Open Ariel08081214 opened 2 weeks ago
@Ariel08081214
> The Hyperenclave paper does not explain why the RustMonitor can run in the most privileged level.
> As stated in the paper:
> > After RustMonitor is loaded, the execution continues at the pre-defined entry. RustMonitor sets up its own running context (such as the stack, page table, IDT, etc.) and prepares the virtual CPU (vCPU) configurations for each CPU. Then RustMonitor launches the normal VM and demotes the primary OS to the normal mode.
RustMonitor sets up the normal VM's VMCS/VMCB, then launches the normal VM. So the normal VM runs in guest mode and RustMonitor runs in the most privileged mode.
> Is memory isolation enforced by MMU or RustMonitor?
Memory isolation is enforced by the MMU. It is RustMonitor's responsibility to correctly configure the MMU by setting the page table.
@Bonjourz
> RustMonitor sets up the normal VM's VMCS/VMCB, then launches the normal VM. So the normal VM runs in guest mode and RustMonitor runs in the most privileged mode.
RustMonitor should run on the main OS, right? So, I can't understand the paper's statement about the privilege levels.
> Memory isolation is enforced by the MMU. It is RustMonitor's responsibility to correctly configure the MMU by setting the page table.
So Hyperenclave's memory isolation is logical isolation rather than encrypted isolation, right?
@Ariel08081214
> RustMonitor should run on the main OS, right? So, I can't understand the paper's statement about the privilege levels.
Take Intel as an example: RustMonitor runs in VMX Root Ring 0, and the Primary OS runs in VMX Non-Root Ring 0 after RustMonitor is loaded.
> So Hyperenclave's memory isolation is logical isolation rather than encrypted isolation, right?
For memory attacks originating from software, HyperEnclave configures the MMU by setting the page tables for the Normal VM, the Enclave VM and devices.
For hardware attacks, as stated in the paper:
> To thwart physical memory attacks, such as cold boot and bus snooping attacks
HyperEnclave uses the memory encryption feature provided by the hardware to defend against some physical memory attacks.
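To make the distinction in the reply above concrete (the monitor configures the tables, the MMU enforces them, and the result is logical rather than encrypted isolation), here is a small Rust model. It is an added illustration and not HyperEnclave or RustMonitor code: a monitor in VMX root mode keeps one second-level page table per guest, carves enclave memory out of the Normal VM's table, and a software stand-in for the MMU walk rejects any guest access whose page is absent or lacks the permission. The `Guest`, `Monitor` and `Entry` types, the 4 KiB granularity and every address range are constructed for the example.

```rust
// Added illustration, not HyperEnclave/RustMonitor code: a toy model of a
// monitor partitioning guest-physical memory between the Normal VM and an
// Enclave VM with separate second-level page tables. The MMU permission check
// is simulated in software. All ranges and permissions are constructed.
use std::collections::BTreeMap;

/// Which guest issues an access. Both run in VMX non-root mode; only the
/// monitor (the owner of `Monitor`) edits the tables.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Guest {
    NormalVm,
    EnclaveVm,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Access {
    Read,
    Write,
    Exec,
}

/// Permission bits of one second-level (EPT/NPT-like) page-table entry,
/// at an assumed 4 KiB granularity.
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
pub struct Entry {
    pub read: bool,
    pub write: bool,
    pub exec: bool,
}

pub const PAGE_SIZE: u64 = 4096;

/// Monitor state: one second-level table per guest, keyed by page number.
#[derive(Default)]
pub struct Monitor {
    tables: BTreeMap<Guest, BTreeMap<u64, Entry>>,
}

impl Monitor {
    pub fn new() -> Self {
        Self::default()
    }

    /// Map [base, base+len) into `guest`'s table with `entry` permissions.
    pub fn map(&mut self, guest: Guest, base: u64, len: u64, entry: Entry) {
        let table = self.tables.entry(guest).or_default();
        for pfn in (base / PAGE_SIZE)..((base + len) / PAGE_SIZE) {
            table.insert(pfn, entry);
        }
    }

    /// Remove [base, base+len) from `guest`'s table, e.g. when the monitor
    /// takes memory away from the Normal VM to hand it to an enclave.
    pub fn unmap(&mut self, guest: Guest, base: u64, len: u64) {
        if let Some(table) = self.tables.get_mut(&guest) {
            for pfn in (base / PAGE_SIZE)..((base + len) / PAGE_SIZE) {
                table.remove(&pfn);
            }
        }
    }

    /// Simulated MMU walk. A missing entry or a disallowed permission stands
    /// in for the EPT violation / nested page fault that would exit to the
    /// monitor on real hardware.
    pub fn check(&self, guest: Guest, addr: u64, access: Access) -> Result<(), String> {
        let entry = self
            .tables
            .get(&guest)
            .and_then(|t| t.get(&(addr / PAGE_SIZE)))
            .ok_or_else(|| format!("{:?}: no mapping for {:#x}", guest, addr))?;
        let allowed = match access {
            Access::Read => entry.read,
            Access::Write => entry.write,
            Access::Exec => entry.exec,
        };
        if allowed {
            Ok(())
        } else {
            Err(format!("{:?}: {:?} denied at {:#x}", guest, access, addr))
        }
    }
}

/// Constructed layout: the Normal VM starts with 0..1 MiB; the monitor carves
/// 0x80000..0xC0000 out of it for the enclave (code RX, data RW) and maps a
/// shared buffer at 0xF0000..0x100000 into both guests.
pub fn example_layout() -> Monitor {
    let rw = Entry { read: true, write: true, exec: false };
    let rx = Entry { read: true, write: false, exec: true };
    let mut m = Monitor::new();
    m.map(Guest::NormalVm, 0x0, 0x10_0000, rw);
    m.unmap(Guest::NormalVm, 0x8_0000, 0x4_0000);
    m.map(Guest::EnclaveVm, 0x8_0000, 0x2_0000, rx);
    m.map(Guest::EnclaveVm, 0xA_0000, 0x2_0000, rw);
    m.map(Guest::EnclaveVm, 0xF_0000, 0x1_0000, rw);
    m
}

fn main() {
    let m = example_layout();
    let probes = [
        (Guest::NormalVm, 0x9_0000, Access::Read),   // enclave code: hidden from Normal VM
        (Guest::EnclaveVm, 0x9_0000, Access::Write), // enclave code is not writable
        (Guest::EnclaveVm, 0x1_0000, Access::Read),  // Normal VM private memory: unmapped for enclave
        (Guest::NormalVm, 0xF_8000, Access::Write),  // shared buffer: both may write
    ];
    for &(guest, addr, access) in probes.iter() {
        println!("{:?} {:?} {:#x}: {:?}", guest, access, addr, m.check(guest, addr, access));
    }
}
```

The model shows why the answer to "logical or encrypted?" is "logical": a guest simply has no entry for pages the monitor never put in its table, so the hardware refuses the access, but nothing here transforms the bytes in DRAM. That is the gap the paper's memory encryption remark addresses separately.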
> Take Intel as an example: RustMonitor runs in VMX Root Ring 0, and the Primary OS runs in VMX Non-Root Ring 0 after RustMonitor is loaded.
@Bonjourz Is this permission mechanism done by configuration?
Hi @Ariel08081214, taking Intel as an example, how RustMonitor configures the VMCS for the Primary OS can be found here:
https://github.com/asterinas/hyperenclave/blob/master/src/arch/x86_64/intel/vcpu.rs#L199-L206
Hi. The Hyperenclave paper does not explain why the RustMonitor can run in the most privileged level.
Is memory isolation enforced by MMU or RustMonitor? Waiting for your reply. ^^