From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Alexander Graf <agraf@csgraf.de>
Cc: "Mihai Donțu" <mdontu@bitdefender.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
kvm@vger.kernel.org, "KarimAllah Ahmed" <karahmed@amazon.de>
Subject: Re: #VE support for VMI
Date: Mon, 20 May 2019 11:33:31 -0700
Message-ID: <20190520183331.GD28482@linux.intel.com>
In-Reply-To: <80e0baaf-150b-0966-6920-b36d23a6cdef@csgraf.de>
On Mon, May 20, 2019 at 11:10:51AM -0700, Alexander Graf wrote:
> On 20.05.19 08:48, Mihai Donțu wrote:
> > Hi Paolo,
> >
> > We are looking at adding #VE support to the VMI subsystem we are
> > working on. Its purpose is to suppress VMEXIT-s caused by the page
> > table walker when the guest page tables are write-protected. A very
> > small in-guest agent (protected by the hypervisor) will receive the EPT
> > violation events, handle PT-walk writes and turn the rest into VMCALL-
> > s.
> >
> > A brief presentation of similar work on Xen can be found here:
> > https://www.slideshare.net/xen_com_mgr/xpdss17-hypervisorbased-security-bringing-virtualized-exceptions-into-the-game-mihai-dontu-bitdefender
> >
> > There is a bit of an issue with using #VE on KVM, though: because the
> > EPT is built on-the-fly (as the guest runs), when we enable #VE in
> > VMCS, all EPT violations become virtualized, because all EPTE-s have
> > bit 63 zero (0: convert to #VE, 1: generate VMEXIT). At the moment, I
>
> Are you 100% sure? Last time I played with #VE, it only triggered on
> misconfigurations/permission checks (lack of R/W/X, but P=1), not on P=0
> pages.
#VEs trigger on RWX=0, but not misconfigurations, i.e. any and all
EPT_VIOLATION exits (reason 48) are convertible, and EPT_MISCONFIG exits
(reason 49) are never convertible. The reasoning behind the logic is
that an EPT_MISCONFIG is the result of a VMM bug (or in KVM's case, MMIO
trickery), whereas a RWX=0 EPT_VIOLATION could be a malicious entity in
the guest probing non-existent pages or pages it doesn't have access to.
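As an added illustration of the convertibility rules Sean lays out (this is example code written for this page, not KVM's, Xen's or Bitdefender's code), the following C model decides, for one guest-physical access through one EPT entry, whether the result is a permitted access, an EPT_VIOLATION exit (reason 48), an EPT_MISCONFIG exit (reason 49) or a #VE. It also reproduces the on-demand-EPT problem Mihai raises: a zero-filled not-present entry has bit 63 clear, so with #VE enabled the guest's first touch of a page is virtualized instead of exiting. Assumptions, labelled in the comments: a single EPT level, no execute-only EPT support, and the function names (ept_access, classify, demo_busy_flag, the epte_* helpers) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* EPT PTE bits (Intel SDM Vol. 3, EPT paging-structure entries). */
#define EPT_R           (1ULL << 0)
#define EPT_W           (1ULL << 1)
#define EPT_X           (1ULL << 2)
#define EPT_RWX         (EPT_R | EPT_W | EPT_X)
#define EPT_SUPPRESS_VE (1ULL << 63)   /* 1: always VM-exit; 0: an EPT violation is convertible */

#define EXIT_REASON_EPT_VIOLATION 48
#define EXIT_REASON_EPT_MISCONFIG 49

enum outcome { ACCESS_OK, VMEXIT_EPT_VIOLATION, VMEXIT_EPT_MISCONFIG, DELIVER_VE };

/* #VE information area as the CPU fills it in the guest page the VMM designated. */
struct ve_info {
    uint32_t exit_reason;  /* 48 for a converted EPT violation */
    uint32_t busy;         /* CPU writes 0xFFFFFFFF on delivery; nonzero blocks further #VEs */
    uint64_t exit_qual;    /* bits 0-2: access type, bits 3-5: entry permissions */
    uint64_t gla;
    uint64_t gpa;
    uint16_t eptp_index;
};

/*
 * Model of the CPU's decision for one access through one EPT entry (hypothetical helper).
 * 'acc' is the requested access as EPT_R/EPT_W/EPT_X bits.
 * Assumption: execute-only EPT is not supported, so X without R is a misconfiguration.
 */
enum outcome ept_access(uint64_t epte, uint64_t acc, uint64_t gpa, uint64_t gla,
                        bool ve_enabled, struct ve_info *ve)
{
    uint64_t perms = epte & EPT_RWX;

    /* Misconfigured entries always exit with reason 49; they are never convertible. */
    if (((perms & EPT_W) || (perms & EPT_X)) && !(perms & EPT_R))
        return VMEXIT_EPT_MISCONFIG;

    if ((perms & acc) == acc)
        return ACCESS_OK;

    /* EPT violation (RWX=0 or insufficient rights): #VE only if every condition holds. */
    if (ve_enabled && !(epte & EPT_SUPPRESS_VE) && ve->busy == 0) {
        ve->exit_reason = EXIT_REASON_EPT_VIOLATION;
        ve->busy = 0xFFFFFFFFu;
        ve->exit_qual = acc | (perms << 3);
        ve->gla = gla;
        ve->gpa = gpa;
        ve->eptp_index = 0;
        return DELIVER_VE;
    }
    return VMEXIT_EPT_VIOLATION;
}

/* The in-guest #VE handler must clear 'busy' before returning, or the next violation exits. */
void ve_handler_ack(struct ve_info *ve) { ve->busy = 0; }

/* Classify one access with a fresh, idle info area. */
enum outcome classify(uint64_t epte, uint64_t acc, bool ve_enabled)
{
    struct ve_info ve = {0};
    return ept_access(epte, acc, 0x1000, 0, ve_enabled, &ve);
}

/*
 * Three writes to a write-protected page (R=1, X=1, W=0, bit 63 clear); the handler
 * acknowledges only the first. Returns how many of the three became #VEs, not VM-exits.
 */
int demo_busy_flag(void)
{
    struct ve_info ve = {0};
    uint64_t pt_page = EPT_R | EPT_X;
    int ves = 0;

    ves += ept_access(pt_page, EPT_W, 0x2000, 0, true, &ve) == DELIVER_VE;
    ve_handler_ack(&ve);
    ves += ept_access(pt_page, EPT_W, 0x2000, 0, true, &ve) == DELIVER_VE;
    /* No ack this time: busy stays set, so the third write must VM-exit. */
    ves += ept_access(pt_page, EPT_W, 0x2000, 0, true, &ve) == DELIVER_VE;
    return ves;
}

/*
 * On-demand EPT as described in the thread: a zero not-present entry has bit 63 clear, so
 * with #VE enabled the first touch of any page becomes a #VE instead of the violation exit
 * the VMM needs in order to populate the entry. Hypothetical remedy: seed not-present entries
 * with the suppress bit and clear it only on entries the VMM deliberately makes convertible.
 */
uint64_t epte_not_present_naive(void)      { return 0; }
uint64_t epte_not_present_suppressed(void) { return EPT_SUPPRESS_VE; }
uint64_t epte_make_convertible(uint64_t e) { return e & ~EPT_SUPPRESS_VE; }

int main(void)
{
    static const char *names[] = { "ACCESS_OK", "VMEXIT_EPT_VIOLATION",
                                   "VMEXIT_EPT_MISCONFIG", "DELIVER_VE" };
    printf("zero EPTE, read, #VE on:     %s\n", names[classify(epte_not_present_naive(), EPT_R, true)]);
    printf("suppressed EPTE, read:       %s\n", names[classify(epte_not_present_suppressed(), EPT_R, true)]);
    printf("write-only EPTE (misconfig): %s\n", names[classify(EPT_W, EPT_W, true)]);
    printf("#VEs across three writes:    %d\n", demo_busy_flag());
    return 0;
}
```

The busy flag matters for an in-guest agent of the kind described: a #VE handler that does not clear the 32-bit word at offset 4 of the information area silently turns every later convertible violation back into a VM-exit, which defeats the purpose of enabling #VE in the first place.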
Thread overview:
2019-05-20 15:48 #VE support for VMI Mihai Donțu
2019-05-20 18:10 ` Alexander Graf
2019-05-20 18:33 ` Sean Christopherson [this message]
2019-05-20 20:49 ` Alexander Graf
2019-05-20 18:22 ` Sean Christopherson
2019-05-20 19:55 ` Mihai Donțu