nestedkernel / perspicuos Goto Github PK

so I cloned the PerspicuOS github repo and built the nk directory,
(which apparently succeeded). However, when trying to build the FreeBSD9 directory, it gave me this error (I used "make buildworld"):

Error: No such file: "opt_sva_mmu.h"
In file included from /root/PerspicuOS/FreeBSD9/lib/libc/stdlib/malloc.c:177:/usr/obj/root/PerspicuOS/FreeBSD9/tmp/usr/include/machine/cpufunc.h:44:25: error mkdep: compile failed
*** Error code 1
Stop in /root/PerspicuOS/FreeBSD9/lib/libc

placeholder for discussion

Hi there,
first of all, congrats for this nice work, I love the idea of not using expensive hardware virtualization support, to get more secure execution for a small performance penalty.
However, I had a quick look at the code and I am a bit concerned with the sva_load_cr0 intrinsic implemented in nk/lib/mmu.c.
As far as I understand it serves outer kernel needs to modify cr0 while ensuring that WP bit stay set. What if a compromised outer kernel locates the sva_load_cr0_secure function at runtime and directly calls to the cr0 move instruction (when such a call is possible) ? When it succeed invariant I8 won't be enforced anymore and the nk will become unprotected.
Is this a potential vulnerability or did I missed something ?

Hi friends. I have successfully compiled the NestedKernel in FreeBSD9.0
This kernel can run in a virtual machine but cannot in a physical machine. So I write to ask for your suggestions. The following is a screenshot of the hanging point.

https://www.dropbox.com/s/gxf5asncfd7nnf4/webwxgetmsgimg.jpeg?dl=0
https://www.dropbox.com/s/1a2fkjilwjp3wxj/Screenshot%20from%202019-03-13%2022-19-50.png?dl=0
Thanks!

Hi,

I am trying to understand the code based on your excellent paper. However, the APIs declared in the paper(nk_declare, nk_alloc, etc.) seem not to be called by the kernel? For example, I search the function pt_update_is_valid, and the result shows that it appears only once(in nk/lib/mmu.c#.L259), it is not even referenced.
----- Update: Sorry for my mistake before, the github default search functionality seems not good enough, pt_update_is_valid is referenced in the __update_mapping function.

I compared the difference between FreeBSD9 and FreeBSD9-orig directory, trying to find out the modification. I find two possible functions in FreeBSD9/sys/kern/kern_sva.c, provideSVAMemory and releaseSVAMemory, both of which are referenced in the nk lib. However, the first line of provideSVAMemory is panic("Don't call this!");!

Now I'm a little confused, where and how is the nk library being used? Did I miss anything?

Thanks.