kvm.vger.kernel.org archive mirror
* [Question] Switching VCPU CPL from the hypervisor ?
@ 2015-12-15 16:20 Yacine HEBBAL
  2015-12-15 16:53 ` Paolo Bonzini
  0 siblings, 1 reply; 5+ messages in thread
From: Yacine HEBBAL @ 2015-12-15 16:20 UTC (permalink / raw)
  To: kvm

Hi,
I'm working on an application in which I control an arbitrary process to
execute a given piece of code (injected code, for example). I want the process I'm
controlling to execute my code with root privilege. Is it possible to
arbitrarily switch the vcpu CPL to 0 from the hypervisor level (while the process is in user
mode)? I'm aware that I can do this using some hacks and emulation, or by
controlling the process just after it enters or just before it leaves kernel
mode (but then I need to wait for and intercept these events). Is there a
straightforward technique to switch the vcpu CPL from the hypervisor level on
demand?



* Re: [Question] Switching VCPU CPL from the hypervisor ?
  2015-12-15 16:20 [Question] Switching VCPU CPL from the hypervisor ? Yacine HEBBAL
@ 2015-12-15 16:53 ` Paolo Bonzini
  2015-12-15 17:12   ` Yacine HEBBAL
       [not found]   ` <CACEoar5vk6mzeWYwcDsBFVxYfcYm3fyBufwA+BM1ZvP3PL5aVw@mail.gmail.com>
  0 siblings, 2 replies; 5+ messages in thread
From: Paolo Bonzini @ 2015-12-15 16:53 UTC (permalink / raw)
  To: Yacine HEBBAL, kvm



On 15/12/2015 17:20, Yacine HEBBAL wrote:
> Hi,
> I'm working on an application in which I control an arbitrary process to
> execute a given piece of code (injected code, for example). I want the process I'm
> controlling to execute my code with root privilege. Is it possible to
> arbitrarily switch the vcpu CPL to 0 from the hypervisor level (while the process is in user
> mode)? I'm aware that I can do this using some hacks and emulation, or by
> controlling the process just after it enters or just before it leaves kernel
> mode (but then I need to wait for and intercept these events). Is there a
> straightforward technique to switch the vcpu CPL from the hypervisor level on
> demand?

Would a hypercall do?  VMCALL can be executed from CPL 3.

Paolo


* Re: [Question] Switching VCPU CPL from the hypervisor ?
  2015-12-15 16:53 ` Paolo Bonzini
@ 2015-12-15 17:12   ` Yacine HEBBAL
       [not found]   ` <CACEoar5vk6mzeWYwcDsBFVxYfcYm3fyBufwA+BM1ZvP3PL5aVw@mail.gmail.com>
  1 sibling, 0 replies; 5+ messages in thread
From: Yacine HEBBAL @ 2015-12-15 17:12 UTC (permalink / raw)
  To: kvm

> Would a hypercall do?  VMCALL can be executed from CPL 3.
> 
> Paolo

What I want to do is: when a controlled process is in user mode, I change
its CPL to 0, force it to execute code that is injected into the VM, set
its CPL back to 3 and let it run as if nothing happened.

Yacine




* Re: [Question] Switching VCPU CPL from the hypervisor ?
       [not found]   ` <CACEoar5vk6mzeWYwcDsBFVxYfcYm3fyBufwA+BM1ZvP3PL5aVw@mail.gmail.com>
@ 2015-12-16 17:48     ` Paolo Bonzini
  2015-12-17 15:58       ` Yacine HEBBAL
  0 siblings, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2015-12-16 17:48 UTC (permalink / raw)
  To: Hebbal Yacine; +Cc: kvm



On 15/12/2015 18:02, Hebbal Yacine wrote:
> What I want to do is: when a controlled process is in user mode, I
> change its CPL to 0, force it to execute code that is injected into the
> VM, set its CPL back to 3 and let it run as if nothing happened.

Could you inject an SMI and place your code in the guest firmware's SMM
handler?  What input is needed by this CPL=0 code?

Paolo


* Re: [Question] Switching VCPU CPL from the hypervisor ?
  2015-12-16 17:48     ` Paolo Bonzini
@ 2015-12-17 15:58       ` Yacine HEBBAL
  0 siblings, 0 replies; 5+ messages in thread
From: Yacine HEBBAL @ 2015-12-17 15:58 UTC (permalink / raw)
  To: kvm

Paolo Bonzini <pbonzini <at> redhat.com> writes:
> On 15/12/2015 18:02, Hebbal Yacine wrote:
> > What I want to do is: when a controlled process is in user mode, I
> > change its CPL to 0, force it to execute code that is injected into the
> > VM, set its CPL back to 3 and let it run as if nothing happened.
> 
> Could you inject an SMI and place your code in the guest firmware's SMM
> handler?  What input is needed by this CPL=0 code?
> 
> Paolo

I think the solution follows this logic: we inject an interrupt,
intercept execution of its handler (CPL is 0), save the CPU context, execute the
code we want, push a return address, and force the process to execute the IRET
instruction, which will complete the cleanup, restore CPL 3 and let the
process resume its normal execution. I'll continue to dig into this to see if
there is a better approach. Thanks for your help :)


Yacine
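Added example, not code from this thread or from KVM: how a hypervisor-side monitor derives a vCPU's CPL from its register state, which CPL an IRETQ frame returns to (the step that puts the process back at CPL 3 in the sequence above), and a check that flags a user-to-kernel CPL transition whose RIP did not land in guest kernel text. The `vcpu_state` layout is a constructed stand-in for the relevant `kvm_sregs`/`kvm_regs` fields, and the kernel text range is an assumed caller-supplied input.

```c
#include <stdint.h>

/* Constructed stand-in for the KVM struct kvm_sregs / kvm_regs fields used
 * here; assumed to mirror linux/kvm.h, not the real header. */
struct seg { uint16_t selector; uint8_t dpl; };
struct vcpu_state {
    uint64_t cr0;      /* bit 0 = PE (protected mode enable) */
    uint64_t rflags;   /* bit 17 = VM (virtual-8086 mode) */
    uint64_t rip;
    struct seg cs, ss;
};

#define CR0_PE    (1ULL << 0)
#define RFLAGS_VM (1ULL << 17)

/* CPL as a hypervisor derives it from vCPU state (the rules KVM applies):
 * real mode runs at CPL 0, virtual-8086 mode at CPL 3, else CPL = SS.DPL. */
int vcpu_cpl(const struct vcpu_state *s)
{
    if (!(s->cr0 & CR0_PE)) return 0;
    if (s->rflags & RFLAGS_VM) return 3;
    return s->ss.dpl;
}

/* 64-bit interrupt stack frame, in the order the CPU pushes it and IRETQ pops it. */
struct iret_frame64 { uint64_t rip, cs, rflags, rsp, ss; };

/* CPL the vCPU has after IRETQ consumes the frame: the RPL of the CS selector
 * it returns to. Returning through a ring-3 frame is what restores CPL 3. */
int cpl_after_iret(const struct iret_frame64 *f)
{
    return (int)(f->cs & 3);
}

/* Monitor check over two consecutive vCPU snapshots. A CPL 3 -> 0 transition
 * is expected only when RIP landed in guest kernel text (interrupt/exception
 * gate or SYSCALL target). [ktext_lo, ktext_hi) is assumed to be supplied by
 * the caller, e.g. from the guest's symbol table. Returns 1 when the
 * transition is not explained by a normal ring entry. */
int suspicious_cpl_transition(const struct vcpu_state *prev,
                              const struct vcpu_state *cur,
                              uint64_t ktext_lo, uint64_t ktext_hi)
{
    if (vcpu_cpl(prev) != 3 || vcpu_cpl(cur) != 0)
        return 0;               /* not a user -> kernel transition */
    return !(cur->rip >= ktext_lo && cur->rip < ktext_hi);
}
```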

