From: Avi Kivity
Subject: Re: KVM hook for code integrity checking
Date: Thu, 06 May 2010 12:04:08 +0300
Message-ID: <4BE28608.4010202@redhat.com>
References: <4BDAEF05.1030507@tum.de> <4BE134C1.1020009@redhat.com> <4BE24AE9.6040102@tum.de>
In-Reply-To: <4BE24AE9.6040102@tum.de>
To: Suen Chun Hui
Cc: kvm@vger.kernel.org

On 05/06/2010 07:51 AM, Suen Chun Hui wrote:
> Hi,
>
> Thanks for the reply.
>
> On 05/05/2010 11:05 AM, Avi Kivity wrote:
>> On 04/30/2010 05:53 PM, Suen Chun Hui wrote:
>>> Dear KVM developers,
>>>
>>> I'm currently working on an open source security patch to use KVM to
>>> implement code verification on a guest VM at runtime. Thus, it would be
>>> very helpful if someone can point me to the right function or place to
>>> look at for adding 2 hooks into the KVM paging code to:
>>>
>>> 1. Detect a new guest page (which I assume will imply a new pte and
>>> imply a new spte).
>>> Currently, I'm considering putting a hook in the function
>>> mmu_set_spte(), but maybe there is a better place.
>>> This hook will be used as the main entry point into the code
>>> verification function.
>>>
>> This is in general not possible. Hosts with npt or ept will not see
>> new guest ptes.
>>
> Yes, I was only considering the case of using shadow paging. Would this
> be possible then, since the walker would have to parse the gpte anyway?

It's possible, but it's not a good idea to require shadow paging. It's slow and doesn't scale well.

-- 
error compiling committee.c: too many arguments to function