>> Some context: We are doing VM-based tracing in the FreeBSD kernel. For
>> that, we observe parts of the kernel memory (allocations, accesses, ...).
>> Before 12.0 we simply knew that kernel addresses that we logged were
>> unique. Moreover, when a memory access to a region of interest happened
>> we knew that could only be kernel memory.
>> We now have to ensure that we only record memory accesses that happen
>> within the kernel.
>> Our approach is to record the kernel's value for the CR3 register, and
>> record memory accesses if the CR3 register holds the aforementioned value.
> You must use CPL to see if the current operation mode is user or kernel.
> If user, nothing should be done (this would avoid vm86). If kernel, you
> need to compare current %cr3 with IdlePTD (IdlePTDP for PAE case).
>
Thanks for the advice! We'll include that in our toolchain.
Do you use PLs other than 0 (=kernel) and 3 (=user)?

- Alex

--
Technische Universität Dortmund         Alexander Lochmann
PGP key: 0xBC3EF6FD                     Otto-Hahn-Str. 16
phone: +49.231.7556141                  D-44227 Dortmund
fax: +49.231.7556116
http://ess.cs.tu-dortmund.de/Staff/al
On Tue, Dec 18, 2018 at 11:22:53AM +0100, Alexander Lochmann wrote:
> >> Some context: We are doing VM-based tracing in the FreeBSD kernel. For
> >> that, we observe parts of the kernel memory (allocations, accesses, ...).
> >> Before 12.0 we simply knew that kernel addresses that we logged were
> >> unique. Moreover, when a memory access to a region of interest happened
> >> we knew that could only be kernel memory.
> >> We now have to ensure that we only record memory accesses that happen
> >> within the kernel.
> >> Our approach is to record the kernel's value for the CR3 register, and
> >> record memory accesses if the CR3 register holds the aforementioned value.
> > You must use CPL to see if the current operation mode is user or kernel.
> > If user, nothing should be done (this would avoid vm86). If kernel, you
> > need to compare current %cr3 with IdlePTD (IdlePTDP for PAE case).
> >
> Thanks for the advice! We'll include that in our toolchain.
> Do you use PLs other than 0 (=kernel) and 3 (=user)?
No, only 0 and 3. But be careful with vm86 (I am not sure how your VM reports it to your instrumentation).
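The filter described in the reply above (check CPL first, then compare the page-table base in %cr3 with IdlePTD, or IdlePTDP under PAE), written out as an added C example that is not code from the thread or from FreeBSD. The struct, enum and function names are this example's own; the IdlePTD value would be read from the kernel symbol at runtime and is a constructed sample here; the masks assume the i386 %cr3 layout (bits 31:12 hold the page directory base without PAE, bits 31:5 hold the PDPT base with PAE, lower bits are PWT/PCD flags), and EFLAGS.VM is checked explicitly so a vm86 access is rejected even if the VM reports an odd CPL for it.

```c
#include <stdbool.h>
#include <stdint.h>

/* CPU state as a VM-based tracer snapshots it at a memory access.
 * Field names are this example's own, not a FreeBSD or VMM API. */
struct trace_cpu_state {
    uint16_t cs;      /* code segment selector; low 2 bits are the CPL */
    uint32_t eflags;  /* EFLAGS.VM (bit 17) set means vm86 mode */
    uint32_t cr3;     /* raw %cr3 as loaded, flag bits included */
};

#define EFLAGS_VM        (1u << 17)
#define CR3_MASK_NONPAE  0xfffff000u  /* bits 31:12: page directory base */
#define CR3_MASK_PAE     0xffffffe0u  /* bits 31:5:  PDPT base (PAE) */

enum trace_mode {
    TRACE_USER,               /* CPL 3: never record */
    TRACE_VM86,               /* vm86 task: never record */
    TRACE_KERNEL,             /* CPL 0 on IdlePTD: record */
    TRACE_KERNEL_FOREIGN_CR3  /* CPL 0 but another page table loaded */
};

static inline unsigned cpl_of(uint16_t cs)
{
    return cs & 3u;  /* RPL field of a loaded CS equals the CPL */
}

/* Classify one access: CPL first, then %cr3 against IdlePTD/IdlePTDP.
 * idle_ptd is the physical address of the kernel's page directory (or
 * PDPT when pae is true), as the kernel symbol reports it. */
enum trace_mode classify_access(const struct trace_cpu_state *st,
                                uint32_t idle_ptd, bool pae)
{
    uint32_t mask = pae ? CR3_MASK_PAE : CR3_MASK_NONPAE;

    if (st->eflags & EFLAGS_VM)
        return TRACE_VM86;
    if (cpl_of(st->cs) != 0)
        return TRACE_USER;
    /* Compare only the base-address field; PWT/PCD bits may differ. */
    if ((st->cr3 & mask) != (idle_ptd & mask))
        return TRACE_KERNEL_FOREIGN_CR3;
    return TRACE_KERNEL;
}

/* The single predicate the tracer needs: record kernel accesses only. */
bool should_record_access(const struct trace_cpu_state *st,
                          uint32_t idle_ptd, bool pae)
{
    return classify_access(st, idle_ptd, pae) == TRACE_KERNEL;
}
```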