I am attempting to monitor all writes to system RAM with the aim of detecting malicious programs, using an independent co-processor. To prototype this I will be using an Intel Stratix 10 GX FPGA connected to the CPU over the PCIe bus. How can I duplicate all memory writes along the memory bus and send them along the PCIe bus (packaging them as necessary) for analysis by the FPGA, i.e. snoop the memory bus or Memory Management Unit?
I have looked into the DMA capabilities of PCIe devices but have only found ways to perform specific reads of select memory addresses. My design relies on being able to continuously analyse all memory writes that are sent to main memory (at least for the section of memory that contains the kernel). I have found no kernel facilities that would allow this behaviour. I had the idea of writing a kernel module that could hook into the memory management unit in the OS and copy writes, but I think too many of the memory writes are handled by hardware for that to be useful. I am now exploring the ability of the Intel Processor Trace to capture this data, but I don't believe this will lead to success either.
Alternatively, is it possible to have the CPU use the FPGA's onboard RAM as the main system RAM?
In this case, the FPGA is the PCIe endpoint, so the onboard RAM communicates with the PCIe endpoint. I don't see that it is possible to use the onboard RAM as the main system memory, which requires working with the root port (host CPU).
I am not too sure about your requirement, but you may refer to the PCIe DMA design example, which allows you to move data back and forth between the PCIe domain and the local domain (application). There is a descriptor in which you need to configure the source address, destination address, and size.