From: Adalbert Lazar <alazar@bitdefender.com>
To: kvm@vger.kernel.org
Cc: "Paolo Bonzini" <pbonzini@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
alazar@bitdefender.com, mdontu@bitdefender.com
Subject: [RFC PATCH 00/19] Guest introspection
Date: Fri, 16 Jun 2017 16:43:29 +0300
Message-ID: <20170616134348.17725-1-alazar@bitdefender.com>
This patch series proposes an interface that will allow a guest
introspection tool to monitor and control other guests, in order to
protect them against different forms of exploits. This type of interface
is already present in the XEN hypervisor.
With the current implementation, the introspection tool connects to
the KVMi (the introspection subsystem from KVM) using a vsock socket,
establishes a main communication channel, used for a few messages
(KVMI_EVENT_GUEST_ON, KVMI_EVENT_GUEST_OFF, KVMI_GET_GUESTS and
KVMI_GET_VERSION).
Every KVMI_EVENT_GUEST_ON notification makes the introspection tool
establish a new connection, used to monitor and control that guest.
In order to control the guests, we found that the following list
of introspection commands/events is required:
Commands - messages sent from introspection tool to KVMi
========
- KVMI_GET_GUEST_INFO
    Get the number of online VCPUs and the TSC speed.
- KVMI_PAUSE_GUEST, KVMI_UNPAUSE_GUEST
    Pause/unpause all VCPUs.
- KVMI_SHUTDOWN_GUEST
- KVMI_GET_REGISTERS
    Get general purpose, special and a small subset of MSRs
    (the ones controlling the syscall behaviour).
- KVMI_SET_REGISTERS
    Set the general purpose registers.
- KVMI_GET_MTRR_TYPE
    Get the guest memory type for a specific physical address.
- KVMI_GET_MTRRS
    Get MSR_IA32_CR_PAT, MSR_MTRRcap and MSR_MTRRdefType.
- KVMI_GET_XSAVE_INFO
    Get vcpu->arch.guest_xstate_size.
- KVMI_GET_PAGE_ACCESS, KVMI_SET_PAGE_ACCESS
    Get/set the spte flags (rwx - present, write & user).
- KVMI_INJECT_PAGE_FAULT, KVMI_INJECT_BREAKPOINT
    Used to instruct the OS to do a page in.
- KVMI_READ_PHYSICAL, KVMI_WRITE_PHYSICAL
- KVMI_MAP_PHYSICAL_PAGE_TO_SVA, KVMI_UNMAP_PHYSICAL_PAGE_FROM_SVA
    A faster alternative to read/write messages (above).
- KVMI_EVENT_CONTROL
    Enable event reports (see the event list below).
- KVMI_CR_CONTROL, KVMI_MSR_CONTROL
    Filter VCPU events regarding CR and MSR registers
    (if enabled with KVMI_EVENT_CONTROL).
Events - messages sent from KVMi to introspection tool
======
- KVMI_EVENT_GUEST_ON, KVMI_EVENT_GUEST_OFF
    Send the guest UUID.
    On KVMI_EVENT_GUEST_ON, the introspection tool connects back with the UUID,
    in order to establish a control channel for this guest.
- KVMI_EVENT_VCPU
    This message is used to send one of the following events (if
    enabled with KVMI_EVENT_CONTROL - see above), together with
    the registers (see KVMI_GET_REGISTERS). The introspection tool
    can reply with the KVMI_EVENT_SET_REGS flag set and provide new
    values for the registers, as with the KVMI_SET_REGISTERS command.
  - KVMI_EVENT_CR
      A CR register was modified. If the event reporting for this
      specific CR was enabled with KVMI_CR_CONTROL, send a message to
      the introspection tool with the CR number, the old value, the
      new value, and wait for a reply with one or more actions/flags:
        + KVMI_EVENT_ALLOW (allow the new value to be set)
        + KVMI_EVENT_SET_REGS (override the registers)
      otherwise, block this modification.
  - KVMI_EVENT_MSR
      Similar to KVMI_EVENT_CR. Filtered with KVMI_MSR_CONTROL.
  - KVMI_EVENT_XSETBV
      An extended control register was modified. Send the value.
      The introspection tool can reply with KVMI_EVENT_SET_REGS.
  - KVMI_EVENT_BREAKPOINT
      A breakpoint was reached. Send the guest address.
      The introspection tool can reply with KVMI_EVENT_SET_REGS
      and KVMI_EVENT_ALLOW.
  - KVMI_EVENT_USER_CALL
      User hypercall.
      The introspection tool can reply with KVMI_EVENT_SET_REGS.
  - KVMI_EVENT_TRAP
      A trap will be delivered to the guest (#PF, INT3 etc.).
      The introspection tool can reply with KVMI_EVENT_SET_REGS.
  - KVMI_EVENT_PAGE_FAULT
      A hypervisor page fault was encountered.
      The introspection tool can reply with:
        + KVMI_EVENT_ALLOW (otherwise EMULATE_FAIL will be returned)
        + KVMI_EVENT_NOEMU (EMULATE_DONE)
        + KVMI_EVENT_SET_REGS
        + KVMI_EVENT_SET_CTX (change the emulation context)
The control channels are handled by workqueue jobs, receiving messages
from the introspection tool and signaling the proper VCPU threads to
act on the message.
Currently, all the commands will pause/unpause the guest, but we would like
to avoid this when possible.
This patch series is not complete. Your input would be greatly appreciated.
Adalbert Lazar (2):
kvm: Add the introspection subsystem
kvm: x86: Handle KVM_REQ_INTROSPECTION
Mihai Dontu (17):
kvm: x86: mmu: Add kvm_mmu_get_spte() and kvm_mmu_set_spte()
kvm: x86: Add kvm_arch_vcpu_set_regs()
mm: Add vm_replace_page()
kvm: Add kvm_enum()
kvm: Add uuid member in struct kvm + support for KVM_CAP_VM_UUID
kvm: Add kvm_vm_shutdown()
kvm: x86: Add kvm_arch_msr_intercept()
kvm: Hook in kvmi on VM on/off events
kvm: vmx: Hook in kvmi_page_fault()
kvm: x86: Hook in kvmi_breakpoint_event()
kvm: x86: Hook in kvmi_trap_event()
kvm: x86: Hook in kvmi_cr_event()
kvm: x86: Hook in kvmi_xsetbv_event()
kvm: x86: Hook in kvmi_msr_event()
kvm: x86: Change the emulation context
kvm: x86: Hook in kvmi_vmcall_event()
kvm: x86: Set the new spte flags before entering the guest
arch/x86/include/asm/kvm_host.h | 11 +-
arch/x86/kvm/Kconfig | 2 +
arch/x86/kvm/Makefile | 1 +
arch/x86/kvm/mmu.c | 126 ++-
arch/x86/kvm/mmu.h | 3 +
arch/x86/kvm/svm.c | 10 +
arch/x86/kvm/vmx.c | 79 +-
arch/x86/kvm/x86.c | 148 ++-
include/linux/kvm_host.h | 36 +
include/linux/mm.h | 1 +
include/uapi/linux/kvm.h | 2 +
include/uapi/linux/kvm_para.h | 4 +
include/uapi/linux/kvmi.h | 263 +++++
mm/memory.c | 69 ++
virt/kvm/kvm_main.c | 81 ++
virt/kvm/kvmi.c | 2252 +++++++++++++++++++++++++++++++++++++++
virt/kvm/kvmi.h | 42 +
virt/kvm/kvmi_socket.c | 412 +++++++
virt/kvm/kvmi_socket.h | 33 +
19 files changed, 3566 insertions(+), 9 deletions(-)
create mode 100644 include/uapi/linux/kvmi.h
create mode 100644 virt/kvm/kvmi.c
create mode 100644 virt/kvm/kvmi.h
create mode 100644 virt/kvm/kvmi_socket.c
create mode 100644 virt/kvm/kvmi_socket.h
--
2.12.2
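The KVMI_EVENT_CR and KVMI_EVENT_MSR descriptions above leave the reply decision entirely to the introspection tool: answer with KVMI_EVENT_ALLOW (optionally KVMI_EVENT_SET_REGS) to let the write through, answer with no flag to block it. The block below is an added example of such a decision routine, written here as an illustration and not taken from the patch series or from any Bitdefender tool. It assumes numeric values for the reply flags, a scalar calling convention for the event fields (register number, old value, new value), and a simple policy: refuse to let the guest clear CR0.WP, CR4.SMEP or CR4.SMAP, and refuse to re-point the syscall MSRs once the kernel has programmed them at boot. The real message layout lives in include/uapi/linux/kvmi.h of the series and is not reproduced.

```c
/*
 * Added example, not code from the patch series: a decision routine an
 * introspection tool could run on KVMI_EVENT_CR / KVMI_EVENT_MSR events
 * before replying. Flag values, the scalar event fields and the policy
 * itself are assumptions of this example.
 */
#include <stdint.h>
#include <stdio.h>

/* Reply flags named in the cover letter; the numeric values are assumed. */
#define KVMI_EVENT_ALLOW    (1u << 0)
#define KVMI_EVENT_SET_REGS (1u << 1)

/* Architectural control-register bits. */
#define CR0_WP   (1ull << 16) /* write protect: ring 0 honours read-only pages */
#define CR4_SMEP (1ull << 20) /* supervisor-mode execution prevention */
#define CR4_SMAP (1ull << 21) /* supervisor-mode access prevention */

/* MSRs that control the syscall path (the subset KVMI_GET_REGISTERS returns). */
#define MSR_STAR         0xC0000081u
#define MSR_LSTAR        0xC0000082u
#define MSR_CSTAR        0xC0000083u
#define MSR_SYSCALL_MASK 0xC0000084u

enum reg_kind { REG_CR, REG_MSR };

/* Hardening bits the policy never lets the guest clear. */
static uint64_t cr_protected_bits(unsigned int cr)
{
    switch (cr) {
    case 0:  return CR0_WP;
    case 4:  return CR4_SMEP | CR4_SMAP;
    default: return 0;
    }
}

static int is_syscall_msr(unsigned int msr)
{
    return msr == MSR_STAR || msr == MSR_LSTAR ||
           msr == MSR_CSTAR || msr == MSR_SYSCALL_MASK;
}

/*
 * Decide the reply to a CR or MSR event from the register number and the
 * old/new values the event carries. Returns the flag set to send back:
 * KVMI_EVENT_ALLOW lets the write through, an empty set blocks it (the
 * cover letter: "otherwise, block this modification").
 */
unsigned int reg_event_policy(enum reg_kind kind, unsigned int reg,
                              uint64_t old_value, uint64_t new_value)
{
    if (old_value == new_value)
        return KVMI_EVENT_ALLOW;   /* no-op write: nothing to protect */

    if (kind == REG_CR) {
        /* bits set before the write and clear after it */
        uint64_t cleared = old_value & ~new_value;
        if (cleared & cr_protected_bits(reg))
            return 0;              /* block: a protection bit is being disabled */
        return KVMI_EVENT_ALLOW;
    }

    /*
     * MSR: the kernel programs the syscall MSRs once at boot (old == 0);
     * a later change moves the syscall entry point, so block it. This is
     * an assumed policy; a real tool would key it on the known kernel image.
     */
    if (is_syscall_msr(reg) && old_value != 0)
        return 0;
    return KVMI_EVENT_ALLOW;
}

int main(void)
{
    /* constructed events, values chosen for the demonstration only */
    printf("CR0 clearing WP  -> 0x%x\n",
           reg_event_policy(REG_CR, 0, CR0_WP | 0x1, 0x1));
    printf("CR0 setting PG   -> 0x%x\n",
           reg_event_policy(REG_CR, 0, CR0_WP | 0x1,
                            CR0_WP | 0x1 | (1ull << 31)));
    printf("LSTAR first set  -> 0x%x\n",
           reg_event_policy(REG_MSR, MSR_LSTAR, 0, 0xffffffff81800000ull));
    printf("LSTAR re-pointed -> 0x%x\n",
           reg_event_policy(REG_MSR, MSR_LSTAR, 0xffffffff81800000ull,
                            0xffffc90000001000ull));
    return 0;
}
```

Because every blocked write keeps the VCPU paused until the tool answers, a routine like this belongs on the fast path of the control-channel handler with no I/O of its own; anything slower (logging, lookups against a signature database) should be queued after the reply is sent.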