From: valerio@aimale.com
Date: Thu, 15 Oct 2015 17:44:02 -0600
Message-Id: <1444952643-5033-1-git-send-email-valerio@aimale.com>
Subject: [Qemu-devel] QEMU patch to allow VM introspection via libvmi
To: qemu-devel@nongnu.org
Cc: armbru@redhat.com, ehabkost@redhat.com, lcapitulino@redhat.com

All-

I've produced a patch for the current QEMU HEAD, for libvmi to introspect QEMU/KVM VMs. Libvmi has patches for the old qemu-kvm fork, inside its source tree:

https://github.com/libvmi/libvmi/tree/master/tools/qemu-kvm-patch

This patch adds an hmp and a qmp command, "pmemaccess". When the command is invoked with a string argument (a filename), it will open a UNIX socket and spawn a listening thread. The client writes binary commands to the socket, in the form of a C structure:

    struct request {
        uint8_t type;      // 0 quit, 1 read, 2 write, ... rest reserved
        uint64_t address;  // address to read from OR write to
        uint64_t length;   // number of bytes to read OR write
    };

The client receives as a response either (length+1) bytes, if it is a read operation, or 1 byte if it is a write operation. The last byte of a read operation response indicates success (1 success, 0 failure). The single byte returned for a write operation indicates the same (1 success, 0 failure).
The socket API was written by the libvmi author and it works with the current libvmi version. The libvmi client-side implementation is at:

https://github.com/libvmi/libvmi/blob/master/libvmi/driver/kvm/kvm.c

As many use KVM VMs for introspection, malware and security analysis, it might be worth thinking about making pmemaccess a permanent hmp/qmp command, as opposed to having to produce a patch at each QEMU point release.

Also, the pmemsave command's QAPI should be changed to be usable with 64-bit VMs in qapi-schema.json, from

---
{ 'command': 'pmemsave',
  'data': {'val': 'int', 'size': 'int', 'filename': 'str'} }
---

to

---
{ 'command': 'pmemsave',
  'data': {'val': 'int64', 'size': 'int64', 'filename': 'str'} }
---

hmp-commands.hx and qmp-commands.hx should be edited accordingly. I did not make the above pmemsave changes part of my patch.

Let me know if you have any questions,

Valerio
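A worked client/server exchange for the pmemaccess socket protocol described in the message above, added here as an example and not part of the patch or of libvmi's kvm.c: it packs the request struct, parses the (length+1)-byte read reply and the 1-byte write reply, and runs both against an in-memory stand-in for the listening thread. Assumed, since the message does not state it: the struct is sent raw from an x86-64 build (so 7 bytes of alignment padding follow `type`, 24 bytes total, little-endian), and a write's payload follows its header on the socket.

```python
import struct

# Assumed wire layout: the C struct sent raw from x86-64, so the uint8_t
# type is followed by 7 padding bytes before the two uint64_t fields.
REQ_FMT = "<B7xQQ"
REQ_SIZE = struct.calcsize(REQ_FMT)  # 24 bytes

TYPE_QUIT, TYPE_READ, TYPE_WRITE = 0, 1, 2
STATUS_OK, STATUS_FAIL = 1, 0


def encode_request(rtype, address, length):
    """Build the binary request the client writes to the UNIX socket."""
    return struct.pack(REQ_FMT, rtype, address, length)


def decode_request(buf):
    return struct.unpack(REQ_FMT, buf[:REQ_SIZE])


class FakePmemServer:
    """Constructed stand-in for the listener; a bytearray plays guest RAM."""

    def __init__(self, size):
        self.mem = bytearray(size)

    def handle(self, req):
        rtype, address, length = decode_request(req)
        in_bounds = address + length <= len(self.mem)  # reject out-of-range access
        if rtype == TYPE_READ:
            if not in_bounds:  # still length+1 bytes; trailing status byte says failed
                return bytes(length) + bytes([STATUS_FAIL])
            return bytes(self.mem[address:address + length]) + bytes([STATUS_OK])
        if rtype == TYPE_WRITE:
            data = req[REQ_SIZE:REQ_SIZE + length]  # assumed: payload follows header
            if not in_bounds or len(data) != length:
                return bytes([STATUS_FAIL])
            self.mem[address:address + length] = data
            return bytes([STATUS_OK])
        return b""  # quit / reserved types: no reply


def read_physical(server, address, length):
    """Client side of a read: returns the bytes, or None if the status byte is 0."""
    resp = server.handle(encode_request(TYPE_READ, address, length))
    if len(resp) != length + 1:
        raise ValueError("short response from pmemaccess socket")
    return resp[:-1] if resp[-1] == STATUS_OK else None


def write_physical(server, address, data):
    resp = server.handle(encode_request(TYPE_WRITE, address, len(data)) + data)
    return resp == bytes([STATUS_OK])


def demo():
    srv = FakePmemServer(4096)  # constructed 4 KiB "guest"
    ok = write_physical(srv, 0x100, b"\x55\xaa")
    return ok, read_physical(srv, 0x100, 2), read_physical(srv, 4095, 2)
```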