Brussels / 3 & 4 February 2018


Using KVM to sandbox firmwares from the Linux Kernel

or: How I learned to stop worrying and love EFI Runtime Services

This talk will present a proof of concept (and RFC) developed on arm64 platforms that uses KVM to isolate EFI Runtime Services from the Linux kernel. The security improvements and the limitations of this solution will be detailed. A strong focus will be kept on the flexibility of this approach and on how it could be applied to other architectures or to other kinds of firmware isolation.

As part of an internship at ARM during the summer of 2017, I developed hypervisor-based security solutions for the Linux kernel. One of the experiments I did there resulted in an RFC available on the Linux Kernel Mailing List. In an effort to share this experiment with the broader community, I would like to detail the observed problems that led to my patchset and the inner workings of the proposed solution.

While KVM is generally used by userspace tools (such as QEMU) to create general-purpose virtual machines, the proposed patchset adds an internal API to KVM so that the kernel itself can use it to spawn lightweight sandboxes. This internal KVM API can then be used to sandbox EFI Runtime Services on arm64 platforms and circumvent some of the security and stability problems that such firmware could otherwise cause.


Florent Revest