You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm trying to understand how you set up page protection in the guest, so that you can exit on PFs. (E.g., you use this mechanism to track system calls.) I wanted to ask about the EPT view, that is passed to e.g., kvm_slot_page_track_add_page().
My naive thinking is that when you call kvm_slot_page_track_add_page(), you set protection in the EPT of the current guest, so that you later trap when the guest OS wants to access the gfn, so a gfn->pfn translation is needed.
However, I don't see why you need to distinguish between different EPT views? (I.e., isn't the "right" one being used now?) I must be missing something obvious...
EDIT: certainly it is possible to develop a mechanism which would use VMFUNCs for e.g., isolation. Then it may involve multiple EPTs per guest....
Thank you!
The text was updated successfully, but these errors were encountered:
You can just use kvmi_set_page_access after setting up kvmi_control_events with KVMI_EVENT_PF. Then, you should receive an event when EPT violations occur. Having multiple views is mostly useful when implementing code hiding or 'safe' code injection on multi-core guests [1]. However, it is not most likely not needed for your case.
Thank you @thomasdangl for the explanation. Great to see a confirmation that you use multiple views for "dedicated solutions" that offer isolation/hiding/*. It makes perfect sense. But I had been afraid I was missing something else.
I'll check out the phrack article. I've also come across a CCS paper using VNFUNC to hide keys or so. Cool stuff :)
I'm trying to understand how you set up page protection in the guest, so that you can exit on PFs. (E.g., you use this mechanism to track system calls.) I wanted to ask about the EPT view, that is passed to e.g., kvm_slot_page_track_add_page().
My naive thinking is that when you call kvm_slot_page_track_add_page(), you set protection in the EPT of the current guest, so that you later trap when the guest OS wants to access the gfn, so a gfn->pfn translation is needed.
However, I don't see why you need to distinguish between different EPT views? (I.e., isn't the "right" one being used now?) I must be missing something obvious...
EDIT: certainly it is possible to develop a mechanism which would use VMFUNCs for e.g., isolation. Then it may involve multiple EPTs per guest....
Thank you!
The text was updated successfully, but these errors were encountered: