On 07/07/2017 16:34, Adalbert Lazar wrote:
> One bit of code that has passed (maybe) unnoticed in the RFC is a new
> function added to Linux' mm called vm_replace_page() which, much like KSM's
> replace_page(), gets two processes to share a page (read-write, no-COW):
>
> https://marc.info/?l=kvm&m=149762056518799&w=2
>
> This is used to quickly scan and patch the guest software.

Thanks for pointing this out. In my review of patch 1 I suggested using
only read/write, but it's slow.

I think we need to figure out a safe way to map foreign memory, as I'm
worried about TOC/TOU races for obvious reasons.

One thing I was thinking about (but didn't have much time to completely
think through) is a special /dev/kvmmem device, where you could do

    kvmmem_fd = open("/dev/kvmmem", O_RDWR);
    ptr = ioctl(kvmmem_fd, KVMMEM_MAP_MEMORY, { token, size });
    ioctl(kvmmem_fd, KVMMEM_UNMAP_MEMORY, { ptr, size });

The map/unmap memory operation would be a hypercall, not a socket command,
but the random "token" would be returned on the socket via some
KVMI_MAP_PHYSICAL_PAGE_TO_GUEST command (or more accurately, a replacement
accepting {gpa, size} instead of {gpa, gfn_dest}).

Handles can be short lived, e.g. you could have at most a small number of
tokens per host created (and passed back via KVMI) but not yet used by the
hypercall. Once it's used by the hypercall, the token is not needed anymore,
so this is not a strong limitation.

After KVMMEM_MAP_MEMORY, you'd get a SIGSEGV if the guest memory layout
changes (userfaultfd can be used by the introspector to simplify the
handling and retry). You'd have to re-map the memory explicitly.

Alas I have no idea how to verify the handle securely on the host, since
the host is not supposed to know which guests are introspectors and which
host got which token. But maybe if the token namespace is big enough
(256 bits?) and random, it's okay to ignore the possibility that a guest
tries to guess.

(This idea is roughly based on how SCSI offloaded copies work).

Andy, does it look like utter BS or could it have some merit?

Paolo
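The token lifecycle sketched in the message above (a random 256-bit token handed back over the introspection socket, bound to a {gpa, size} range, redeemed exactly once by the hypercall, with only a small number of issued-but-unredeemed tokens allowed per host) can be modelled in userspace to check that the bookkeeping behaves as described. The following is an added illustration, not code from this thread or from KVM; every name in it (kvmmem_issue_token, kvmmem_redeem_token, MAX_PENDING, the pending table) is a hypothetical stand-in for the kernel-side structures the design would need, and the xorshift generator is a deterministic placeholder for the kernel CSPRNG so the model runs reproducibly offline.

```c
/* Userspace model of the proposed /dev/kvmmem token handshake.
 * Added example, not KVM code; all identifiers are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TOKEN_BYTES 32   /* 256-bit token, the size floated in the message */
#define MAX_PENDING 4    /* "a small number" of issued-but-unredeemed tokens per host */

struct kvmmem_token {
    uint8_t  bytes[TOKEN_BYTES];
    uint64_t gpa;
    uint64_t size;
    int      live;       /* 1 while issued and not yet redeemed */
};

static struct kvmmem_token pending[MAX_PENDING];

/* Deterministic xorshift64* so the model is reproducible. A real
 * implementation must use the kernel CSPRNG (get_random_bytes); a
 * predictable generator would let a guest guess tokens and defeat the scheme. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;

static void fill_random(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        rng_state ^= rng_state >> 12;
        rng_state ^= rng_state << 25;
        rng_state ^= rng_state >> 27;
        buf[i] = (uint8_t)((rng_state * 0x2545F4914F6CDD1DULL) >> 56);
    }
}

/* Constant-time comparison: the redeem path must not reveal how many
 * bytes of a guessed token were right. */
static int token_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < TOKEN_BYTES; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

void kvmmem_reset(void)
{
    memset(pending, 0, sizeof(pending));
}

int kvmmem_pending_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_PENDING; i++)
        n += pending[i].live;
    return n;
}

/* KVMI side: mint a token for {gpa, size}. Fails once the per-host budget
 * of unredeemed tokens is used up. Returns 0 on success, -1 otherwise. */
int kvmmem_issue_token(uint64_t gpa, uint64_t size, uint8_t out[TOKEN_BYTES])
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (pending[i].live)
            continue;
        fill_random(pending[i].bytes, TOKEN_BYTES);
        pending[i].gpa  = gpa;
        pending[i].size = size;
        pending[i].live = 1;
        memcpy(out, pending[i].bytes, TOKEN_BYTES);
        return 0;
    }
    return -1;
}

/* Hypercall side (the KVMMEM_MAP_MEMORY step): redeem a token. A valid
 * token is consumed on first use, so a replayed token is rejected.
 * Returns 0 and fills *gpa/*size on success, -1 if the token is unknown. */
int kvmmem_redeem_token(const uint8_t tok[TOKEN_BYTES],
                        uint64_t *gpa, uint64_t *size)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!pending[i].live || !token_equal(pending[i].bytes, tok))
            continue;
        *gpa  = pending[i].gpa;
        *size = pending[i].size;
        memset(&pending[i], 0, sizeof(pending[i]));
        return 0;
    }
    return -1;
}

int main(void)
{
    uint8_t tok[TOKEN_BYTES];
    uint64_t gpa, size;

    kvmmem_issue_token(0x7000000ULL, 4096, tok);                     /* constructed gpa */
    printf("first redeem:  %d\n", kvmmem_redeem_token(tok, &gpa, &size));
    printf("second redeem: %d\n", kvmmem_redeem_token(tok, &gpa, &size));
    return 0;
}
```

The two properties worth checking are exactly the ones the message relies on: a token cannot be redeemed twice, and issuing stalls once MAX_PENDING tokens are outstanding, which bounds how many live guesses a host ever has to defend against.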