Exercise: EPT

Read Chapter 5: x86-64: MMU Virtualization with Extended Page Tables of the textbook before proceeding.

An evil guest

For simplicity, the physical memory layout of lvisor & lv6 is the following:

  • lv6 (guest) starts at guest- & host-physical address 0x00100000 (1MB);
  • lvisor (VMM) starts at host-physical address 0x10000000 (256M).

Also see the constants defined in include/asm/setup.h and how they are used in source code.

For safety, a malicious guest must not be able to modify the VMM directly. Let’s see what prevents this from happening.

First, let’s try to make an “evil” lv6 that tries to directly write to lvisor at 0x10000000:

--- a/tests/lv6/main.c
+++ b/tests/lv6/main.c
@@ -38,7 +38,7 @@ static noreturn void user_init(void)
         pt[0] = __pa(user_data) | PTE_PRESENT | PTE_RW | PTE_USER;
 
         /* load user code */
-        memcpy(user_data, user_start, user_end - user_start);
+        memcpy((void *)0x10000000, user_start, user_end - user_start);
 
         /* start user space with given register values & user page table */
         return_to_usermode(&regs, __pa(upml4));
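Review bot: the new memcpy target (void *)0x10000000 is a guest-virtual address, so the write only reaches the EPT if lv6’s own page tables map that virtual address to guest-physical 0x10000000 (as an identity mapping would); without such a mapping the guest takes its own page fault before any EPT check happens. Also, because the original copy into user_data is replaced rather than kept alongside the new line, user code is never loaded; that is harmless here, since the VMM is expected to stop the guest at this write, but anyone who still expects return_to_usermode() to run real user code should keep the original memcpy line as well.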

You should see that lvisor stops execution with “vmx: unexpected exit reason 48” in the output.

Question

Look up the exit reason in the Intel SDM. What’s exit reason 48?

Now let’s find out the details. Skim Section 28.2: The Extended Page Table Mechanism (EPT) of the Intel SDM. Compare the format of EPTs (Figure 28-1) with the format of page tables you have seen in CSE 451 (see also Figure 4-11 in Section 4.5).

Question

Are the two formats identical? If not, briefly describe one difference.

Question

Read the source code of construct_tdp() in lvisor. Briefly describe how this particular EPT prevents the write to lvisor (at 0x10000000) by the “evil” lv6. Be specific.

Challenge: a small EPT

Now let’s modify this EPT a little. Specifically, define a new array (2MB or larger) and modify construct_tdp() (and any other places that need it) to construct an EPT that maps guest memory to this array only. See if you can boot lv6 with this EPT.
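As an added illustration (not lvisor’s own code), here is a software model of the 4-level EPT that construct_tdp()-style code builds, using the entry bits from Figure 28-1: the identity map stops at 0x10000000, so a guest access to lvisor finds no entry, and the same builder pointed at a 2MB backing array is the small-EPT variant of the challenge above. The table arrays, construct_ept(), ept_walk() and EPT_VIOLATION are this example’s own names, and the model stores array addresses where hardware would store host-physical ones.

```c
#include <stdint.h>
#include <stdio.h>
/* EPT entry bits (Intel SDM Vol. 3, Section 28.2, Figure 28-1). */
#define EPT_READ        (1ULL << 0)
#define EPT_WRITE       (1ULL << 1)
#define EPT_EXEC        (1ULL << 2)
#define EPT_MT_WB       (6ULL << 3)   /* memory type write-back; leaf entries only */
#define EPT_LARGE_PAGE  (1ULL << 7)   /* bit 7 in a PDE: entry maps a 2MB page */
#define EPT_ADDR_MASK   0x000ffffffffff000ULL
#define EPT_RWX         (EPT_READ | EPT_WRITE | EPT_EXEC)
#define PAGE_2M         (1ULL << 21)
#define VMM_START       0x10000000ULL /* lvisor's host-physical base (256MB) */
#define EPT_VIOLATION   (~0ULL)       /* ept_walk() result: no usable mapping */
/* Software model of guest-physical [0, 1GB); non-leaf entries hold array addresses. */
static _Alignas(4096) uint64_t ept_pml4[512], ept_pdpt[512], ept_pd[512];

/* Map guest-physical [0, limit) to host-physical [hpa_base, hpa_base + limit) with 2MB
 * pages (limit <= 1GB, hpa_base 2MB-aligned). hpa_base = 0 is the identity map in the
 * style of construct_tdp(); a 2MB array's address with limit = 2MB is the "small EPT"
 * challenge. Addresses at or beyond limit, VMM_START among them, get no entry at all. */
void construct_ept(uint64_t hpa_base, uint64_t limit)
{
    for (int i = 0; i < 512; i++) ept_pd[i] = 0;       /* not present */
    ept_pml4[0] = (uint64_t)(uintptr_t)ept_pdpt | EPT_RWX;
    ept_pdpt[0] = (uint64_t)(uintptr_t)ept_pd | EPT_RWX;
    for (uint64_t gpa = 0; gpa < limit; gpa += PAGE_2M)
        ept_pd[gpa / PAGE_2M] = (hpa_base + gpa) | EPT_RWX | EPT_MT_WB | EPT_LARGE_PAGE;
}

/* Walk the EPT as the CPU does for a guest access: returns the host-physical address,
 * or EPT_VIOLATION when a level lacks the needed permission (the "evil" lv6's fate). */
uint64_t ept_walk(uint64_t gpa, int write)
{
    uint64_t need = EPT_READ | (write ? EPT_WRITE : 0);
    uint64_t e = ept_pml4[(gpa >> 39) & 0x1ff];
    if ((e & need) != need) return EPT_VIOLATION;
    e = ((uint64_t *)(uintptr_t)(e & EPT_ADDR_MASK))[(gpa >> 30) & 0x1ff];
    if ((e & need) != need) return EPT_VIOLATION;
    e = ((uint64_t *)(uintptr_t)(e & EPT_ADDR_MASK))[(gpa >> 21) & 0x1ff];
    if ((e & need) != need || !(e & EPT_LARGE_PAGE)) return EPT_VIOLATION;
    return (e & EPT_ADDR_MASK & ~(PAGE_2M - 1)) | (gpa & (PAGE_2M - 1));
}

int main(void)
{
    construct_ept(0, VMM_START);   /* guest owns host-physical [0, 256MB) only */
    printf("lv6 write to 0x100000: %s\n", ept_walk(0x100000, 1) == EPT_VIOLATION ? "EPT violation" : "ok");
    printf("lv6 write to 0x10000000: %s\n", ept_walk(VMM_START, 1) == EPT_VIOLATION ? "EPT violation" : "ok");
    return 0;
}
```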

Challenge: on-demand EPT

Remove the function construct_tdp() (and every call to it). lvisor will now take EPT-related VM exits. Add a VM-exit handler that constructs the EPT lazily, on demand.

What to submit

This completes the exercise. In answers.txt, write up your answers to the questions (no need to submit the code). Upload the file through Canvas.

If you have done any of the challenge problems, include a diff in answers.txt highlighting your changes to lvisor.