[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v5] x86/emulate: Send vm_event from emulate

To: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>, Alexandru Stefan ISAILA <aisaila@xxxxxxxxxxxxxxx>
From: Jan Beulich <JBeulich@xxxxxxxx>
Date: Mon, 1 Jul 2019 15:32:37 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is ) smtp.mailfrom=JBeulich@xxxxxxxx;
Cc: "kevin.tian@xxxxxxxxx" <kevin.tian@xxxxxxxxx>, "tamas@xxxxxxxxxxxxx" <tamas@xxxxxxxxxxxxx>, "jun.nakajima@xxxxxxxxx" <jun.nakajima@xxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Paul Durrant <Paul.Durrant@xxxxxxxxxx>, "suravee.suthikulpanit@xxxxxxx" <suravee.suthikulpanit@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, "brian.woods@xxxxxxx" <brian.woods@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>
Delivery-date: Mon, 01 Jul 2019 15:39:10 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Thread-index: AQHVMA7WPzdd4ckrE0m6/AH0OcBhs6a11zaAgAAH7sGAAAUTAA==
Thread-topic: [PATCH v5] x86/emulate: Send vm_event from emulate

On 01.07.2019 17:13, Razvan Cojocaru wrote:
> On 7/1/19 5:45 PM, Alexandru Stefan ISAILA wrote:
>>
>>
>> On 01.07.2019 16:13, Jan Beulich wrote:
>>>>>> On 04.06.19 at 13:49, <aisaila@xxxxxxxxxxxxxxx> wrote:
>>>> This patch aims to have mem access vm events sent from the emulator.
>>>> This is useful where we want to only emulate a page walk without
>>>> checking the EPT, but we still want to check the EPT when emulating
>>>> the instruction that caused the page walk. In this case, the original
>>>> EPT fault is caused by the walk trying to set the accessed or dirty
>>>> bits, but executing the instruction itself might also cause an EPT
>>>> fault if permitted to run, and this second fault should not be lost.
>>>
>>> I'm afraid I still can't translate this into what exactly is wanted and
>>> why. While typically we don't use examples to demonstrate that is
>>> wanted in commit messages, I think this is a rather good candidate
>>> for actually using such an approach. This may then ...
>>>
>>>> We use hvmemul_map_linear_addr() to intercept r/w access and
>>>> __hvm_copy() to intercept exec access.
>>>>
>>>> First we try to send a vm event and if the event is sent then emulation
>>>> returns X86EMUL_RETRY in order to stop emulation on instructions that
>>>> use access protected pages. If the event is not sent then the
>>>> emulation goes on as expected.
>>>
>>> ... also help understanding this part, which I continue to be confused
>>> by, too.
> 
> Simply put, the introspection agent wants to treat all A/D bit writes as 
> benign. Receiving vm_events about them is a big pessimization, and we want to 
> optimize.
> 
> We'd like to filter these events out.
> 
> To this end, we're currently (in the present incarnation of the Xen code) 
> fully emulating the instruction at RIP when the hardware sees an EPT fault 
> with npfec.kind != npfec_kind_with_gla. This is, however, incorrect, because 
> the instruction at RIP might legitimately cause an EPT fault of its own 
> (while accessing a _different_ page from the original one, where A/D were 
> set).
> 
> We've tried to solve this by actually writing the A/D bits and returning from 
> p2m_mem_access_check(), however that has led to a slightly philosophical 
> discussion about the proper way to achieve our goals while taking into 
> account speculative setting of these bits. The issues raised have not been 
> satisfactorily answered in an authoritative manner to this day.
> 
> So the only option we seem to have left at this point is to perform the whole 
> emulation, _while_ ignoring EPT restrictions for the walk part, and taking 
> them into account for the "actual" emulating of the instruction @ RIP.
> 
> If we're sending out a vm_event, then we don't want the emulation to complete 
> - since in that case we won't be able to veto whatever is doing. That would 
> mean that we can't actually prevent any malicious activity that happens here, 
> instead we'd only be able to report on it.
> 
> So when we see a "send-vm_event" case while emulating, we need to do two 
> things:
> 
> 1. send the event out;
> 2. _don't_ complete the emulation (return X86EMUL_RETRY).
> 
> When 2. happens, we'll hit hvm_vm_event_do_resume() again _after_ the 
> introspection agent treats the event and resumes the guest. There, the 
> instruction at RIP will be fully emulated (with the EPT ignored) if the 
> introspection application allows it, and the guest will continue to run past 
> the instruction.
> 
> That's our plan, anyway. Hopefully we're not going in a wrong direction about 
> it (all help is very much appreciated).
> 
> I hope this has made thing clearer.

I think so, yes, and I'm getting the impression that in reply to an
earlier version you've already once explained this. The thing is -
the explanation needs to come _with_ the patch, not _after_ it.

Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- Re: [Xen-devel] [PATCH v5] x86/emulate: Send vm_event from emulate
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v5] x86/emulate: Send vm_event from emulate
  - From: Alexandru Stefan ISAILA
- Re: [Xen-devel] [PATCH v5] x86/emulate: Send vm_event from emulate
  - From: Razvan Cojocaru

Prev by Date: Re: [Xen-devel] [PATCH v2 01/10] AMD/IOMMU: restrict feature logging
Next by Date: Re: [Xen-devel] [PATCH 13/60] xen/sched: move some per-vcpu items to struct sched_unit
Previous by thread: Re: [Xen-devel] [PATCH v5] x86/emulate: Send vm_event from emulate
Next by thread: Re: [Xen-devel] [PATCH v1] x86/mm: Clean IOMMU flags from p2m-pt code
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.