From: Paolo Bonzini <pbonzini@redhat.com>
To: "Mihai Donțu" <mdontu@bitdefender.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>,
"Adalbert Lazar" <alazar@bitdefender.com>,
kvm@vger.kernel.org
Subject: Re: [RFC PATCH 08/19] kvm: Add the introspection subsystem
Date: Wed, 21 Jun 2017 14:57:48 +0200 [thread overview]
Message-ID: <e5f95fac-3bb3-c740-0f44-233bcc701e49@redhat.com> (raw)
In-Reply-To: <1498048592.24580.29.camel@bitdefender.com>
On 21/06/2017 14:36, Mihai Donțu wrote:
> The entire mechanism for altering spte-s will need a separate
> discussion, because right now it interferes with other mmu features
> like dirty page logging and possibly other that I might not be aware
> of.
Okay, this is the stuff that should be put in the cover letter. The
current cover letter instead is an attempt at documentation that should,
of course, be in Documentation/ instead. :)
I think the right way to do it is to rebuild the MMU when the radix tree
is modified, with KVM_REQ_MMU_SYNC (or maybe even kvm_mmu_reset_context
is enough, I am not sure). kvm_mmu_get_page can modify role.access
according to the result of the radix tree lookup. When you make the
page read-only, the role (which is part of the hash key) changes and the
EPT tables will also be made read-only.
Paolo
> The present code merely illustrates what we're really trying to
> achieve: control the page permissions in the shadow page tables. The
> mechanics are quite simple: while a VCPU is paused the introspection
> tool creates a list of all spte's it wants to alter and then it
> unpauses the VCPU which, on its wait back into the guest, walks the
> list and applies the changes. This list-based approach is used because
> sometimes accessing spte-s requires access to qemu's address space
> which is tricky to do when the introspection tool runs as a separate
> process. We tried using something on top of switch_mm() but it proved
> unreliable. It also requires exporting some very deep x86-specific data
> in order to build kvm-intel.ko.
>
>> How does this work when multiple VCPUs are running with different MMU
>> roles? One VCPU is emptying the access_list for all, but
>> kvm_mmu_set_spte is using for_each_shadow_entry per-VCPU.
> Indeed, here we assume all VCPU-s' spt pointers are loaded with the
> same address. A correct approach would iterate over all vCPU-s and I
> suspect it would need to be a bit more complex with Intel's multiple
> EPT views.
>
next prev parent reply other threads:[~2017-06-21 12:57 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-16 13:43 [RFC PATCH 00/19] Guest introspection Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 01/19] kvm: x86: mmu: Add kvm_mmu_get_spte() and kvm_mmu_set_spte() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 02/19] kvm: x86: Add kvm_arch_vcpu_set_regs() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 03/19] mm: Add vm_replace_page() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 04/19] kvm: Add kvm_enum() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 05/19] kvm: Add uuid member in struct kvm + support for KVM_CAP_VM_UUID Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 06/19] kvm: Add kvm_vm_shutdown() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 07/19] kvm: x86: Add kvm_arch_msr_intercept() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 08/19] kvm: Add the introspection subsystem Adalbert Lazar
2017-06-21 11:54 ` Paolo Bonzini
2017-06-21 12:36 ` Mihai Donțu
2017-06-21 12:57 ` Paolo Bonzini [this message]
2017-06-16 13:43 ` [RFC PATCH 09/19] kvm: Hook in kvmi on VM on/off events Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 10/19] kvm: vmx: Hook in kvmi_page_fault() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 11/19] kvm: x86: Hook in kvmi_breakpoint_event() Adalbert Lazar
2017-06-21 11:48 ` Paolo Bonzini
2017-06-21 12:37 ` Mihai Donțu
2017-06-16 13:43 ` [RFC PATCH 12/19] kvm: x86: Hook in kvmi_trap_event() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 13/19] kvm: x86: Hook in kvmi_cr_event() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 14/19] kvm: x86: Hook in kvmi_xsetbv_event() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 15/19] kvm: x86: Hook in kvmi_msr_event() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 16/19] kvm: x86: Change the emulation context Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 17/19] kvm: x86: Hook in kvmi_vmcall_event() Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 18/19] kvm: x86: Set the new spte flags before entering the guest Adalbert Lazar
2017-06-16 13:43 ` [RFC PATCH 19/19] kvm: x86: Handle KVM_REQ_INTROSPECTION Adalbert Lazar
2017-06-16 14:45 ` [RFC PATCH 00/19] Guest introspection Jan Kiszka
2017-06-16 15:18 ` Mihai Donțu
2017-06-16 15:34 ` Jan Kiszka
2017-06-16 15:59 ` Mihai Donțu
2017-06-19 9:39 ` Stefan Hajnoczi
2017-06-20 14:58 ` alazar
2017-06-20 15:03 ` Jan Kiszka
2017-06-21 11:04 ` Stefan Hajnoczi
2017-06-21 13:25 ` Paolo Bonzini
2017-06-27 16:12 ` Mihai Donțu
2017-06-27 16:23 ` Paolo Bonzini
2017-06-16 17:05 ` Paolo Bonzini
2017-06-16 17:27 ` Jan Kiszka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e5f95fac-3bb3-c740-0f44-233bcc701e49@redhat.com \
--to=pbonzini@redhat.com \
--cc=alazar@bitdefender.com \
--cc=kvm@vger.kernel.org \
--cc=mdontu@bitdefender.com \
--cc=rkrcmar@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox