Re: [Qemu-devel] QEMU patch to allow VM introspection via libvmi
From: Markus Armbruster
Subject: Re: [Qemu-devel] QEMU patch to allow VM introspection via libvmi
Date: Fri, 16 Oct 2015 10:15:17 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

address@hidden writes:
> All-
>
> I've produced a patch for the current QEMU HEAD, for libvmi to
> introspect QEMU/KVM VMs.
>
> Libvmi has patches for the old qemu-kvm fork, inside its source tree:
> https://github.com/libvmi/libvmi/tree/master/tools/qemu-kvm-patch
>
> This patch adds an hmp and a qmp command, "pmemaccess". When the
> command is invoked with a string argument (a filename), it will open
> a UNIX socket and spawn a listening thread.
>
> The client writes binary commands to the socket, in the form of a C
> structure:
>
> struct request {
>     uint8_t type;     // 0 quit, 1 read, 2 write, ... rest reserved
>     uint64_t address; // address to read from OR write to
>     uint64_t length;  // number of bytes to read OR write
> };
>
> The client receives as a response, either (length+1) bytes, if it is a
> read operation, or 1 byte if it is a write operation.
>
> The last byte of a read operation response indicates success (1
> success, 0 failure). The single byte returned for a write operation
> indicates the same (1 success, 0 failure).

So, if you ask to read 1 MiB, and it fails, you get back 1 MiB of
garbage followed by the "it failed" byte?

> The socket API was written by the libvmi author and it works with the
> current libvmi version. The libvmi client-side implementation is at:
>
> https://github.com/libvmi/libvmi/blob/master/libvmi/driver/kvm/kvm.c
>
> As many use KVM VMs for introspection, malware and security analysis,
> it might be worth thinking about making the pmemaccess a permanent
> hmp/qmp command, as opposed to having to produce a patch at each QEMU
> point release.

Related existing commands: memsave, pmemsave, dump-guest-memory.
Can you explain why these won't do for your use case?

> Also, the pmemsave command's QAPI should be changed to be usable with
> 64-bit VMs
>
> in qapi-schema.json
>
> from
>
> ---
> { 'command': 'pmemsave',
> 'data': {'val': 'int', 'size': 'int', 'filename': 'str'} }
> ---
>
> to
>
> ---
> { 'command': 'pmemsave',
> 'data': {'val': 'int64', 'size': 'int64', 'filename': 'str'} }
> ---

In the QAPI schema, 'int' is actually an alias for 'int64'. Yes, that's
confusing.

> hmp-commands.hx and qmp-commands.hx should be edited accordingly. I
> did not make the above pmemsave changes part of my patch.
>
> Let me know if you have any questions,
>
> Valerio
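
The reply framing discussed in this message (length+1 bytes for a read, with the status in the final byte), as an added example in C that is not QEMU or libvmi code. It assumes the struct is sent as raw bytes, as the description suggests; `build_request`, `expected_reply_len` and `parse_read_reply` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Request layout as quoted in the message (not copied from QEMU/libvmi). */
struct request {
    uint8_t  type;     /* 0 quit, 1 read, 2 write, rest reserved */
    uint64_t address;  /* address to read from OR write to */
    uint64_t length;   /* number of bytes to read OR write */
};

/* Zero the whole struct first: the compiler inserts padding after `type`,
 * and those bytes go over the socket if the struct is written raw. */
void build_request(struct request *r, uint8_t type, uint64_t addr, uint64_t len)
{
    memset(r, 0, sizeof *r);
    r->type = type;
    r->address = addr;
    r->length = len;
}

/* Reply size per the description: length+1 bytes for a read, 1 for a write.
 * Returns 0 for other types or when length+1 does not fit in size_t. */
size_t expected_reply_len(const struct request *r)
{
    if (r->type == 2)
        return 1;
    if (r->type != 1 || r->length >= SIZE_MAX)
        return 0;
    return (size_t)r->length + 1;
}

/* Hypothetical helper: accept a read reply only if it is complete and its
 * trailing status byte is 1. On failure the payload bytes are unspecified
 * and are never copied out. Returns 0 on success, -1 otherwise. */
int parse_read_reply(const struct request *r, const uint8_t *reply,
                     size_t reply_len, uint8_t *out, size_t out_cap)
{
    size_t want = expected_reply_len(r);

    if (r->type != 1 || want == 0 || reply_len != want)
        return -1;                      /* truncated or oversized reply */
    if (reply[want - 1] != 1)
        return -1;                      /* status byte says failure */
    if (out_cap < want - 1)
        return -1;                      /* caller buffer too small */
    memcpy(out, reply, want - 1);
    return 0;
}
```

Because the status arrives last, a client has to buffer the whole reply before it can tell whether any of the payload is meaningful.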