On Wed, Mar 05, 2014 at 06:35:18PM +0200, Alexander Binun wrote: > Now we encountered yet one problem: Our security module (which is a LKM) > performs security check and, when suspecting malicious activity at a VCPU, > must suspend or even kill this VM. The problem is: how to suspend/kill a VCPU > ? > > We have taken the following approach: > 1. Accessing the VM list (struct list_head vms_list ) through the > kallsyms interface > 2. Iterating through VMs, reaching every VCPU (as a structure struct > kvm_vcpu *vcpu) > 3. Running security check on every such structure. That is we were > seeking for a function like cpu_reset(struct kvm_vcpu*vcpu) > > The following "reset funtions" were so far tried (taken from kvm_host.h) > 1. kvm_vcpu_uninit and kvm_x86_ops->vcpu_free. These cause the whole > system (both host and guest OSs) hang. > 2. kvm_vcpu_reset and kvm_arch_vcpu_free lead to the linker error > "Warning! Function undefined". > > Which "reset function" could you recommend ?
The simplest thing to kill a VM is to send SIGTERM to the QEMU process (the process that contains the vcpu thread). Stefan
