On 2017-10-20 at 20:06:47 +0300, Mihai Donțu wrote:
> On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote:
> > Would you mind providing more information and history about your
> > investigation?
>
> We are using VMI to secure certain parts of a guest kernel in memory
> (like preventing a certain data structure from being overwritten). However,
> it sometimes happens for that part to be placed in the same page with
> other data, of no interest to us, that gets written frequently. This
> makes using the EPT problematic (a 4k page is just too big and
> generates too many violations). However, SPP (with its 128-byte
> granularity) is ideal here.
>
> > > Also, if Intel doesn't have a specific use case for it that requires
> > > separate access to SPP control, then maybe we can fold it into the VMI
> > > API we are working on?
> >
> > That's totally excellent, as we really don't have a specific use case at
> > this time.
>
> OK. We will spend some time thinking about a proper way of exposing SPP
> with the VMI API.
>
> For example, we now work on implementing something similar to this:
>
> kvm_set_page_access( struct kvm *kvm, gfn_t gfn, u8 access );
>
> The simplest approach would be to add something like:
>
> kvm_set_sub_page_access( struct kvm *kvm, gfn_t gfn, u32 mask );
>
> where every bit from 'mask' indicates the write-allowed state of every
> 128-byte subpage.

Got it, seems very compatible with our current implementation.

> > BTW, I have already submitted the SPP implementation draft on the Xen side.
> > When you get some time, you can take a look at whether that matches your
> > requirement.
>
> I believe my colleague Răzvan Cojocaru has already commented on that
> patch set. :-)

Oh, yes, please send my best thanks to him.

> --
> Mihai Donțu
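As an added illustration of the mask encoding proposed above for kvm_set_sub_page_access() (this is example code written for this page, not code from the thread, KVM or Xen; the constants and function names are assumed, with a set bit meaning "write allowed" as described in the reply), the following computes the u32 mask that write-protects only the 128-byte subpages overlapping a guest structure and leaves the rest of the 4K page writable, then checks which page offsets would still trap:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed layout: a 4K guest page split into 32 SPP subpages of 128 bytes,
 * one bit per subpage in the u32 'mask' of the proposed
 * kvm_set_sub_page_access(kvm, gfn, mask). A set bit means "write allowed". */
#define SPP_PAGE_SIZE   4096u
#define SPP_SUBPAGE_SZ  128u
#define SPP_SUBPAGES    (SPP_PAGE_SIZE / SPP_SUBPAGE_SZ)

/* Build the subpage mask for the page containing a protected structure that
 * starts at guest-physical address 'gpa' and spans 'len' bytes. Subpages that
 * overlap the structure get their bit cleared (write-protected); every other
 * subpage stays writable, so frequently-written unrelated data sharing the
 * page does not generate violations. The range is clamped to this page; a
 * structure crossing a page boundary needs one call per page. */
uint32_t spp_mask_for_range(uint64_t gpa, size_t len)
{
    uint64_t start = gpa & (SPP_PAGE_SIZE - 1);   /* byte offset within page */
    uint64_t end = start + len;                   /* exclusive end offset */
    uint32_t mask = UINT32_MAX;                   /* default: whole page writable */

    if (len == 0)
        return mask;
    if (end > SPP_PAGE_SIZE)
        end = SPP_PAGE_SIZE;

    for (uint32_t sub = (uint32_t)(start / SPP_SUBPAGE_SZ);
         sub < SPP_SUBPAGES && (uint64_t)sub * SPP_SUBPAGE_SZ < end; sub++)
        mask &= ~(1u << sub);
    return mask;
}

/* Would a guest write at page offset 'off' be reported as an SPP violation
 * under 'mask'? True exactly when the target subpage's bit is clear. */
bool spp_write_faults(uint32_t mask, uint32_t off)
{
    uint32_t sub = (off & (SPP_PAGE_SIZE - 1)) / SPP_SUBPAGE_SZ;
    return (mask & (1u << sub)) == 0;
}

/* Number of write-protected subpages in the page described by 'mask'. */
unsigned spp_protected_count(uint32_t mask)
{
    unsigned n = 0;
    for (uint32_t sub = 0; sub < SPP_SUBPAGES; sub++)
        if (!(mask & (1u << sub)))
            n++;
    return n;
}
```

With a constructed 200-byte structure at guest-physical 0x7fff0340 (page offset 0x340), only subpages 6, 7 and 8 are protected, so writes to offsets 0x100 or 0x500 in the same page go through without a violation while a write to 0x400 traps.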