Re: [Question] Intercept CR3 access in EPT

R <19890121wr@xxxxxxxxx> · Tue, 9 Oct 2012 09:21:42 +0800

Hi,

Actually, I know that disabling EPT would work. But thank U anyway.
What I interesting in is why would it fail when EPT is enable.

Thank U for answering.

2012/10/9 Marcelo Tosatti <mtosatti@xxxxxxxxxx>:
> On Mon, Oct 08, 2012 at 04:15:57PM +0800, R wrote:
>> Hi,
>>
>> I am a student. And my teacher told me to monitor every process in guest.
>> So, I try to intercept every Cr3 access. However, if kvm is loaded
>> with EPT enable, Acesses to  Cr3  would not cause VM-exit.
>
> Disable EPT by loading kvm-intel.ko module with enable_ept=0 parameter.
> Then, CR3 accesses will trap.
>
>> I modified the code to change vmcs configuration.
>> To be specific, these functions are rewirted.
>> static void ept_update_paging_mode_cr0(unsigned long *hw_cr0,
>>                                       unsigned long cr0,
>>                                       struct kvm_vcpu *vcpu)
>> {
>>             ....
>>                 } else if (!is_paging(vcpu)) {
>>               /* From nonpaging to paging */
>>               vmcs_write32(CPU_BASED_VM_EXEC_CONTROL,
>>                            vmcs_read32(CPU_BASED_VM_EXEC_CONTROL) &
>> -                          ~(CPU_BASED_CR3_LOAD_EXITING |
>> +                           ~(    //   CPU_BASED_CR3_LOAD_EXITING|
>>                              CPU_BASED_CR3_STORE_EXITING));
>>           ....
>> }
>>
>> static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
>> {
>>          ...
>>                 if (_cpu_based_2nd_exec_control & SECONDARY_EXEC_ENABLE_EPT) {
>>               /* CR3 accesses and invlpg don't need to cause VM Exits when EPT
>>                  enabled */
>> -             _cpu_based_exec_control &= ~(CPU_BASED_CR3_LOAD_EXITING |
>> +              _cpu_based_exec_control &= ~(     //
>> CPU_BASED_CR3_LOAD_EXITING |
>>                                            CPU_BASED_CR3_STORE_EXITING |
>>                                            CPU_BASED_INVLPG_EXITING);
>>         ....
>> }
>>
>> I though it can force every Cr3 access to be trapped with EPT enable.
>> However, VM seems to fail to boot when it changes from nonpaging to
>> paging.
>> Do U guys have any idea? Or Can someone tell me how can I intercept
>> Cr3 access and why can not it work?
>>
>> Thank U for answering.
>
>>
>> --
>> Thanks
>> Rui Wu
>> --
>> To unsubscribe from this list: send the line "unsubscribe kvm" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Thanks
Rui Wu
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html