EAC has an explicit linux support that valve worked on them with, it’s not full kernel AC. same with battleye and GG those are not full kernel root anti cheat implementations. I can’t point at any specific documents unfortunately but the wine/proton irc channels are public and lurking let’s you learn a lot as they talk through issues with games and anticheat.
In order for linux to support kernel level AC a module for the Linux kernel would be needed. And i doubt Linus will ever allow that lol
In order for linux to support kernel level AC a module for the Linux kernel would be needed. And i doubt Linus will ever allow that lol
This is… correct. That in order to support kernel level anti-cheat on Linux, you need a kernel module. But that statement is a tautology.
An NT kernel AC running through Wine, and whether or not it “works” doesn’t predicate on a Linux kernel module being loaded. All it needs is the correct handling of whatever the NT kernel would communicate to the running game, and handle whatever that callback is through some other mechanism that passes the checks.
Most AC software have Linux native clients, and that’s what this “some other mechanism”. And whatever that is in practice, should, with enough reverse engineering, be technically possible for proton/wine to do as well. It’s all running on userland after all. I assume that this is not an easy task to do at all, which is why the only realistic approach is for AC developers to actually be on board, and instead just compromise on the weaker level of anti-cheat protection, compared to what you’d get with a kernel module. As far as I understand, this is the case for GG, BattlEye and EAC. Not all games work, because it depends on the developers “allowing it”.
And as for what the future might bring. I expect that with Linux gaming becoming more popular, it’s only a matter of time before a Linux AC is implemented as a kernel module. Also, neither Linus, nor anyone, need to whitelist a kernel module for it to be loaded. The only one that has an ultimate say there is you, the user.
I mean sure they could make it a dkms module and have the user install it along with the headers but it’s never going to be out of the box supported on linux was what I meant by that
As for the rest, there is a limit to what can be emulated within user space. There are are certain calls in NT ring -1 that would require similar privilege on the Linux side to translate which i doubt wine would ever do for a vast multitude of reasons
There are are certain calls in NT ring -1 that would require similar privilege on the Linux side to translate
Why would that be the case? I have to look this up and read more about it, because I don’t see why that needs to be the case. I’m also not sure if this is still in the context of AC “rootkits”. Because if so, I imagine the security model goes something like this
AC RootKit: Can observe app processes and all memory usage, and modify anything at any time. It observers processes for known cheats, and reports this to the game, either with a callback the game registers, or by directly modifying the game memory.
Wine: Runs in userland. Syscalls are “intercepted” as with all other windows API calls. The NT kernel doesn’t exist here. Wine just tries to answer those calls as if it did.
Game executable: Has some mechanism to talk to-from the rootkit. Likely that the RK itself, since it monitors processes, hooks straight into the game exectuable by either manipulating the memory required for the game to say “ait, RK said you’re cool”, or something like that.
Game executable running in Wine: Runs in userland, and wine has already talked to the Linux kernel and allocated memory. To the loaded game executable running through wine, the memory can be manipulated the same as a rootkit could, because after all, the wine process is the parent process of that memory range.
So, what mechanism is it that an AC RK does, that, from the perspective of a user process running on Wine, cannot be done unless actually coming from the Linux kernel? I honestly cannot think of anything.
Or rather… only possible way I can think of is a “cryptographic guarantee”, in some secureboot based signature and communicating with a remote service in order to authenticate the RK , which the game executable also confirms. Something like that. But this isn’t the case for any of the AC RKs afaik
EAC has an explicit linux support that valve worked on them with, it’s not full kernel AC. same with battleye and GG those are not full kernel root anti cheat implementations. I can’t point at any specific documents unfortunately but the wine/proton irc channels are public and lurking let’s you learn a lot as they talk through issues with games and anticheat.
In order for linux to support kernel level AC a module for the Linux kernel would be needed. And i doubt Linus will ever allow that lol
This is… correct. That in order to support kernel level anti-cheat on Linux, you need a kernel module. But that statement is a tautology.
An NT kernel AC running through Wine, and whether or not it “works” doesn’t predicate on a Linux kernel module being loaded. All it needs is the correct handling of whatever the NT kernel would communicate to the running game, and handle whatever that callback is through some other mechanism that passes the checks.
Most AC software have Linux native clients, and that’s what this “some other mechanism”. And whatever that is in practice, should, with enough reverse engineering, be technically possible for proton/wine to do as well. It’s all running on userland after all. I assume that this is not an easy task to do at all, which is why the only realistic approach is for AC developers to actually be on board, and instead just compromise on the weaker level of anti-cheat protection, compared to what you’d get with a kernel module. As far as I understand, this is the case for GG, BattlEye and EAC. Not all games work, because it depends on the developers “allowing it”.
And as for what the future might bring. I expect that with Linux gaming becoming more popular, it’s only a matter of time before a Linux AC is implemented as a kernel module. Also, neither Linus, nor anyone, need to whitelist a kernel module for it to be loaded. The only one that has an ultimate say there is you, the user.
I mean sure they could make it a dkms module and have the user install it along with the headers but it’s never going to be out of the box supported on linux was what I meant by that
As for the rest, there is a limit to what can be emulated within user space. There are are certain calls in NT ring -1 that would require similar privilege on the Linux side to translate which i doubt wine would ever do for a vast multitude of reasons
Why would that be the case? I have to look this up and read more about it, because I don’t see why that needs to be the case. I’m also not sure if this is still in the context of AC “rootkits”. Because if so, I imagine the security model goes something like this
AC RootKit: Can observe app processes and all memory usage, and modify anything at any time. It observers processes for known cheats, and reports this to the game, either with a callback the game registers, or by directly modifying the game memory.
Wine: Runs in userland. Syscalls are “intercepted” as with all other windows API calls. The NT kernel doesn’t exist here. Wine just tries to answer those calls as if it did.
Game executable: Has some mechanism to talk to-from the rootkit. Likely that the RK itself, since it monitors processes, hooks straight into the game exectuable by either manipulating the memory required for the game to say “ait, RK said you’re cool”, or something like that.
Game executable running in Wine: Runs in userland, and wine has already talked to the Linux kernel and allocated memory. To the loaded game executable running through wine, the memory can be manipulated the same as a rootkit could, because after all, the wine process is the parent process of that memory range.
So, what mechanism is it that an AC RK does, that, from the perspective of a user process running on Wine, cannot be done unless actually coming from the Linux kernel? I honestly cannot think of anything.
Or rather… only possible way I can think of is a “cryptographic guarantee”, in some secureboot based signature and communicating with a remote service in order to authenticate the RK , which the game executable also confirms. Something like that. But this isn’t the case for any of the AC RKs afaik