Linux Security Summit Europe 2025

Linux Security Module Framework provides a mechanism to extend kernel's security promises and enforce access control policies. In this talk we aim to examine how various pieces of LSM framework can benefit from an extra layer of protection through Linux Virtualization Based Security (LVBS) which is a security feature that implements kernel integrity via hardware virtualization features and hypervisors.

Linux Virtualization based Security (LVBS) is a security feature that leverages hypervisors to a) harden the kernel and b) ensure that critical kernel resources remain untampered, even if the guest kernel gets compromised by creating an isolated environment that runs at a higher trust level than the normal operating environment. A key kernel integrity feature of LVBS is to ensure that kernel memory protections (read-only, W^X) are backed up by this trusted environment using Second Level Page Tables so that even if the guest kernel is compromised, the kernel memory cannot be tampered with.
One of the challenges in enabling hypervisor-enforced kernel memory protection is that the Linux kernel inherently supports features that either modify existing kernel code or inject code into the kernel memory space. In this talk, we aim to examine a comprehensive list of such kernel features (which are inherently easier exploit surfaces) and then discuss how these features can be hardened via LVBS to ensure that the integrity and authenticity of patched code, even if the kernel is compromised. Finally, we present the status of our work in implementing these hardenings.

Protecting the kernel from data-only attacks is a growing concern that is increasingly addressed through hypervisor-based solutions. A lightweight alternative may be found in protection keys (pkeys), a hardware mechanism that provides a per-thread and easily switchable view of memory. While pkeys are currently available to userspace on supported architectures, their potential for enhancing kernel security remains unused.

This talk demonstrates how pkeys can be leveraged within the kernel to protect critical data structures, such as page tables and credentials. We will show how this approach can be implemented and present an evaluation of its performance impact on arm64, illustrating its feasibility for real-world deployment.

Attendees will leave with a deeper understanding of how pkeys can enhance kernel security, the trade-offs involved, and the potential for adoption in future Linux hardening efforts.

Integrity Measurement Architecture (IMA) was originally designed and developed by IBM Research to extend the trusted
boot chain of measurements to the running system. Subsequently, support for extending secure boot up to the running system (IMA-appraisal) was added and, with it, support for writing audit messages in the system logs.

For good and for bad, IMA-measurement and IMA-appraisal needed to be flexible to work in different environments from embedded/IoT to large systems. The original concepts of extending both trusted and secure boot have not changed, but some of the methods/designs could be improved.

This talk proposes a few kernel improvements based on our work in user space. First, it proposes a new design change to serialize and store the measurement list in a memory area shared between primary and secondary kernel, so that nothing needs to be done on kexec, as opposed to carrying out measurements from one kernel to another.

Second, it proposes a new testing tool for verifying that IMA reported a violation when a file is opened for read and
subsequently opened as write or vice-versa. Building on that, the talk also discusses a few alternatives on how to detect
such violations.

Finally, it proposes a new debugging technique, allowing to run a large number of integration tests without rebooting the
kernel.