
Re: [Xen-devel] Tracking guest code execution with EPT violations


At 14:09 +0000 on 23 Jan (1422018568), Kevin.Mayer@xxxxxxxx wrote:
> My idea was that when a guest wants to access a new page (let's say
> a guest wants to start a new process and therefore needs to copy the
> code into the memory) then an EPT-violation should be raised because
> the corresponding EPTE for this new page isn't there since the page
> was now accessed for the first time.  This does not happen though.

OK, I think there's some confusion about what a 'new' page means here.
From Xen's point of view (leaving aside PoD, paging, ballooning, &c
for now) the guest is given a fixed pool of memory when it boots,
which looks just like the RAM in a real PC.

The guest then allocates that memory internally: typically it will put
pages in a free pool and then assign them to new processes.  But Xen
doesn't see that assignment - it happens entirely inside the guest.
Xen only cares about when the memory is accessed.  Typically the first
access to the page will be at OS boot time, when the guest OS zeros
out all its memory.

> Then I wanted to see if I could get only the EPT_VIOLATIONS of let's say
> Firefox (or any new process). So I let my guest-OS boot up, changed the
> default_access to read+write with the help of
> xc_hvm_set_mem_access(xch, domid, HVMMEM_access_rw,~0ull, 0);
> as shown in xen-access.c (I didn't want to get any EPT_VIOLATIONS
> for pages that are already present, i.e. the OS so I didn't set the
> existing pages to access_rw) and then started Firefox in the guest.

That sets the default for new mappings, but doesn't change any
existing mappings.  You need to explicitly set the permissions for the
particular pages you're interested in. 

> I suspect that the default_access gets used to initialize the domain
> and then some initialized value gets used instead of the
> p2m->default_access.

Yes.  Any existing mappings will have been established with whatever
the default was at the time.

> Another possibility is that my idea of how the
> memory is accessed is flawed or that all pages the OS uses for
> Firefox are already initialized.

Also yes: the OS will have touched them when it scrubbed memory on boot.
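
Added example, not part of the original message and not Xen source: a toy C model of a p2m table in which new entries copy the default access at creation time, replaying the scenario in this thread. The struct, the function names and the 8-gfn layout are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model, constructed for illustration; none of this is Xen source. */
enum access { ACC_RWX, ACC_RW };   /* stand-ins for rwx and HVMMEM_access_rw */
#define NR_GFNS    8
#define NOT_MAPPED 0xff
struct p2m {
    enum access default_access;    /* consulted only when an entry is created */
    uint8_t entry[NR_GFNS];        /* per-gfn access, or NOT_MAPPED */
};
static void p2m_init(struct p2m *p) {
    p->default_access = ACC_RWX;
    for (unsigned i = 0; i < NR_GFNS; i++) p->entry[i] = NOT_MAPPED;
}
/* A new mapping copies whatever the default is at that moment. */
static void p2m_populate(struct p2m *p, unsigned first, unsigned nr) {
    for (unsigned i = first; i < first + nr; i++)
        p->entry[i] = (uint8_t)p->default_access;
}
/* Models the quoted call: only the default changes, entries are untouched. */
static void p2m_set_default(struct p2m *p, enum access a) { p->default_access = a; }
/* Models an explicit per-page change: existing entries are rewritten. */
static void p2m_set_access(struct p2m *p, unsigned first, unsigned nr, enum access a) {
    for (unsigned i = first; i < first + nr; i++)
        if (p->entry[i] != NOT_MAPPED) p->entry[i] = (uint8_t)a;
}
/* Number of gfns in the range where an instruction fetch would fault. */
static unsigned exec_faults(const struct p2m *p, unsigned first, unsigned nr) {
    unsigned n = 0;
    for (unsigned i = first; i < first + nr; i++) n += (p->entry[i] != ACC_RWX);
    return n;
}
/* Replays the thread's scenario; out[] gets the fault count at each stage. */
static void scenario(unsigned out[3]) {
    struct p2m p;
    p2m_init(&p);
    p2m_populate(&p, 0, 6);            /* guest RAM mapped at boot with rwx */
    p2m_set_default(&p, ACC_RW);       /* default changed after boot */
    out[0] = exec_faults(&p, 2, 4);    /* existing pages reused by a new process */
    p2m_populate(&p, 6, 2);            /* mappings created after the change */
    out[1] = exec_faults(&p, 6, 2);
    p2m_set_access(&p, 2, 4, ACC_RW);  /* explicit set on the pages of interest */
    out[2] = exec_faults(&p, 2, 4);
}
int main(void) {
    unsigned out[3];
    scenario(out);
    printf("default only: %u, new mappings: %u, explicit: %u\n", out[0], out[1], out[2]);
    return 0;
}
```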


