From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Estrada, Zachary J"
Subject: Re: Trying to switch EPTP for execute-protecting guest pages
Date: Tue, 24 Nov 2015 08:51:14 -0600
Message-ID: <56547962.5050409@illinois.edu>
References: <565348BA.4020905@illinois.edu> <56544D8C.10307@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
To: Paolo Bonzini ,
Return-path:
Received: from massmail-relays03.cites.illinois.edu ([192.17.82.79]:44125 "EHLO massmail-relays03.cites.illinois.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753389AbbKXOvT (ORCPT ); Tue, 24 Nov 2015 09:51:19 -0500
In-Reply-To: <56544D8C.10307@redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 11/24/2015 05:44 AM, Paolo Bonzini wrote:
>
>
> On 23/11/2015 18:11, Estrada, Zachary J wrote:
>> I'm playing around with EPTs and kvm to track execution in the guest.
>> I've created a separate set of EPTs (and copied the last level entries
>> from the real tables, minus execute permissions) but I'm not getting
>> exits where I expect. I also have code in handle_ept_violation to
>> preserve those permissions for any non-execute ept violations.
>>
>> Here is what I am calling within a VM Exit handler:
>> ---
>> kvm_mmu_unload(vcpu);
>> vcpu->arch.mmu.root_hpa = eptp;
>> kvm_x86_ops->set_tdp_cr3(vcpu, eptp);
>> kvm_mmu_load(vcpu);
>> kvm_flush_remote_tlbs(vcpu->kvm);
>> ---
>>
>> I think some of this is overkill, but am I missing something? I think I
>> may need to flush the rmaps too, but I'm not exactly sure how.
>
> My suggestion is:
>
> 1) use tracing and check that kvm_mmu_get_page is being called correctly.
>
> 2) there is already code for write protection. Try copying that code
> instead of doing a complete reimplementation.
>
> Paolo
>

1) Will do, thanks!

2) Got it. Let's say I want to work with a copy of the extended page tables instead of the original, what would be the best way to do so?
Right now I'm traversing the full tables using root_hpa, but if there's a better way using the spte interface, I would prefer that.

Thanks so much!

--Zak
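The shadow-EPT idea in the quoted message (a second set of tables whose leaf entries keep their mapping but lose execute permission, so instruction fetches from the guest trigger EPT violations that can be traced) as an added illustration, not code from this thread or from KVM: a self-contained toy model of a 4-level EPT with constructed sample mappings, a clone routine that strips EPT_X from every leaf (4K and large-page) entry while leaving the original tables untouched, and a walk that returns the effective permissions a fetch or access would get from each copy. The table pool, the `TABLE_OF` helper and the sample addresses are assumptions of this model, not KVM identifiers.

```c
/* Toy model of a 4-level EPT, constructed for illustration (not KVM's structures or API).
 * "Host memory" is a pool of 512-entry tables addressed by (index << 12); entry bits
 * follow the EPT format: bit 0 read, bit 1 write, bit 2 execute, bit 7 large page. */
#include <stdint.h>
#include <stdlib.h>
enum { EPT_R = 1, EPT_W = 2, EPT_X = 4, EPT_RWX = 7, EPT_LARGE = 1 << 7 };
#define EPT_ADDR_MASK 0x000FFFFFFFFFF000ULL
#define TABLE_OF(e) ((int)(((e) & EPT_ADDR_MASK) >> 12))   /* next-level table index */
static uint64_t tables[64][512];                            /* zero-initialised pool */
static int ntables;

static int alloc_table(void) {
    if (ntables >= 64) abort();                             /* pool exhausted */
    return ntables++;
}

/* Clone the hierarchy rooted at 'src' (level 4 = PML4): leaf entries keep their
 * mapping but lose EPT_X; non-leaf entries point at cloned tables. 'src' is untouched. */
static int clone_ept_noexec(int src, int level) {
    int dst = alloc_table();
    for (int i = 0; i < 512; i++) {
        uint64_t e = tables[src][i];
        if (!(e & EPT_RWX)) continue;                       /* not present */
        if (level == 1 || (e & EPT_LARGE)) tables[dst][i] = e & ~(uint64_t)EPT_X;
        else tables[dst][i] = ((uint64_t)clone_ept_noexec(TABLE_OF(e), level - 1) << 12) | (e & 0xFFF);
    }
    return dst;
}

/* Effective R/W/X for a guest-physical address (ANDed across levels, as the
 * hardware does), or 0 if the address is unmapped. */
static uint64_t ept_walk(int root, uint64_t gpa) {
    uint64_t perm = EPT_RWX;
    for (int t = root, level = 4; level >= 1; level--) {
        uint64_t e = tables[t][(gpa >> (12 + 9 * (level - 1))) & 0x1FF];
        if (!(e & EPT_RWX)) return 0;
        perm &= e & EPT_RWX;
        if (level == 1 || (e & EPT_LARGE)) return perm;
        t = TABLE_OF(e);
    }
    return 0;
}

/* Constructed sample: a 4K RWX page at gpa 0x1000 and a 2M R+X page at 0x200000. */
static int build_sample_ept(void) {
    int pml4 = alloc_table(), pdpt = alloc_table(), pd = alloc_table(), pt = alloc_table();
    tables[pml4][0] = ((uint64_t)pdpt << 12) | EPT_RWX;
    tables[pdpt][0] = ((uint64_t)pd << 12) | EPT_RWX;
    tables[pd][0] = ((uint64_t)pt << 12) | EPT_RWX;
    tables[pd][1] = 0x200000ULL | EPT_LARGE | EPT_R | EPT_X;
    tables[pt][1] = 0x1000ULL | EPT_RWX;
    return pml4;
}
```

Walking the clone for any mapped address yields the original permissions minus execute, which is the state in which a fetch would fault while reads and writes still go through.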