On common operating systems, one powerful way to bypass security policies is to exploit the kernel. Linux kernel vulnerabilities are common and actively exploited. Kernel self-protection mechanisms such as control-register pinning and memory page protection restrictions help harden systems, but none of them is bulletproof, because they are implemented at the same privilege level as the vulnerabilities they try to protect against: a kernel exploit that can write arbitrary kernel memory can also disable the in-kernel check. To get a more effective defense, we propose to move (or copy) some of these protection mechanisms out of the kernel using virtualization, so that the hypervisor enforces them from a higher privilege level.
Linux Virtualization Based Security (LVBS) is an umbrella term for a family of hypervisor-backed kernel protection solutions. It is a common, hypervisor-agnostic and extensible architecture in the Linux kernel that any hypervisor can use to implement and extend Linux kernel protections. Different hypervisor frameworks (Hyper-V as an example of a type-1 hypervisor and KVM as an example of a type-2 hypervisor) plug into this common layer to harden the Linux kernel.
Open Source Summit 2024 talk: Booting a Linux Kernel in a Higher Privilege Level
Linux Security Summit 2024 talk: Linux Virtualization Based Security
Heki is a proof-of-concept that implements new KVM features (extended page tracking, MBEC (Mode-Based Execution Control) support, CR pinning) and defines a new API through which a guest asks the hypervisor to protect it. It is designed to be merged into the mainline project. It is inspired by other proprietary implementations currently in use (e.g. Windows' Virtual Secure Mode), but our approach is tailored to Linux specifics.
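To make the control-register pinning idea from the introduction concrete, here is a small model of what a hypervisor-side CR-pinning intercept does. This is an added illustration written for this page; it is not Heki's code, not the KVM or LVBS API, and the function names (`hv_pin_cr_bits`, `hv_handle_cr_write`) and the `struct vcpu` layout are assumptions. The bit positions of CR0.WP, CR4.UMIP, CR4.SMEP and CR4.SMAP are the real x86 values. The point it demonstrates: the pin state lives in hypervisor memory, pins can only be added (there is no unpin call the guest could reach), and every MOV-to-CR that would clear a pinned bit is refused before it takes effect, which is exactly what an in-kernel check cannot guarantee once the kernel itself is compromised.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural bit positions (real x86 values). */
#define CR0_WP   (1ULL << 16)   /* supervisor write protection          */
#define CR4_UMIP (1ULL << 11)   /* user-mode instruction prevention     */
#define CR4_SMEP (1ULL << 20)   /* supervisor-mode execution prevention */
#define CR4_SMAP (1ULL << 21)   /* supervisor-mode access prevention    */

enum cr_reg { CR0 = 0, CR4 = 4 };

/* Hypothetical hypervisor-side state for one vCPU: the current CR values
 * and the bits the guest has asked to pin. This struct is owned by the
 * hypervisor, so a guest kernel write primitive cannot reach it. */
struct vcpu {
    uint64_t cr[5];
    uint64_t pinned[5];
};

/* Guest request (think: a one-way hypercall) to pin bits that are
 * currently set. Pins are sticky: they can only be added, never removed.
 * Returns false if the guest tries to pin a bit it has not enabled. */
static bool hv_pin_cr_bits(struct vcpu *v, enum cr_reg reg, uint64_t bits)
{
    if ((v->cr[reg] & bits) != bits)
        return false;
    v->pinned[reg] |= bits;
    return true;
}

/* Intercept for MOV CRn: the hypervisor sees every such write as a VM exit.
 * A write that would clear any pinned bit is refused (the real handler
 * would inject #GP into the guest); all other writes are applied. */
static bool hv_handle_cr_write(struct vcpu *v, enum cr_reg reg, uint64_t new_val)
{
    uint64_t pinned = v->pinned[reg];
    if ((new_val & pinned) != pinned)
        return false;
    v->cr[reg] = new_val;
    return true;
}

/* Stand-alone walkthrough: returns the number of denied writes so the
 * outcome is checkable without parsing printed output. */
int cr_pinning_demo(void)
{
    struct vcpu v = {0};
    int denied = 0;

    /* Constructed initial state: guest has SMEP, SMAP, UMIP and WP on. */
    v.cr[CR0] = CR0_WP | 1ULL;                  /* bit 0 = PE */
    v.cr[CR4] = CR4_SMEP | CR4_SMAP | CR4_UMIP;

    /* Guest pins SMEP/SMAP and WP during early boot. */
    hv_pin_cr_bits(&v, CR4, CR4_SMEP | CR4_SMAP);
    hv_pin_cr_bits(&v, CR0, CR0_WP);

    /* A compromised kernel tries to clear SMEP: refused. */
    if (!hv_handle_cr_write(&v, CR4, v.cr[CR4] & ~CR4_SMEP)) {
        puts("denied: attempt to clear CR4.SMEP");
        denied++;
    }
    /* ... and to clear WP so it can patch read-only code: refused. */
    if (!hv_handle_cr_write(&v, CR0, v.cr[CR0] & ~CR0_WP)) {
        puts("denied: attempt to clear CR0.WP");
        denied++;
    }
    /* Clearing an unpinned bit (UMIP) is legitimate and goes through. */
    if (hv_handle_cr_write(&v, CR4, v.cr[CR4] & ~CR4_UMIP))
        puts("allowed: CR4.UMIP cleared (not pinned)");

    return denied;
}

int main(void)
{
    printf("%d writes denied\n", cr_pinning_demo());
    return 0;
}
```

Because the check runs on the VM exit and the pin mask is not guest-addressable, the guest can lose its entire kernel to an exploit and still not regain the ability to turn SMEP, SMAP or WP off; the same property does not hold for pinning done inside the kernel, whose mask is just another writable kernel variable.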
The LVBS Hyper-V implementation leverages Hyper-V's existing VTL (Virtual Trust Level) mechanism. Our implementation includes the guest kernel changes (running in VTL0) and the secure kernel (running in the more privileged VTL1).