From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH] vm_event: Implement ARM SMC events
Date: Wed, 13 Apr 2016 11:17:57 +0100
Message-ID: <570E1CD5.7000802@citrix.com>
References: <1460404042-31179-1-git-send-email-tamas@tklengyel.com>
 <570CA910.8050404@bitdefender.com>
 <CABfawhkp1BHL320WcgidN16D+J09+F_0iq2ByLrmx_c_4Sh1XA@mail.gmail.com>
 <570D2135.1040204@arm.com> <570D2AC3.2040801@bitdefender.com>
 <CABfawhkPsHnNR7SrDE_6QD7b9C5RK4uVTX-TuoQ6_5uKW1HUvg@mail.gmail.com>
 <570E0967.3070600@bitdefender.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5917506113056741205=="
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <prvs=9041b42d2=Andrew.Cooper3@citrix.com>)
 id 1aqHsZ-0003mb-By
 for xen-devel@lists.xenproject.org; Wed, 13 Apr 2016 10:18:35 +0000
In-Reply-To: <570E0967.3070600@bitdefender.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
To: Corneliu ZUZU <czuzu@bitdefender.com>, Tamas K Lengyel <tamas.k.lengyel@gmail.com>
Cc: Wei Liu <wei.liu2@citrix.com>, Keir Fraser <keir@xen.org>, Razvan Cojocaru <rcojocaru@bitdefender.com>, Stefano Stabellini <stefano.stabellini@eu.citrix.com>, Ian Jackson <ian.jackson@eu.citrix.com>, Julien Grall <julien.grall@arm.com>, Jan Beulich <jbeulich@suse.com>, Xen-devel <xen-devel@lists.xenproject.org>
List-Id: xen-devel@lists.xenproject.org

--===============5917506113056741205==
Content-Type: multipart/alternative;
	boundary="------------040601000209070500030808"

--------------040601000209070500030808
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

On 13/04/16 09:55, Corneliu ZUZU wrote:
>
>
>>
>>
>>             I would have to double check but AFAIK those instructions
>>             can't be
>>             configured to trap to the hypervisor directly. So while
>>             SMC was not
>>             intended to be a breakpoint, conceptually it's the
>>             closest thing we have
>>             an on ARM to the INT3 instruction when configured to trap
>>             to the VMM.
>>
>>
>>
>>     Please see AArch32 HDCR.TDE and AArch64 MDCR_EL2.TDE bits. Since
>>     activating this bit would imply additional (in this context
>>     -unwanted-) traps, the performance hit of having this bit set
>>     might be significant.
>>
>>
>> Right, actually I believe KVM already implemented this, I was just
>> under the impression it was only for aarch64. As for performance
>> overhead I'm not that worried about it, rather I need to make sure
>> the presence of the monitoring can remain stealthy. I know on KVM for
>> example this type of trapping renders the guest to be unable to use
>> singlestepping, which would easily reveal the presence of the
>> external monitor (see
>> https://lists.cs.columbia.edu/pipermail/kvmarm/2015-May/014589.html).
>> So this will need to be looked at carefully.
>
> That seems to apply to single-stepping only, which would be a
> different matter. As for stealthiness or not limiting the guest, IMO
> that shouldn't be a problem with BKPT/BRK, since I believe you can
> inject the breakpoint exception into the guest as if no hypervisor
> trap occured in between (of course, once you decide whether that
> breakpoint is Xen's or guest-internal). But what about X86? How is
> stealthiness achieved there? Is INT3 entirely not available for the
> guest anymore when guest-debugging is enabled or are ALL INT3's
> reported by Xen as software breakpoint vm-events?

In x86, attaching a debugger to the domain causes #DB and #BP exceptions
to be intercepted by Xen, rather than handled directly by the domain
(actually, since XSA-156, #DB is intercepted under all circumstances, to
avoid security issues).  The debugger receives all debug events, and
should filer the ones it has introduced vs the ones present from
in-guest activities.

~Andrew

(Whether this works or not is a separate matter, and largely depends on
the debugger.)

--------------040601000209070500030808
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 13/04/16 09:55, Corneliu ZUZU wrote:<br>
    </div>
    <blockquote cite="mid:570E0967.3070600@bitdefender.com" type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <br>
      <br>
      <blockquote
cite="mid:CABfawhkPsHnNR7SrDE_6QD7b9C5RK4uVTX-TuoQ6_5uKW1HUvg@mail.gmail.com"
        type="cite">
        <div dir="ltr">
          <div class="gmail_extra">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex"><span class="">
                  <blockquote class="gmail_quote" style="margin:0px 0px
                    0px 0.8ex;border-left:1px solid
                    rgb(204,204,204);padding-left:1ex"> <br>
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px 0.8ex;border-left:1px solid
                      rgb(204,204,204);padding-left:1ex"> <br>
                      I would have to double check but AFAIK those
                      instructions can't be<br>
                      configured to trap to the hypervisor directly. So
                      while SMC was not<br>
                      intended to be a breakpoint, conceptually it's the
                      closest thing we have<br>
                      an on ARM to the INT3 instruction when configured
                      to trap to the VMM.<br>
                    </blockquote>
                    <br>
                  </blockquote>
                  <br>
                </span> Please see AArch32 HDCR.TDE and AArch64
                MDCR_EL2.TDE bits. Since activating this bit would imply
                additional (in this context -unwanted-) traps, the
                performance hit of having this bit set might be
                significant.<span class=""><br>
                </span></blockquote>
              <div><br>
              </div>
              <div>Right, actually I believe KVM already implemented
                this, I was just under the impression it was only for
                aarch64. As for performance overhead I'm not that
                worried about it, rather I need to make sure the
                presence of the monitoring can remain stealthy. I know
                on KVM for example this type of trapping renders the
                guest to be unable to use singlestepping, which would
                easily reveal the presence of the external monitor (see
                <a moz-do-not-send="true"
href="https://lists.cs.columbia.edu/pipermail/kvmarm/2015-May/014589.html">https://lists.cs.columbia.edu/pipermail/kvmarm/2015-May/014589.html</a>).

                So this will need to be looked at carefully.<br>
              </div>
            </div>
          </div>
        </div>
      </blockquote>
      <br>
      That seems to apply to single-stepping only, which would be a
      different matter. As for stealthiness or not limiting the guest,
      IMO that shouldn't be a problem with BKPT/BRK, since I believe you
      can inject the breakpoint exception into the guest as if no
      hypervisor trap occured in between (of course, once you decide
      whether that breakpoint is Xen's or guest-internal). But what
      about X86? How is stealthiness achieved there? Is INT3 entirely
      not available for the guest anymore when guest-debugging is
      enabled or are ALL INT3's reported by Xen as software breakpoint
      vm-events?<br>
    </blockquote>
    <br>
    In x86, attaching a debugger to the domain causes #DB and #BP
    exceptions to be intercepted by Xen, rather than handled directly by
    the domain (actually, since XSA-156, #DB is intercepted under all
    circumstances, to avoid security issues).  The debugger receives all
    debug events, and should filer the ones it has introduced vs the
    ones present from in-guest activities.<br>
    <br>
    ~Andrew<br>
    <br>
    (Whether this works or not is a separate matter, and largely depends
    on the debugger.)
  </body>
</html>

--------------040601000209070500030808--


--===============5917506113056741205==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWRldmVs
IG1haWxpbmcgbGlzdApYZW4tZGV2ZWxAbGlzdHMueGVuLm9yZwpodHRwOi8vbGlzdHMueGVuLm9y
Zy94ZW4tZGV2ZWwK

--===============5917506113056741205==--