Hi Paolo,

On Fri, 2018-11-30 at 11:07 +0100, Paolo Bonzini wrote:
> On 30/11/18 08:52, Zhang Yi wrote:
> > Here is a patch-series which adds EPT-Based Sub-page Write Protection
> > Support.
> > 
> > Introduction:
> > 
> > EPT-Based Sub-page Write Protection, referred to as SPP, is a capability
> > which allows Virtual Machine Monitors (VMM) to specify write-permission
> > for guest physical memory at a sub-page (128 byte) granularity. When this
> > capability is utilized, the CPU enforces write-access permissions for
> > sub-page regions of 4K pages as specified by the VMM. EPT-based sub-page
> > permissions are intended to enable fine-grained memory write enforcement
> > by a VMM for security (guest OS monitoring) and usages such as device
> > virtualization and memory check-point.
> > 
> > SPPT is active when the "sub-page write protection" VM-execution control
> > is 1. SPPT looks up the guest physical addresses to derive a 64 bit
> > "sub-page permission" value containing sub-page write permissions. The
> > lookup from guest-physical addresses to the sub-page region permissions
> > is determined by a set of SPPT paging structures.
> > 
> > When the "sub-page write protection" VM-execution control is 1, the SPPT
> > is used to look up write permission bits for the 128 byte sub-page
> > regions contained in the 4KB guest physical page. EPT specifies the 4KB
> > page level privileges that software is allowed when accessing the guest
> > physical address, whereas SPPT defines the write permissions for software
> > at the 128 byte granularity regions within a 4KB page. Write accesses
> > prevented due to sub-page permissions looked up via SPPT are reported as
> > EPT violation VM exits. Similar to EPT, a logical processor uses SPPT to
> > look up sub-page region write permissions for guest-physical addresses
> > only when those addresses are used to access memory.
> 
> Hi,
> 
> I think the right thing to do here would be to first get VM
> introspection in KVM, as SPP is mostly an introspection feature and it
> should be controlled by the introspector rather than the KVM userspace.
> 
> Mihai, if you resubmit, I promise that I will look at it promptly.

I'm currently traveling until Wednesday, but when I'll get into the
office I will see about preparing a new patch set and send it to the
list before Christmas.

Regards,

-- 
Mihai Donțu
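The quoted cover letter describes the SPP lookup in prose: a 4 KiB guest page is split into 32 regions of 128 bytes, and the SPPT yields one 64-bit "sub-page permission" value per page that refines the page-level EPT write permission. The following C model is an added example for this thread, not code from the patch series or from KVM. It assumes (following the Intel SPP specification, which the cover letter does not quote) that bit 2*i of the 64-bit value carries the write permission for region i, and it models the page-level EPT verdict as a plain boolean supplied by the caller. The `spp_*` names, `struct spp_entry` and the sample table are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 4 KiB pages, 128-byte sub-page regions: 4096 / 128 = 32 regions per page. */
#define SPP_PAGE_SHIFT     12
#define SPP_SUBPAGE_SHIFT  7
#define SPP_SUBPAGES       (1u << (SPP_PAGE_SHIFT - SPP_SUBPAGE_SHIFT))

/* Hypothetical SPPT leaf: one 64-bit permission value per guest frame. */
struct spp_entry {
    uint64_t gfn;       /* guest frame number of the 4 KiB page */
    uint64_t spp_perm;  /* 64-bit sub-page permission value for that page */
};

enum spp_verdict { SPP_ALLOW = 0, SPP_EPT_VIOLATION = 1 };

/* Which of the 32 regions a guest-physical address falls into. */
static unsigned int spp_subpage_index(uint64_t gpa)
{
    return (unsigned int)((gpa & ((1u << SPP_PAGE_SHIFT) - 1)) >> SPP_SUBPAGE_SHIFT);
}

/* Assumption: write permission for region i lives in bit 2*i (odd bits unused). */
static bool spp_subpage_writable(uint64_t spp_perm, unsigned int idx)
{
    return (spp_perm >> (2 * idx)) & 1;
}

/* Build a permission value that allows writes everywhere except the listed regions. */
static uint64_t spp_perm_protect(const unsigned int *protected_idx, size_t n)
{
    uint64_t perm = 0;
    for (unsigned int i = 0; i < SPP_SUBPAGES; i++)
        perm |= (uint64_t)1 << (2 * i);
    for (size_t k = 0; k < n; k++)
        if (protected_idx[k] < SPP_SUBPAGES)
            perm &= ~((uint64_t)1 << (2 * protected_idx[k]));
    return perm;
}

/* Model of the write check: EPT decides at page level first; if the page has an
 * SPPT entry, the sub-page bit decides; a denied write surfaces as an EPT
 * violation VM exit, as the cover letter describes. */
static enum spp_verdict spp_check_write(const struct spp_entry *table, size_t n,
                                        bool ept_page_writable, uint64_t gpa)
{
    if (!ept_page_writable)
        return SPP_EPT_VIOLATION;
    uint64_t gfn = gpa >> SPP_PAGE_SHIFT;
    for (size_t i = 0; i < n; i++) {
        if (table[i].gfn != gfn)
            continue;
        return spp_subpage_writable(table[i].spp_perm, spp_subpage_index(gpa))
               ? SPP_ALLOW : SPP_EPT_VIOLATION;
    }
    return SPP_ALLOW;  /* no SPPT entry: page-level EPT permission stands */
}

/* Constructed sample: guest frame 0x1234 with regions 0 and 31 write-protected,
 * e.g. two guest kernel structures an introspector wants to watch. */
static const unsigned int sample_protected[] = { 0, 31 };

static enum spp_verdict sample_write(uint64_t offset_in_page)
{
    struct spp_entry table[1] = {
        { .gfn = 0x1234, .spp_perm = spp_perm_protect(sample_protected, 2) }
    };
    uint64_t gpa = ((uint64_t)0x1234 << SPP_PAGE_SHIFT) | (offset_in_page & 0xfff);
    return spp_check_write(table, 1, true, gpa);
}

int main(void)
{
    uint64_t offsets[] = { 0x000, 0x07f, 0x080, 0xf7f, 0xf80 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("write at page offset 0x%03llx (region %2u): %s\n",
               (unsigned long long)offsets[i], spp_subpage_index(offsets[i]),
               sample_write(offsets[i]) == SPP_ALLOW ? "allowed" : "EPT violation");
    return 0;
}
```

Run stand-alone, the sample shows the 128-byte boundary behaviour: offsets 0x000 and 0x07f fall in region 0 and fault, 0x080 is region 1 and is allowed, 0xf7f (region 30) is allowed and 0xf80 (region 31) faults. Everything outside the SPPT-covered frame is governed by the page-level EPT permission alone.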
