From: Zhang Yi <yi.z.zhang@linux.intel.com>
To: xen-devel@lists.xenproject.org
Cc: kevin.tian@intel.com, tamas@tklengyel.com, wei.liu2@citrix.com,
	jun.nakajima@intel.com, rcojocaru@bitdefender.com,
	george.dunlap@eu.citrix.com, andrew.cooper3@citrix.com,
	ian.jackson@eu.citrix.com,
	Zhang Yi Z <yi.z.zhang@linux.intel.com>,
	jbeulich@suse.com
Subject: [PATCH RFC 00/14] Intel EPT-Based Sub-page Write Protection Support.
Date: Thu, 19 Oct 2017 16:04:51 +0800
Message-ID: <cover.1508397860.git.yi.z.zhang@linux.intel.com>

From: Zhang Yi Z <yi.z.zhang@linux.intel.com>

Hi All,

Here is a patch series which adds EPT-Based Sub-page Write Protection support. You can get its software developer manual from:

https://software.intel.com/sites/default/files/managed/c5/15/architecture-instruction-set-extensions-programming-reference.pdf

In Chapter 4 EPT-BASED SUB-PAGE PERMISSIONS.

Introduction:

EPT-Based Sub-page Write Protection, referred to as SPP, is a capability which allows Virtual Machine Monitors (VMMs) to specify write permission for guest physical memory at a sub-page (128 byte) granularity. When this capability is utilized, the CPU enforces write-access permissions for sub-page regions of 4K pages as specified by the VMM. EPT-based sub-page permissions are intended to enable fine-grained memory write enforcement by a VMM for security (guest OS monitoring) and usages such as device virtualization and memory check-point.

How SPP Works:

SPP is active when the "sub-page write protection" VM-execution control is 1. A new 4-level paging structure named the SPP page table (SPPT) is introduced; the SPPT looks up guest physical addresses to derive a 64-bit "sub-page permission" value containing sub-page write permissions. The lookup from guest-physical addresses to the sub-page region permissions is determined by a set of these SPPT paging structures.

The SPPT is used to look up write permission bits for the 128 byte sub-page regions contained in the 4KB guest physical page. EPT specifies the 4KB page level privileges that software is allowed when accessing the guest physical address, whereas SPPT defines the write permissions for software at the 128 byte granularity regions within a 4KB page. Write accesses prevented due to sub-page permissions looked up via SPPT are reported as EPT violation VM exits. Similar to EPT, a logical processor uses SPPT to look up sub-page region write permissions for guest-physical addresses only when those addresses are used to access memory.

Guest write access --> GPA --> Walk EPT --> EPT leaf entry -┐
┌-----------------------------------------------------------┘
└-> if VMexec_control.spp && ept_leaf_entry.spp_bit (bit 61)
     |
     └-> <false> --> EPT legacy behavior
     |
     |
     └-> <true>  --> if ept_leaf_entry.writable
                      |
                      └-> <true>  --> Ignore SPP
                      |
                      └-> <false> --> GPA --> Walk SPP 4-level table--┐
                                                                      |
┌------------<----------get-the-SPPT-point-from-VMCS-field-----<------┘
|
Walk SPP L4E table
|
└┐--> entry misconfiguration ------------>----------┐<----------------┐
 |                                                  |                 |
else                                                |                 |
 |                                                  |                 |
 |   ┌------------------SPP VMexit<-----------------┘                 |
 |   |                                                                |
 |   └-> exit_qualification & sppt_misconfig --> sppt misconfig       |
 |   |                                                                |
 |   └-> exit_qualification & sppt_miss --> sppt miss                 |
 └--┐                                                                 |
    |                                                                 |
walk SPPT L3E--┐--> if-entry-misconfiguration------------>------------┘
               |                                                      |
              else                                                    |
               |                                                      |
               |                                                      |
        walk SPPT L2E --┐--> if-entry-misconfiguration-------->-------┘
                        |                                             |
                       else                                           |
                        |                                             |
                        |                                             |
                 walk SPPT L1E --┐-> if-entry-misconfiguration--->----┘
                                 |
                                else
                                 |
                                 └-> if sub-page writable
                                      └-> <true>  allow, write access
                                      └-> <false> disallow, EPT violation

Patch-set Description:

Patch 1: Documentation.

Patch 2: This patch adds reporting of the SPP capability from the VMX Procbased MSR; according to the definition in the hardware spec, bit 23 is the control of the SPP capability.

Patch 3: Adds a new secondary processor-based VM-execution control bit, defined as "sub-page write permission"; same as in the VMX Procbased MSR, bit 23 is the enable bit of SPP.
We also introduced a kernel parameter "enable_ept_spp"; SPP is now active when "Sub-page Write Protection" in the Secondary VM-Execution Control is set and the kernel parameter is enabled by "enable_ept_spp=1".

Patch 4: Introduces the SPPTP and the SPP page table.
The sub-page permission table is referenced via a 64-bit control field called Sub-Page Permission Table Pointer (SPPTP), which contains a 4K-aligned physical address. The index and encoding for this VMCS field is defined as 0x2030 at this time. The format of the SPPTP is shown in the figure below:

| Bit    | Contents                                       |
| :----- | :--------------------------------------------- |
| 11:0   | Reserved (0)                                   |
| N-1:12 | Physical address of 4KB aligned SPPT L4E Table |
| 51:N   | Reserved (0)                                   |
| 63:52  | Reserved (0)                                   |

This patch also introduces the SPP paging structures, whose root page will be created at p2m_alloc_table.

Patch 5: Introduces the SPP-induced VM exit and its handler.
Accesses using guest-physical addresses may cause SPP-induced VM exits due to an SPPT misconfiguration or an SPPT miss. The basic VM exit reason code reported for SPP-induced VM exits is 66.

Also introduces the new exit qualification for SPPT-induced VM exits.

| Bit   | Contents                                                          |
| :---- | :---------------------------------------------------------------- |
| 10:0  | Reserved (0).                                                     |
| 11    | SPPT VM exit type. Set for SPPT Miss, cleared for SPPT Misconfig. |
| 12    | NMI unblocking due to IRET                                        |
| 63:13 | Reserved (0)                                                      |


Patch 7 ~ Patch 8: Set up the SPP page table and update the EPT leaf entry indicated with the SPP enable bit.
If the sub-page write permission VM-execution control is set, treatment of write accesses to guest-physical accesses depends on the state of the accumulated write-access bit (position 1) and sub-page permission bit (position 61) in the EPT leaf paging-structure.
Software will update the EPT leaf entry sub-page permission bit in xen_set_subpage (patch 7). If the EPT write-access bit is set to 0 and the SPP bit is set to 1 in the leaf EPT paging-structure entry that maps a 4KB page, then the hardware will look up a VMM-managed Sub-Page Permission Table (SPPT), which will be prepared by the setup in xen_set_subpage (patch 8).
The hardware uses the guest-physical address and bits 11:7 of the address accessed to look up the SPPT to fetch a write permission bit for the 128 byte wide sub-page region being accessed within the 4K guest-physical page. If the sub-page region write permission bit is set, the write is allowed; otherwise the write is disallowed and results in an EPT violation.
Guest-physical pages mapped via leaf EPT-paging-structures for which the accumulated write-access bit and the SPP bits are both clear (0) generate EPT violations on memory write accesses. Guest-physical pages mapped via EPT-paging-structure for which the accumulated write-access bit is set (1) allow writes, effectively ignoring the SPP bit on the leaf EPT-paging structure.
Software will set up SPP page table levels 4, 3 and 2 as well as the EPT page structure, and fill the level 1 page via the 32-bit bitmap per single 4K page. Now it can be divided into 32 x 128 sub-pages.

The SPP L4E, L3E and L2E format is defined in the figure below.

| Bit    | Contents                                                               |
| :----- | :--------------------------------------------------------------------- |
| 0      | Valid entry when set; indicates whether the entry is present           |
| 11:1   | Reserved (0)                                                           |
| N-1:12 | Physical address of 4K aligned SPPT LX-1 Table referenced by the entry |
| 51:N   | Reserved (0)                                                           |
| 63:52  | Reserved (0)                                                           |

Note: N is the physical address width supported by the processor, X is the page level.

The SPP L1E format is defined in the figure below.

| Bit   | Contents                                                          |
| :---- | :---------------------------------------------------------------- |
| 0+2i  | Write permission for i-th 128 byte sub-page region.               |
| 1+2i  | Reserved (0).                                                     |

Note: `0<=i<=31`

Patch 9 ~ Patch 10: Introduces a hypercall to set subpage protection.

The new Xen hypercall is HVMOP_set_subpage.
The interface's parameters are defined as

    struct xen_hvm_subpage {
        domid_t  domid;       /* target domain */
        uint32_t access_map;  /* 32-bit sub-page bitmap for the 4K page */
        uint64_t gfn;         /* guest frame number of the 4K page */
    };

Patch 11: Adds handling of the EPT subpage write protection fault.
A control bit in EPT leaf paging-structure entries is defined as “Sub-Page Permission” (SPP bit). The bit position is 61; it is chosen from among the bits that are currently ignored by the processor and available to software.
While the hardware walks the SPP page table, if the sub-page region write permission bit is set, the write is allowed; otherwise the write is disallowed and results in an EPT violation.
We need to peek at this case in the EPT violation handler.

Patch 13 ~ Patch 14: Implement a user tool to set subpage protection.
It is a tool that can set a 32-bit bitmap for a 4K page: xen-subpage -m [domid] set [gfn] [bitmap]

Zhang Yi Z (14):
  xen: vmx: Added EPT based Subpage Write Protection Doc.
  xen: vmx: Added VMX SPP feature flags and VM-Execution Controls.
  xen: vmx: Introduce the SPPTP and SPP page table.
  xen: vmx: Introduce SPP-Induced vm exit and it's handle.
  xen: vmx: Disable the 2M/1G superpage when SPP enabled
  xen: vmx: Added SPP flags in EPT leaf entry.
  xen: vmx: Update the EPT leaf entry indicated with the SPP enable bit.
  xen: vmx: Added setup spp page structure.
  xen: vmx: Introduce a Hyper call to set subpage
  xen: vmx: Implement the Hypercall p2m_set_subpage
  xen: vmx: Added handle of SPP write protection fault
  xen: vmx: Support for clear EPT SPP write Protect bit
  xen: tools: Introduce the set-subpage into xenctrl
  xen: tools: Added xen-subpage tool.

 docs/txt/misc/spp_xen.txt             | 259 ++++++++++++++++++++++++++++++++++
 tools/libxc/include/xenctrl.h         |   2 +
 tools/libxc/xc_mem_paging.c           |  20 +++
 tools/tests/xen-subpage/Makefile      |  30 ++++
 tools/tests/xen-subpage/xen-subpage.c | 125 ++++++++++++++++
 xen/arch/x86/hvm/hvm.c                |  21 +++
 xen/arch/x86/hvm/vmx/vmcs.c           |  20 +++
 xen/arch/x86/hvm/vmx/vmx.c            |  40 ++++++
 xen/arch/x86/mm/mem_access.c          |  80 +++++++++++
 xen/arch/x86/mm/p2m-ept.c             | 152 ++++++++++++++++++++
 xen/arch/x86/mm/p2m.c                 |  12 +-
 xen/include/asm-x86/hvm/hvm.h         |   2 +
 xen/include/asm-x86/hvm/vmx/vmcs.h    |  14 ++
 xen/include/asm-x86/hvm/vmx/vmx.h     |  26 +++-
 xen/include/asm-x86/p2m.h             |  13 +-
 xen/include/public/hvm/hvm_op.h       |   9 ++
 xen/include/xen/mem_access.h          |   3 +
 17 files changed, 824 insertions(+), 4 deletions(-)
 create mode 100644 docs/txt/misc/spp_xen.txt
 create mode 100644 tools/tests/xen-subpage/Makefile
 create mode 100644 tools/tests/xen-subpage/xen-subpage.c

-- 
2.7.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
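
Added example (not part of the original message or of the patch series): a small C model of the L1E encoding and the write decision described in the cover letter above. All function and macro names are hypothetical, and the SPPT walk is assumed to have already reached a valid L1E.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SPP_SUBPAGE_SHIFT 7             /* 128-byte sub-page regions */
#define SPP_SUBPAGES      32            /* 4096 / 128 regions per 4KB page */
#define EPT_W_BIT         (1ULL << 1)   /* EPT leaf write-access bit */
#define EPT_SPP_BIT       (1ULL << 61)  /* EPT leaf SPP bit */
#define SPP_EXIT_MISS     (1ULL << 11)  /* exit qualification bit 11 */

/* Expand a 32-bit access_map into an SPPT L1E: bit 2i carries the write
 * permission of sub-page i, bit 2i+1 is reserved and stays 0. */
uint64_t spp_l1e_from_map(uint32_t access_map)
{
    uint64_t l1e = 0;
    for (unsigned int i = 0; i < SPP_SUBPAGES; i++)
        if (access_map & (1u << i))
            l1e |= 1ULL << (2 * i);
    return l1e;
}

/* Write decision for a 4KB mapping; assumes the SPPT walk reached a valid
 * L1E (no SPPT miss or misconfiguration). false means EPT violation. */
bool spp_write_allowed(bool spp_ctl, uint64_t ept_leaf, uint64_t l1e,
                       uint64_t gpa)
{
    if (ept_leaf & EPT_W_BIT)
        return true;                    /* writable leaf: SPP bit ignored */
    if (!spp_ctl || !(ept_leaf & EPT_SPP_BIT))
        return false;                   /* legacy EPT write protection */
    unsigned int i = (gpa >> SPP_SUBPAGE_SHIFT) & (SPP_SUBPAGES - 1);
    return (l1e >> (2 * i)) & 1;        /* GPA bits 11:7 select the region */
}

/* SPP-induced VM exit (reason 66): bit 11 set = miss, clear = misconfig. */
bool spp_exit_is_miss(uint64_t exit_qual)
{
    return (exit_qual & SPP_EXIT_MISS) != 0;
}

int main(void)
{
    uint64_t l1e = spp_l1e_from_map(0x00000002u); /* only sub-page 1 writable */
    for (uint64_t gpa = 0x1000; gpa < 0x1200; gpa += 0x80) /* constructed GPAs */
        printf("write to %#llx: %s\n", (unsigned long long)gpa,
               spp_write_allowed(true, EPT_SPP_BIT, l1e, gpa)
                   ? "allowed" : "EPT violation");
    return 0;
}
```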
