Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Confused about EPT views #55

Open
asia-makai opened this issue Oct 25, 2022 · 2 comments
Open

Confused about EPT views #55

asia-makai opened this issue Oct 25, 2022 · 2 comments

Comments

@asia-makai
Copy link

asia-makai commented Oct 25, 2022

I'm trying to understand how you set up page protection in the guest, so that you can exit on PFs. (E.g., you use this mechanism to track system calls.) I wanted to ask about the EPT view, that is passed to e.g., kvm_slot_page_track_add_page().

My naive thinking is that when you call kvm_slot_page_track_add_page(), you set protection in the EPT of the current guest, so that you later trap when the guest OS wants to access the gfn, so a gfn->pfn translation is needed.

However, I don't see why you need to distinguish between different EPT views? (I.e., isn't the "right" one being used now?) I must be missing something obvious...

EDIT: certainly it is possible to develop a mechanism which would use VMFUNCs for e.g., isolation. Then it may involve multiple EPTs per guest....

Thank you!

@thomasdangl
Copy link

Hi!

You can just use kvmi_set_page_access after setting up kvmi_control_events with KVMI_EVENT_PF. Then, you should receive an event when EPT violations occur. Having multiple views is mostly useful when implementing code hiding or 'safe' code injection on multi-core guests [1]. However, it is not most likely not needed for your case.

Best,
Thomas

[1] http://phrack.org/issues/69/15.html

@asia-makai
Copy link
Author

asia-makai commented Oct 25, 2022

Thank you @thomasdangl for the explanation. Great to see a confirmation that you use multiple views for "dedicated solutions" that offer isolation/hiding/*. It makes perfect sense. But I had been afraid I was missing something else.

I'll check out the phrack article. I've also come across a CCS paper using VNFUNC to hide keys or so. Cool stuff :)

Best regards

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants