Monitoring access to a guest page?

Monitoring access to a guest page?

[Brendan Dolan-Gavitt]

Hi,

I'm working on a patch to let me monitor reads and writes to a  
particular guest page. The overall strategy is:
1. Mark the guest page as non-present.
2. In the PF handler, if the access is to the monitored page, log,  
and emulate the instruction.

When I asked about this in #kvm, some kind folks pointed out that  
this is how MMIO is handled. So after looking through the MMIO code,  
the new plan is:
1. Create a new MMIO handler (a kvm_io_device) that will shadow a  
guest page.
2. Copy the page to be monitored from the guest and store it in the  
private region of the new IO device. (using kvm_read_guest).  
Basically, create a shadow copy of the page.
3. Mark the page as non-present.
4. Register the IO device, have its in_range check whether the  
address is in the page being watched.
5. In the IO device's read/write handler, service reads and writes  
from the shadow copy, and log.

So I have two questions:
1. Does this all seem reasonably correct?
2. What's the best way to accomplish step 3? I can't seem to find a  
function in mmu.c that will do this, but it seems overly complicated  
to use kvm_guest_write to modify the PTE by hand.

Thanks in advance,
Brendan Dolan-Gavitt
PhD Student, GTISC (Georgia Tech)

Re: Monitoring access to a guest page?

[Avi Kivity]

Brendan Dolan-Gavitt wrote:
> Hi,
>
> I'm working on a patch to let me monitor reads and writes to a 
> particular guest page. The overall strategy is:
> 1. Mark the guest page as non-present.
> 2. In the PF handler, if the access is to the monitored page, log, and 
> emulate the instruction.
>
> When I asked about this in #kvm, some kind folks pointed out that this 
> is how MMIO is handled. So after looking through the MMIO code, the 
> new plan is:
> 1. Create a new MMIO handler (a kvm_io_device) that will shadow a 
> guest page.
> 2. Copy the page to be monitored from the guest and store it in the 
> private region of the new IO device. (using kvm_read_guest). 
> Basically, create a shadow copy of the page.
> 3. Mark the page as non-present.
> 4. Register the IO device, have its in_range check whether the address 
> is in the page being watched.
> 5. In the IO device's read/write handler, service reads and writes 
> from the shadow copy, and log.
>
> So I have two questions:
> 1. Does this all seem reasonably correct?
> 2. What's the best way to accomplish step 3? I can't seem to find a 
> function in mmu.c that will do this, but it seems overly complicated 
> to use kvm_guest_write to modify the PTE by hand.

It's the other way round.  All pages are not-present unless made present 
by the mmu.

All you have to do is _not_ register a memory slot that contains your 
page.  When the guest accesses this memory, the mmu will _not_ 
instantiate a present pte, and will forward all accesses to your mmio 
handler.

It's going to be slow, though.

-- 
error compiling committee.c: too many arguments to function