Re: Question about KVM API

On 25.03.19 14:45, Sean Christopherson wrote:
> On Mon, Mar 25, 2019 at 10:35:28AM +0100, David Hildenbrand wrote:
>> On 21.03.19 23:52, Steve Rutherford wrote:
>>> Not that I know of.
>>>
>>> This is surprisingly hard to implement correctly in KVM. On Intel x86
>>> it could be done with MTF (monitor trap fault), but you would need to
>>> VMEXIT at each instruction boundary, and getting the behavior right
>>> for other traps/faults is pretty hard when running around with MTF
>>> enabled on every instruction. It could be done somewhat inaccurately
>>> using perf counters (setup interrupt on overflow for the per-thread
>>> instruction count, and set the base value for that counter really
>>> high), but I'm not even sure what the current state of KVM's Perf
>>> support is, or if this trick would work well in practice since this
>>> isn't really what perf counters were built for.
>>>
>>>
>>>
>>> On Wed, Mar 20, 2019 at 9:33 PM liushuyu <liushuyu@xxxxxxx> wrote:
>>>>
>>>> Hi there,
>>>>
>>>> I am new to KVM API and I have a question: Is there a way to stop/kick vCPU
>>>> after it executes a specific number of instructions? I have searched online,
>>>> read the documentation in the Linux kernel source code, searched through the
>>>> archives of this mailing list and I couldn't find the answer.
>>>>
>>>> Thanks very much for your attention.
>>
>> There is a very hacky way to stop/kick a VCPU on every branch using the
>> BTS buffer and EPT, however it requires guest interaction. Most probably
>> not what you are looking for.
> 
> Out of curiosity, why not do EFLAGS.TF=1 && MSR_IA32_DEBUGCTLMSR.BTF=1
> (and VM-Exit on #DBs) to stop on branches?
> 

For the BTS way, what the guest has to do is

1. Setup a valid DS area and BTS buffer (have to be valid addresses in
guest virtual address space)
2. Tell the hypervisor about the DS area address

Guest interaction is required as BTS expects valid addresses in guest
virtual address space. That is hard to fake from the hypervisor.

The hypervisor can then write-protect the DS area and force BTS on
(configuring proper DS) when entering the guest. Whenever a branch is
executed, the BTS is updated by HW (at index 0). When trying to update
the index in the DS area, an EPT violation is triggered. However, the
instruction itself has already been executed and the EPT violation can
simply be ignored. Therefore, the index in the DS area will always be 0
and the BTS buffer never be full. This is pretty much undocumented HW
behavior.

So apart from the initial setup in the guest, no further handling is
required. Assuming, of course, that the guest won't make use of BTS
itself (which should right now be the case if I remember correctly).

We used that hack in a rootkit development course at my University, in
the context of virtual machine introspection.

No instructions have to be emulated (were already executed) and e.g. the
eflags won't have to be modified ever, including not having to worry
about the guest disabling TF. That is the main benefit over using EFLAGS
I guess? But I am no expert on that :)

-- 

Thanks,

David / dhildenb


