[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Xen-devel] VCPU Structure
Hi Satyajeet –
I’m still not quite sure I understand, though your
description is getting better.
A hypercall executes on a VCPU on a PCPU. One can’t
transfer control to a VCPU structure; a VCPU structure contains data. Are
you doing a different memory integrity hash block for each VCPU in each guest?
Or one for each guest? Or is it one for the entire physical system?
If it is one for each VCPU in each guest, yes, you will need to store the
pre-defined range and the results of the hash in the VCPU structure and your “compute
hash” hypercall would store those values and your “check hash”
hypercall would verify the value (and return success or failure). If this
is what you plan to do, you do not need a trap/exception/fault as the hypercall
replaces that.
Dan
From: Nimgaonkar,
Satyajeet [mailto:SatyajeetNimgaonkar@xxxxxxxxxx]
Sent: Tuesday, November 09, 2010 10:07 AM
To: Nimgaonkar, Satyajeet; Dan Magenheimer; Xen Devel
Subject: RE: [Xen-devel] VCPU Structure
Hi Dan,
I have created a custom hypercall,
would it be possible to transfert the control from the hypercall handler to the
VCPU structure. With regards to modifying the VCPU, can you please redirect me
to any code examples containing trapping/exception/faulting the CPU. Also for
the memory integrity hash block that I wish to add to the VCPU, I will compute
the hash for a pre-defined range of memory and match it every day i.e. 24
hours.
Thank you very
much.
Regards,
Satyajeet
From:
xen-devel-bounces@xxxxxxxxxxxxxxxxxxx [xen-devel-bounces@xxxxxxxxxxxxxxxxxxx]
on behalf of Nimgaonkar, Satyajeet [SatyajeetNimgaonkar@xxxxxxxxxx]
Sent: Monday, November 08, 2010 11:58 AM
To: Dan Magenheimer; Xen Devel
Subject: RE: [Xen-devel] VCPU Structure
Hi Dan,
I want to compute the hash for a
specific memory range and not all the memory. Also I havent decided the
frequency of calculating the hash and matching it. But I wonder how will that
affect the functionality and modification that I intend to do?
Thanks.
Regards,
Satyajeet
From: Dan
Magenheimer [dan.magenheimer@xxxxxxxxxx]
Sent: Monday, November 08, 2010 10:59 AM
To: Nimgaonkar, Satyajeet; Xen Devel
Subject: RE: [Xen-devel] VCPU Structure
Hi Satyajeet –
No, you still will need to be much more precise. Computing a hash of ALL
memory on the system will take a very long time, and SOME memory is almost
certain to change (perhaps even while computing the hash) if anything at all is
running on the system, whether or not an attack is performed. Do you want
to compute a hash of some specific range of memory? Or all guest memory
for some specific guest? And memory is not specific to one VCPU, so it is
not something that you add to a VCPU. How frequently do you want to
compute the hash? And how frequently do you want to check for a
match? And how do you determine when you want to cause the hash to be
taken or checked? And do you need to store multiple values for different
ranges/guests?
Systems programming (in Xen or Linux or anywhere) is very
complex and it is important that you describe a very precise detailed plan for
what you want to do – flow chart, cause and effect, etc – before it
is possible to help you.
From: Nimgaonkar, Satyajeet [mailto:SatyajeetNimgaonkar@xxxxxxxxxx]
Sent: Monday, November 08, 2010 9:31 AM
To: Dan Magenheimer; Xen Devel
Subject: RE: [Xen-devel] VCPU Structure
Hi Dan,
A memory integrity block is a simple
hash function that computes the hash of all the memory at prticular instant of
time and stores it in a secure memory location. This allows to detect an attack
from an adversary who is trying to alter the memory values. At a lter instant
of time, the hash of memory is again computed and if the two hash values match
then we conclude that no attack was performed and they don't match we conclude
that an attack has been performed.
I hope that
explains the functionality that I want to add to the VCPU. Can you please tell
me where should I add the trapping code with in the VPCU, I mean which file
should I look at. Also please can you tell me where exactly with in xen should
I add the special code. I see the VCPU structure is present in xen/include/xen/sched.h. Is it the
correct place to look for.
Thanks.
Regards,
Satyajeet
From: Dan
Magenheimer [dan.magenheimer@xxxxxxxxxx]
Sent: Monday, November 08, 2010 7:42 AM
To: Nimgaonkar, Satyajeet; Xen Devel
Subject: RE: [Xen-devel] VCPU Structure
I’m not asking you to describe the Xen
functionality. I am asking you to describe in more detail the
modification to the processor functionality/behavior that you are trying to
achieve. I don’t know what a “simple memory integrity
block” does and searching for it doesn’t find anything helpful.
Nearly all instructions in the VCPU are executed directly in hardware (by the
physical CPU == PCPU). The only way to change the VCPU behavior is to
cause some kind of trap or fault or exception to occur on the PCPU, which gets
intercepted by the processor and then control is turned over to privileged
software (in this case Xen). Xen has a lot of code that handles many many
different kinds of traps/faults/exceptions. Your VCPU will need to
execute an instruction that causes a trap or fault or exception and then you
will need to add code to Xen to recognize your special one and do something
special with it.
Does that help?
Dan
From: Nimgaonkar, Satyajeet [mailto:SatyajeetNimgaonkar@xxxxxxxxxx]
Sent: Sunday, November 07, 2010 10:14 PM
To: Dan Magenheimer; Xen Devel
Subject: RE: [Xen-devel] VCPU Structure
Hi,
I am sorry if I have not provided provided enough information
about the functionality that I want to implement. But my problem is that even I
new to Xen and trying to understand my way around it. With regards to the
functionality that I want to implement, I wish to modify the behavior of the
VCPU in xen. As a starting point, I just want to add simple memory integrity
block within the VCPU. I am really not sure what would be the best way to do
this so I need some suggestions on that too.
Thanks. I hope that helps too.
Regards,
Satyajeet
From: Dan
Magenheimer [dan.magenheimer@xxxxxxxxxx]
Sent: Thursday, November 04, 2010 7:25 PM
To: Nimgaonkar, Satyajeet; Xen Devel
Subject: RE: [Xen-devel] VCPU Structure
I think nobody is responding because you haven’t provided
enough information about what it is you are trying to do... and resending the
same message doesn’t help.
For example, if you are “extending” the instruction set (e.g. using
an illegal opcode to do something useful), that would be very different than
trapping memory accesses that meet a certain criteria.
From: Nimgaonkar, Satyajeet [mailto:SatyajeetNimgaonkar@xxxxxxxxxx]
Sent: Thursday, November 04, 2010 2:52 PM
To: Xen Devel; Dan Magenheimer
Subject: [Xen-devel] VCPU Structure
Hi,
I want to modify the VCPU structure to implement memory integrity
functionality (i.e. memory hash function), such that the VCPU functionality
incorporates memory integrity. Also once this is done, I want make sure that
the VMs i create (Dom0 and Domu) run on this modified VCPU itself.
Can anyone please tell me where should I look for to
implement this.
Thank you very much.
Regards,
Satyajeet
|
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|