search for: kvmi_event

In certain situations (when the guest has to be paused, suspended, migrated, etc.), userspace will use the KVM_INTROSPECTION_PREUNHOOK ioctl in order to trigger the KVMI_EVENT_UNHOOK. If the event is sent successfully (the VM has an active introspection channel), userspace should delay the action (pause/suspend/...) to give the introspection tool the chance to remove its hooks (eg. breakpoints) while the guest is still running. Once a timeout is reached or the introspect...

In certain situations (when the guest has to be paused, suspended, migrated, etc.), the device manager will use the KVM_INTROSPECTION_PREUNHOOK ioctl in order to trigger the KVMI_EVENT_UNHOOK event. If the event is sent successfully (the VM has an active introspection channel), the device manager should delay the action (pause/suspend/...) to give the introspection tool the chance to remove its hooks (eg. breakpoints) while the guest is still running. Once a timeout is reached or...

With this command the introspection tool enables/disables VM events (ie. KVMI_EVENT_UNHOOK), because no event (neither VM event, nor vCPU event) will be sent to the introspection tool unless enabled/requested. Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 44 +++++++++++++++-- include/linux/kvmi_host.h...

...commands coming from an introspection tool compiled with older or newer versions of KVMI API. However, it will only accept smaller replies (coming from older versions), but not the bigger/newer ones (this should make the kernel code simpler). TODO: Not quite true. An event reply has a common part (kvmi_event_reply) and an event specific part (eg. the new value for MSR x). If the common part is smaller, the event will be rejected. The code from handle_event_reply(): common = sizeof(struct kvmi_vcpu_hdr) + sizeof(*reply); if (unlikely(msg->size < common)) goto out; should be changed to min...

...irt/kvm/kvmi.rst index ba01b9a249a2..8bf9b8f6dd7c 100644 --- a/Documentation/virt/kvm/kvmi.rst +++ b/Documentation/virt/kvm/kvmi.rst @@ -548,6 +548,27 @@ On x86 the structure looks like this:: It contains information about the vCPU state at the time of the event. +The reply to events uses the *KVMI_EVENT_REPLY* message id and begins +with two common structures:: + + struct kvmi_vcpu_hdr; + struct kvmi_event_reply { + __u8 action; + __u8 event; + __u16 padding1; + __u32 padding2; + }; + +All events accept the KVMI_EVENT_ACTION_CRASH action, which stops the +guest ungracefully, but as soon as pos...

By default, all introspection VM events are disabled. The introspection tool must explicitly enable the VM events it wants to receive. With this command (KVMI_VM_CONTROL_EVENTS) it can enable/disable any VM event (e.g. KVMI_EVENT_UNHOOK) if allowed by the device manager. Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 44 +++++++++++++-- include/linux/kvmi_host.h | 2 + include/uapi/linux/kvmi.h | 16 ++++-- .../te...

...| 39 +++++++++ 7 files changed, 158 insertions(+) diff --git a/Documentation/virt/kvm/kvmi.rst b/Documentation/virt/kvm/kvmi.rst index c1badcde1662..8b43e0f80f77 100644 --- a/Documentation/virt/kvm/kvmi.rst +++ b/Documentation/virt/kvm/kvmi.rst @@ -534,6 +534,7 @@ the following events:: KVMI_EVENT_CR KVMI_EVENT_HYPERCALL KVMI_EVENT_TRAP + KVMI_EVENT_XSETBV When an event is enabled, the introspection tool is notified and it must reply with: continue, retry, crash, etc. (see **Events** below). @@ -999,3 +1000,28 @@ took place and the introspection has been enabled for this event ``kvm...

...| 1 + 8 files changed, 184 insertions(+) diff --git a/Documentation/virt/kvm/kvmi.rst b/Documentation/virt/kvm/kvmi.rst index 7da8efd18b89..283e9a2dfda1 100644 --- a/Documentation/virt/kvm/kvmi.rst +++ b/Documentation/virt/kvm/kvmi.rst @@ -552,6 +552,7 @@ the following events:: KVMI_EVENT_BREAKPOINT KVMI_EVENT_CR KVMI_EVENT_HYPERCALL + KVMI_EVENT_XSETBV When an event is enabled, the introspection tool is notified and must reply with: continue, retry, crash, etc. (see **Events** below). @@ -1053,3 +1054,35 @@ other vCPU introspection event. ``kvmi_event``, exception/interrup...

From: Mihai Don?u <mdontu at bitdefender.com> The KVMI_CONTROL_MSR is used to enable/disable introspection for a specific MSR. The KVMI_EVENT_MSR is send when the tracked MSR is going to be changed. The introspection tool can respond by allowing the guest to continue with normal execution or by discarding the change. This is meant to prevent malicious changes to MSR-s such as MSR_IA32_SYSENTER_EIP. Signed-off-by: Mihai Don?u <mdontu...

...vmi.rst index 8bf9b8f6dd7c..c48abc8f5c97 100644 --- a/Documentation/virt/kvm/kvmi.rst +++ b/Documentation/virt/kvm/kvmi.rst @@ -504,13 +504,56 @@ Use *KVMI_VM_CHECK_EVENT* first. * -KVM_EAGAIN - the selected vCPU can't be introspected yet * -KVM_EBUSY - the selected vCPU has too many queued *KVMI_EVENT_PAUSE_VCPU* events +10. KVMI_VCPU_CONTROL_EVENTS +---------------------------- + +:Architectures: all +:Versions: >= 1 +:Parameters: + +:: + + struct kvmi_vcpu_hdr; + struct kvmi_vcpu_control_events { + __u16 event_id; + __u8 enable; + __u8 padding1; + __u32 padding2; + }; + +:Returns: + +...

From: Mihai Don?u <mdontu at bitdefender.com> Using the KVMI_VCPU_CONTROL_CR command, the introspection tool subscribes to KVMI_EVENT_CR events that will be sent when CR{0,3,4} is going to be changed. Signed-off-by: Mihai Don?u <mdontu at bitdefender.com> Co-developed-by: Adalbert Laz?r <alazar at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst...

From: Mihai Don?u <mdontu at bitdefender.com> This command is used to enable/disable introspection for a specific MSR. The KVMI_EVENT_MSR event is sent when the tracked MSR is going to be changed. The introspection tool can respond by allowing the guest to continue with normal execution or by discarding the change. This is meant to prevent malicious changes to MSRs such as MSR_IA32_SYSENTER_EIP. Signed-off-by: Mihai Don?u <m...

...s KVM: introspection: add hook/unhook ioctls KVM: introspection: add permission access ioctls KVM: introspection: add the read/dispatch message function KVM: introspection: add KVMI_GET_VERSION KVM: introspection: add KVMI_VM_CHECK_COMMAND and KVMI_VM_CHECK_EVENT KVM: introspection: add KVMI_EVENT_UNHOOK KVM: introspection: add KVMI_VM_CONTROL_EVENTS KVM: introspection: add a jobs list to every introspected vCPU KVM: introspection: add KVMI_VCPU_PAUSE KVM: introspection: add KVMI_EVENT_PAUSE_VCPU KVM: introspection: extend KVMI_GET_VERSION with struct kvmi_features KVM: introspec...

...) KVM: introspection: add hook/unhook ioctls KVM: introspection: add permission access ioctls KVM: introspection: add the read/dispatch message function KVM: introspection: add KVMI_GET_VERSION KVM: introspection: add KVMI_VM_CHECK_COMMAND and KVMI_VM_CHECK_EVENT KVM: introspection: add KVMI_EVENT_UNHOOK KVM: introspection: add KVMI_VM_CONTROL_EVENTS KVM: introspection: add a jobs list to every introspected vCPU KVM: introspection: add KVMI_VCPU_PAUSE KVM: introspection: add KVMI_EVENT_PAUSE_VCPU KVM: introspection: add KVMI_VM_CONTROL_CLEANUP KVM: introspection: add KVMI_VCPU_GE...

From: Mihai Don?u <mdontu at bitdefender.com> This command is used to enable/disable introspection for a specific MSR. The KVMI_EVENT_MSR event is send when the tracked MSR is going to be changed. The introspection tool can respond by allowing the guest to continue with normal execution or by discarding the change. This is meant to prevent malicious changes to MSRs such as MSR_IA32_SYSENTER_EIP. Signed-off-by: Mihai Don?u <m...

...| 1 + 7 files changed, 177 insertions(+), 9 deletions(-) diff --git a/Documentation/virt/kvm/kvmi.rst b/Documentation/virt/kvm/kvmi.rst index ffa183745722..3515fea1eb75 100644 --- a/Documentation/virt/kvm/kvmi.rst +++ b/Documentation/virt/kvm/kvmi.rst @@ -547,6 +547,7 @@ the following events:: KVMI_EVENT_HYPERCALL KVMI_EVENT_MSR KVMI_EVENT_PF + KVMI_EVENT_SINGLESTEP KVMI_EVENT_TRAP KVMI_EVENT_XSETBV @@ -1352,3 +1353,30 @@ The *CONTINUE* action will continue the page fault handling via emulation. The *RETRY* action is used by the introspection tool to retry the execution of the current i...

...rt/kvm/kvmi.rst b/Documentation/virt/kvm/kvmi.rst index 0a07ef101302..3c481c1b2186 100644 --- a/Documentation/virt/kvm/kvmi.rst +++ b/Documentation/virt/kvm/kvmi.rst @@ -576,6 +576,7 @@ because these are sent as a result of certain commands (but they can be disallowed by the device manager) :: KVMI_EVENT_PAUSE_VCPU + KVMI_EVENT_SINGLESTEP KVMI_EVENT_TRAP The VM events (e.g. *KVMI_EVENT_UNHOOK*) are controlled with @@ -1075,8 +1076,12 @@ Enables/disables singlestep for the selected vCPU. The introspection tool should use *KVMI_GET_VERSION*, to check if the hardware supports singlestep (see **...

...ntrospection/kvmi_int.h +++ b/virt/kvm/introspection/kvmi_int.h @@ -57,5 +57,12 @@ int kvmi_cmd_vcpu_pause(struct kvm_vcpu *vcpu, bool wait); int kvmi_arch_cmd_vcpu_get_info(struct kvm_vcpu *vcpu, struct kvmi_vcpu_get_info_reply *rpl); void kvmi_arch_setup_event(struct kvm_vcpu *vcpu, struct kvmi_event *ev); +int kvmi_arch_check_get_registers_req(const struct kvmi_msg_hdr *msg, + const struct kvmi_vcpu_get_registers *req); +int kvmi_arch_cmd_vcpu_get_registers(struct kvm_vcpu *vcpu, + const struct kvmi_msg_hdr *msg, + const struct kvmi_vcpu_get_registers *req, + struct kvmi_vcpu_get_r...

...ocumentation/virt/kvm/kvmi.rst +++ b/Documentation/virt/kvm/kvmi.rst @@ -527,7 +527,10 @@ Use *KVMI_VM_CHECK_EVENT* first. struct kvmi_error_code -Enables/disables vCPU introspection events. +Enables/disables vCPU introspection events. This command can be used with +the following events:: + + KVMI_EVENT_HYPERCALL When an event is enabled, the introspection tool is notified and it must reply with: continue, retry, crash, etc. (see **Events** below). @@ -764,3 +767,34 @@ This event is sent in response to a *KVMI_VCPU_PAUSE* command. This event has a low priority. It will be sent after any oth...

From: Mihai Don?u <mdontu at bitdefender.com> >From preread, prewrite and preexec callbacks we will send the KVMI_EVENT_PF events caused by access rights enforced by the introspection tool. Signed-off-by: Mihai Don?u <mdontu at bitdefender.com> Co-developed-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Nicu?or C??u <ncitu at bitdefender.com> Co-developed-by: Marian Rotariu <marian....