Re: [Xen-devel] DMA understanding

[Abhinav Srivastava <abhinavs_iitkgp@xxxxxxxxxxx>]

Hi Konrad,

Thanks for your reply. You reply was very helpful in understanding the 
DMA mechanism. The goal of my project is to intercept all DMA requests issued 
by guest HVM domains and check for the memory regions (guest physical address) 
mentioned in those requests. This will help detect malicious DMA writes 
specified by malicious drivers. I am trying 
to achieve this without VT-d support on intel processors.

I have some follow up questions:

1. When a guest HVM domain requests DMA operations, it specifies guest physical 
addresses. Who converts guest physical to host physical addresses? Does this 
conversion happen in Dom0 or hypervisor? Which code path should I be looking at?

2. I am looking at the place where I can hook into so that I could intercept 
all DMA requests issued by the HVM guest and verify the addresses? Is there any 
place where all DMA requests come and then routed to specific devices in QEMU 
emulation code? If I could hook at the common place, it would be easier to 
intercept rather putting the check 
in each device specific files.

I really appreciate for your time.

Thanks,
Abhinav

--- On Wed, 30/6/10, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> wrote:

> From: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
> Subject: Re: [Xen-devel] DMA understanding
> To: "Abhinav Srivastava" <abhinavs_iitkgp@xxxxxxxxxxx>
> Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
> Date: Wednesday, 30 June, 2010, 9:32 PM
> On Tue, Jun 29, 2010 at 12:10:48AM
> +0530, Abhinav Srivastava wrote:
> > 
> > Hi there,
> > 
> > I am trying to understand how an HVM guest domain
> performs its DMA operations, and how this DMA operations are
> intercepted by the Xen. I wanted to understand both the code
> path with and without Vt-d support (for intel processors).
> On looking inside the Xen code, I found that iommu code is
> inside the vmx/vtd/ directory only. By seeing the code, my
> understanding is that when Vt-d is enabled, iommu.c and
> dmar.c inside the vtd directory is the place to look for DMA
> operations. However, I do not understand which code path
> inside the hypervisor is getting used in case of Vt-d is
> disabled?  How does Xen intercept guest DMA operations
> in this case? I am using Xen 3.3 version for my project (I
> admit that it is very old version).
> 
> Lets start without the Intel VT-d or AMD Vi in the
> picture.
> 
> When the QEMU boots up an HVM guest, it emulates everything
> the guest
> sees or does. Which means that when the guest decides to
> use the
> IDE controller to do DMA operations, QEMU decodes that
> operation
> (look in hw/ide.c, search for 'WIN_READDMA') and it follows
> it
> through by setting up a callback mechanism that ends up
> fetching
> the data from wherever the guest disk and then triggering
> an interrupt
> so that the guest noticies that the DMA finished.
> 
> So in essence the hypervisor does not deal with guest DMA
> at all.
> 
> When you insert an Intel VT-d or AMD Vi chipset you have
> the option
> of passing in a native PCI device to the guest. If you
> don't pass
> in a PCI device then you are still using the old
> mechanism.
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
> 



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel