Re: [Qemu-devel] different IDTs of the same VCPU
Dear friends, great thanks!

To summarize: we are trying to monitor VCPU IDT changes that are done by external parties (e.g. rootkits) and not by intra-KVM machinery. Are there parameters that witness such changes?

Best Regards,
The KVM Israeli team

On Thu 13 Mar 17:15 2014 Paolo Bonzini wrote:
> On 13/03/2014 13:59, Alexander Binun wrote:
>> Dear Friends,
>>
>> Thanks for your assistance! We would like to ask you a question about the KVM internals.
>>
>> Our module includes a timer which (once every second) fetches the IDT value of every online VCPU in the system using kvm_x86_ops->get_idt; the code looks like:
>>
>>     struct kvm *kvm;
>>     struct kvm_vcpu *curr_vcpu;
>>     struct desc_ptr dt;
>>     int i;
>>
>>     list_for_each_entry(kvm, &vms_list, vm_list) {
>>         for (i = 0; i < atomic_read(&kvm->online_vcpus); i++) {
>>             curr_vcpu = kvm->vcpus[i];
>>             kvm_x86_ops->get_idt(curr_vcpu, &dt);   /* fills dt with this VCPU's IDTR */
>>         }
>>     }
>>
>> We have noticed that get_idt returns DIFFERENT values for the same VCPU (i.e. for the same value of i that refers to a given VCPU). We cannot understand this issue; could you explain? It is very strange since nobody changes the IDT value (as, for example, rootkits do).
>
> At the very least, running nested virtualization would lead to different IDT values.
>
> But more simply, on Intel you can hardly do anything with kvm_x86_ops or kvm_vcpu except on the same physical CPU that is in vcpu->cpu. The state is not in memory, it is cached inside the physical CPU.
>
> There is no easy solution to this without modifying KVM. You can add a request bit to KVM's vcpu->requests field, kick the vcpu and do the check in vcpu_enter_guest.
>
> Paolo
Re: [Qemu-devel] different IDTs of the same VCPU
On 17/03/2014 12:54, Alexander Binun wrote:
> Dear friends, great thanks!
>
> To summarize: we are trying to monitor VCPU IDT changes that are done by external parties (e.g. rootkits) and not by intra-KVM machinery. Are there parameters that witness such changes?

There is no way to intercept changes to the interrupt descriptor table. You can:

* look at the IDTR values on every vmexit, including before injecting an interrupt, but that won't protect from hijacking software interrupts such as int $0x80;

* protect the IDT from writing using KVM's page table mechanisms, but that won't catch the case when the IDT is changed to a whole new page.

Paolo
Re: [Qemu-devel] different IDTs of the same VCPU
On 13/03/2014 13:59, Alexander Binun wrote:
> Dear Friends,
>
> Thanks for your assistance! We would like to ask you a question about the KVM internals.
>
> Our module includes a timer which (once every second) fetches the IDT value of every online VCPU in the system using kvm_x86_ops->get_idt; the code looks like:
>
>     struct kvm *kvm;
>     struct kvm_vcpu *curr_vcpu;
>     struct desc_ptr dt;
>     int i;
>
>     list_for_each_entry(kvm, &vms_list, vm_list) {
>         for (i = 0; i < atomic_read(&kvm->online_vcpus); i++) {
>             curr_vcpu = kvm->vcpus[i];
>             kvm_x86_ops->get_idt(curr_vcpu, &dt);   /* fills dt with this VCPU's IDTR */
>         }
>     }
>
> We have noticed that get_idt returns DIFFERENT values for the same VCPU (i.e. for the same value of i that refers to a given VCPU). We cannot understand this issue; could you explain? It is very strange since nobody changes the IDT value (as, for example, rootkits do).

At the very least, running nested virtualization would lead to different IDT values.

But more simply, on Intel you can hardly do anything with kvm_x86_ops or kvm_vcpu except on the same physical CPU that is in vcpu->cpu. The state is not in memory, it is cached inside the physical CPU.

There is no easy solution to this without modifying KVM. You can add a request bit to KVM's vcpu->requests field, kick the vcpu and do the check in vcpu_enter_guest.

Paolo
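The pattern Paolo describes in this message (set a request bit on the vcpu, kick it, and do the check in vcpu_enter_guest) together with the per-vmexit IDTR comparison from his later reply, as an added user-space model. This is example code written for this page, not KVM's code and not anything posted in the thread: struct vcpu, REQ_CHECK_IDT, the scenario functions and the IDTR values are all constructed stand-ins. In real KVM the monitor would raise the request with kvm_make_request() and kvm_vcpu_kick(), and the comparison would run in the vCPU thread on the physical CPU that holds its state, which is exactly why the timer-based cross-CPU get_idt() read in the original question returns inconsistent values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the x86 IDTR register: 16-bit limit plus linear base. */
struct desc_ptr {
    uint16_t size;
    uint64_t address;
};

/* Hypothetical request bit for this model; KVM numbers its own KVM_REQ_* bits. */
#define REQ_CHECK_IDT 0

/* Minimal stand-in for struct kvm_vcpu; only what the check needs. */
struct vcpu {
    int id;
    unsigned long requests;   /* pending-request bitmask, like vcpu->requests */
    struct desc_ptr idt;      /* IDTR as the guest currently has it */
    struct desc_ptr baseline; /* IDTR recorded by the first check */
    bool have_baseline;
};

/* Monitor side (timer, possibly another CPU): only flag the vCPU, never read
 * its descriptor state here. In KVM: kvm_make_request() + kvm_vcpu_kick(). */
static void request_idt_check(struct vcpu *v)
{
    v->requests |= 1UL << REQ_CHECK_IDT;
}

static bool desc_equal(const struct desc_ptr *a, const struct desc_ptr *b)
{
    return a->size == b->size && a->address == b->address;
}

/* vCPU side, the part that would sit in vcpu_enter_guest() before the guest
 * runs. Returns -1 if no check was requested, 0 if IDTR matches the baseline
 * (or the baseline was just recorded), 1 if IDTR differs from the baseline. */
static int handle_idt_check_request(struct vcpu *v)
{
    if (!(v->requests & (1UL << REQ_CHECK_IDT)))
        return -1;
    v->requests &= ~(1UL << REQ_CHECK_IDT);

    if (!v->have_baseline) {
        v->baseline = v->idt;
        v->have_baseline = true;
        return 0;
    }
    if (desc_equal(&v->idt, &v->baseline))
        return 0;

    printf("vcpu %d: IDTR changed, base %#llx -> %#llx, limit %#x -> %#x\n",
           v->id,
           (unsigned long long)v->baseline.address, (unsigned long long)v->idt.address,
           (unsigned)v->baseline.size, (unsigned)v->idt.size);
    return 1;
}

/* Simulated guest entry: drain pending requests, then the guest would run. */
static int vcpu_enter_guest_sim(struct vcpu *v)
{
    return handle_idt_check_request(v);
}

/* Scenario: baseline recorded, then the guest's IDTR is pointed at a new page. */
static int scenario_idt_relocated(void)
{
    struct vcpu v = { .id = 0, .idt = { 0xfff, 0xffffffff81c00000ULL } }; /* constructed */

    if (handle_idt_check_request(&v) != -1)   /* nothing requested yet */
        return -100;
    request_idt_check(&v);
    if (vcpu_enter_guest_sim(&v) != 0)        /* first pass records the baseline */
        return -101;
    v.idt.address = 0xffff880012345000ULL;    /* simulated relocation of the IDT */
    request_idt_check(&v);
    return vcpu_enter_guest_sim(&v);          /* 1: change detected */
}

/* Scenario: repeated checks on an unchanged IDTR stay quiet. */
static int scenario_idt_unchanged(void)
{
    struct vcpu v = { .id = 1, .idt = { 0xfff, 0xffffffff81c00000ULL } }; /* constructed */
    int rc = 0, round;

    for (round = 0; round < 3 && rc == 0; round++) {
        request_idt_check(&v);
        rc = vcpu_enter_guest_sim(&v);
    }
    return rc;                                /* 0: never flagged */
}

int main(void)
{
    int relocated = scenario_idt_relocated();
    int unchanged = scenario_idt_unchanged();

    printf("relocated -> %d, unchanged -> %d\n", relocated, unchanged);
    return (relocated == 1 && unchanged == 0) ? 0 : 1;
}
```

The check only compares the IDTR register (base and limit), which is Paolo's first option: it catches the table being moved to a new page but, as he notes, not an entry overwritten in place inside the existing table, nor a hijacked software interrupt such as int $0x80; those need the page-protection approach or a separate comparison of the table contents.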