[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] AD bits in traditional PV mode

On 21/02/2018 00:42, Andres Lagar Cavilla wrote:
> Hello everyone,
> I was thinking of the traditional Xen PV mode in which page table
> pages are write protected from guest meddling and PTE
> modifications are audited by the hypervisor (ptwr_emulated_update()
> these days, still?).

Something like that, yes.  Alternatively, via explicit hypercall which
is faster than the trap&emulate path.

> Without software shadows or paging to e.g. an EPT, native PV loads the
> actual CR3 pointing to a write protected page table tree.

Unfortunately, I've lost you here.  There is no such thing as a
write-protected pagetable tree in the traditional PV sense.

> When the cr3 is loaded, the hardware walker will want to set A and D
> bits in PTEs -- is this action immune to the write protection in the
> page table pages themselves? Or do we take emulation faults on these
> updates as well?

The protection that Xen enforces on PV guests is that an L1 PTE mapping
a pagetable frame must never be writeable.  This protection happens at
the linear address level.  When the CPU pagewalker tries to set A/D
bits, it issues an atomic update to the physical address of the
pagetable entry which needs updating.

As with everything, there are complicating factors.  With EPT/NPT for
HVM guests these days, the hypervisor can also apply permissions to
guest physical addresses, as part of their translation to host physical
addresses.  The hardware pagewalker, when attempting to set an A/D bit
of the HVM guests regular pagetables, issues an EPT/NPT write (well -
RMW strictly) to set the bits.

Therefore, if the hypervisor marks an HVM guest's pagetable as
read-only, then the hardware pagewalker trying to set A/D bits will
vmexit with an EPT/NPT permissions violation.  This is one major
performance limiting factor of introspection technology at the moment.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.