From mboxrd@z Thu Jan 1 00:00:00 1970
From: Suen Chun Hui
Subject: Re: KVM hook for code integrity checking
Date: Thu, 06 May 2010 06:51:53 +0200
Message-ID: <4BE24AE9.6040102@tum.de>
References: <4BDAEF05.1030507@tum.de> <4BE134C1.1020009@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
To: kvm@vger.kernel.org
Return-path:
Received: from mailrelay1.lrz-muenchen.de ([129.187.254.106]:59133 "EHLO mailrelay1.lrz-muenchen.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750916Ab0EFEwE (ORCPT ); Thu, 6 May 2010 00:52:04 -0400
Received: from [129.187.105.6] ([129.187.105.6] [129.187.105.6]) by mailout.lrz-muenchen.de with ESMTP for kvm@vger.kernel.org; Thu, 6 May 2010 06:51:53 +0200
In-Reply-To: <4BE134C1.1020009@redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

Hi,

Thanks for the reply.

On 05/05/2010 11:05 AM, Avi Kivity wrote:
> On 04/30/2010 05:53 PM, Suen Chun Hui wrote:
>> Dear KVM developers,
>>
>> I'm currently working on an open source security patch to use KVM to
>> implement code verification on a guest VM at runtime. Thus, it would be
>> very helpful if someone can point me to the right function or place to
>> look at for adding 2 hooks into the KVM paging code to:
>>
>> 1. Detect a new guest page (which I assume will imply a new pte and
>> imply a new spte).
>> Currently, I'm considering putting a hook in the function
>> mmu_set_spte(), but maybe there is a better place.
>> This hook will be used as the main entry point into the code
>> verification function.
>>
>
> This is in general not possible. Hosts with npt or ept will not see
> new guest ptes.
>

Yes, I was only considering the case of using shadow paging.
Would this be possible then, since the walker would have to parse the gpte
anyway?

> It could be done with physical pages, but you'll have no way of
> knowing if the pages are used in userspace, the kernel, or both.
>
>> 2. Detect a write fault to a read-only spte (e.g. for the case of
>> updating the dirty bit back to the guest pte).
>> Unfortunately, I'm unable to find an appropriate place where this
>> actually takes place after reading the code many times.
>> This hook will be used to prevent a secondary "peek" page from modifying
>> an existing verified code page.
>>
>
> set_spte() or mmu_set_spte() may work.
>
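The two hooks asked about above, as a small userspace C model (an added example, not code from this thread or from KVM): hook_new_spte() stands for the point where the shadow walker has just parsed a guest pte and is about to install an spte, which is where the mail proposes mmu_set_spte(); hook_write_fault() stands for the write fault against a read-only spte that Avi points at set_spte()/mmu_set_spte() for. The policy is the one the mail describes: digest an executable page on first mapping, compare it against an allowlist, and refuse any later write to a page that passed. Every identifier (struct verifier, the SPTE_* bits, FNV-1a as the digest, the sample pages built by fill_page()) is invented for the model and not taken from KVM.

```c
/* Userspace model of the two hooks discussed above; this is NOT KVM code.
 * Executable pages are digested on first mapping and checked against an
 * allowlist; a write fault on a verified code page is refused. Names invented. */
#include <stdbool.h>
#include <stdint.h>

#define MODEL_PAGE_SIZE 4096
#define MODEL_NR_GFN 8

enum { SPTE_PRESENT = 1u, SPTE_WRITE = 2u, SPTE_EXEC = 4u };

struct spte_model { unsigned flags; bool verified; };

struct verifier {
	uint64_t allowed[8];                  /* digests of known-good code pages */
	int nr_allowed;
	struct spte_model spt[MODEL_NR_GFN];  /* one modelled spte per guest frame */
};

/* FNV-1a over one page; stands in for a real digest such as SHA-256. */
static uint64_t page_hash(const uint8_t *page)
{
	uint64_t h = 0xcbf29ce484222325ULL;
	for (unsigned i = 0; i < MODEL_PAGE_SIZE; i++) {
		h ^= page[i];
		h *= 0x100000001b3ULL;
	}
	return h;
}

void verifier_allow(struct verifier *v, const uint8_t *page)
{
	if (v->nr_allowed < 8)
		v->allowed[v->nr_allowed++] = page_hash(page);
}

static bool is_allowed(const struct verifier *v, uint64_t h)
{
	for (int i = 0; i < v->nr_allowed; i++)
		if (v->allowed[i] == h)
			return true;
	return false;
}

/* Hook 1: a guest pte is shadowed for the first time (the spot the mail
 * proposes near mmu_set_spte()). A page the guest wants executable is only
 * mapped executable if its digest is allowlisted. SPTE_WRITE is always
 * withheld here so that the first write reaches hook_write_fault(). */
unsigned hook_new_spte(struct verifier *v, int gfn, unsigned gpte_flags,
		       const uint8_t *page)
{
	struct spte_model *s = &v->spt[gfn];
	s->verified = (gpte_flags & SPTE_EXEC) && is_allowed(v, page_hash(page));
	s->flags = SPTE_PRESENT | (s->verified ? SPTE_EXEC : 0);
	return s->flags;
}

/* Hook 2: write fault on a read-only spte (where KVM would otherwise just
 * propagate the dirty bit and grant write access). Returns true if the
 * write may proceed. */
bool hook_write_fault(struct verifier *v, int gfn)
{
	struct spte_model *s = &v->spt[gfn];

	if (!(s->flags & SPTE_PRESENT))
		return false;              /* not shadowed yet: ordinary fault */
	if (s->verified)
		return false;              /* verified code page: never writable */
	s->flags |= SPTE_WRITE;
	return true;
}

static void fill_page(uint8_t *page, uint8_t seed)   /* constructed sample data */
{
	for (unsigned i = 0; i < MODEL_PAGE_SIZE; i++)
		page[i] = (uint8_t)(seed + i * 7);
}

/* Scenario: one allowlisted code page and one foreign page, both requested
 * executable+writable by the guest. Returns an outcome bitmask: 1 good page
 * executable, 2 foreign page non-executable, 4 write to good page denied,
 * 8 write to foreign page granted. */
int verifier_demo(void)
{
	static uint8_t good[MODEL_PAGE_SIZE], foreign[MODEL_PAGE_SIZE];
	struct verifier v = { 0 };
	int out = 0;
	fill_page(good, 0x90);
	fill_page(foreign, 0xcc);
	verifier_allow(&v, good);
	if (hook_new_spte(&v, 0, SPTE_EXEC | SPTE_WRITE, good) & SPTE_EXEC)
		out |= 1;
	if (!(hook_new_spte(&v, 1, SPTE_EXEC | SPTE_WRITE, foreign) & SPTE_EXEC))
		out |= 2;
	if (!hook_write_fault(&v, 0))
		out |= 4;
	if (hook_write_fault(&v, 1) && (v.spt[1].flags & SPTE_WRITE))
		out |= 8;
	return out;
}
```

The caveats from the thread carry over to the model: it only makes sense with shadow paging, since with npt/ept the host never sees the guest ptes, and keying on the physical page alone cannot tell whether the guest maps it for user space, the kernel, or both. Withholding SPTE_WRITE on every new spte so that the first write traps is the model's simplification; a real patch would have to fit in with how KVM already handles the guest pte's write and dirty bits.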