Using VMFunc #8
Comments
|
we don't use and test VMFUNC now in this open source project. so not sure what's your exact problem here.... do you want to do something related to security protection on Linux guest? |
|
Yes, I'm using iKGT as a reference monitor to protect data confidentiality and integrity. Specifically, using EPT/VMFunc to switch memory views. My machine does have a serial port, is there anyway I could use an emulator (e.g., QEMU) to test and enable VMFunc functionality. Thanks! |
|
ok, pretty make sense. our ikgt team ever invented VMFUNC exactly for this purpose around 8 years ago..... but you may need some changes to make it work and probably you may consider using #VE as well. does Qemu support emulate VMFUNC? i'm not sure. you can also use vmware player to run ikgt, i ever tried that before (some yrs ago, but not recently). vmware support nested VT, but again i'm not sure if VMWare emulates VMFUNC. |
|
Are you getting a #ud? Ifvmfunc is not enabled or the leaf0 is not enabled you may be getting that
Ravi
Sent from my cell phone. Pardon the brevity.
… On May 29, 2020, at 11:44 AM, Ashish Bijlani ***@***.***> wrote:
Hi,
I'm trying to use VMFunc (switch view functionality) in iKGT. To test, I simply switch to the same EPT. (mov rax, 0; mov rcx, 0; vmfunc). However, this results in kernel panic. I'd deeply appreciate your insights on enabling VMFunc functionality. Thanks!
-Ashish
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
"mov rax, 0; mov rcx, 0; vmfunc" results is illegal instruction. |
|
Right- is it enabled by the vmm in the vmcs controls?
Sent from my cell phone. Pardon the brevity.
… On May 31, 2020, at 7:17 PM, Ashish Bijlani ***@***.***> wrote:
"mov rax, 0; mov rcx, 0; vmfunc" results is illegal instruction.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
I assumed it was. Will check that and update here. Thanks! |
|
Thanks @rsahita for pointing out that.. @ashishbijlani, i believe ikgt by default doesn't enable that. if your hardware or virtual hardware platform supports VMFUNC, #UD should be triggered when hypervisor doesn't enable it in vmcs. (more info for IA exceptions should be checked in IA SDM manual doc) |
|
Does iKGT auto-detect hardware support for VMFUNC in fvs_is_eptp_switching_supported() and call fvs_guest_vmfunc_enable() to enable VMFunc or it has to be enabled explicitly? If the latter, I'd appreciate any pointers in the code to do so. Thanks! |
Hi,
I'm trying to use VMFunc (switch view functionality) in iKGT. To test, I simply switch to the same EPT. (mov rax, 0; mov rcx, 0; vmfunc). However, this results in kernel panic. I'd deeply appreciate your insights on enabling VMFunc functionality. Thanks!
-Ashish
The text was updated successfully, but these errors were encountered: