On 2018-12-03 at 05:56:13 +0200, Mihai Donțu wrote:
> Hi Paolo,
>
> On Fri, 2018-11-30 at 11:07 +0100, Paolo Bonzini wrote:
> > On 30/11/18 08:52, Zhang Yi wrote:
> > > Here is a patch-series which adds EPT-Based Sub-page Write Protection
> > > Support.
> > >
> > > Introduction:
> > >
> > > EPT-Based Sub-page Write Protection, referred to as SPP, is a capability
> > > which allows Virtual Machine Monitors (VMMs) to specify write permission
> > > for guest physical memory at a sub-page (128 byte) granularity. When this
> > > capability is utilized, the CPU enforces write-access permissions for
> > > sub-page regions of 4K pages as specified by the VMM. EPT-based sub-page
> > > permissions are intended to enable fine-grained memory write enforcement
> > > by a VMM for security (guest OS monitoring) and usages such as device
> > > virtualization and memory check-point.
> > >
> > > SPPT is active when the "sub-page write protection" VM-execution control
> > > is 1. SPPT looks up the guest physical addresses to derive a 64 bit
> > > "sub-page permission" value containing sub-page write permissions. The
> > > lookup from guest-physical addresses to the sub-page region permissions
> > > is determined by a set of SPPT paging structures.
> > >
> > > When the "sub-page write protection" VM-execution control is 1, the SPPT
> > > is used to look up write permission bits for the 128 byte sub-page
> > > regions contained in the 4KB guest physical page. EPT specifies the 4KB
> > > page level privileges that software is allowed when accessing the guest
> > > physical address, whereas SPPT defines the write permissions for software
> > > at the 128 byte granularity regions within a 4KB page. Write accesses
> > > prevented due to sub-page permissions looked up via SPPT are reported as
> > > EPT violation VM exits. Similar to EPT, a logical processor uses SPPT to
> > > look up sub-page region write permissions for guest-physical addresses
> > > only when those addresses are used to access memory.
> >
> > Hi,
> >
> > I think the right thing to do here would be to first get VM
> > introspection in KVM, as SPP is mostly an introspection feature and it
> > should be controlled by the introspector rather than the KVM userspace.
> >
> > Mihai, if you resubmit, I promise that I will look at it promptly.

Thanks for the review, Paolo. What do you think if we cook some use-cases
for qemu or some kvmtools, even with some other kernel hyper-calls?
SPP is not only an introspection-dependent feature.

> I'm currently traveling until Wednesday, but when I get into the
> office I will see about preparing a new patch set and send it to the
> list before Christmas.

Thanks Mihai, please include me in the new VMI patch set.

> Regards,
>
> --
> Mihai Donțu
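To make the two-level check described in the quoted cover letter concrete, the following is an added model in C; it is not code from the patch series, from KVM, or from anyone in this thread. It shows how a VMM-side helper would derive the 128-byte region index from a guest-physical address, build the 64-bit sub-page permission value for a page, write-protect a byte range at region granularity, and decide whether a guest access is allowed or reported as an EPT violation (EPT page-level permissions first, then SPPT for writes only, and only while the "sub-page write protection" control is 1). The geometry (4 KiB page, 128-byte regions, a 64-bit permission word) comes from the cover letter; the bit placement (bit 2*i for region i), the `struct spp_page` model, the EPT permission bit names and the sample page are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Geometry stated in the cover letter: 4 KiB pages, 128-byte sub-page regions. */
#define SPP_PAGE_SIZE    4096u
#define SPP_SUBPAGE_SIZE 128u
#define SPP_SUBPAGES     (SPP_PAGE_SIZE / SPP_SUBPAGE_SIZE) /* 32 regions per page */

/* EPT page-level permission bits. Names and values are assumed for this model. */
enum ept_perm { EPT_R = 1u << 0, EPT_W = 1u << 1, EPT_X = 1u << 2 };

/* One 4K guest page as the VMM tracks it: EPT page permissions plus the
 * 64-bit SPPT sub-page permission value. Modelling assumption: bit (2*i)
 * of spp_perm is the write permission for 128-byte region i; odd bits stay 0. */
struct spp_page {
    uint32_t ept_perm;
    uint64_t spp_perm;
    bool     spp_enabled; /* the "sub-page write protection" VM-execution control */
};

enum access_type   { ACC_READ, ACC_WRITE, ACC_EXEC };
enum access_result { ACC_OK, ACC_EPT_VIOLATION };

/* Index of the 128-byte region within the 4K page that contains gpa. */
static unsigned spp_region_of(uint64_t gpa)
{
    return (unsigned)((gpa & (SPP_PAGE_SIZE - 1)) / SPP_SUBPAGE_SIZE);
}

/* Build the 64-bit permission value from a 32-bit mask of writable regions. */
static uint64_t spp_perm_from_mask(uint32_t writable_regions)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < SPP_SUBPAGES; i++)
        if (writable_regions & (1u << i))
            v |= 1ull << (2 * i);
    return v;
}

/* Clear write permission for every region touched by page offsets [start, end).
 * A partially covered region becomes read-only too: 128 bytes is the granularity. */
static uint64_t spp_protect_range(uint64_t spp_perm, unsigned start, unsigned end)
{
    unsigned first = start / SPP_SUBPAGE_SIZE;
    unsigned last  = (end - 1) / SPP_SUBPAGE_SIZE;
    for (unsigned i = first; i <= last && i < SPP_SUBPAGES; i++)
        spp_perm &= ~(1ull << (2 * i));
    return spp_perm;
}

/* Decide one guest access the way the cover letter describes: EPT page-level
 * permissions gate every access; SPPT only refines writes, and only when enabled.
 * A write denied by SPPT surfaces as an EPT violation VM exit. */
static enum access_result spp_check_access(const struct spp_page *pg, uint64_t gpa,
                                           enum access_type acc)
{
    uint32_t need = acc == ACC_READ ? EPT_R : acc == ACC_WRITE ? EPT_W : EPT_X;
    if (!(pg->ept_perm & need))
        return ACC_EPT_VIOLATION;
    if (acc != ACC_WRITE || !pg->spp_enabled)
        return ACC_OK;
    unsigned region = spp_region_of(gpa);
    return ((pg->spp_perm >> (2 * region)) & 1ull) ? ACC_OK : ACC_EPT_VIOLATION;
}

/* Constructed sample: one RWX page at GPA 0x1000 whose region 2 (offsets
 * 0x100..0x17F) is write-protected, standing in for a guest structure a VMM
 * wants to monitor (hypothetical). Returns the verdict for an access at gpa_offset. */
static enum access_result sample_check(unsigned gpa_offset, enum access_type acc, bool spp_on)
{
    struct spp_page pg = {
        .ept_perm    = EPT_R | EPT_W | EPT_X,
        .spp_perm    = spp_protect_range(spp_perm_from_mask(0xffffffffu), 0x100, 0x180),
        .spp_enabled = spp_on,
    };
    return spp_check_access(&pg, 0x1000u + gpa_offset, acc);
}

int main(void)
{
    static const struct { unsigned off; enum access_type acc; const char *what; } probes[] = {
        { 0x080, ACC_WRITE, "write, region 1 (writable)" },
        { 0x110, ACC_WRITE, "write, region 2 (protected)" },
        { 0x110, ACC_READ,  "read, region 2" },
    };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        enum access_result r = sample_check(probes[i].off, probes[i].acc, true);
        printf("%-28s -> %s\n", probes[i].what,
               r == ACC_OK ? "allowed" : "EPT violation VM exit");
    }
    return 0;
}
```

The point the model makes visible is the one Paolo's reply turns on: the permission word is per page and per 128-byte region, so whoever fills it in (KVM userspace or an introspector) is choosing which guest structures trigger a VM exit on write, and a protected range that does not start or end on a 128-byte boundary drags the neighbouring bytes into the protected region.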