lkrg
lkrg copied to clipboard
lkrg-org
VirtualBox host software compatibility
Could you please consider either,
A) introducing a loader which sets the required lkrg module parameters to be compatible with the VirtualBox host software
Example loader: https://github.com/Whonix/lkrg/blob/old-master/debian/lkrg-loader
OR,
B) a more sophisticated solution
Quote @solardiz https://github.com/openwall/lkrg/pull/68#issuecomment-823252264
Is there a (strong) technical reason to have this inside LKRG itself and not in a loader script?
Another reason is what condition we check. Right now, Whonix' loader script checks whether VirtualBox is installed, not whether it's in use. This makes sense if the check is only done proactively and only once. LKRG itself could instead check for VirtualBox host's module being inserted into the kernel, so it'd only weaken LKRG protection if and when this happens. Optionally, it could also revert the weakening when the module is removed from the kernel.
if command -v vboxmanage &>/dev/null ; then
## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32
## https://www.openwall.com/lists/lkrg-users/2020/01/24/2
## https://www.openwall.com/lists/lkrg-users/2020/01/25/2
lkrg_opts="msr_validate=0 pcfi_validate=1 $lkrg_opts"
elif command -v kvm &>/dev/null ; then
## Adam:
## For other hypervisors like KVM/qemu you can keep pcfi_validate=2 and only set
## msr_validate=0 (This hypervisor don't do such nasty calls like VirtualBox).
lkrg_opts="msr_validate=0 $lkrg_opts"
## check if there is any binary in /usr/bin matching 'qemu*'
elif dpkg-query --show "qemu-system" &>/dev/null ; then
lkrg_opts="msr_validate=0 $lkrg_opts"
fi
msr_validate=0 / lkrg.msr_validate = 0 is already the default. Therefore no more special code for KVM required.
For the VirtualBox host software the only settings required are
-
lkrg.pcfi_validate=1 -
lkrg.profile_validate=2
according to /etc/sysctl.d/30-lkrg-dkms.conf.
For the VirtualBox host software the only settings required are
* `lkrg.pcfi_validate=1` * `lkrg.profile_validate=2`
One of these settings is required for VirtualBox host, not both. You should use either custom configuration or profiles. No reason to first customize the configuration and then override that with a preset profile.
One of these settings is required for VirtualBox host, not both.
Specifically, if you want to make the minimal change required for VirtualBox host, use only lkrg.pcfi_validate=1. Setting the entire profile weakens LKRG a bit more than is absolutely required for VirtualBox host.
Well, since I opened this issue I am biased to wish this to be implemented. :)
How come? https://github.com/adrelanos/security-misc/commit/7e128636b3a4ea7fe5dfa12018685ab7b5dda706 is a hack. It works for Kicksecure / Whonix users which has security-misc installed by default but not for LKRG by itself which would still be incompatible with the VirtualBox host software.
As per https://github.com/lkrg-org/lkrg/issues/82#issuecomment-886188999 LKRG would have to lkrg.pcfi_validate=1 for VirtualBox host software compatibility.
@adrelanos @solardiz should we close this issue?
I think no, ideally we'd implement automatic detection of VirtualBox and adjust LKRG's default lkrg.pcfi_validate accordingly.