Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-11-10 at 16:39:27 +0100, Paolo Bonzini wrote: > On 04/11/2017 17:54, Paolo Bonzini wrote: > > On 04/11/2017 01:12, Yi Zhang wrote: > >>> > >> Adding Ravi, > >> > >> Does anyone have further comments on current implementation, it is a > >> important feature in our next generation chip-set.

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-11-10 at 16:39:27 +0100, Paolo Bonzini wrote: > On 04/11/2017 17:54, Paolo Bonzini wrote: > > On 04/11/2017 01:12, Yi Zhang wrote: > >>> > >> Adding Ravi, > >> > >> Does anyone have further comments on current implementation, it is a > >> important feature in our next generation chip-set.

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 04/11/2017 17:54, Paolo Bonzini wrote: > On 04/11/2017 01:12, Yi Zhang wrote: >>> >> Adding Ravi, >> >> Does anyone have further comments on current implementation, it is a >> important feature in our next generation chip-set. > > What matters is not the feature, but the use case; without a

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 04/11/2017 17:54, Paolo Bonzini wrote: > On 04/11/2017 01:12, Yi Zhang wrote: >>> >> Adding Ravi, >> >> Does anyone have further comments on current implementation, it is a >> important feature in our next generation chip-set. > > What matters is not the feature, but the use case; without a

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 04/11/2017 01:12, Yi Zhang wrote: >> > Adding Ravi, > > Does anyone have further comments on current implementation, it is a > important feature in our next generation chip-set. What matters is not the feature, but the use case; without a use case, there is no point in including code for SPP

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 04/11/2017 01:12, Yi Zhang wrote: >> > Adding Ravi, > > Does anyone have further comments on current implementation, it is a > important feature in our next generation chip-set. What matters is not the feature, but the use case; without a use case, there is no point in including code for SPP

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-14 at 07:11:28 +0800, Zhang Yi wrote: > From: Zhang Yi Z > > Hi All, > > Here is a patch-series which adding EPT-Based Sub-page Write Protection > Support. You can get It's software developer manuals from: > >

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-14 at 07:11:28 +0800, Zhang Yi wrote: > From: Zhang Yi Z > > Hi All, > > Here is a patch-series which adding EPT-Based Sub-page Write Protection > Support. You can get It's software developer manuals from: > >

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-20 at 20:06:47 +0300, Mihai Donțu wrote: > On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote: > > Could you mind to provide more information and history about your > > investigation? > > We are using VMI to secure certain parts of a guest kernel in memory > (like prevent a certain data

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-20 at 20:06:47 +0300, Mihai Donțu wrote: > On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote: > > Could you mind to provide more information and history about your > > investigation? > > We are using VMI to secure certain parts of a guest kernel in memory > (like prevent a certain data

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote: > On 2017-10-18 at 17:13:18 +0300, Mihai Donțu wrote: > > On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote: > > > On 16/10/2017 02:08, Yi Zhang wrote: > > > > > And the introspection facility by Mihai uses a completely > > > > > different

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote: > On 2017-10-18 at 17:13:18 +0300, Mihai Donțu wrote: > > On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote: > > > On 16/10/2017 02:08, Yi Zhang wrote: > > > > > And the introspection facility by Mihai uses a completely > > > > > different

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-19 at 13:57:12 +0200, Paolo Bonzini wrote: > > I would leave out the ioctl without a use case. It's always tricky to > add APIs without a user, as the risk of bit rot is high. But if > somebody comes up with a matching useful patch for QEMU or kvmtool, it's > fine. That's fine,

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-19 at 13:57:12 +0200, Paolo Bonzini wrote: > > I would leave out the ioctl without a use case. It's always tricky to > add APIs without a user, as the risk of bit rot is high. But if > somebody comes up with a matching useful patch for QEMU or kvmtool, it's > fine. That's fine,

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-18 at 17:13:18 +0300, Mihai Donțu wrote: > On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote: > > On 16/10/2017 02:08, Yi Zhang wrote: > > > > And the introspection facility by Mihai uses a completely > > > > different API for the introspector, based on sockets rather than ioctls.

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-18 at 17:13:18 +0300, Mihai Donțu wrote: > On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote: > > On 16/10/2017 02:08, Yi Zhang wrote: > > > > And the introspection facility by Mihai uses a completely > > > > different API for the introspector, based on sockets rather than ioctls.

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 18/10/2017 16:07, Yi Zhang wrote: > On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote: >>> >>> Currently, We only block the write access, As far as I know an example, >>> we now using it in a security daemon: >> >> Understood. However, I think QEMU is the wrong place to set this up. >> >>

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 18/10/2017 16:07, Yi Zhang wrote: > On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote: >>> >>> Currently, We only block the write access, As far as I know an example, >>> we now using it in a security daemon: >> >> Understood. However, I think QEMU is the wrong place to set this up. >> >>

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote: > On 16/10/2017 02:08, Yi Zhang wrote: > > > And the introspection facility by Mihai uses a completely > > > different API for the introspector, based on sockets rather than ioctls. > > > So I'm not sure this is the right API at all. > > > >

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote: > On 16/10/2017 02:08, Yi Zhang wrote: > > > And the introspection facility by Mihai uses a completely > > > different API for the introspector, based on sockets rather than ioctls. > > > So I'm not sure this is the right API at all. > > > >

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote: > > > > Currently, We only block the write access, As far as I know an example, > > we now using it in a security daemon: > > Understood. However, I think QEMU is the wrong place to set this up. > > If the kernel wants to protect _itself_,

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote: > > > > Currently, We only block the write access, As far as I know an example, > > we now using it in a security daemon: > > Understood. However, I think QEMU is the wrong place to set this up. > > If the kernel wants to protect _itself_,

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-18 at 00:09:36 -0700, Christoph Hellwig wrote: > > We introduced 2 ioctls to let user application to set/get subpage write > > protection bitmap per gfn, each gfn corresponds to a bitmap. > > The user application, qemu, or some other security control daemon. will set > > the

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 2017-10-18 at 00:09:36 -0700, Christoph Hellwig wrote: > > We introduced 2 ioctls to let user application to set/get subpage write > > protection bitmap per gfn, each gfn corresponds to a bitmap. > > The user application, qemu, or some other security control daemon. will set > > the

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 16/10/2017 02:08, Yi Zhang wrote: >> And the introspection facility by Mihai uses a completely >> different API for the introspector, based on sockets rather than ioctls. >> So I'm not sure this is the right API at all. > > Currently, We only block the write access, As far as I know an

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

On 16/10/2017 02:08, Yi Zhang wrote: >> And the introspection facility by Mihai uses a completely >> different API for the introspector, based on sockets rather than ioctls. >> So I'm not sure this is the right API at all. > > Currently, We only block the write access, As far as I know an

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

> We introduced 2 ioctls to let user application to set/get subpage write > protection bitmap per gfn, each gfn corresponds to a bitmap. > The user application, qemu, or some other security control daemon. will set > the protection bitmap via this ioctl. > the API defined as: > struct

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

> We introduced 2 ioctls to let user application to set/get subpage write > protection bitmap per gfn, each gfn corresponds to a bitmap. > The user application, qemu, or some other security control daemon. will set > the protection bitmap via this ioctl. > the API defined as: > struct

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

Thanks for your quick response Paolo. On 2017-10-13 at 17:13:25 -0400, Paolo Bonzini wrote: > > > I'll ask before Paolo does: Can you please add kvm-unit-tests to > > exercise all of this new code? > > More specifically it should be the api/ unit tests because this code > can only be triggered

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

Thanks for your quick response Paolo. On 2017-10-13 at 17:13:25 -0400, Paolo Bonzini wrote: > > > I'll ask before Paolo does: Can you please add kvm-unit-tests to > > exercise all of this new code? > > More specifically it should be the api/ unit tests because this code > can only be triggered

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

Thanks for your review Jim. On 2017-10-13 at 09:57:45 -0700, Jim Mattson wrote: > I'll ask before Paolo does: Can you please add kvm-unit-tests to > exercise all of this new code? it is should be a API/ioctl tools rather than a kvm-unit-test. Actually, I have prepared a draft version of tools

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

Thanks for your review Jim. On 2017-10-13 at 09:57:45 -0700, Jim Mattson wrote: > I'll ask before Paolo does: Can you please add kvm-unit-tests to > exercise all of this new code? it is should be a API/ioctl tools rather than a kvm-unit-test. Actually, I have prepared a draft version of tools

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

> I'll ask before Paolo does: Can you please add kvm-unit-tests to > exercise all of this new code? More specifically it should be the api/ unit tests because this code can only be triggered by specific code in the host. However, as things stand I'm not sure about how userspace would use it.

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

> I'll ask before Paolo does: Can you please add kvm-unit-tests to > exercise all of this new code? More specifically it should be the api/ unit tests because this code can only be triggered by specific code in the host. However, as things stand I'm not sure about how userspace would use it.

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

I'll ask before Paolo does: Can you please add kvm-unit-tests to exercise all of this new code? BTW, what generation of hardware do we need to exercise this code ourselves? On Fri, Oct 13, 2017 at 4:11 PM, Zhang Yi wrote: > From: Zhang Yi Z

Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.

I'll ask before Paolo does: Can you please add kvm-unit-tests to exercise all of this new code? BTW, what generation of hardware do we need to exercise this code ourselves? On Fri, Oct 13, 2017 at 4:11 PM, Zhang Yi wrote: > From: Zhang Yi Z > > Hi All, > > Here is a patch-series which adding