Dear friends, great thanks! To summarize: we are trying to monitor VCPU IDT changes that are done by external parties (e.g. rootkits) and not by intra-KVM machinery. Are there parameters that witness such changes?
Best Regards,
The KVM Israeli team

On Thu 13 Mar 17:15 2014 Paolo Bonzini wrote:
> On 13/03/2014 13:59, Alexander Binun wrote:
> > Dear Friends,
> >
> > Thanks for your assistance!
> >
> > We would like to ask you a question about the KVM internals.
> >
> > Our module includes a timer which (once in every second) fetches the IDT
> > value of every online VCPU in the system using the kvm_x86_ops->get_idt;
> > the code looks like:
> >
> > struct kvm_vcpu *curr_vcpu;
> > struct desc_ptr dt;
> >
> > list_for_each_entry(kvm, vms_list, vm_list)
> > {
> >     for (i = 0; i < kvm->online_vcpus.counter; i++)
> >     {
> >         curr_vcpu = kvm->vcpus[i];
> >         kvm_x86_ops->get_idt(curr_vcpu, &dt);
> >     }
> > }
> >
> > We have noticed that get_idt returns DIFFERENT values for the same
> > VCPU (i.e. for the same value of i that refers to a given VCPU). We
> > cannot understand this issue; could you explain?
> >
> > It is very strange since nobody changes the IDT value (as, for example,
> > rootkits do).
>
> At the very least, running nested virtualization would lead to different
> IDT values.
>
> But more simply, on Intel you can hardly do anything with kvm_x86_ops or
> kvm_vcpu except on the same physical CPU that is in vcpu->cpu. The
> state is not in memory, it is cached inside the physical CPU.
>
> There is no easy solution to this without modifying KVM. You can add a
> request bit to KVM's vcpu->requests field, kick the vcpu and do the
> check in vcpu_enter_guest.
>
> Paolo
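
The request-bit pattern suggested in the quoted reply, as an added user-space model that is not part of the original thread and is not KVM source: the monitor only posts a request, and the IDTR is read and compared on the vCPU's own entry path. All `*_model` names, `REQ_IDT_CHECK` and the sample addresses are hypothetical or constructed.

```c
/* User-space model, constructed for illustration; not KVM source. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REQ_IDT_CHECK 0 /* hypothetical request bit number */

struct idtr_model { uint16_t size; uint64_t address; };

struct vcpu_model {
    atomic_ulong requests;      /* models vcpu->requests */
    struct idtr_model hw;       /* state held "inside the CPU" */
    struct idtr_model baseline; /* last value the check recorded */
    bool have_baseline;
};

/* Monitor side (the one-second timer): post a request, never read state.
 * In the kernel the vCPU would be kicked right after this. */
static void monitor_request_idt_check(struct vcpu_model *v)
{
    atomic_fetch_or(&v->requests, 1UL << REQ_IDT_CHECK);
}

/* vCPU side: models the request handling in vcpu_enter_guest, which runs
 * on the CPU that owns the state. Returns true if the IDTR differs from
 * the baseline; the first served request only records the baseline. */
static bool vcpu_enter_guest_model(struct vcpu_model *v)
{
    unsigned long mask = 1UL << REQ_IDT_CHECK;
    bool changed;

    /* Test-and-clear so each request is served exactly once. */
    if (!(atomic_fetch_and(&v->requests, ~mask) & mask))
        return false;
    changed = v->have_baseline && (v->hw.address != v->baseline.address ||
                                   v->hw.size != v->baseline.size);
    v->baseline = v->hw;
    v->have_baseline = true;
    return changed;
}

int main(void)
{
    static struct vcpu_model v = { .hw = { 0xfff, 0xffffffffff578000ULL } };
    monitor_request_idt_check(&v);
    vcpu_enter_guest_model(&v);            /* first request: baseline */
    v.hw.address = 0xffffffffa0001000ULL;  /* constructed: IDT relocated */
    monitor_request_idt_check(&v);
    printf("changed=%d\n", vcpu_enter_guest_model(&v));
    return 0;
}
```

The model reports any difference from the baseline; it does not separate changes made by KVM itself (such as the nested-virtualization case mentioned in the reply) from changes made inside the guest.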