From: Konrad Rzeszutek Wilk
Subject: Re: QEMU and hypervisor DMA understanding. Want to track DMA operations on QEMU devices.
Date: Thu, 1 Jul 2010 10:51:20 -0400
Message-ID: <20100701145120.GB31947@phenom.dumpdata.com>
In-Reply-To: <127686.1993.qm@web7905.mail.in.yahoo.com>
To: Abhinav Srivastava, George.Dunlap@eu.citrix.com, Ian.Campbell@citrix.com
Cc: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On Thu, Jul 01, 2010 at 11:38:31AM +0530, Abhinav Srivastava wrote:
> Hi Konrad,
>
> Thanks for your reply. Your reply was very helpful in understanding the
> DMA mechanism. The goal of my project is to intercept all DMA requests
> issued by guest HVM domains and check for the memory regions (guest physical
> address) mentioned in those requests. This will help detect malicious
> DMA writes specified by malicious drivers. I am trying
> to achieve this without VT-d support on Intel processors.
>
> I have some follow-up questions:
>
> 1. When a guest HVM domain requests DMA operations, it specifies guest
> physical addresses. Who converts guest physical to host physical addresses?
> Does this conversion happen in Dom0 or the hypervisor? Which code path should
> I be looking at?

Hypervisor. Shadow page table. George might have a document tucked away
explaining how the shadow page table works.

>
> 2. I am looking at the place where I can hook into so that I could intercept
> all DMA requests issued by the HVM guest and verify the addresses.
> Is there any place where all DMA requests come and are then routed to specific
> devices in the QEMU emulation code? If I could hook at the common place, it
> would be easier to intercept rather than putting the check
> in each device-specific file.

Ian might know this better..

>
> I really appreciate your time.
>
> Thanks,
> Abhinav
>
> --- On Wed, 30/6/10, Konrad Rzeszutek Wilk wrote:
>
> > From: Konrad Rzeszutek Wilk
> > Subject: Re: [Xen-devel] DMA understanding
> > To: "Abhinav Srivastava"
> > Cc: xen-devel@lists.xensource.com
> > Date: Wednesday, 30 June, 2010, 9:32 PM
> > On Tue, Jun 29, 2010 at 12:10:48AM +0530, Abhinav Srivastava wrote:
> > >
> > > Hi there,
> > >
> > > I am trying to understand how an HVM guest domain performs its DMA
> > > operations, and how these DMA operations are intercepted by Xen. I wanted
> > > to understand both the code path with and without VT-d support (for Intel
> > > processors). On looking inside the Xen code, I found that the iommu code is
> > > inside the vmx/vtd/ directory only. By seeing the code, my understanding is
> > > that when VT-d is enabled, iommu.c and dmar.c inside the vtd directory are
> > > the place to look for DMA operations. However, I do not understand which
> > > code path inside the hypervisor is getting used in case VT-d is disabled.
> > > How does Xen intercept guest DMA operations in this case? I am using the
> > > Xen 3.3 version for my project (I admit that it is a very old version).
> >
> > Let's start without the Intel VT-d or AMD Vi in the picture.
> >
> > When QEMU boots up an HVM guest, it emulates everything the guest sees or
> > does. Which means that when the guest decides to use the IDE controller to
> > do DMA operations, QEMU decodes that operation (look in hw/ide.c, search
> > for 'WIN_READDMA') and it follows it through by setting up a callback
> > mechanism that ends up fetching the data from wherever the guest disk is
> > and then triggering an interrupt so that the guest notices that the DMA
> > finished.
> >
> > So in essence the hypervisor does not deal with guest DMA at all.
> >
> > When you insert an Intel VT-d or AMD Vi chipset you have the option of
> > passing in a native PCI device to the guest. If you don't pass in a PCI
> > device then you are still using the old mechanism.
> >
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xensource.com
> > http://lists.xensource.com/xen-devel
> >
>
>
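As an added illustration of the kind of check Abhinav describes (guest-physical DMA targets verified before the emulated transfer runs), and not code from the thread or from QEMU or Xen: a walker over a bus-master IDE PRD table that flags every entry whose guest-physical range falls outside an allow-list. The PRD layout (32-bit address, 16-bit byte count with 0 meaning 65536, bit 15 of the flags word marking end of table) is the standard SFF-8038i format that QEMU's IDE bus-master DMA emulation consumes; the allow-list, the sample table and the function names are constructed for this example.

```c
/* Example only: validate a bus-master IDE PRD table against an allow-list of
 * guest-physical regions. Not QEMU or Xen code; all names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

struct prd_entry { uint32_t addr; uint16_t count; uint16_t flags; }; /* 8 bytes */
struct gpa_region { uint64_t start; uint64_t len; };

/* Constructed allow-list: guest-physical buffers the guest driver may target. */
static const struct gpa_region allowed[] = {
    { 0x00100000, 0x00010000 },   /* 64 KiB at 1 MiB */
    { 0x00200000, 0x00004000 },   /* 16 KiB at 2 MiB */
};

static bool region_allowed(uint64_t start, uint64_t len) {
    uint64_t end = start + len;   /* addr is 32-bit and len <= 65536: no overflow */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        uint64_t a_end = allowed[i].start + allowed[i].len;
        if (start >= allowed[i].start && end <= a_end)
            return true;
    }
    return false;
}

/* Walk the PRD table and return the number of entries that target memory
 * outside the allow-list. Stops at the EOT entry; a table with no EOT within
 * max_entries is itself suspicious and counts as one extra violation. */
int check_prd_table(const uint8_t *table, size_t max_entries) {
    int violations = 0;
    for (size_t i = 0; i < max_entries; i++) {
        struct prd_entry e;
        memcpy(&e, table + i * sizeof e, sizeof e);   /* little-endian host assumed */
        uint64_t len = e.count ? e.count : 0x10000;   /* count 0 means 64 KiB */
        if (!region_allowed(e.addr, len))
            violations++;
        if (e.flags & 0x8000)                         /* end of table */
            return violations;
    }
    return violations + 1;
}

/* Constructed sample: one in-bounds entry, then an EOT entry aimed at
 * guest-physical address 0, which is outside the allow-list. */
static const uint8_t sample_table[16] = {
    0x00, 0x00, 0x10, 0x00,  0x00, 0x10,  0x00, 0x00,   /* 0x00100000, 4096 bytes */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x02,  0x00, 0x80,   /* 0x00000000, 512 bytes, EOT */
};

int sample_violations(void) { return check_prd_table(sample_table, 4); }
```

In a real hook the allow-list would come from whatever the hypervisor or the device model already knows about the guest's DMA-eligible memory, and a non-zero result would abort the emulated transfer rather than just be counted.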