Confused about EPT views

[asia-makai]

I'm trying to understand how you set up page protection in the guest, so that you can exit on PFs. (E.g., you use this mechanism to track system calls.) I wanted to ask about the EPT view, that is passed to e.g., kvm_slot_page_track_add_page().

My naive thinking is that when you call kvm_slot_page_track_add_page(), you set protection in the EPT of the current guest, so that you later trap when the guest OS wants to access the gfn, so a gfn->pfn translation is needed.

However, I don't see why you need to distinguish between different EPT views? (I.e., isn't the "right" one being used now?) I must be missing something obvious...

EDIT: certainly it is possible to develop a mechanism which would use VMFUNCs for e.g., isolation. Then it may involve multiple EPTs per guest....

Thank you!

[thomasdangl]

Hi!

You can just use kvmi_set_page_access after setting up kvmi_control_events with KVMI_EVENT_PF. Then, you should receive an event when EPT violations occur. Having multiple views is mostly useful when implementing code hiding or 'safe' code injection on multi-core guests [1]. However, it is not most likely not needed for your case.

Best,
Thomas

[1] http://phrack.org/issues/69/15.html

[asia-makai]

Thank you @thomasdangl for the explanation. Great to see a confirmation that you use multiple views for "dedicated solutions" that offer isolation/hiding/*. It makes perfect sense. But I had been afraid I was missing something else.

I'll check out the phrack article. I've also come across a CCS paper using VNFUNC to hide keys or so. Cool stuff :)

Best regards