Re: [Qemu-devel] different IDTs of the same VCPU
From: Alexander Binun
Subject: Re: [Qemu-devel] different IDTs of the same VCPU
Date: Mon, 17 Mar 2014 13:54:45 +0200 (IST)

Dear friends, great thanks!

To summarize: we are trying to monitor VCPU IDT changes that are done by
external parties (e.g. rootkits) and not by intra-KVM machinery. Are there
parameters that witness such changes?

Best Regards,
The KVM Israeli team

On Thu 13 Mar 17:15 2014 Paolo Bonzini wrote:
> On 13/03/2014 13:59, Alexander Binun wrote:
> > Dear Friends,
> >
> > Thanks for your assistance!
> >
> > We would like to ask you a question about the KVM internals.
> >
> > Our module includes a timer which (once in every second) fetches the IDT
> > value of every online VCPU in the system using the kvm_x86_ops->get_idt;
> > the code looks like:
> >
> > struct kvm_vcpu *curr_vcpu;
> > struct desc_ptr dt;
> >
> > list_for_each_entry(kvm, vms_list, vm_list)
> > {
> >     for (i = 0; i < kvm->online_vcpus.counter; i++)
> >     {
> >         curr_vcpu = kvm->vcpus[i];
> >         kvm_x86_ops->get_idt(curr_vcpu, &dt);
> >     }
> > }
> >
> > We have noticed that get_idt returns DIFFERENT values for the same
> > VCPU (i.e. for the same value of i that refers to a given VCPU). We
> > cannot understand this issue; could you explain?
> >
> > It is very strange since nobody changes the IDT value (as, for example,
> > rootkits do).
>
> At the very least, running nested virtualization would lead to different
> IDT values.
>
> But more simply, on Intel you can hardly do anything with kvm_x86_ops or
> kvm_vcpu except on the same physical CPU that is in vcpu->cpu. The
> state is not in memory, it is cached inside the physical CPU.
>
> There is no easy solution to this without modifying KVM. You can add a
> request bit to KVM's vcpu->requests field, kick the vcpu and do the
> check in vcpu_enter_guest.
>
> Paolo
>
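
A user-space C model of the pattern suggested in the quoted reply (post a request bit, let the vCPU service it in its own context before guest entry), added here as an illustration; it is not code from KVM or from this thread. All names (`vcpu_model`, `REQ_IDT_CHECK`, `demo_scenario`) are hypothetical and the IDT values are constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REQ_IDT_CHECK (1u << 0)          /* hypothetical request bit */
struct idtr_model { uint16_t size; uint64_t address; };
struct vcpu_model {
    atomic_uint requests;                /* stands in for vcpu->requests */
    struct idtr_model hw_idtr;           /* state only the owning CPU can read */
    struct idtr_model baseline;          /* last value recorded by the check */
    unsigned alerts;
};

/* Monitor (timer) side: posts a request and never reads IDT state itself.
 * In KVM the vCPU would also be kicked here so the request is serviced soon. */
void monitor_request_idt_check(struct vcpu_model *v)
{
    atomic_fetch_or(&v->requests, REQ_IDT_CHECK);
}

/* vCPU side: runs in the vCPU's own context just before guest entry.
 * Returns true when the IDTR differs from the recorded baseline. */
bool vcpu_enter_guest_model(struct vcpu_model *v)
{
    unsigned pending = atomic_fetch_and(&v->requests, ~REQ_IDT_CHECK);
    if (!(pending & REQ_IDT_CHECK))
        return false;                    /* no request pending: no check */
    bool changed = v->hw_idtr.address != v->baseline.address ||
                   v->hw_idtr.size != v->baseline.size;
    if (changed) {
        v->alerts++;
        v->baseline = v->hw_idtr;        /* re-arm on the new value */
    }
    return changed;
}

/* Constructed scenario; returns the number of alerts raised. */
unsigned demo_scenario(bool tamper, bool request_after)
{
    struct vcpu_model v = { .hw_idtr  = { 0xfff, 0xffffffffff578000ull },
                            .baseline = { 0xfff, 0xffffffffff578000ull } };
    monitor_request_idt_check(&v);
    vcpu_enter_guest_model(&v);          /* IDT unchanged: no alert */
    if (tamper) v.hw_idtr.address = 0xffffc90000123000ull; /* constructed */
    vcpu_enter_guest_model(&v);          /* nothing pending: change unseen */
    if (request_after) monitor_request_idt_check(&v);
    vcpu_enter_guest_model(&v);          /* serviced request sees the change */
    return v.alerts;
}

int main(void) { printf("alerts: %u\n", demo_scenario(true, true)); return 0; }
```

A changed value in this model only means the IDTR moved; as the quoted reply notes, nested virtualization also leads to different IDT values.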