Date: Wed, 18 Oct 2017 22:07:15 +0800
From: Yi Zhang
To: Paolo Bonzini
Cc: Jim Mattson, kvm list, LKML, Radim Krčmář, Alex Williamson
Subject: Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.
Message-ID: <20171018140715.GB28204@dazhang1-ssd.sh.intel.com>
References: <250725286.12444082.1507929205754.JavaMail.zimbra@redhat.com> <20171016000841.GB66870@dazhang1-ssd.sh.intel.com> <96efaece-306c-cde3-06d6-553505612136@redhat.com>
In-Reply-To: <96efaece-306c-cde3-06d6-553505612136@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote:
>
> > Currently, we only block the write access. As for an example I know
> > of, we are now using it in a security daemon:
>
> Understood. However, I think QEMU is the wrong place to set this up.
>
> If the kernel wants to protect _itself_, it should use a hypercall. If
> an introspector appliance wants to protect the guest kernel, it should
> use the socket that connects it to the hypervisor.
>
> Paolo
>

Thanks Paolo. Yes, that is correctable; I will think about switching the interface to a hypercall. How about we keep these two interfaces together (hypercall + ioctl)? Consider that if the VMM manager had some way to intercept guest kernel memory accesses, the page protection would work like a hardware watchpoint. Is that an easy way to let the VMM manager debug the guest kernel?

Apart from the interface change, could you please help review the rest of the patch series? Just skip the ioctl patch (patch 7).

Thank you very much Paolo.