Auditing io_uring

Posted Jun 4, 2021 20:05 UTC (Fri) by Nahor (subscriber, #51583)
In reply to: Auditing io_uring by zlynx
Parent article: Auditing io_uring

I was thinking that with patching out disallowed, the kernel could be made read-only by the bootloader, but I guess people who care about auditing could still make the kernel RO anyway, while others keep the kernel RW and can patch out the auditing code.


Auditing io_uring

Posted Jun 4, 2021 20:46 UTC (Fri) by zlynx (guest, #2285)

I am not sure about all other hardware but on x86 I am fairly sure that the only way to make kernel memory truly read-only is with a hypervisor enforcing it. Otherwise anything running at the kernel level can set it read-write again.

This is what Windows does with the Core Isolation setting, which uses Hyper-V to protect the kernel and selected drivers even from other driver code.

So I suppose that if you have a boot loader which can set up and configure a virtual machine to load the kernel into then you could have a read-only kernel image.

Auditing io_uring

Posted Jun 4, 2021 20:54 UTC (Fri) by Nahor (subscriber, #51583)

An article about making x86 trustworthy was just mentioned yesterday in the LWN weekly edition (https://mjg59.dreamwidth.org/57199.html).

But I'm guessing the issue of auditing io_uring is not specific to x86 anyway.

