At 01:32 +0000 on 05 Nov (1288920725), ding baozeng wrote:
> I want to create another address space for security analysis. In this
> address space, we could access all the kernel address space, but the
> kernel address space could not access some memory of it.

I'm not sure shadow pagetables are the right place to do this - have you
thought about having your security code in another VM? Otherwise you
need to stop the kernel mapping the secure memory in its own pagetables,
granting it to other VMs, DMAing to it, &c. Also what if you want to
use EPT/NPT?

> So this
> address space needs to create its own shadow pages. In the shadow
> pages, they contain all the mapping that kernel shadow pages have, and
> also contain some mapping for the memory that the kernel could not
> access. The shadow pages are always in memory. So there would be two
> shadows, one for kernel, one for this address space.

If this address space is identified by its own %CR3 value then there
already are - all you need to do is modify guest_walk_tables to add the
extra mappings whenever %CR3 holds the right value and everything will
work out.

Cheers,
Tim.

> First, I want to
> copy the kernel shadow pages and then make some changes to create the
> shadow pages we need. As we know, the kernel shadow pages are built
> dynamically, then how to copy it and make it in memory always?

--
Tim Deegan <Tim.Deegan@xxxxxxxxxx>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
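
The following is an added illustration, not part of the original message and not Xen code: a toy C model of the idea discussed in the thread, where the walk that fills shadow entries adds extra mappings only when %CR3 holds the analysis address space's value, and refuses guest-created mappings of the secure frames. All names (`toy_walk`, `ANALYSIS_CR3`, the tables and frame numbers) are hypothetical and constructed; the model does not cover grants, DMA or EPT/NPT.

```c
#include <stdint.h>
#include <stddef.h>

#define ANALYSIS_CR3 0x2000u   /* assumed CR3 value of the analysis address space */
#define NO_MAPPING   UINT64_MAX
#define COUNT(a)     (sizeof(a) / sizeof((a)[0]))

struct mapping { uint64_t va_page, frame; };

/* Constructed guest pagetable contents, shared by both address spaces. */
static const struct mapping guest_pt[] = {
    { 0xc0000, 0x100 },        /* ordinary kernel pages */
    { 0xc0001, 0x101 },
    { 0xc0002, 0x500 },        /* kernel maps a secure frame in its own pagetables */
};
/* Extra mappings that exist only while the analysis CR3 is loaded. */
static const struct mapping overlay[] = {
    { 0xe0000, 0x500 },
    { 0xe0001, 0x501 },
};
static const uint64_t secure_frames[] = { 0x500, 0x501 };

static int is_secure(uint64_t frame)
{
    for (size_t i = 0; i < COUNT(secure_frames); i++)
        if (secure_frames[i] == frame) return 1;
    return 0;
}

static uint64_t lookup(const struct mapping *t, size_t n, uint64_t va_page)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].va_page == va_page) return t[i].frame;
    return NO_MAPPING;
}

/* Model of the walk whose result would populate the shadow for (cr3, va_page). */
uint64_t toy_walk(uint64_t cr3, uint64_t va_page)
{
    if (cr3 == ANALYSIS_CR3) {             /* overlay is visible to this CR3 only */
        uint64_t f = lookup(overlay, COUNT(overlay), va_page);
        if (f != NO_MAPPING) return f;
    }
    uint64_t f = lookup(guest_pt, COUNT(guest_pt), va_page);
    /* Secure frames are reachable only through the overlay, never via guest PTEs. */
    if (f != NO_MAPPING && is_secure(f)) return NO_MAPPING;
    return f;
}
```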