Message ID | 20190814070403.6588-1-weijiang.yang@intel.com (mailing list archive) |
---|---|
Headers | show |
Series | Enable Sub-page Write Protection Support | expand |
On 14/08/19 09:03, Yang Weijiang wrote: > EPT-Based Sub-Page write Protection(SPP)is a HW capability which allows > Virtual Machine Monitor(VMM) to specify write-permission for guest > physical memory at a sub-page(128 byte) granularity. When this > capability is enabled, the CPU enforces write-access check for sub-pages > within a 4KB page. > > The feature is targeted to provide fine-grained memory protection for > usages such as device virtualization, memory check-point and VM > introspection etc. > > SPP is active when the "sub-page write protection" (bit 23) is 1 in > Secondary VM-Execution Controls. The feature is backed with a Sub-Page > Permission Table(SPPT), SPPT is referenced via a 64-bit control field > called Sub-Page Permission Table Pointer (SPPTP) which contains a > 4K-aligned physical address. > > Right now, only 4KB physical pages are supported for SPP. To enable SPP > for certain physical page, we need to first make the physical page > write-protected, then set bit 61 of the corresponding EPT leaf entry. > While HW walks EPT, if bit 61 is set, it traverses SPPT with the guset > physical address to find out the sub-page permissions at the leaf entry. > If the corresponding bit is set, write to sub-page is permitted, > otherwise, SPP induced EPT violation is generated. Still no testcases? Paolo
On Wed, Aug 14, 2019 at 02:36:30PM +0200, Paolo Bonzini wrote: > On 14/08/19 09:03, Yang Weijiang wrote: > > EPT-Based Sub-Page write Protection(SPP)is a HW capability which allows > > Virtual Machine Monitor(VMM) to specify write-permission for guest > > physical memory at a sub-page(128 byte) granularity. When this > > capability is enabled, the CPU enforces write-access check for sub-pages > > within a 4KB page. > > > > The feature is targeted to provide fine-grained memory protection for > > usages such as device virtualization, memory check-point and VM > > introspection etc. > > > > SPP is active when the "sub-page write protection" (bit 23) is 1 in > > Secondary VM-Execution Controls. The feature is backed with a Sub-Page > > Permission Table(SPPT), SPPT is referenced via a 64-bit control field > > called Sub-Page Permission Table Pointer (SPPTP) which contains a > > 4K-aligned physical address. > > > > Right now, only 4KB physical pages are supported for SPP. To enable SPP > > for certain physical page, we need to first make the physical page > > write-protected, then set bit 61 of the corresponding EPT leaf entry. > > While HW walks EPT, if bit 61 is set, it traverses SPPT with the guset > > physical address to find out the sub-page permissions at the leaf entry. > > If the corresponding bit is set, write to sub-page is permitted, > > otherwise, SPP induced EPT violation is generated. > > Still no testcases? > > Paolo Hi, Paolo, The testcases are included in selftest: https://lkml.org/lkml/2019/6/18/1197
On 14/08/19 16:02, Yang Weijiang wrote: > On Wed, Aug 14, 2019 at 02:36:30PM +0200, Paolo Bonzini wrote: >> On 14/08/19 09:03, Yang Weijiang wrote: >>> EPT-Based Sub-Page write Protection(SPP)is a HW capability which allows >>> Virtual Machine Monitor(VMM) to specify write-permission for guest >>> physical memory at a sub-page(128 byte) granularity. When this >>> capability is enabled, the CPU enforces write-access check for sub-pages >>> within a 4KB page. >>> >>> The feature is targeted to provide fine-grained memory protection for >>> usages such as device virtualization, memory check-point and VM >>> introspection etc. >>> >>> SPP is active when the "sub-page write protection" (bit 23) is 1 in >>> Secondary VM-Execution Controls. The feature is backed with a Sub-Page >>> Permission Table(SPPT), SPPT is referenced via a 64-bit control field >>> called Sub-Page Permission Table Pointer (SPPTP) which contains a >>> 4K-aligned physical address. >>> >>> Right now, only 4KB physical pages are supported for SPP. To enable SPP >>> for certain physical page, we need to first make the physical page >>> write-protected, then set bit 61 of the corresponding EPT leaf entry. >>> While HW walks EPT, if bit 61 is set, it traverses SPPT with the guset >>> physical address to find out the sub-page permissions at the leaf entry. >>> If the corresponding bit is set, write to sub-page is permitted, >>> otherwise, SPP induced EPT violation is generated. >> >> Still no testcases? >> >> Paolo > > Hi, Paolo, > The testcases are included in selftest: https://lkml.org/lkml/2019/6/18/1197 > Good, thanks! Paolo