[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Blocking CR and MSR writes via mem_access?

On 10/03/14 19:22, Tamas K Lengyel wrote:
> On Fri, Oct 3, 2014 at 2:37 PM, Andrew Cooper <andrew.cooper3@xxxxxxxxxx
> <mailto:andrew.cooper3@xxxxxxxxxx>> wrote:
>     On 03/10/14 13:32, Tamas K Lengyel wrote:
>>     On Thu, Oct 2, 2014 at 12:49 PM, Razvan Cojocaru
>>     <rcojocaru@xxxxxxxxxxxxxxx <mailto:rcojocaru@xxxxxxxxxxxxxxx>> wrote:
>>         Hello,
>>         Currently hvm_memory_event_cr3() and the other
>>         hvm_memory_event_*()
>>         functions in hvm.c can pause the VCPU and send a mem_event
>>         with the new
>>         value of the respective register, but especially in the case of CR
>>         events (as opposed to MSR events), this is done _after_ the
>>         value is set
>>         (please see hvm_set_cr3() in hvm.c).
>>         It would be interesting from a memory introspection
>>         application's point
>>         of view to be able to receive a mem_event _before_ the value
>>         is set, and
>>         important to be able to veto the change.
>>         A few questions:
>>         1. Would it be acceptable to move the CR3 event sending code
>>         so that a
>>         mem_access client would receive the event _before_ the write takes
>>         place? Is this likely to break other mem_event clients that
>>         might rely
>>         on the event being received _after_ the value has been set?
>>     Yes, it would break existing applications.
>>         2. I see that mem_event responses from all these cases (EPT
>>         violations,
>>         CR, MSR) are handled in p2m.c's p2m_mem_access_resume() (seems
>>         to be
>>         confirmed by testing). Is this correct?
>>         3. What would be the sanest, most elegant way to modify Xen so
>>         that
>>         after a mem_event reply is being received for one of these
>>         cases (CR,
>>         MSR), the write will then be rejected? I'm asking because, as
>>         always,
>>         ideally this would also benefit other Xen users and an elegant
>>         patch is
>>         always more likely to find its way into mainline than a quick
>>         hack.
>>     You can already block such writes with the existing post-write
>>     event delivery. If you are continuously watching for writes, you
>>     know what the previous value was (for CR events it is actually
>>     delivered to you by Xen as well as per my recent patch). If you
>>     don't like a particular new value that was set, just reset it to
>>     the value you had / want.
>>     Tamas
>     That doesn't work if you join an event listener between the previous
>     MSR write and one you wish to veto.
> Yes, that's correct. That's why I said it works if you continuously
> monitor for writes. I think that's a reasonable assumption. We could
> also make the MSR write events deliver the previous value as well
> similar to how the CR events do it. Anyway, AFAIU the hardware traps
> always happen before the write so technically both approaches are
> pre-write from the guest's perspective.

It is a reasonable assumption in our case too, so at least for now
Tamas' suggestion should work for CR post-write events.

It would indeed be better if the previous value would be sent for MSR
events, the difference being that the MSR event is being sent in
hvm_msr_write_intercept() where the old value is not immediately
available (this is why I've implemented this event as not honouring
HVMPME_onchangeonly when I've initially submitted the patch a few years

Razvan Cojocaru

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.