From: Yi Zhang <yi.z.zhang@linux.intel.com>
To: "Mihai Donțu" <mdontu@bitdefender.com>
Cc: "Paolo Bonzini" <pbonzini@redhat.com>,
	rkrcmar@redhat.com, linux-kernel@vger.kernel.org,
	kvm@vger.kernel.org, "Nicusor CITU" <ncitu@bitdefender.com>,
	"Adalbert Lazăr" <alazar@bitdefender.com>
Subject: Re: [RFC PATCH V2 00/11] Intel EPT-Based Sub-page Protection Support
Date: Tue, 4 Dec 2018 14:35:34 +0800	[thread overview]
Message-ID: <20181204063533.GA73736@tiger-server> (raw)
In-Reply-To: <1543809373.23880.17.camel@bitdefender.com>

On 2018-12-03 at 05:56:13 +0200, Mihai Donțu wrote:
> Hi Paolo,
> 
> On Fri, 2018-11-30 at 11:07 +0100, Paolo Bonzini wrote:
> > On 30/11/18 08:52, Zhang Yi wrote:
> > > Here is a patch series which adds EPT-Based Sub-page Write Protection Support.
> > > 
> > > Introduction:
> > > 
> > > EPT-Based Sub-page Write Protection, referred to as SPP, is a capability which
> > > allows Virtual Machine Monitors (VMMs) to specify write permission for guest
> > > physical memory at a sub-page (128-byte) granularity.  When this capability is
> > > utilized, the CPU enforces write-access permissions for sub-page regions of 4K
> > > pages as specified by the VMM. EPT-based sub-page permissions are intended to
> > > enable fine-grained memory write enforcement by a VMM for security (guest OS
> > > monitoring) and usages such as device virtualization and memory check-pointing.
> > > 
> > > SPPT is active when the "sub-page write protection" VM-execution control is 1.
> > > SPPT looks up the guest physical addresses to derive a 64-bit "sub-page
> > > permission" value containing sub-page write permissions. The lookup from
> > > guest-physical addresses to the sub-page region permissions is determined by a
> > > set of SPPT paging structures.
> > > 
> > > When the "sub-page write protection" VM-execution control is 1, the SPPT is used
> > > to look up write permission bits for the 128-byte sub-page regions contained in
> > > the 4KB guest physical page. EPT specifies the 4KB page-level privileges that
> > > software is allowed when accessing the guest physical address, whereas SPPT
> > > defines the write permissions for software at the 128-byte granularity regions
> > > within a 4KB page. Write accesses prevented due to sub-page permissions looked
> > > up via SPPT are reported as EPT violation VM exits. Similar to EPT, a logical
> > > processor uses SPPT to look up sub-page region write permissions for
> > > guest-physical addresses only when those addresses are used to access memory.
> > 
> > Hi,
> > 
> > I think the right thing to do here would be to first get VM
> > introspection in KVM, as SPP is mostly an introspection feature and it
> > should be controlled by the introspector rather than the KVM userspace.
> > 
> > Mihai, if you resubmit, I promise that I will look at it promptly.
Thanks for the review, Paolo. What do you think about us cooking up some
use cases for QEMU or some kvmtools, even with some other kernel hypercalls?

SPP is not only an introspection-dependent feature.
> 
> I'm currently traveling until Wednesday, but when I'll get into the
> office I will see about preparing a new patch set and send it to the
> list before Christmas.
Thanks, Mihai. Please include me in the new VMI patch set.
> 
> Regards,
> 
> -- 
> Mihai Donțu
> 

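The cover letter quoted above describes the permission model in words: EPT decides at 4KB granularity, and when the leaf has SPP enabled, a 64-bit sub-page permission value decides write access for each 128-byte region, with denied writes surfacing as EPT violation exits. The following C program is an added example, not code from the patch series or from KVM, that models that two-level lookup in plain user space. The `struct ept_page` layout, the 32-bit `spp_write_map` (one write-allow bit per 128-byte region, not the hardware SPPT leaf encoding), and the function names are assumptions made for the illustration; the series' actual ioctls and SPPT structures are not reproduced here. The scenario data (a 64-byte object at guest physical address 0x1340) is constructed.

```c
/* spp_model.c: illustrative model of EPT-based sub-page write protection.
 * Added example; structures and names are hypothetical, not KVM's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT        12
#define PAGE_SIZE         (1ULL << PAGE_SHIFT)
#define SUBPAGE_SHIFT     7
#define SUBPAGE_SIZE      (1ULL << SUBPAGE_SHIFT)                /* 128 bytes */
#define SUBPAGES_PER_PAGE ((unsigned)(PAGE_SIZE / SUBPAGE_SIZE)) /* 32 per 4K page */

enum write_result {
    WRITE_OK = 0,        /* EPT and SPP both permit the write */
    WRITE_EPT_VIOLATION, /* page-level EPT write permission missing, or unmapped */
    WRITE_SPP_VIOLATION  /* EPT allows writes, but a 128-byte region does not */
};

/* Hypothetical model of one 4K EPT leaf plus its sub-page write map. */
struct ept_page {
    uint64_t gfn;           /* guest frame number this leaf maps */
    bool     writable;      /* EPT page-level write permission */
    bool     spp_enabled;   /* "SPP enable" bit in the leaf: consult the map */
    uint32_t spp_write_map; /* bit i set: writes to 128-byte region i permitted */
};

static inline uint64_t gpa_to_gfn(uint64_t gpa) { return gpa >> PAGE_SHIFT; }
static inline unsigned subpage_index(uint64_t gpa)
{
    return (unsigned)((gpa & (PAGE_SIZE - 1)) >> SUBPAGE_SHIFT);
}

struct ept_page ept_page_writable(uint64_t gfn)
{
    struct ept_page pg = { gfn, true, false, 0xffffffffu };
    return pg;
}

/* Write-protect every 128-byte region that [gpa, gpa + len) touches on this
 * page. A range that starts or ends mid-region protects the whole region:
 * 128 bytes is the finest granularity SPP offers, so neighbouring data in the
 * same region loses write access too. Returns the number of regions newly
 * protected; 0 if len == 0 or the range starts on another page. */
unsigned spp_protect_range(struct ept_page *pg, uint64_t gpa, size_t len)
{
    if (len == 0 || gpa_to_gfn(gpa) != pg->gfn)
        return 0;
    uint64_t last = gpa + len - 1;
    if (gpa_to_gfn(last) != pg->gfn)            /* clamp to the end of this page */
        last = (pg->gfn << PAGE_SHIFT) | (PAGE_SIZE - 1);
    unsigned cleared = 0;
    for (unsigned i = subpage_index(gpa); i <= subpage_index(last); i++) {
        uint32_t bit = 1u << i;
        if (pg->spp_write_map & bit) {
            pg->spp_write_map &= ~bit;
            cleared++;
        }
    }
    pg->spp_enabled = true;
    return cleared;
}

/* Emulate the lookup order the cover letter describes: EPT decides at 4K
 * granularity first; if the leaf has SPP enabled, every 128-byte region the
 * write touches must also have its write bit set. Callers split accesses at
 * page boundaries; a range leaving this page is treated as unmapped here. */
enum write_result spp_check_write(const struct ept_page *pg, uint64_t gpa, size_t len)
{
    if (len == 0 || gpa_to_gfn(gpa) != pg->gfn || gpa_to_gfn(gpa + len - 1) != pg->gfn)
        return WRITE_EPT_VIOLATION;
    if (!pg->writable)
        return WRITE_EPT_VIOLATION;
    if (!pg->spp_enabled)
        return WRITE_OK;
    for (unsigned i = subpage_index(gpa); i <= subpage_index(gpa + len - 1); i++)
        if (!(pg->spp_write_map & (1u << i)))
            return WRITE_SPP_VIOLATION;
    return WRITE_OK;
}

/* Constructed scenario: a 64-byte object at gpa 0x1340 is protected on an
 * otherwise writable page at gfn 1. Returns 0 when every expectation holds,
 * otherwise the 1-based number of the first failing check. */
int spp_scenario(void)
{
    struct ept_page pg = ept_page_writable(1);
    if (spp_protect_range(&pg, 0x1340, 0x40) != 1)               return 1; /* region 6 only */
    if (pg.spp_write_map != ~(1u << 6))                          return 2;
    if (spp_check_write(&pg, 0x1340, 8)  != WRITE_SPP_VIOLATION) return 3; /* the object */
    if (spp_check_write(&pg, 0x1300, 8)  != WRITE_SPP_VIOLATION) return 4; /* same region: collateral */
    if (spp_check_write(&pg, 0x1380, 8)  != WRITE_OK)            return 5; /* next region */
    if (spp_check_write(&pg, 0x1378, 16) != WRITE_SPP_VIOLATION) return 6; /* straddles 6 and 7 */
    if (spp_check_write(&pg, 0x2000, 8)  != WRITE_EPT_VIOLATION) return 7; /* other page */
    return 0;
}

int main(void)
{
    int r = spp_scenario();
    printf("SPP model scenario: %s\n", r == 0 ? "all checks hold" : "check failed");
    return r != 0;
}
```

Check 4 is the practical caveat for anyone planning to use SPP from an introspector: protecting 64 bytes at 0x1340 also makes 0x1300..0x133f read-only, because the hardware only tracks 128-byte regions, so objects that share a region with a hot write target will cause spurious exits unless the guest layout keeps them apart.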
Thread overview: 16+ messages
2018-11-30  7:52 [RFC PATCH V2 00/11] Intel EPT-Based Sub-page Protection Support Zhang Yi
2018-11-30  8:07 ` [RFC PATCH V2 01/11] Documentation: Added EPT Subpage Protection Documentation Zhang Yi
2018-11-30  8:08 ` [RFC PATCH V2 02/11] x86/cpufeature: Add intel Sub-Page Protection to CPU features Zhang Yi
2018-11-30  8:08 ` [RFC PATCH V2 03/11] KVM: VMX: Added VMX SPP feature flags and VM-Execution Controls Zhang Yi
2018-11-30  8:08 ` [RFC PATCH V2 04/11] KVM: VMX: Introduce the SPPTP and SPP page table Zhang Yi
2018-11-30  8:08 ` [RFC PATCH V2 05/11] KVM: VMX: Write the SPPTP to VMCS area Zhang Yi
2018-11-30  8:08 ` [RFC PATCH V2 06/11] KVM: VMX: Introduce SPP-Induced vm exit and it's handle Zhang Yi
2018-11-30  8:08 ` [RFC PATCH V2 07/11] KVM: VMX: Added handle of SPP write protection fault Zhang Yi
2018-11-30  8:08 ` [RFC PATCH V2 08/11] KVM: VMX: Introduce ioctls to set/get Sub-Page Write Protection Zhang Yi
2018-11-30  8:09 ` [RFC PATCH V2 09/11] KVM: VMX: Update the EPT leaf entry indicated with the SPP enable bit Zhang Yi
2018-11-30  8:09 ` [RFC PATCH V2 10/11] KVM: VMX: Added setup spp page structure Zhang Yi
2018-11-30  8:09 ` [RFC PATCH V2 11/11] KVM: VMX: implement setup SPP page structure in spp miss Zhang Yi
2018-11-30 10:07 ` [RFC PATCH V2 00/11] Intel EPT-Based Sub-page Protection Support Paolo Bonzini
2018-12-03  3:56   ` Mihai Donțu
2018-12-04  6:35     ` Yi Zhang [this message]
2018-12-04 10:37       ` Paolo Bonzini
