Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Enter Hypervisor Mode on ARMv7 through Kernel Module

Tags:

c

arm

virtualization

hypervisor

openwrt

I am working on a project where I have a router with ARMv7 processor (Cortex A15) and OpenWRT OS. I have a shell on the router and can load kernel modules with insmod.

My goal is to write a kernel module in C which changes the HVBAR register and then executes the hvc instruction to get the processor in the hyp mode. This is a scientific project where I want to check if I can place my own hypervisor on a running system. But before I start to write my own hypervisor I want to check if and how I can bring the processor in the hyp mode.

According to this picture take from armv7-a manual B.9.3.4 the system must be in insecure mode, not in user mode and the SCR.HCE bit must be set to 1.

enter image description here

My question is how I can prepare the processor with a C kernel module and inline assembly and then execute the hvc instruction. I want to do this with a kernel module because then I start in PL1. This pseudocode describes what I want to achieve:

  1. call smc // to get in monitor mode
  2. set SRC.HCE to 1 // to enable hvc instruction
  3. set SRC.NS to 1 // to set the system to not secure
  4. call hvc #0 // call the hvc instruction to produce a hypervisor exception
like image 238
Coder Avatar asked Nov 24 '25 14:11

Coder

1 Answers

The easiest way to elevate privilege is to start off in the needed privilege mode already: You've a root shell. Is the boot chain verified? Could you replace bootloader or kernel, so your code naturally runs in PL2 (HYP) mode? If so, that's probably the easiest way to do it.

If you can't replace the relevant part of the boot chain, the details of writing the rootkit depend a lot on information about your system left out: In which mode is Linux started? Is KVM support enabled and active? Was PL2 initialized? Was it locked? Is there "secure" firmware you can exploit?

The objective is always the same: have HVBAR point at some code you can control and do a hvc. Depending on your environment, solutions may range from spraying as much RAM as possible with your code and hope (perhaps after some reboots) an uninitialized HVBAR would point at an instruction you control to inhibiting KVM from running and accessing the early hypervisor stub to install yourself instead.

Enumerating such exploits is a bit out of scope for a StackOverflow answer; this is rather dissertation material. Indeed, there's a doctoral thesis exactly on this topic:

Strengthening system security on the ARMv7 processor architecture with hypervisor-based security mechanisms

like image 115
a3f Avatar answered Nov 26 '25 04:11

a3f
Sign in to Comment

Related questions

writing a glibc api for a system call [duplicate]
How to set alternate setting for the USB device using libusb
Faster inequalities in C
Overwrite single line in txt file
Dynamic linking in Visual Studio
feof() in C file handling
Performance of fopen vs stat
Reliable portability for C code without relying on the preprocessor
How to resolve include file names conflicts in GCC?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!