Re: [Qemu-devel] different IDTs of the same VCPU


From: Alexander Binun
Subject: Re: [Qemu-devel] different IDTs of the same VCPU
Date: Mon, 17 Mar 2014 13:54:45 +0200 (IST)

Dear friends, great thanks!

To summarize: we are trying to monitor VCPU IDT changes that are done by
external parties (e.g. rootkits) and not by intra-KVM machinery. Are there
parameters that witness such changes?

Best Regards, 
   The KVM Israeli team


On Thu 13 Mar 17:15 2014 Paolo Bonzini wrote:
> On 13/03/2014 13:59, Alexander Binun wrote:
> > Dear Friends,
> >
> >    Thanks for your assistance!
> >
> > We would like to ask you a question about the KVM internals.
> >
> > Our module includes a timer which (once in every second) fetches the IDT
> > value of every online VCPU in the system using kvm_x86_ops->get_idt;
> > the code looks like:
> >
> >   struct kvm_vcpu *curr_vcpu;
> >   struct desc_ptr dt;
> >
> >   list_for_each_entry(kvm, vms_list, vm_list)
> >   {
> >     for (i = 0; i < kvm->online_vcpus.counter; i++)
> >     {
> >       curr_vcpu = kvm->vcpus[i];
> >       kvm_x86_ops->get_idt(curr_vcpu, &dt);
> >     }
> >   }
> >
> > We have noticed that get_idt returns DIFFERENT values for the same
> > VCPU (i.e. for the same value of i that refers to a given VCPU). We
> > cannot understand this issue; could you explain?
> >
> > It is very strange since nobody changes the IDT value (as, for example,
> > rootkits do).
> 
> At the very least, running nested virtualization would lead to different 
> IDT values.
> 
> But more simply, on Intel you can hardly do anything with kvm_x86_ops or 
> kvm_vcpu except on the same physical CPU that is in vcpu->cpu.  The 
> state is not in memory, it is cached inside the physical CPU.
> 
> There is no easy solution to this without modifying KVM.  You can add a 
> request bit to KVM's vcpu->requests field, kick the vcpu and do the 
> check in vcpu_enter_guest.
> 
> Paolo
> 
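
A userspace C model of the approach Paolo describes (post a request bit, then let the vcpu's own thread service it on the guest-entry path), added here as an example; it is not KVM source and not code from this thread. All names (`model_vcpu`, `REQ_IDT_CHECK`, `monitor_request_idt_check`, `vcpu_enter_guest_check`) are hypothetical, and the vcpu kick is only noted in a comment.

```c
/* Added example: userspace model, not KVM source. All names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

#define REQ_IDT_CHECK (1ul << 0)   /* hypothetical request bit */

struct idt_desc { uint64_t base; uint16_t limit; };

struct model_vcpu {
    atomic_ulong requests;     /* stands in for vcpu->requests */
    struct idt_desc idt;       /* register state: only the owner thread reads it */
    struct idt_desc baseline;  /* last value recorded by the owner */
    bool have_baseline;
    unsigned checks, changes;  /* counters the monitor may read afterwards */
};

/* Monitor side (timer, any CPU): only post the request, never read vcpu state.
 * In KVM this is where the vcpu would also be kicked out of guest mode. */
static void monitor_request_idt_check(struct model_vcpu *v)
{
    atomic_fetch_or(&v->requests, REQ_IDT_CHECK);
}

/* Owner side: called on the vcpu's own thread just before entering the guest.
 * Returns true when the IDT descriptor differs from the recorded baseline. */
static bool vcpu_enter_guest_check(struct model_vcpu *v)
{
    /* Test-and-clear: repeated posts coalesce and are serviced once. */
    if (!(atomic_fetch_and(&v->requests, ~REQ_IDT_CHECK) & REQ_IDT_CHECK))
        return false;
    v->checks++;
    bool changed = v->have_baseline &&
                   (v->idt.base != v->baseline.base ||
                    v->idt.limit != v->baseline.limit);
    if (changed)
        v->changes++;   /* a signal to triage, not proof of tampering */
    v->baseline = v->idt;
    v->have_baseline = true;
    return changed;
}
```

A reported change still needs triage: as noted in the reply above, nested virtualization alone leads to different IDT values.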






