* read-only pagetable entries
@ 2011-06-20  2:29 Srujan Kotikela
  2011-06-20  8:27 ` Tim Deegan
  0 siblings, 1 reply; 6+ messages in thread
From: Srujan Kotikela @ 2011-06-20  2:29 UTC (permalink / raw)
  To: xen-devel



Hi,

I am trying to mark certain page-table entries (pte) of a guest as read-only
by the guest operating system (complete control by xen). If this pte is
ever to be changed to READ/WRITE, it should be done by  a custom hypercall
(called only by a special process). The guest os's request to mark this pte
READ/WRITE should be denied/ignored by xen.

The approach I am planning is, obtain the (guest) virtual address from the
process and pass to xen through hypercall, obtain cr3 from the vcpu, compute
PDE (page directory entry), obtain PT (Page Table) base address, compute
PTE's (guest) physical address. Then translate PFN to MFN and update the
entries to READ-ONLY.

However, I feel this process is not sufficient to restrict the OS from
changing it. So I would like to know your suggestions/changes in my
approach.

--
Srujan D. Kotikela

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: read-only pagetable entries
  2011-06-20  2:29 read-only pagetable entries Srujan Kotikela
@ 2011-06-20  8:27 ` Tim Deegan
       [not found]   ` <BANLkTikEknW=eo9Wt0i41Bb-omTzv6jCBw@mail.gmail.com>
  2011-06-28 17:54   ` Srujan Kotikela
  0 siblings, 2 replies; 6+ messages in thread
From: Tim Deegan @ 2011-06-20  8:27 UTC (permalink / raw)
  To: Srujan Kotikela; +Cc: xen-devel

Hi, 

At 21:29 -0500 on 19 Jun (1308518969), Srujan Kotikela wrote:
> I am trying to mark certain page-table entries (pte) of a guest as read-only
> by the guest operating system (complete control by xen). If this pte is
> ever to be changed to READ/WRITE, it should be done by  a custom hypercall
> (called only by a special process). The guest os's request to mark this pte
> READ/WRITE should be denied/ignored by xen.
> 
> The approach I am planning is, obtain the (guest) virtual address from the
> process and pass to xen through hypercall, obtain cr3 from the vcpu, compute
> PDE (page directory entry), obtain PT (Page Table) base address, compute
> PTE's (guest) physical address. Then translate PFN to MFN and update the
> entries to READ-ONLY.
> 
> However, I feel this process is not sufficient to restrict the OS from
> changing it.

It's certainly not enough to stop the OS from changing it by itself.
You'd need to make that PTE read-only _and_ make all mappings of the PTE
itself read-only _and_ make sure there are no new r/w mappings of it.

I think the right thing to do is to translate the VA you start with into
a PFN and then just call p2m_change_type to mark that PFN read-only.
That way, the PTE the guest sees will still be r/w but all writes to the
address will be dropped.  (That assumes this is a HVM guest, by the
way).

Cheers,

Tim.

-- 
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)

^ permalink raw reply	[flat|nested] 6+ messages in thread
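The difference between the two approaches in the reply above, as an added example that is not part of the thread and not Xen code. It is a toy model: the one-level, four-entry page table, the frame numbers, and the names `guest_write`, `final_value` and `toy_p2m_type` are all assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define PTE_P    0x1u
#define PTE_RW   0x2u
#define PT_GFN   1   /* frame holding the guest's toy page table */
#define DATA_GFN 2   /* frame the special process wants protected */
enum toy_p2m_type { TOY_RAM_RW, TOY_RAM_RO };   /* stand-ins, not Xen's enum */

static uint32_t guest_mem[4][4];                /* guest frames, 4 words each */
static enum toy_p2m_type p2m[4];                /* hypervisor-owned type per GFN */

static uint32_t mk_pte(unsigned gfn, uint32_t flags) { return (gfn << 12) | flags; }

/* Guest store through a VPN: stage 1 is the guest PTE, stage 2 the p2m type.
 * Returns 1 if memory changed, 0 if the write faulted or was dropped. */
static int guest_write(unsigned vpn, unsigned word, uint32_t val)
{
    uint32_t pte = guest_mem[PT_GFN][vpn];
    if ((pte & (PTE_P | PTE_RW)) != (PTE_P | PTE_RW))
        return 0;                               /* guest-level protection */
    if (p2m[pte >> 12] == TOY_RAM_RO)
        return 0;                               /* dropped below the guest */
    guest_mem[pte >> 12][word] = val;
    return 1;
}

/* use_p2m == 0: hypervisor clears RW in the PTE only (plan from the first mail).
 * use_p2m == 1: PTE left alone, the frame's p2m type is made read-only. */
int final_value(int use_p2m)
{
    memset(guest_mem, 0, sizeof(guest_mem));
    guest_mem[PT_GFN][0] = mk_pte(DATA_GFN, PTE_P | PTE_RW);  /* VPN 0: data */
    guest_mem[PT_GFN][1] = mk_pte(PT_GFN, PTE_P | PTE_RW);    /* VPN 1: the PT itself */
    guest_mem[DATA_GFN][0] = 0x1111;
    p2m[DATA_GFN] = use_p2m ? TOY_RAM_RO : TOY_RAM_RW;
    if (!use_p2m)
        guest_mem[PT_GFN][0] &= ~PTE_RW;
    guest_write(0, 0, 0x2222);                            /* direct attempt */
    guest_write(1, 0, mk_pte(DATA_GFN, PTE_P | PTE_RW));  /* guest rewrites PTE 0 via VPN 1 */
    guest_write(1, 2, mk_pte(DATA_GFN, PTE_P | PTE_RW));  /* and adds an alias at VPN 2 */
    guest_write(0, 0, 0x3333);
    guest_write(2, 0, 0x4444);
    return (int)guest_mem[DATA_GFN][0];                   /* 0x1111 means still protected */
}
```

With the PTE-only edit the guest's own writable mapping of its page table undoes the protection; with the frame-level type the PTE and the alias both stay r/w in the guest's view and the stores never land.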

* Re: read-only pagetable entries
       [not found]   ` <BANLkTikEknW=eo9Wt0i41Bb-omTzv6jCBw@mail.gmail.com>
@ 2011-06-20 12:10     ` Tim Deegan
  2011-06-20 12:33       ` Srujan Kotikela
  0 siblings, 1 reply; 6+ messages in thread
From: Tim Deegan @ 2011-06-20 12:10 UTC (permalink / raw)
  To: Srujan Kotikela; +Cc: xen-devel

Hi, 

Please don't take discussions off-list.  Cc'ing xen-devel again. 

At 12:58 +0100 on 20 Jun (1308574721), Srujan Kotikela wrote:
> Hi,
> 
> Thanks for the prompt reply. Can you tell me how to achieve the same
> in PV guests?

In PV guests you could try turning on shadow paging and enforcing the same
read-only idea (but PV guests don't have a p2m table so that will be
messy; you might be able to hook gmfn_to_mfn?).  Or you could update the
PV pagetable interface to require the guest to make the PTE read-only
(by hooking adjust_guest_l1e or similar).  That would have much better
performance but might need changes to the guest kernel to cope with its
PTEs being read-only. 

> Also is there any standard/official documentation for
> Xen's memory management?

Not really, no.  The basic ideas are laid out in the original Xen papers
and in some of the Xen books that have been published but there's no 
technical documentation for the code except what's in comments and HG
log entries. 

Tim.

-- 
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: read-only pagetable entries
  2011-06-20 12:10     ` Tim Deegan
@ 2011-06-20 12:33       ` Srujan Kotikela
  0 siblings, 0 replies; 6+ messages in thread
From: Srujan Kotikela @ 2011-06-20 12:33 UTC (permalink / raw)
  To: Tim Deegan; +Cc: xen-devel



Sorry,

Clicked reply instead of reply-to-all.

--
Srujan D. Kotikela


On Mon, Jun 20, 2011 at 7:10 AM, Tim Deegan <Tim.Deegan@citrix.com> wrote:

> Hi,
>
> Please don't take discussions off-list.  Cc'ing xen-devel again.
>
> At 12:58 +0100 on 20 Jun (1308574721), Srujan Kotikela wrote:
> > Hi,
> >
> > Thanks for the prompt reply. Can you tell me how to achieve the same
> > in PV guests?
>
> In PV guests you could try turning on shadow paging and enforcing the same
> read-only idea (but PV guests don't have a p2m table so that will be
> messy; you might be able to hook gmfn_to_mfn?).  Or you could update the
> PV pagetable interface to require the guest to make the PTE read-only
> (by hooking adjust_guest_l1e or similar).  That would have much better
> performance but might need changes to the guest kernel to cope with its
> PTEs being read-only.
>
> > Also is there any standard/official documentation for
> > Xen's memory management?
>
> Not really, no.  The basic ideas are laid out in the original Xen papers
> and in some of the Xen books that have been published but there's no
> technical documentation for the code except what's in comments and HG
> log entries.
>
> Tim.
>
> --
> Tim Deegan <Tim.Deegan@citrix.com>
> Principal Software Engineer, Xen Platform Team
> Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)
>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: read-only pagetable entries
  2011-06-20  8:27 ` Tim Deegan
       [not found]   ` <BANLkTikEknW=eo9Wt0i41Bb-omTzv6jCBw@mail.gmail.com>
@ 2011-06-28 17:54   ` Srujan Kotikela
  2011-06-29  8:40     ` Tim Deegan
  1 sibling, 1 reply; 6+ messages in thread
From: Srujan Kotikela @ 2011-06-28 17:54 UTC (permalink / raw)
  To: xen-devel, Tim Deegan



On Mon, Jun 20, 2011 at 3:27 AM, Tim Deegan <Tim.Deegan@citrix.com> wrote:

> Hi,
>
> At 21:29 -0500 on 19 Jun (1308518969), Srujan Kotikela wrote:
> > I am trying to mark certain page-table entries (pte) of a guest as read-only
> > by the guest operating system (complete control by xen). If this pte is
> > ever to be changed to READ/WRITE, it should be done by  a custom hypercall
> > (called only by a special process). The guest os's request to mark this pte
> > READ/WRITE should be denied/ignored by xen.
> >
> > The approach I am planning is, obtain the (guest) virtual address from the
> > process and pass to xen through hypercall, obtain cr3 from the vcpu, compute
> > PDE (page directory entry), obtain PT (Page Table) base address, compute
> > PTE's (guest) physical address. Then translate PFN to MFN and update the
> > entries to READ-ONLY.
> >
> > However, I feel this process is not sufficient to restrict the OS from
> > changing it.
>
> It's certainly not enough to stop the OS from changing it by itself.
> You'd need to make that PTE read-only _and_ make all mappings of the PTE
> itself read-only _and_ make sure there are no new r/w mappings of it.
>
> I think the right thing to do is to translate the VA you start with into
> a PFN and then just call p2m_change_type to mark that PFN read-only.
> That way, the PTE the guest sees will still be r/w but all writes to the
> address will be dropped.  (That assumes this is a HVM guest, by the
> way).


> Cheers,
>
> Tim.
>
> --
> Tim Deegan <Tim.Deegan@citrix.com>
> Principal Software Engineer, Xen Platform Team
> Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)
>



Hi,

I am trying to see the working of "p2m_change_type". For this I am
passing the PFN of a variable (computed using virt_to_pfn(&variable)) in a
kernel module. Then this PFN is being passed to VMM through a hypercall
(from a HVM guest). In the hypercall handler, I have the following code
(where PFN == GFN):

    struct vcpu *v = current;
    struct domain *d = v->domain;

    p2m_type_t ot;
    mfn_t mfn;

    mfn = gfn_to_mfn(d, gfn, &ot);        // find the old type of the gfn
    printk("MFN  : %lx\n", mfn);
    printk("OT   : %d\n", ot);

    p2m_change_type(d, gfn, ot, p2m_ram_ro);

After this I tried to assign a new value to variable (to test if the
write request is being dropped). But, the DomU hangs within the kernel
module (insmod command is never being completed).

I assume this is because I am doing it within a kernel module. Now I am
going to try passing a user process' variable's address to kernel module and
pass it further to hypervisor and repeat the above process. Before that, I
just want to make sure that I am going in the right direction.

Thanks,
_SDK

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: read-only pagetable entries
  2011-06-28 17:54   ` Srujan Kotikela
@ 2011-06-29  8:40     ` Tim Deegan
  0 siblings, 0 replies; 6+ messages in thread
From: Tim Deegan @ 2011-06-29  8:40 UTC (permalink / raw)
  To: Srujan Kotikela; +Cc: xen-devel

Hi, 

At 12:54 -0500 on 28 Jun (1309265682), Srujan Kotikela wrote:
>    I am trying to see the working of "p2m_change_type". For this I am
> passing the PFN of a variable (computed using virt_to_pfn(&variable)) in a
> kernel module. Then this PFN is being passed to VMM through a hypercall
> (from a HVM guest). In the hypercall handler, I have the following code
> (where PFN == GFN) :
> 
>     struct vcpu *v = current;
>     struct domain *d = v->domain;
>
>     p2m_type_t ot;
>     mfn_t mfn;
>
>     mfn = gfn_to_mfn(d, gfn, &ot);        // find the old type of the gfn
>     printk("MFN  : %lx\n", mfn);
>     printk("OT   : %d\n", ot);
>
>     p2m_change_type(d, gfn, ot, p2m_ram_ro);

You might want to check the return value of p2m_change_type; it does
an atomic compare-exchange so it might not have changed the type if
another CPU changed the p2m entry under your feet.

>    After this I tried to assign a new value to variable (to test if the
> write request is being dropped).  But, the DomU hangs within the kernel
> module (insmod command is never being completed).
> 
>    I assume this is because I am doing it within a kernel module. Now I am
> going to try passing a user process' variable's address to kernel module and
> pass it further to hypervisor  and repeat the above process. Before that, I
> just want to make sure that I am going in the right direction.

Yes, that looks basically OK to me.  I don't think there's any reason
why being in the kernel would make a difference.  Did you make sure that
no other variables are on the same page as the one you're protecting?

Tim.

-- 
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)

^ permalink raw reply	[flat|nested] 6+ messages in thread
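The two checks raised in the reply above (the compare-exchange result and what else lives on the protected page), as an added example that is not part of the thread and not Xen or guest kernel code. `toy_change_type`, the `toy_type` values and both test objects are assumptions; in particular, the toy returns the type it found, which is this model's convention and should be checked against the tree in use.

```c
#include <stdatomic.h>
#include <stdint.h>

#define PAGE_SIZE 4096u
enum toy_type { TOY_RAM_RW, TOY_RAM_RO, TOY_RAM_LOGDIRTY };   /* stand-ins */

static _Atomic int toy_p2m[4];                  /* one type per GFN */

/* Toy compare-exchange: install nt only if the entry still holds ot.
 * Returns the type found, so a result != ot means nothing was changed. */
static int toy_change_type(unsigned gfn, int ot, int nt)
{
    int found = ot;
    atomic_compare_exchange_strong(&toy_p2m[gfn], &found, nt);
    return found;
}

/* Constructed interleaving: ot is sampled, another CPU changes the entry,
 * then the stale ot is used.  Returns 1 only if the frame became read-only. */
int stale_ot_applied(void)
{
    atomic_store(&toy_p2m[2], TOY_RAM_RW);
    int ot = atomic_load(&toy_p2m[2]);            /* like the lookup that fills ot */
    atomic_store(&toy_p2m[2], TOY_RAM_LOGDIRTY);  /* concurrent change */
    return toy_change_type(2, ot, TOY_RAM_RO) == ot;
}

/* Same call with no interleaved change: the type is installed. */
int fresh_ot_applied(void)
{
    atomic_store(&toy_p2m[3], TOY_RAM_RW);
    int ot = atomic_load(&toy_p2m[3]);
    return toy_change_type(3, ot, TOY_RAM_RO) == ot;
}

/* Protection is per frame: every object sharing the frame loses its writes. */
static _Alignas(16) struct { int counter, target, flag; } packed;
static _Alignas(4096) union { int target; unsigned char pad[4096]; } isolated;

static int same_frame(const void *a, const void *b)
{
    return (uintptr_t)a / PAGE_SIZE == (uintptr_t)b / PAGE_SIZE;
}

/* Neighbours of packed.target share its frame; isolated.target owns a whole frame. */
int packed_neighbours_affected(void)   { return same_frame(&packed.target, &packed.flag); }
int isolated_neighbours_affected(void) { return same_frame(&isolated.target, &packed); }
```

A caller that ignores the result of the stale call would go on to test writes against a frame that was never made read-only, and a target laid out like `packed` takes its neighbours' writes down with it.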
