2011/4/17 Антон Кочков <anton.koch...@gmail.com>:
> Good day!
> I'm trying to make qemu-kvm work with hardened Gentoo on a hardened kernel.
> When I'm using CONFIG_PAX_KERNPAGEXEC and CONFIG_PAX_MEM_UNDEREF, qemu just
> starts, goes into an infinite loop and takes 100% of one of my CPU cores, and it
> can't even be killed.
> Also, it doesn't give an answer to the qemu monitor/remote gdb.
> When I changed these two values to disabled, qemu-kvm now starts and
> stops (I mean the qemu monitor shows that the virtual machine is running, but
> there is no activity/output). Also, its load is about 0%.
> See details in bug http://bugs.gentoo.org/show_bug.cgi?id=363713

Given this description, http://grsecurity.net/~spender/uderef.txt, I'd say the problem is PaX vs. KVM (the kernel module part of it). UDEREF should be overridden for the process in question, which obviously defeats security. Maybe CONFIG_GRKERNSEC_HARDENED_VIRTUALIZATION, suggested in the bug thread, already does this; I don't know.

It's not possible to virtualize, for example, guests using self-modifying code if the kernel protections are in the way. The alternative is to use only guests that never violate W^X, if they exist.