Ok let me short circuit this meta discussion by saying that AFAIK now that
the new Intel Skylake chips fixed many virtualization bugs and it's possible
to efficiently nest VMs there might not be a way to discover if you are
running on bare metal. I too would find it useful to be able to lock a
kernel so it only runs on bare metal not a VM, but according to folks who
know more about this than I do it is now very hard to do this given you can
run VT inside VT, and very efficiently on Xeons.

I would be interested in any code that can knowingly break inside a VM to
verify unvirtualized status, esp. on Skylake. Older processors can probably
use the virtualization bugs in the hardware for this function.

Cheers,
--dr

P.S. Also interested in code that can detect emulated UEFI.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Read, James C
Sent: December 22, 2015 9:51 AM
To: Theo de Raadt <[email protected]>
Cc: OpenBSD general usage list <[email protected]>
Subject: Re: Boot loader uses INT 13h [WAS BIOS call fallback]

>> a security consideration, as far as I can see the bootloader loads
>> using INT 13h calls. How can the kernel be sure it is really operating
>> in ring 0 and not in some VM given that this is the case?

>Hey, it looks like you are just trying to be a dick.

On the assumption that you are not suggesting I would like to change my name
to Richard I can only reply that I have never tried to stick my head into a
warm and wet but very smelly hole for pleasure and/or to attempt to
reproduce with it.

>Does your mother know?

Given that she is deceased I find that highly unlikely.

However, insults reminiscent of primary school days aside, you may or may
not be surprised to find that actually that was a genuine question.
