Re: [Xen-devel] [PATCH v13] x86/emulate: Send vm_event from emulate

On 9/23/19 3:05 PM, Alexandru Stefan ISAILA wrote:
> A/D bit writes (on page walks) can be considered benign by an introspection
> agent, so receiving vm_events for them is a pessimization. We try here to
> optimize by filtering these events out.
>
> Currently, we are fully emulating the instruction at RIP when the hardware
> sees an EPT fault with npfec.kind != npfec_kind_with_gla. This is, however,
> incorrect, because the instruction at RIP might legitimately cause an EPT
> fault of its own while accessing a _different_ page from the original one,
> where A/D were set.
>
> The solution is to perform the whole emulation, while ignoring EPT
> restrictions for the walk part, and taking them into account for the
> "actual" emulating of the instruction at RIP. When we send out a vm_event,
> we don't want the emulation to complete, since in that case we won't be
> able to veto whatever it is doing. That would mean that we can't actually
> prevent any malicious activity, instead we'd only be able to report on it.
>
> When we see a "send-vm_event" case while emulating, we need to first send
> the event out and then suspend the emulation (return X86EMUL_RETRY).
> After the emulation stops we'll call hvm_vm_event_do_resume() again after
> the introspection agent treats the event and resumes the guest. There, the
> instruction at RIP will be fully emulated (with the EPT ignored) if the
> introspection application allows it, and the guest will continue to run
> past the instruction.
>
> A common example is if the hardware exits because of an EPT fault caused
> by a page walk, p2m_mem_access_check() decides if it is going to send a
> vm_event. If the vm_event was sent and it would be treated so it runs the
> instruction at RIP, that instruction might also hit a protected page and
> provoke a vm_event.
>
> Now if npfec.kind == npfec_kind_in_gpt and
> d->arch.monitor.inguest_pagefault_disabled is true then we are in the page
> walk case and we can do this emulation optimization and emulate the page
> walk while ignoring the EPT, but don't ignore the EPT for the emulation of
> the actual instruction.
>
> In the first case we would have 2 EPT events, in the second case we would
> have 1 EPT event if the instruction at the RIP triggers an EPT event.
>
> We use hvmemul_map_linear_addr() to intercept write access and
> __hvm_copy() to intercept exec, read and write access.
>
> A new return type was added, HVMTRANS_need_retry, in order to have all
> the places that consume HVMTRANS* return X86EMUL_RETRY.
>
> hvm_emulate_send_vm_event() can return false if there was no violation,
> if there was an error from monitor_traps() or p2m_get_mem_access().
> -ESRCH from p2m_get_mem_access() is treated as restricted access.
>
> NOTE: hvm_emulate_send_vm_event() assumes the caller will enable/disable
> arch.vm_event->send_event
>
> Signed-off-by: Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>

FWIW,
Acked-by: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>