Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Date:   Tue, 24 Oct 2017 15:52:33 +0800
From:   Yi Zhang <yi.z.zhang@linux.intel.com>
To:     Mihai =?utf-8?B?RG9uyJt1?= <mdontu@bitdefender.com>
Cc:     Paolo Bonzini <pbonzini@redhat.com>,
        Jim Mattson <jmattson@google.com>,
        kvm list <kvm@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Alex Williamson <alex.williamson@redhat.com>
Subject: Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection
 Support.
Message-ID: <20171024075232.GA34879@dazhang1-ssd.sh.intel.com>
Mail-Followup-To: Mihai =?utf-8?B?RG9uyJt1?= <mdontu@bitdefender.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Jim Mattson <jmattson@google.com>, kvm list <kvm@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Alex Williamson <alex.williamson@redhat.com>
References: <cover.1506559196.git.yi.z.zhang@linux.intel.com>
 <CALMp9eRroi5m_t8oVfiJWBLUWchF2pUt8Lenh_JEsAdiR5fWcA@mail.gmail.com>
 <250725286.12444082.1507929205754.JavaMail.zimbra@redhat.com>
 <20171016000841.GB66870@dazhang1-ssd.sh.intel.com>
 <96efaece-306c-cde3-06d6-553505612136@redhat.com>
 <1508335998.3230.118.camel@bitdefender.com>
 <20171020084715.GG88002@dazhang1-ssd.sh.intel.com>
 <1508519207.29329.67.camel@bitdefender.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1508519207.29329.67.camel@bitdefender.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On 2017-10-20 at 20:06:47 +0300, Mihai Donțu wrote:
> On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote:
> > Could you mind to provide more information and history about your
> > investigation?
> 
> We are using VMI to secure certain parts of a guest kernel in memory
> (like prevent a certain data structure from being overriten). However,
> it sometimes happens for that part to be placed in the same page with
> other data, of no interest to us, that gets written frequently. This
> makes using the EPT problematic (a 4k page is just too big and
> generates too many violations). However, SPP (with its 128 bytes
> granularity) is ideal here.
> 

> > > Also, if Intel doesn't have a specific use case for it that requires
> > > separate access to SPP control, then maybe we can fold it into the VMI 
> > > API we are working on?
> > 
> > That's totally Excellent as we really don't have a specific user case at
> > this time.
> 
> OK. We will spend some time thinking at a proper way of exposing SPP
> with the VMI API.
> 
> For example, we now work on implementing something similar to this:
> 
>   kvm_set_page_access( struct kvm *kvm, gfn_t gfn, u8 access );
> 
> The simplest approach would be to add something like:
> 
>   kvm_set_sub_page_access( struct kvm *kvm, gfn_t gfn, u32 mask );
> 
> where every bit from 'mask' indicates the write-allowed state of every
> 128-byte subpage.

Got it, seems very compatible with current implementation by us. 
> 
> > BTW, I have already submit the SPP implementation draft in Xen side.
> > when you got some time, you can take a look at if that match your
> > requirement.
> 
> I believe my colleague Răzvan Cojocaru has already commented on that
> patch set. :-)

Oh, yes, pls send my best thanks to him. 

> 
> -- 
> Mihai Donțu
> 

From 1581797115103788402@xxx Fri Oct 20 17:08:02 +0000 2017
X-GM-THRID: 1581152810958355510
X-Gmail-Labels: Inbox,Category Forums