Thanks for the rapid answer!

On Thu 06 Mar 12:22 2014 Stefan Hajnoczi wrote:
> On Wed, Mar 05, 2014 at 06:35:18PM +0200, Alexander Binun wrote:
> > Now we encountered yet one problem: Our security module (which is a LKM)
> > performs security check and, when suspecting malicious activity at a VCPU,
> > must suspend or even kill this VM. The problem is: how to suspend/kill a
> > VCPU ?
> >
> > We have taken the following approach:
> > 1. Accessing the VM list (struct list_head vms_list ) through the
> > kallsyms interface
> > 2. Iterating through VMs, reaching every VCPU (as a structure struct
> > kvm_vcpu *vcpu)
> > 3. Running security check on every such structure. That is, we were
> > seeking for a function like cpu_reset(struct kvm_vcpu *vcpu)
> >
> > The following "reset functions" were so far tried (taken from kvm_host.h)
> > 1. kvm_vcpu_uninit and kvm_x86_ops->vcpu_free. These cause the whole
> > system (both host and guest OSs) hang.
> > 2. kvm_vcpu_reset and kvm_arch_vcpu_free lead to the linker error
> > "Warning! Function undefined".
> >
> > Which "reset function" could you recommend ?
>
> The simplest thing to kill a VM is to send SIGTERM to the QEMU process
> (the process that contains the vcpu thread).

Then - more questions:

1. How can I access the QEMU process (relevant to a given VM) from within the kernel context (being in a kernel module)?
2. Should I uninitialize some internal structures for the VM being killed?
3. My module detects malicious activities at a VCPU. How can one get the VM owning this VCPU?

Thanks,
the team

> Stefan