Message-ID: <20171018140715.GB28204@dazhang1-ssd.sh.intel.com>
Date: Wed, 18 Oct 2017 22:07:15 +0800
From: Yi Zhang <yi.z.zhang@...ux.intel.com>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: Jim Mattson <jmattson@...gle.com>, kvm list <kvm@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Radim Krčmář <rkrcmar@...hat.com>,
Alex Williamson <alex.williamson@...hat.com>
Subject: Re: [PATCH RFC 00/10] Intel EPT-Based Sub-page Write Protection Support.
On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote:
> >
> > Currently, we only block the write access. As for an example I know of,
> > we are now using it in a security daemon:
>
> Understood. However, I think QEMU is the wrong place to set this up.
>
> If the kernel wants to protect _itself_, it should use a hypercall. If
> an introspector appliance wants to protect the guest kernel, it should
> use the socket that connects it to the hypervisor.
>
> Paolo
>
Thanks Paolo,
Yes, that is correctable; I will think about switching the interface to a
hypercall. How about we keep these two interfaces together (hypercall +
ioctl)? Think about it: if the VMM manager has some way to intercept
the guest kernel's memory accesses, the page protection would act like a
hardware watchpoint. Is that an easy way to let the VMM manager debug the
guest kernel?
Apart from the interface change, could you please help to review the other
patches in the series? Just skip the ioctl patch (patch 7).
Thank you very much Paolo.