similar to: [RFC PATCH v7 00/78] VM introspection

The KVM introspection subsystem provides a facility for applications running on the host or in a separate VM, to control the execution of other VMs (pause, resume, shutdown), query the state of the vCPUs (GPRs, MSRs etc.), alter the page access bits in the shadow page tables (only for the hardware backed ones, eg. Intel's EPT) and receive notifications when events of interest have taken place

This patch series is based on the VM introspection patches (https://lore.kernel.org/kvm/20200721210922.7646-1-alazar at bitdefender.com/), extending the introspection API with EPT Views and Virtualization Exceptions (#VE) support. The purpose of this series is to get an initial feedback and to see if we are on the right track, especially because the changes made to add the EPT views are not small

The KVM introspection subsystem provides a facility for applications running on the host or in a separate VM, to control the execution of other VM-s (pause, resume, shutdown), query the state of the vCPUs (GPRs, MSRs etc.), alter the page access bits in the shadow page tables (only for the hardware backed ones, eg. Intel's EPT) and receive notifications when events of interest have taken place

The KVM introspection subsystem provides a facility for applications running on the host or in a separate VM, to control the execution of other VM-s (pause, resume, shutdown), query the state of the vCPUs (GPRs, MSRs etc.), alter the page access bits in the shadow page tables (only for the hardware backed ones, eg. Intel's EPT) and receive notifications when events of interest have taken place

On Fri, Aug 09, 2019 at 06:59:16PM +0300, Adalbert Laz?r wrote: > diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig > index 72fa955f4a15..f70a6a1b6814 100644 > --- a/arch/x86/kvm/Kconfig > +++ b/arch/x86/kvm/Kconfig > @@ -96,6 +96,13 @@ config KVM_MMU_AUDIT > This option adds a R/W kVM module parameter 'mmu_audit', which allows > auditing of KVM MMU events

This event is send by the vCPU thread and has a low priority. It will be sent after any other vCPU introspection event and when no vCPU introspection command is queued. Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 23 ++- arch/x86/kvm/kvmi.c | 53 ++++++ include/linux/kvmi_host.h

From: Mihai Don?u <mdontu at bitdefender.com> Using the KVMI_VCPU_CONTROL_CR command, the introspection tool subscribes to KVMI_EVENT_CR events that will be sent when CR{0,3,4} is going to be changed. Signed-off-by: Mihai Don?u <mdontu at bitdefender.com> Co-developed-by: Adalbert Laz?r <alazar at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com>

From: Mihai Don?u <mdontu at bitdefender.com> This event is sent on a specific user hypercall. It is used by the code residing inside the introspected guest to call the introspection tool and to report certain details about its operation. For example, a classic antimalware remediation tool can report what it has found during a scan. Signed-off-by: Mihai Don?u <mdontu at

From: Nicu?or C??u <ncitu at bitdefender.com> This event is sent when the current instruction has been single stepped with or without success. Signed-off-by: Nicu?or C??u <ncitu at bitdefender.com> Co-developed-by: Adalbert Laz?r <alazar at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 28

From: Mihai Don?u <mdontu at bitdefender.com> This command sets the spte access bits (rwx) for an array of guest physical addresses (through the page tracking subsystem). These GPAs, with the requested access bits, are also kept in a radix tree in order to filter out the #PF events which are of no interest to the introspection tool. The access restrictions for pages that are not visible

Every vCPU has a lock-protected list in which (mostly) the receiving worker places the jobs that has to be done by the vCPU once it is kicked (KVM_REQ_INTROSPECTION) out of guest. A job is defined by a "do" function, a "free" function and a pointer (context). Co-developed-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Nicu?or C??u <ncitu at

On Fri, Aug 09, 2019 at 07:00:19PM +0300, Adalbert Laz?r wrote: > From: Nicu?or C??u <ncitu at bitdefender.com> > > This would be used either if the introspection tool request it as a > reply to a KVMI_EVENT_PF event or to cope with instructions that cannot > be handled by the x86 emulator during the handling of a VMEXIT. In > these situations, all other vCPU-s are kicked

From: Nicu?or C??u <ncitu at bitdefender.com> This commit also ensures that only the userspace or the introspection tool can control the #BP interception exclusively at one time. Signed-off-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- arch/x86/include/asm/kvm_host.h | 3 + arch/x86/include/asm/kvmi_host.h | 22

From: Nicu?or C??u <ncitu at bitdefender.com> This event is sent after each instruction when the singlestep has been enabled for a vCPU. Signed-off-by: Nicu?or C??u <ncitu at bitdefender.com> Co-developed-by: Adalbert Laz?r <alazar at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 31

From: Mihai Don?u <mdontu at bitdefender.com> This command enables/disables vCPU introspection events. Signed-off-by: Mihai Don?u <mdontu at bitdefender.com> Co-developed-by: Adalbert Laz?r <alazar at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 45 +++++++++- include/linux/kvmi_host.h

From: Nicu?or C??u <ncitu at bitdefender.com> This command is extremely useful for debuggers. Signed-off-by: Nicu?or C??u <ncitu at bitdefender.com> Co-developed-by: Adalbert Laz?r <alazar at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> --- Documentation/virt/kvm/kvmi.rst | 31 ++++++ arch/x86/kvm/kvmi.c

From: Mihai Don?u <mdontu at bitdefender.com> The introspection requests (KVM_REQ_INTROSPECTION) are checked before entering guest or when the vCPU is halted. Signed-off-by: Mihai Don?u <mdontu at bitdefender.com> Co-developed-by: Mircea C?rjaliu <mcirjaliu at bitdefender.com> Signed-off-by: Mircea C?rjaliu <mcirjaliu at bitdefender.com> Co-developed-by: Adalbert Laz?r

From: Mihai Don?u <mdontu at bitdefender.com> This event is sent when the extended control register XCR0 is going to be changed. Signed-off-by: Mihai Don?u <mdontu at bitdefender.com> Co-developed-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Adalbert Laz?r <alazar at bitdefender.com> ---

From: Mihai Don?u <mdontu at bitdefender.com> >From preread, prewrite and preexec callbacks we will send the KVMI_EVENT_PF events caused by access rights enforced by the introspection tool. Signed-off-by: Mihai Don?u <mdontu at bitdefender.com> Co-developed-by: Nicu?or C??u <ncitu at bitdefender.com> Signed-off-by: Nicu?or C??u <ncitu at bitdefender.com>

From: Mihai Don?u <mdontu at bitdefender.com> This command is used to enable/disable introspection for a specific MSR. The KVMI_EVENT_MSR event is send when the tracked MSR is going to be changed. The introspection tool can respond by allowing the guest to continue with normal execution or by discarding the change. This is meant to prevent malicious changes to MSRs such as