On Tue, Nov 26, 2024 at 11:52 PM David Hildenbrand <da...@redhat.com> wrote:
> On 26.11.24 16:31, Wei Chen wrote:
> > > How can you be sure (IOW trigger) that the system will store
> > > "important data" like EPTs?
> >
> > We cannot, but we have designed the attack (see below) to improve the
> > possibility.
> >
> > > So is one magic bit really that for your experiments, one needs a
> > > viommu?
> >
> > Admittedly the way we accomplish a VM escape is a bit arcane.
>
> That's what I imagined :)
>
> >
> > We require device passthrough because it pins the VM's memory down and
> > converts them to MIGRATE_UNMOVABLE.
>
> Interesting, that's news to me. Can you share where GUP in the kernel
> would do that?
>

In /drivers/vfio/vfio_iommu_type1.c, there is a function called
vfio_iommu_type1_pin_pages where the VM's memory is pinned down.

> > Hotplugged memory will also be
> > converted to MIGRATE_UNMOVABLE.
>
> But that's in the VM? Because we don't hotplug memory in the hypervisor.
>

Yes, the virtio-mem driver in the VM is modified to actively release
memory vulnerable to Rowhammer.

For more details, would you be interested in reading our paper? It was
recently submitted to ASPLOS for publication and we are happy to share it
with you.

Regards,
Zhi Zhang
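The exchange above turns on whether VFIO pinning (vfio_iommu_type1_pin_pages) leaves the guest's memory in MIGRATE_UNMOVABLE pageblocks on the host, which David says is news to him. One way to check that on a host rather than argue about it, added here as an example that is not code from either participant: snapshot the "Number of blocks type" table of /proc/pagetypeinfo before and after assigning the device to the VM and diff the Unmovable column per zone. The two snapshots embedded below are constructed sample text; the column layout of /proc/pagetypeinfo and the 512-pages-per-block value are assumptions to verify against your own kernel (reading the file needs root on recent kernels).

```python
"""Diff migratetype pageblock counts from /proc/pagetypeinfo snapshots.

Added example for the vfio / MIGRATE_UNMOVABLE discussion above; not code
from the thread or from the kernel. The layout of /proc/pagetypeinfo
assumed here (a per-order free-page table followed by a 'Number of blocks
type' table) matches typical x86-64 kernels but is an assumption.
"""
import re
from typing import Dict, Tuple

Key = Tuple[str, str]  # (node, zone)

PAGES_PER_BLOCK = re.compile(r"^Pages per block:\s+(\d+)")
BLOCK_TYPE_HEADER = re.compile(r"^Number of blocks type\s+(.*)$")
NODE_ROW = re.compile(r"^Node\s+(\d+),\s+zone\s+(\S+)\s+(.*)$")


def pages_per_block(text: str, default: int = 512) -> int:
    """Pages in one pageblock, as reported by the file (assumed 512 if absent)."""
    for line in text.splitlines():
        m = PAGES_PER_BLOCK.match(line)
        if m:
            return int(m.group(1))
    return default


def parse_block_types(text: str) -> Dict[Key, Dict[str, int]]:
    """Return {(node, zone): {migratetype: pageblock count}}.

    Only rows after the 'Number of blocks type' header are used; the
    per-order free-page table that precedes it is skipped.
    """
    result: Dict[Key, Dict[str, int]] = {}
    types = None
    for line in text.splitlines():
        m = BLOCK_TYPE_HEADER.match(line)
        if m:
            types = m.group(1).split()
            continue
        if line.startswith("Free pages count"):
            types = None  # back in the per-order table; ignore it
            continue
        if types is None:
            continue
        m = NODE_ROW.match(line)
        if not m:
            continue
        node, zone, counts = m.group(1), m.group(2), m.group(3).split()
        result[(node, zone)] = dict(zip(types, (int(c) for c in counts)))
    return result


def unmovable_delta(before: Dict[Key, Dict[str, int]],
                    after: Dict[Key, Dict[str, int]],
                    ppb: int) -> Dict[Key, Tuple[int, int]]:
    """Per zone: (pageblocks that became Unmovable, same expressed in pages)."""
    out: Dict[Key, Tuple[int, int]] = {}
    for key, a in after.items():
        b = before.get(key, {})
        blocks = a.get("Unmovable", 0) - b.get("Unmovable", 0)
        out[key] = (blocks, blocks * ppb)
    return out


def snapshot(path: str = "/proc/pagetypeinfo") -> str:
    """Read a live snapshot; call once before and once after VFIO assignment."""
    with open(path) as f:
        return f.read()


# Constructed sample snapshots (not captured from a real machine). The
# 'after' snapshot moves 1024 pageblocks of zone Normal (2 GiB with 2 MiB
# blocks) from Movable to Unmovable, as pinning would.
BEFORE = """\
Page block order: 9
Pages per block:  512

Free pages count per migrate type at order       0      1      2      3
Node    0, zone      DMA, type    Unmovable      1      1      0      0
Node    0, zone      DMA, type      Movable      0      0      0      0
Node    0, zone   Normal, type    Unmovable    310    201     57     12

Number of blocks type     Unmovable      Movable  Reclaimable   HighAtomic      Isolate
Node 0, zone      DMA            1            7            0            0            0
Node 0, zone   Normal          210         3801           85            0            0
"""

AFTER = BEFORE.replace(
    "Node 0, zone   Normal          210         3801           85",
    "Node 0, zone   Normal         1234         2777           85",
)


def demo() -> Dict[Key, Tuple[int, int]]:
    """Run the comparison on the constructed snapshots."""
    ppb = pages_per_block(BEFORE)
    return unmovable_delta(parse_block_types(BEFORE), parse_block_types(AFTER), ppb)


if __name__ == "__main__":
    for (node, zone), (blocks, pages) in demo().items():
        print(f"node {node} zone {zone}: +{blocks} Unmovable pageblocks ({pages} pages)")
```

On a real host, replace the constructed strings with two calls to snapshot() taken before and after the vfio-pci device is handed to the guest; a jump in the Unmovable column of the zone that backs the guest, roughly the size of guest RAM, is the effect the thread is discussing, while an unchanged column means the pinned pages are being accounted differently on that kernel.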