Hi,

I am trying to mark certain page-table entries (pte) of a guest as read-only by the guest operating system (complete control by xen). If this pte is ever to be changed to READ/WRITE, it should be done by a custom hypercall (called only by a special process). The guest os's request to mark this pte READ/WRITE should be denied/ignored by xen.

The approach I am planning is, obtain the (guest) virtual address from the process and pass to xen through hypercall, obtain cr3 from the vcpu, compute PDE (page directory entry), obtain PT (Page Table) base address, compute PTE's (guest) physical address. Then translate PFN to MFN and update the entries to READ-ONLY.

However, I feel this process is not sufficient to restrict the OS from changing it. So I would like to know your suggestions/changes in my approach.

--
Srujan D. Kotikela

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hi,

At 21:29 -0500 on 19 Jun (1308518969), Srujan Kotikela wrote:
> I am trying to mark certain page-table entries (pte) of a guest as read-only
> by the guest operating system (complete control by xen). If this pte is
> ever to be changed to READ/WRITE, it should be done by a custom hypercall
> (called only by a special process). The guest os's request to mark this pte
> READ/WRITE should be denied/ignored by xen.
>
> The approach I am planning is, obtain the (guest) virtual address from the
> process and pass to xen through hypercall, obtain cr3 from the vcpu, compute
> PDE (page directory entry), obtain PT (Page Table) base address, compute
> PTE's (guest) physical address. Then translate PFN to MFN and update the
> entries to READ-ONLY.
>
> However, I feel this process is not sufficient to restrict the OS from
> changing it.

It's certainly not enough to stop the OS from changing it by itself. You'd need to make that PTE read-only _and_ make all mappings of the PTE itself read-only _and_ make sure there are no new r/w mappings of it.

I think the right thing to do is to translate the VA you start with into a PFN and then just call p2m_change_type to mark that PFN read-only. That way, the PTE the guest sees will still be r/w but all writes to the address will be dropped. (That assumes this is a HVM guest, by the way).

Cheers,

Tim.

--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)

Hi,

Please don't take discussions off-list. Cc'ing xen-devel again.

At 12:58 +0100 on 20 Jun (1308574721), Srujan Kotikela wrote:
> Hi,
>
> Thanks for the prompt reply. Can you tell me how to achieve the same
> in PV guests?

In PV guests you could try turning on shadow paging and enforcing the same read-only idea (but PV guests don't have a p2m table so that will be messy; you might be able to hook gmfn_to_mfn?). Or you could update the PV pagetable interface to require the guest to make the PTE read-only (by hooking adjust_guest_l1e or similar). That would have much better performance but might need changes to the guest kernel to cope with its PTEs being read-only.

> Also is there any standard/official documentation for
> Xen's memory management?

Not really, no. The basic ideas are laid out in the original Xen papers and in some of the Xen books that have been published but there's no technical documentation for the code except what's in comments and HG log entries.

Tim.

--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)

Sorry, clicked reply instead of reply-to-all.

--
Srujan D. Kotikela

On Mon, Jun 20, 2011 at 7:10 AM, Tim Deegan <Tim.Deegan@citrix.com> wrote:
> Hi,
>
> Please don't take discussions off-list. Cc'ing xen-devel again.
>
> At 12:58 +0100 on 20 Jun (1308574721), Srujan Kotikela wrote:
> > Hi,
> >
> > Thanks for the prompt reply. Can you tell me how to achieve the same
> > in PV guests?
>
> In PV guests you could try turning on shadow paging and enforcing the same
> read-only idea (but PV guests don't have a p2m table so that will be
> messy; you might be able to hook gmfn_to_mfn?). Or you could update the
> PV pagetable interface to require the guest to make the PTE read-only
> (by hooking adjust_guest_l1e or similar). That would have much better
> performance but might need changes to the guest kernel to cope with its
> PTEs being read-only.
>
> > Also is there any standard/official documentation for
> > Xen's memory management?
>
> Not really, no. The basic ideas are laid out in the original Xen papers
> and in some of the Xen books that have been published but there's no
> technical documentation for the code except what's in comments and HG
> log entries.
>
> Tim.
>
> --
> Tim Deegan <Tim.Deegan@citrix.com>
> Principal Software Engineer, Xen Platform Team
> Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)

On Mon, Jun 20, 2011 at 3:27 AM, Tim Deegan <Tim.Deegan@citrix.com> wrote:
> Hi,
>
> At 21:29 -0500 on 19 Jun (1308518969), Srujan Kotikela wrote:
> > I am trying to mark certain page-table entries (pte) of a guest as
> > read-only by the guest operating system (complete control by xen). If
> > this pte is ever to be changed to READ/WRITE, it should be done by a
> > custom hypercall (called only by a special process). The guest os's
> > request to mark this pte READ/WRITE should be denied/ignored by xen.
> >
> > The approach I am planning is, obtain the (guest) virtual address from
> > the process and pass to xen through hypercall, obtain cr3 from the vcpu,
> > compute PDE (page directory entry), obtain PT (Page Table) base address,
> > compute PTE's (guest) physical address. Then translate PFN to MFN and
> > update the entries to READ-ONLY.
> >
> > However, I feel this process is not sufficient to restrict the OS from
> > changing it.
>
> It's certainly not enough to stop the OS from changing it by itself.
> You'd need to make that PTE read-only _and_ make all mappings of the PTE
> itself read-only _and_ make sure there are no new r/w mappings of it.
>
> I think the right thing to do is to translate the VA you start with into
> a PFN and then just call p2m_change_type to mark that PFN read-only.
> That way, the PTE the guest sees will still be r/w but all writes to the
> address will be dropped. (That assumes this is a HVM guest, by the
> way).
>
> Cheers,
>
> Tim.
>
> --
> Tim Deegan <Tim.Deegan@citrix.com>
> Principal Software Engineer, Xen Platform Team
> Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)

Hi,

I am trying to see the working of "p2m_change_type". For this I am passing the PFN of a variable (computed using virt_to_pfn(&variable)) in a kernel module. Then this PFN is being passed to VMM through a hypercall (from a HVM guest). In the hypercall handler, I have the following code (where PFN == GFN):

    struct vcpu *v = current;
    struct domain *d = v->domain;

    p2m_type_t ot;
    mfn_t mfn;

    mfn = gfn_to_mfn(d, gfn , &ot); //find the old type of the gfn
    printk("MFN : %lx\n", mfn);
    printk("OT : %d\n", ot);

    p2m_change_type(d, gfn, ot, p2m_ram_ro);

After this I tried to assign a new value to variable (to test if the write request is being dropped). But, the DomU hangs within the kernel module (insmod command is never being completed).

I assume this is because I am doing it within a kernel module. Now I am going to try passing a user process' variable's address to kernel module and pass it further to hypervisor and repeat the above process. Before that, I just want to make sure that I am going in the right direction.

Thanks,
_SDK

Hi,

At 12:54 -0500 on 28 Jun (1309265682), Srujan Kotikela wrote:
> I am trying to see the working of "p2m_change_type". For this I am
> passing the PFN of a variable (computed using virt_to_pfn(&variable)) in a
> kernel module. Then this PFN is being passed to VMM through a hypercall
> (from a HVM guest). In the hypercall handler, I have the following code
> (where PFN == GFN) :
>
> > struct vcpu *v = current;
> > struct domain *d = v->domain;
> >
> > p2m_type_t ot;
> > mfn_t mfn;
> >
> > mfn = gfn_to_mfn(d, gfn , &ot); //find the old type of the gfn
> > printk("MFN : %lx\n", mfn);
> > printk("OT : %d\n", ot);
> >
> > p2m_change_type(d, gfn, ot, p2m_ram_ro);

You might want to check the return value of p2m_change_type; it does an atomic compare-exchange so it might not have changed the type if another CPU changed the p2m entry under your feet.

> After this I tried to assign a new value to variable (to test if the
> write request is being dropped). But, the DomU hangs within the kernel
> module (insmod command is never being completed).
>
> I assume this is because I am doing it within a kernel module. Now I am
> going to try passing a user process' variable's address to kernel module and
> pass it further to hypervisor and repeat the above process. Before that, I
> just want to make sure that I am going in the right direction.

Yes, that looks basically OK to me. I don't think there's any reason why being in the kernel would make a difference. Did you make sure that no other variables are on the same page as the one you're protecting?

Tim.

--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
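
Added example, not part of the thread and not Xen code: a user-space C model of the points raised in Tim's first reply and in the reply above. It shows that write-protecting one PTE leaves aliases and the guest's own page table open, that a p2m-level read-only type covers the whole frame (neighbouring variables included), and that a compare-exchange retype has to be checked. The toy_* names, the table layout and the return convention of toy_change_type are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define NR_PAGES   4

/* Toy stand-ins for the thread's concepts; not Xen's definitions. */
typedef enum { RAM_RW, RAM_RO } toy_type_t;
struct toy_pte { unsigned long gfn; int writable; };

/* Guest-controlled page table: VA pages 0 and 1 both map frame 1. */
static struct toy_pte guest_pt[NR_PAGES] = { {1, 1}, {1, 1}, {2, 1}, {3, 1} };
static toy_type_t p2m[NR_PAGES];             /* hypervisor-controlled types */
static uint8_t ram[NR_PAGES << PAGE_SHIFT];  /* constructed guest memory */

/* Guest store via a virtual address; returns 1 only if the byte landed. */
static int guest_write(unsigned long va, uint8_t val)
{
    struct toy_pte *pte = &guest_pt[va >> PAGE_SHIFT];
    if (!pte->writable || p2m[pte->gfn] == RAM_RO)
        return 0;
    ram[(pte->gfn << PAGE_SHIFT) | (va & 0xfff)] = val;
    return 1;
}

/* Compare-exchange: retype gfn only if it is still ot; returns type found. */
static toy_type_t toy_change_type(unsigned long gfn, toy_type_t ot, toy_type_t nt)
{
    toy_type_t found = p2m[gfn];
    if (found == ot)
        p2m[gfn] = nt;
    return found;
}

/* 0 if the frame was retyped, -1 if the sampled type had gone stale. */
static int protect_frame(unsigned long gfn, toy_type_t sampled)
{
    return toy_change_type(gfn, sampled, RAM_RO) == sampled ? 0 : -1;
}

int main(void)
{
    guest_pt[0].writable = 0;                 /* PTE-only protection */
    printf("alias write lands: %d\n", guest_write(0x1010, 0xAA));
    guest_pt[0].writable = 1;                 /* guest flips its own PTE back */
    printf("protect frame 1: %d\n", protect_frame(1, RAM_RW));
    printf("direct: %d alias: %d neighbour: %d\n", guest_write(0x0010, 1),
           guest_write(0x1010, 1), guest_write(0x0800, 1));
    printf("stale sample on frame 2: %d\n", protect_frame(2, RAM_RO));
    return 0;
}
```

In the model, the neighbour at offset 0x800 of the protected frame loses its writes as well, which is the page-sharing condition Tim asks about.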