From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Razvan Cojocaru <rcojocaru@bitdefender.com>, xen-devel@lists.xen.org
Cc: tim@xen.org
Subject: Re: [PATCH RFC 5/9] xen: Support for VMCALL mem_events
Date: Wed, 2 Jul 2014 16:54:18 +0100 [thread overview]
Message-ID: <53B42B2A.4020907@citrix.com> (raw)
In-Reply-To: <1404308041-15461-5-git-send-email-rcojocaru@bitdefender.com>
On 02/07/14 14:33, Razvan Cojocaru wrote:
> Added support for VMCALL events (the memory introspection library
> will have the guest trigger VMCALLs, which will then be sent along
> via the mem_event mechanism).
>
> Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Am I correct in concluding that this is an escape mechanism for
something inside the guest to trap to the toolstack userspace monitoring
the guest?
> ---
> xen/arch/x86/hvm/hvm.c | 8 ++++++++
> xen/arch/x86/hvm/vmx/vmx.c | 15 ++++++++++++++-
> xen/include/asm-x86/hvm/hvm.h | 1 +
> xen/include/public/hvm/params.h | 4 +++-
> xen/include/public/mem_event.h | 1 +
> 5 files changed, 27 insertions(+), 2 deletions(-)
>
> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> index f65a5f5..df696d1 100644
> --- a/xen/arch/x86/hvm/hvm.c
> +++ b/xen/arch/x86/hvm/hvm.c
> @@ -6130,6 +6130,14 @@ void hvm_memory_event_msr(unsigned long msr, unsigned long value)
> value, ~value, 1, msr);
> }
>
> +void hvm_memory_event_vmcall(unsigned long rip, unsigned long eax)
> +{
> + hvm_memory_event_traps(current->domain->arch.hvm_domain
> + .params[HVM_PARAM_MEMORY_EVENT_VMCALL],
> + MEM_EVENT_REASON_VMCALL,
> + rip, ~rip, 1, eax);
> +}
> +
> int hvm_memory_event_int3(unsigned long gla)
> {
> uint32_t pfec = PFEC_page_present;
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index fed21b6..b4c12cd 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -2880,8 +2880,21 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
> case EXIT_REASON_VMCALL:
> {
> int rc;
> + unsigned long eax = regs->eax;
> +
> HVMTRACE_1D(VMMCALL, regs->eax);
> - rc = hvm_do_hypercall(regs);
> +
> + if ( regs->eax != 0x494e5452 ) /* Introcore magic */
This needs to live somewhere in the public API.
> + {
> + rc = hvm_do_hypercall(regs);
> + }
> + else
> + {
> + hvm_memory_event_vmcall(guest_cpu_user_regs()->eip, eax);
> + update_guest_eip();
> + break;
> + }
> +
> if ( rc != HVM_HCALL_preempted )
> {
> update_guest_eip(); /* Safe: VMCALL */
> diff --git a/xen/include/asm-x86/hvm/hvm.h b/xen/include/asm-x86/hvm/hvm.h
> index 90e69f5..67e365b 100644
> --- a/xen/include/asm-x86/hvm/hvm.h
> +++ b/xen/include/asm-x86/hvm/hvm.h
> @@ -532,6 +532,7 @@ void hvm_memory_event_cr0(unsigned long value, unsigned long old);
> void hvm_memory_event_cr3(unsigned long value, unsigned long old);
> void hvm_memory_event_cr4(unsigned long value, unsigned long old);
> void hvm_memory_event_msr(unsigned long msr, unsigned long value);
> +void hvm_memory_event_vmcall(unsigned long rip, unsigned long eax);
> /* Called for current VCPU on int3: returns -1 if no listener */
> int hvm_memory_event_int3(unsigned long gla);
>
> diff --git a/xen/include/public/hvm/params.h b/xen/include/public/hvm/params.h
> index f830bdd..ea2eee6 100644
> --- a/xen/include/public/hvm/params.h
> +++ b/xen/include/public/hvm/params.h
> @@ -148,6 +148,8 @@
> #define HVM_PARAM_IOREQ_SERVER_PFN 32
> #define HVM_PARAM_NR_IOREQ_SERVER_PAGES 33
>
> -#define HVM_NR_PARAMS 34
> +#define HVM_PARAM_MEMORY_EVENT_VMCALL 34
> +
> +#define HVM_NR_PARAMS 35
Nothing prevents the VM from writing whatever value it wishes into this
hvmparam using the setparam hypercall, which would look to stump dom0
userspace trusting the value it finds there.
The current infrastructure for hvmparams is far too lax and I have half
a patch series (which is distinctly low down my todo list in terms of
priority) which tries to tighten the restrictions. However in the
meantime all new params should have proper restrictions applied.
Having said that, this would appear to interact badly with mem_events in
PV guests, which have recently (or are planning to?) moved away from
being HVM specific. It would be preferable not to impede that.
~Andrew
>
> #endif /* __XEN_PUBLIC_HVM_PARAMS_H__ */
> diff --git a/xen/include/public/mem_event.h b/xen/include/public/mem_event.h
> index 24ac67d..5fa2858 100644
> --- a/xen/include/public/mem_event.h
> +++ b/xen/include/public/mem_event.h
> @@ -47,6 +47,7 @@
> #define MEM_EVENT_REASON_SINGLESTEP 6 /* single step was invoked: gla/gfn are RIP */
> #define MEM_EVENT_REASON_MSR 7 /* MSR was hit: gfn is MSR value, gla is MSR address;
> does NOT honour HVMPME_onchangeonly */
> +#define MEM_EVENT_REASON_VMCALL 8 /* VMCALL: gfn is RIP, gla is EAX */
>
> typedef struct mem_event_regs_st {
> uint64_t rax;
next prev parent reply other threads:[~2014-07-02 15:54 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-02 13:33 [PATCH RFC 1/9] xen: Emulate with no writes; compute current instruction length Razvan Cojocaru
2014-07-02 13:33 ` [PATCH RFC 2/9] xen: Optimize introspection access to guest state Razvan Cojocaru
2014-07-02 15:31 ` Andrew Cooper
2014-07-07 14:50 ` Razvan Cojocaru
2014-07-10 8:05 ` Razvan Cojocaru
2014-07-10 8:17 ` Andrew Cooper
2014-07-10 8:23 ` Razvan Cojocaru
2014-07-10 11:57 ` Razvan Cojocaru
2014-07-10 12:16 ` Razvan Cojocaru
2014-07-10 13:01 ` Andrew Cooper
2014-07-02 15:37 ` Jan Beulich
2014-07-03 8:12 ` Razvan Cojocaru
2014-07-03 8:54 ` Jan Beulich
2014-07-02 13:33 ` [PATCH RFC 3/9] xen: Force-enable relevant MSR events; optimize the number of sent MSR events Razvan Cojocaru
2014-07-02 15:35 ` Andrew Cooper
2014-07-02 15:43 ` Jan Beulich
2014-07-09 8:02 ` Razvan Cojocaru
2014-07-23 7:56 ` Jan Beulich
2014-07-23 8:03 ` Razvan Cojocaru
2014-07-02 13:33 ` [PATCH RFC 4/9] xenctrl: Make the headers C++ friendly Razvan Cojocaru
2014-07-02 15:37 ` Andrew Cooper
2014-07-02 13:33 ` [PATCH RFC 5/9] xen: Support for VMCALL mem_events Razvan Cojocaru
2014-07-02 15:47 ` Jan Beulich
2014-07-02 15:54 ` Razvan Cojocaru
2014-07-02 16:11 ` Jan Beulich
2014-07-02 16:23 ` Razvan Cojocaru
2014-07-03 6:28 ` Jan Beulich
2014-07-03 7:29 ` Razvan Cojocaru
2014-07-02 15:54 ` Andrew Cooper [this message]
2014-07-02 15:59 ` Razvan Cojocaru
2014-07-02 13:33 ` [PATCH RFC 6/9] xen, libxc: Request page fault injection via libxc Razvan Cojocaru
2014-07-02 15:51 ` Jan Beulich
2014-07-02 16:00 ` Andrew Cooper
2014-07-02 16:58 ` Mihai Donțu
2014-07-02 17:07 ` Andrew Cooper
2014-07-03 8:23 ` Mihai Donțu
2014-07-03 9:32 ` Andrew Cooper
2014-07-03 9:40 ` Razvan Cojocaru
2014-07-02 16:06 ` Razvan Cojocaru
2014-07-02 16:13 ` Jan Beulich
2014-07-02 13:33 ` [PATCH RFC 7/9] xen: Handle resumed instruction based on previous mem_event reply Razvan Cojocaru
2014-07-02 15:56 ` Jan Beulich
2014-07-03 8:55 ` Razvan Cojocaru
2014-07-03 9:02 ` Jan Beulich
2014-07-03 9:12 ` Razvan Cojocaru
2014-07-03 9:18 ` Andrew Cooper
2014-07-03 9:22 ` Jan Beulich
2014-07-03 9:34 ` Razvan Cojocaru
2014-07-03 10:14 ` Jan Beulich
2014-07-02 13:34 ` [PATCH RFC 8/9] xen: Generic instruction re-execution mechanism for execute faults Razvan Cojocaru
2014-07-02 16:04 ` Andrew Cooper
2014-07-02 13:34 ` [PATCH RFC 9/9] mm: mark pages that have their permissions controlled by a domain Razvan Cojocaru
2014-07-03 10:19 ` Jan Beulich
2014-07-03 11:27 ` Razvan Cojocaru
2014-07-03 12:15 ` Jan Beulich
2014-07-02 15:20 ` [PATCH RFC 1/9] xen: Emulate with no writes; compute current instruction length Andrew Cooper
2014-07-03 7:42 ` Razvan Cojocaru
2014-07-02 15:21 ` Jan Beulich
2014-07-02 15:43 ` Razvan Cojocaru
2014-07-02 16:08 ` Jan Beulich
2014-07-02 16:18 ` Razvan Cojocaru
2014-07-03 6:24 ` Jan Beulich
2014-07-03 7:38 ` Razvan Cojocaru
2014-07-03 8:05 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53B42B2A.4020907@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=rcojocaru@bitdefender.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.