From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: Nested EPT Write Protection
Date: Fri, 19 Jun 2015 08:27:07 +0200
Message-ID: <5583B63B.1080907@redhat.com>
References: <CAHqbYQvzU=U=SrNeip_zjWkQAdu2Sfwd1nPfYuJ012xPUrTKdw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
To: Hu Yaohui <loki2441@gmail.com>, kvm <kvm@vger.kernel.org>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail-wi0-f173.google.com ([209.85.212.173]:33599 "EHLO
	mail-wi0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751418AbbFSG1K (ORCPT <rfc822;kvm@vger.kernel.org>);
	Fri, 19 Jun 2015 02:27:10 -0400
Received: by wilj4 with SMTP id j4so9253355wil.0
        for <kvm@vger.kernel.org>; Thu, 18 Jun 2015 23:27:09 -0700 (PDT)
In-Reply-To: <CAHqbYQvzU=U=SrNeip_zjWkQAdu2Sfwd1nPfYuJ012xPUrTKdw@mail.gmail.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>



On 19/06/2015 03:52, Hu Yaohui wrote:
> Hi All,
> In kernel 3.14.2, the kvm uses shadow EPT(EPT02) to implement the
> nested EPT. The shadow EPT(EPT02) is a shadow of guest EPT (EPT12). If
> the L1 guest writes to the guest EPT(EPT12). How can the shadow
> EPT(EPT02) be modified according?

Because the EPT02 is write protected, writes to the EPT12 will trap to
the hypervisor.  The hypervisor will execute the write instruction
before reentering the guest and invalidate the modified parts of the
EPT02.  When the invalidated part of the EPT02 is accessed, the
hypervisor will rebuild it according to the EPT12 and the KVM memslots.

Paolo