search for: introspect

In certain situations (when the guest has to be paused, suspended, migrated, etc.), userspace will use the KVM_INTROSPECTION_PREUNHOOK ioctl in order to trigger the KVMI_EVENT_UNHOOK. If the event is sent successfully (the VM has an active introspection channel), userspace should delay the action (pause/suspend/...) to give the introspection tool the chance to remove its hooks (eg. breakpoints) while the guest is stil...

These commands can be used by the introspection tool to check what introspection commands and events are supported (by KVMi) and allowed (by userspace). The introspection tool will get one of the following error codes: * -KVM_ENOSYS (unsupported command/event) * -KVM_PERM (disallowed command/event) * -KVM_EINVAL (the padding space, use...

Every vCPU has a lock-protected list in which (mostly) the receiving worker places the jobs that has to be done by the vCPU once it is kicked (KVM_REQ_INTROSPECTION) out of guest. A job is defined by a "do" function, a "free" function and a pointer (context). Co-developed-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender...

This command should be used by the introspection tool to identify the commands/events supported by the KVMi subsystem and, most important, what messages must be used for event replies. These messages might be extended in future versions. The kernel side will accept smaller/older or bigger/newer command messages, but not bigger/newer event repl...

With this command the introspection tool enables/disables VM events (ie. KVMI_EVENT_UNHOOK), because no event (neither VM event, nor vCPU event) will be sent to the introspection tool unless enabled/requested. Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 44 +...

In certain situations (when the guest has to be paused, suspended, migrated, etc.), the device manager will use the KVM_INTROSPECTION_PREUNHOOK ioctl in order to trigger the KVMI_EVENT_UNHOOK event. If the event is sent successfully (the VM has an active introspection channel), the device manager should delay the action (pause/suspend/...) to give the introspection tool the chance to remove its hooks (eg. breakpoints) while th...

By default, all introspection VM events are disabled. The introspection tool must explicitly enable the VM events it wants to receive. With this command (KVMI_VM_CONTROL_EVENTS) it can enable/disable any VM event (e.g. KVMI_EVENT_UNHOOK) if allowed by the device manager. Signed-off-by: Adalbert Laz?r <alazar at bitdefend...

This is used by the introspection tool to check the hardware support for single step. Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 13 ++++++++++++- arch/x86/include/uapi/asm/kvmi.h | 5 +++++ arch/x86/kvm/kvmi.c |...

From: Mihai Don?u <mdontu at bitdefender.com> This command enables/disables vCPU introspection events. Signed-off-by: Mihai Don?u <mdontu at bitdefender.com> Co-developed-by: Adalbert Laz?r <alazar at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 45 +++++++++- include/linux/kvmi_host.h...

The connection of the introspection socket with the introspection tool is initialized by userspace/QEMU. Once the handshake is done, the file descriptor is passed to KVMi using the KVM_INTROSPECTION_HOOK ioctl. A new thread will be created to handle/dispatch all introspection commands or replies to introspection events. This threa...

These commands are used to check what introspection commands and events are supported (kernel) and allowed (device manager). These are alternative methods to KVMI_GET_VERSION in checking if the introspection supports a specific command/event. As with the KVMI_GET_VERSION command, these two commands can never be disallowed by the device manager....

From: Mihai Don?u <mdontu at bitdefender.com> This event is sent on a specific user hypercall. It is used by the code residing inside the introspected guest to call the introspection tool and to report certain details about its operation. For example, a classic antimalware remediation tool can report what it has found during a scan. Signed-off-by: Mihai Don?u <mdontu at bitdefender.com> Co-developed-by: Adalbert Laz?r <alazar at bitde...

From: ?tefan ?icleru <ssicleru at bitdefender.com> The introspection tool uses this function to check the hardware support for EPT switching, which can be used either to singlestep vCPUs on a unprotected EPT view or to use #VE in order to avoid filter out VM-exits caused by EPT violations. Signed-off-by: ?tefan ?icleru <ssicleru at bitdefender.com> Signed-...

I''m pleased to announce a new project called XenAccess. The project goals are to provide a full featured introspection library for Xen. Introspection is a technique where applications in one domain can view memory from another domain. For example, you can run an application in dom0 to list the processes or LKMs in a domU. More information is available on the website: http://xenaccess.sourceforge.net/...

This helps the introspection tool with the VGA to GPA translations without the need to monitor the guest page tables. Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 31 +++++++++++++++++++ arch/x86/kvm/kvmi.c | 4 +++ include/u...

From: ?tefan ?icleru <ssicleru at bitdefender.com> The introspection tool can use this to set access restrictions for a wide range of guest addresses. Signed-off-by: ?tefan ?icleru <ssicleru at bitdefender.com> Co-developed-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Adalbert...

The KVM introspection subsystem provides a facility for applications running on the host or in a separate VM, to control the execution of other VMs (pause, resume, shutdown), query the state of the vCPUs (GPRs, MSRs etc.), alter the page access bits in the shadow page tables (only for the hardware backed ones, eg. In...

The KVM introspection subsystem provides a facility for applications running on the host or in a separate VM, to control the execution of other VMs (pause, resume, shutdown), query the state of the vCPUs (GPRs, MSRs etc.), alter the page access bits in the shadow page tables (only for the hardware backed ones, eg. In...

...st | 36 +++++++++++++++++++ arch/x86/include/uapi/asm/kvmi.h | 12 +++++++ arch/x86/kvm/kvmi.c | 19 ++++++++++ include/uapi/linux/kvmi.h | 1 + .../testing/selftests/kvm/x86_64/kvmi_test.c | 34 ++++++++++++++++++ virt/kvm/introspection/kvmi_int.h | 3 ++ virt/kvm/introspection/kvmi_msg.c | 15 ++++++++ 7 files changed, 120 insertions(+) diff --git a/Documentation/virt/kvm/kvmi.rst b/Documentation/virt/kvm/kvmi.rst index bd35002c3254..fc2e8c756191 100644 --- a/Documentation/virt/kvm/kvmi.rst +++ b/Docu...

KVM_INTROSPECTION_COMMAND and KVM_INTROSPECTION_EVENTS ioctls should be used by userspace to allow access for specific (or all) introspection commands and events. By default, all the introspection events and almost all the introspection commands are disallowed. Some commands are always allowed, those querying th...