search for: vmfunc

...mmunicate to, guest gets full control of its security, from > > mapping all memory (like with current vhost-user) to only > > mapping buffers used for networking (like ivshmem) to > > transient mappings for the duration of data transfer only. > > And I think that we can use VMFUNC to have such transient mappings. Interesting. There are two points to make here: 1. To create transient mappings, VMFUNC isn't strictly required. Instead, mappings can be created when first access by VM2 within BAR triggers a page fault. I guess VMFUNC could remove this first pagefault by hy...

...mmunicate to, guest gets full control of its security, from > > mapping all memory (like with current vhost-user) to only > > mapping buffers used for networking (like ivshmem) to > > transient mappings for the duration of data transfer only. > > And I think that we can use VMFUNC to have such transient mappings. Interesting. There are two points to make here: 1. To create transient mappings, VMFUNC isn't strictly required. Instead, mappings can be created when first access by VM2 within BAR triggers a page fault. I guess VMFUNC could remove this first pagefault by hy...

...diff --git a/Documentation/virt/kvm/kvmi.rst b/Documentation/virt/kvm/kvmi.rst index 62138fa4b65c..234eacec4db1 100644 --- a/Documentation/virt/kvm/kvmi.rst +++ b/Documentation/virt/kvm/kvmi.rst @@ -263,11 +263,13 @@ For x86 struct kvmi_features { __u8 singlestep; - __u8 padding[7]; + __u8 vmfunc; + __u8 eptp; + __u8 padding[5]; }; Returns the introspection API version and some of the features supported -by the hardware. +by the hardware (eg. alternate EPT views). This command is always allowed and successful. diff --git a/arch/x86/include/uapi/asm/kvmi.h b/arch/x86/include/uapi...

...atches 31-34 extend the VM introspection API with #VE related commands. Adalbert Laz?r (2): KVM: x86: mmu: reindent to avoid lines longer than 80 chars KVM: introspection: mask out non-rwx flags when reading/writing from/to the internal database Marian Rotariu (5): KVM: x86: export .get_vmfunc_status() KVM: x86: export .get_eptp_switching_status() KVM: x86: mmu: add support for EPT switching KVM: x86: add .set_ept_view() KVM: x86: vmx: add support for virtualization exceptions Sean Christopherson (2): KVM: VMX: Define EPT suppress #VE bit (bit 63 in EPT leaf entries) KVM: VM...

From: Marian Rotariu <marian.c.rotariu at gmail.com> The introspection tool uses this function to check the hardware support for VMFUNC, which can be used either to singlestep vCPUs on a unprotected EPT view or to use #VE in order to filter out VM-exits caused by EPT violations. Signed-off-by: Marian Rotariu <marian.c.rotariu at gmail.com> Co-developed-by: ?tefan ?icleru <ssicleru at bitdefender.com> Signed-off-by: ?te...

...; communicate to, guest gets full control of its security, from >> mapping all memory (like with current vhost-user) to only >> mapping buffers used for networking (like ivshmem) to >> transient mappings for the duration of data transfer only. > > And I think that we can use VMFUNC to have such transient mappings. > >> This also allows use of VFIO within guests, for improved >> security. >> >> vhost user would need to be extended to send the >> mappings programmed by guest IOMMU. > > Right. We need to think about cases where other VMs (V...

...; communicate to, guest gets full control of its security, from >> mapping all memory (like with current vhost-user) to only >> mapping buffers used for networking (like ivshmem) to >> transient mappings for the duration of data transfer only. > > And I think that we can use VMFUNC to have such transient mappings. > >> This also allows use of VFIO within guests, for improved >> security. >> >> vhost user would need to be extended to send the >> mappings programmed by guest IOMMU. > > Right. We need to think about cases where other VMs (V...

...> > to, guest gets full control of its security, from mapping all memory > > (like with current vhost-user) to only mapping buffers used for > > networking (like ivshmem) to transient mappings for the duration of > > data transfer only. > > And I think that we can use VMFUNC to have such transient mappings. > > > This also allows use of VFIO within guests, for improved security. > > > > vhost user would need to be extended to send the mappings programmed > > by guest IOMMU. > > Right. We need to think about cases where other VMs (VM3,...

...> > to, guest gets full control of its security, from mapping all memory > > (like with current vhost-user) to only mapping buffers used for > > networking (like ivshmem) to transient mappings for the duration of > > data transfer only. > > And I think that we can use VMFUNC to have such transient mappings. > > > This also allows use of VFIO within guests, for improved security. > > > > vhost user would need to be extended to send the mappings programmed > > by guest IOMMU. > > Right. We need to think about cases where other VMs (VM3,...

...t kvmi_error_code; + struct kvmi_vcpu_get_ept_view_reply { + __u16 view; + __u16 padding1; + __u32 padding2; + }; + +Returns the EPT ``view`` the provided vCPU operates on. + +Before getting EPT views, the introspection tool should use +*KVMI_GET_VERSION* to check if the hardware has support for VMFUNC and +EPTP switching mechanism (see **KVMI_GET_VERSION**). If the hardware +does not provide support for these features, the returned EPT view will +be zero. + +* -KVM_EINVAL - the selected vCPU is invalid +* -KVM_EINVAL - the padding is not zero +* -KVM_EAGAIN - the selected vCPU can't be intr...

The KVM introspection subsystem provides a facility for applications running on the host or in a separate VM, to control the execution of other VMs (pause, resume, shutdown), query the state of the vCPUs (GPRs, MSRs etc.), alter the page access bits in the shadow page tables (only for the hardware backed ones, eg. Intel's EPT) and receive notifications when events of interest have taken place

The KVM introspection subsystem provides a facility for applications running on the host or in a separate VM, to control the execution of other VMs (pause, resume, shutdown), query the state of the vCPUs (GPRs, MSRs etc.), alter the page access bits in the shadow page tables (only for the hardware backed ones, eg. Intel's EPT) and receive notifications when events of interest have taken place

The KVM introspection subsystem provides a facility for applications running on the host or in a separate VM, to control the execution of other VM-s (pause, resume, shutdown), query the state of the vCPUs (GPRs, MSRs etc.), alter the page access bits in the shadow page tables (only for the hardware backed ones, eg. Intel's EPT) and receive notifications when events of interest have taken place

The KVM introspection subsystem provides a facility for applications running on the host or in a separate VM, to control the execution of other VM-s (pause, resume, shutdown), query the state of the vCPUs (GPRs, MSRs etc.), alter the page access bits in the shadow page tables (only for the hardware backed ones, eg. Intel's EPT) and receive notifications when events of interest have taken place