>> Some context: We are doing VM-based tracing in the FreeBSD kernel. For >> that, we observe parts of the kernel memory (allocations, accesses,...). >> Before 12.0 we simply knew that kernel addresses that we logged were >> unique. Moreover, when a memory access to a region of interest happened >> we knew that could only be kernel memory. >> We know have to ensure that we only record memory accesses that happen >> within the kernel. >> Our approach is to record the kernels value for the CR3 register, and >> record memory accesses if the CR3 registers holds the aforementioned value. > You must use CPL to see if the current operation mode is user or kernel. > If user, nothing should be done (this would avoid vm86). If kernel, you > need to compare current %cr3 with IdlePTD (IdlePTDP for PAE case). > Thanks for the advice! We'll include that in our toolchain. Do you use PLs other than 0(=kernel) and 3(=user)?
- Alex -- Technische Universität Dortmund Alexander Lochmann PGP key: 0xBC3EF6FD Otto-Hahn-Str. 16 phone: +49.231.7556141 D-44227 Dortmund fax: +49.231.7556116 http://ess.cs.tu-dortmund.de/Staff/al
signature.asc
Description: OpenPGP digital signature
