David Gow wrote:
> On Tue, 19 Mar 2024 at 18:49, Mickaël Salaün wrote:
> >
> > Previously, when a kernel test thread crashed (e.g. NULL pointer
> > dereference, general protection fault), the KUnit test hung for 30
> > second
Fix KUNIT_SUCCESS() calls to pass a test argument.
This is a no-op for now because this macro does nothing, but it will be
required for the next commit.
Cc: Brendan Higgins
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: Kees Cook
Reviewed-by: David Gow
Signed-off-by: Mickaël Salaün
Link: https
On Mon, Mar 18, 2024 at 10:50:42AM +0100, Alejandro Colomar wrote:
> Hi Mickaël, Günther,
>
> Sorry for the delay!
>
> On Thu, Mar 07, 2024 at 11:21:57AM +0100, Mickaël Salaün wrote:
> > CCing Alejandro
> >
> > On Tue, Feb 27, 2024 at 05:32:20PM +0100, Günther
it clear.
Fix the -EINTR error message, which couldn't be reached until now.
This is tested with a following patch.
Cc: Brendan Higgins
Cc: Shuah Khan
Reviewed-by: Kees Cook
Reviewed-by: David Gow
Tested-by: Rae Moar
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/2024031
The exit code is always checked, so let's properly handle the -ETIMEDOUT
error code.
Cc: Brendan Higgins
Cc: Shuah Khan
Reviewed-by: Kees Cook
Reviewed-by: David Gow
Reviewed-by: Rae Moar
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240319104857.70783-4-...@digiko
/testing/kunit/kunit.py run --arch arm64 \
--cross_compile=aarch64-linux-gnu- kunit_fault
Cc: Brendan Higgins
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: David Gow
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240319104857.70783-8-...@digikod.net
---
Changes since v2:
* Add
Reviewed-by: Kees Cook
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240319104857.70783-7-...@digikod.net
---
Changes since v2:
* Extend the commit message according to discussion with David.
Changes since v1:
* Add Kees's Reviewed-by.
---
include/kunit/test.h
org/r/20240229170409.365386-1-...@digikod.net
Regards,
Mickaël Salaün (7):
kunit: Handle thread creation error
kunit: Fix kthread reference
kunit: Fix timeout message
kunit: Handle test faults
kunit: Fix KUNIT_SUCCESS() calls in iov_iter tests
kunit: Print last test location on fault
kunit
eviewed-by: David Gow
Reviewed-by: Rae Moar
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240319104857.70783-3-...@digikod.net
---
Changes since v2:
* Add Fixes tag as suggested by David.
* Add David's and Rae's Reviewed-by.
Changes since v1:
* Add Kees's Review
ernal error occurred...".
Cc: Brendan Higgins
Cc: Shuah Khan
Reviewed-by: Kees Cook
Reviewed-by: Rae Moar
Reviewed-by: David Gow
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240319104857.70783-2-...@digikod.net
---
Changes since v2:
* Add Rae's and David's R
On Tue, Mar 12, 2024 at 12:54:48PM +0800, David Gow wrote:
> On Sat, 2 Mar 2024 at 03:40, Mickaël Salaün wrote:
> >
> > This helps identify the location of test faults.
> >
> > Cc: Brendan Higgins
> > Cc: David Gow
> > Cc: Rae Moar
> > Cc: Shuah Kha
On Tue, Mar 12, 2024 at 01:05:37PM +0800, David Gow wrote:
> On Sat, 2 Mar 2024 at 03:40, Mickaël Salaün wrote:
> >
> > Previously, when a kernel test thread crashed (e.g. NULL pointer
> > dereference, general protection fault), the KUnit test hung for 30
> > second
On Mon, Mar 11, 2024 at 05:21:11PM -0400, Rae Moar wrote:
> On Fri, Mar 1, 2024 at 2:40 PM Mickaël Salaün wrote:
> >
> > Previously, when a kernel test thread crashed (e.g. NULL pointer
> > dereference, general protection fault), the KUnit test hung for 30
> > second
CCing Alejandro
On Tue, Feb 27, 2024 at 05:32:20PM +0100, Günther Noack wrote:
> On Tue, Feb 27, 2024 at 12:05:49PM +0100, Mickaël Salaün wrote:
> > Extend the kernel support section with one subsection for build time
> > configuration and another for boot time configuration.
>
This helps identify the location of test faults.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: Kees Cook
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240301194037.532117-7-...@digikod.net
---
Changes since v1:
* Added Kees's Review
/testing/kunit/kunit.py run --arch arm64 \
--cross_compile=aarch64-linux-gnu- kunit_fault
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240301194037.532117-8-...@digikod.net
---
Changes since v1:
* Removed the rodata
Fix KUNIT_SUCCESS() calls to pass a test argument.
This is a no-op for now because this macro does nothing, but it will be
required for the next commit.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: Kees Cook
Signed-off-by: Mickaël Salaün
Link: https
make it clear.
Fix the -EINTR error message, which couldn't be reached until now.
This is tested with a following patch.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: Kees Cook
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/2024030119
case check NULL pointer dereference, which wasn't possible
before.
This is useful to test current kernel self-protection mechanisms or
future ones such as Heki: https://github.com/heki-linux
Previous version:
v1: https://lore.kernel.org/r/20240229170409.365386-1-...@digikod.net
Regards,
Mickaël
The exit code is always checked, so let's properly handle the -ETIMEDOUT
error code.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: Kees Cook
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240301194037.532117-4-...@digikod.net
---
Changes
There is a race condition when a kthread finishes after the deadline and
before the call to kthread_stop(), which may lead to use after free.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: Kees Cook
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r
ernal error occurred...".
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Reviewed-by: Kees Cook
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240301194037.532117-2-...@digikod.net
---
Changes since v1:
* Added Kees's Reviewed-by.
---
lib/kunit/
On Fri, Mar 01, 2024 at 03:15:08PM +0800, David Gow wrote:
> On Fri, 1 Mar 2024 at 01:04, Mickaël Salaün wrote:
> >
> > Hi,
> >
>
> Thanks very much. I think there's a lot going on in this series, and
> it'd probably be easier to address if it were broke
On Thu, Feb 29, 2024 at 10:28:18AM -0800, Kees Cook wrote:
> On Thu, Feb 29, 2024 at 06:04:09PM +0100, Mickaël Salaün wrote:
> > The first test checks NULL pointer dereference and make sure it would
> > result as a failed test.
> >
> > The second and third tests c
On Thu, Feb 29, 2024 at 10:24:19AM -0800, Kees Cook wrote:
> On Thu, Feb 29, 2024 at 06:04:06PM +0100, Mickaël Salaün wrote:
> > Previously, when a kernel test thread crashed (e.g. NULL pointer
> > dereference, general protection fault), the KUnit test hung for 30
> > seco
On Fri, Mar 01, 2024 at 03:14:49PM +0800, David Gow wrote:
> On Fri, 1 Mar 2024 at 01:04, Mickaël Salaün wrote:
> >
> > Run all the KUnit tests just before the first userspace code is
> > launched. This makes it possible to write new tests that check the
> > ke
-x86 native architecture. It is then skipped on UML because such
such a test would result in a kernel panic.
Tested with:
./tools/testing/kunit/kunit.py run --arch x86_64 kunit_x86_fault
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
---
lib/kunit/kunit
Fix KUNIT_SUCCESS() calls to pass a test argument.
This is a no-op for now because this macro does nothing, but it will be
required for the next commit.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
---
lib/kunit_iov_iter.c | 18
make it clear.
Fix the -EINTR error message, which couldn't be reached until now.
This is tested with a following patch.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
---
include/kunit/try-catch.h | 3 ---
lib/kunit/try-catch.c | 14
ernal error occurred...".
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
---
lib/kunit/try-catch.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c
index f7825991d576..a5cb2ef70a25 100644
--- a
This helps identify the location of test faults.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
---
include/kunit/test.h | 24 +---
lib/kunit/try-catch.c | 10 +++---
2 files changed, 28 insertions(+), 6 deletions
Cook
Cc: Luis Chamberlain
Cc: Marco Pagani
Cc: Rae Moar
Cc: Shuah Khan
Cc: Stephen Boyd
Signed-off-by: Mickaël Salaün
---
init/main.c | 4 +-
lib/bitfield_kunit.c| 8 +--
lib/checksum_kunit.c| 2 +-
lib/kunit/executor.c
The exit code is always checked, so let's properly handle the -ETIMEDOUT
error code.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
---
lib/kunit/try-catch.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/kuni
There is a race condition when a kthread finishes after the deadline and
before the call to kthread_stop(), which may lead to use after free.
Cc: Brendan Higgins
Cc: David Gow
Cc: Rae Moar
Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
---
lib/kunit/try-catch.c | 9 ++---
1 file changed
,
and it brings a few related fixes and improvements.
New tests check NULL pointer dereference and read-only memory, which
wasn't possible before.
This is useful to test current kernel self-protection mechanisms or
future ones such as Heki: https://github.com/heki-linux
Regards,
Mickaël Sala
Extend the kernel support section with one subsection for build time
configuration and another for boot time configuration.
Extend the boot time subsection with a concrete example.
Update the journalctl command to include the boot option.
Cc: Günther Noack
Cc: Kees Cook
Signed-off-by: Mickaël
with outdated "lsm" kernel's command-line parameter.
Cc: sta...@vger.kernel.org
Fixes: 265885daf3e5 ("landlock: Add syscall implementations")
Reviewed-by: Kees Cook
Reviewed-by: Günther Noack
Signed-off-by: Mickaël Salaün
---
Changes since v1:
* Add Kees's
On Mon, Feb 19, 2024 at 01:07:48PM -0800, Kees Cook wrote:
> On Mon, Feb 19, 2024 at 08:18:04PM +0100, Mickaël Salaün wrote:
> > Because sandboxing can be used as an opportunistic security measure,
> > user space may not log unsupported features. Let the system
> > adm
On Wed, Feb 21, 2024 at 10:35:50PM +0100, Günther Noack wrote:
> Hello!
>
> I think this is a good idea.
> Some minor implementation remarks below.
>
> On Mon, Feb 19, 2024 at 08:18:04PM +0100, Mickaël Salaün wrote:
> > Because sandboxing can be used as an opport
with outdated "lsm" kernel's command-line parameter.
Cc: Günther Noack
Cc: sta...@vger.kernel.org
Fixes: 265885daf3e5 ("landlock: Add syscall implementations")
Signed-off-by: Mickaël Salaün
---
security/landlock/syscalls.c | 18 +++---
1 file changed, 15 inser
e
required access rights.
Cc: Arnd Bergmann
Cc: Christian Brauner
Cc: Günther Noack
Cc: Jann Horn
Cc: Shervin Oloumi
Cc: sta...@vger.kernel.org
Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with
LANDLOCK_ACCESS_FS_REFER")
Signed-off-by: Mickaël Salaün
---
securi
er to understand what is going on.
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: H. Peter Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Signed-off-by: Mickaël Salaün
---
Ch
read-only.
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: H. Peter Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Co-developed-by: Mickaël Salaün
Signed-off-by: Mickaël Salaün
modify the
instructions in that page.
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: H. Peter Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Mickaël Salaün
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Signed-off-by
From: Madhavan T. Venkataraman
When permissions are changed on an existing mapping, update the
permissions counters.
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: H. Peter Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Mickaël Salaün
Cc: Paolo Bonzini
Cc: Sean
Cook
Cc: Mickaël Salaün
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Signed-off-by: Madhavan T. Venkataraman
---
Changes since v1:
* New patch
---
include/linux/heki.h | 11 ++-
mm/vmalloc.c | 7 +++
virt/heki
from tampering by the guest kernel itself.
We should note that walking through all mappings might be slow if KASAN
is enabled.
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: H. Peter Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Mickaël Salaün
Cc: Paolo Bonzini
Cc: Sean
: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Co-developed-by: Mickaël Salaün
Signed-off-by: Mickaël Salaün
Signed-off-by: Madhavan T. Venkataraman
---
Change since v1:
* New patch and new file: virt
rsion
thanks to extra mem_table_ops's merge() and split() operations.
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: H. Peter Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Mickaël Salaün
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuz
: H. Peter Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Mickaël Salaün
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Co-developed-by: Madhavan T. Venkataraman
Signed-off-by: Madhavan T. Venkataraman
Signed-off-by
Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Co-developed-by: Mickaël Salaün
Signed-off-by: Mickaël Salaün
Signed-off-by: Madhavan T. Venkataraman
---
Changes since v1:
The original hypercall cont
This makes it possible to check whether an attribute is tied to any memory page in a
range. This will be useful in a following commit to check for
KVM_MEMORY_ATTRIBUTE_HEKI_IMMUTABLE.
Cc: Chao Peng
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Sean Christopherson
Cc: Yu Zhang
Signed-off-by: Mickaël Salaün
topherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Signed-off-by: Mickaël Salaün
---
Changes since v1:
* Import the MMU tracepoint changes from the v1's "Enable guests to lock
themselves thanks to MBEC" patch.
---
arch/x86/include/asm/vmx.h | 11 +--
arc
butes() KVM_MEMORY_ATTRIBUTE_PRIVATE
optimizations.
Cc: Chao Peng
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Sean Christopherson
Cc: Yu Zhang
Signed-off-by: Mickaël Salaün
---
Changes since v1:
* New patch
---
arch/x86/kvm/mmu/mmu.c | 23 ---
include/linux/kvm_host.h | 2 ++
vir
Cîțu
Signed-off-by: Nicușor Cîțu
Signed-off-by: Mickaël Salaün
---
arch/x86/include/asm/kvm-x86-ops.h | 1 +
arch/x86/include/asm/kvm_host.h| 2 ++
arch/x86/kvm/svm/svm.c | 9 +
arch/x86/kvm/vmx/vmx.c | 10 ++
4 files changed, 22 insertions
Enable to only update a subset of attributes.
This is needed to be able to use the XArray for different use cases and
make sure they don't interfere (see a following commit).
Cc: Chao Peng
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Sean Christopherson
Cc: Yu Zhang
Signed-off-by: Mi
related
features.
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: H. Peter Anvin
Cc: Ingo Molnar
Cc: Kees Cook
Cc: Madhavan T. Venkataraman
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Signed-off-by: Mickaël Salaün
---
Changes since v1:
* Guard
Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Co-developed-by: Madhavan T. Venkataraman
Signed-off-by: Madhavan T. Venkataraman
Signed-off-by: Mickaël Salaün
---
Changes since v1:
* Shrank the patch to only manage the CR pinning.
---
arch/x86
Kees Cook
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Co-developed-by: Mickaël Salaün
Signed-off-by: Mickaël Salaün
Signed-off-by: Madhavan T. Venkataraman
---
Changes since v1:
* Shrank this patch to only contain the minimal c
s for pages in
vmap()/vunmap()
heki: x86: Update permissions counters when guest page permissions
change
heki: x86: Update permissions counters during text patching
heki: x86: Protect guest kernel memory using the KVM hypervisor
Mickaël Salaün (10):
KVM: x86: Add new hypercall to lo
van T. Venkataraman
Cc: Paolo Bonzini
Cc: Sean Christopherson
Cc: Thomas Gleixner
Cc: Vitaly Kuznetsov
Cc: Wanpeng Li
Signed-off-by: Mickaël Salaün
---
Changes since v1:
* New patch. Making user space aware of Heki properties was requested by
Sean Christopherson.
---
arch/x86/kvm/vmx/vmx.c
On Wed, Nov 01, 2023 at 05:23:12PM +0100, Jann Horn wrote:
> On Wed, Nov 1, 2023 at 11:57 AM Mickaël Salaün wrote:
> > On Tue, Oct 31, 2023 at 09:40:59PM +0100, Stefan Bavendiek wrote:
> > > On Tue, Oct 24, 2023 at 11:07:14AM -0500, Serge E. Hallyn wrote:
> > > > I
On Tue, Oct 31, 2023 at 09:40:59PM +0100, Stefan Bavendiek wrote:
> On Tue, Oct 24, 2023 at 11:07:14AM -0500, Serge E. Hallyn wrote:
> > In 2005, before namespaces were upstreamed, I posted the 'bsdjail' LSM,
> > which briefly made it into the -mm kernel, but was eventually rejected as
> > being an
On Tue, Oct 24, 2023 at 11:07:14AM -0500, Serge E. Hallyn wrote:
> On Tue, Oct 24, 2023 at 10:29:17AM -0400, Paul Moore wrote:
> > On Tue, Oct 24, 2023 at 10:18 AM Serge E. Hallyn wrote:
> > > On Tue, Oct 24, 2023 at 10:14:29AM -0400, Paul Moore wrote:
> > > > On Tue, Oct 24, 2023 at 9:46 AM Serge