Wednesday, December 25, 2013

test

struct kvm_memory_slot {
 gfn_t base_gfn;                   /* first guest frame number covered by this slot */
 unsigned long npages;             /* size of the slot in pages */
 unsigned long *dirty_bitmap;      /* one bit per page, set when the guest dirties it */
 struct kvm_arch_memory_slot arch; /* architecture-specific part of the slot */
 unsigned long userspace_addr;     /* host virtual address backing base_gfn */
 u32 flags;                        /* KVM_MEM_* flags */
 short id;                         /* slot number */
};

Tuesday, August 13, 2013

Some git tricks

Push a local branch to the remote (and track it): git push -u origin new_branch
Delete a remote branch: git push -u origin :del_branch

Saturday, August 10, 2013

Feedback after weekly sync

Here is some feedback from Jan after this weekend's sync.

  1. Preemption timer: currently "save preemption timer value on exit" is not supported, so a preemption exit from L2->L0 cannot track its preemption timer value, and the preemption timer value is reset on L0->L2. But L2->L0->L1 is not a case of an L2->L1 exit, so the preemption timer value should be kept.
    1. Write a test case for this bug.
    2. Write "save preemption timer value on exit" support for KVM and nested KVM.
  2. Instruction interception: refactor the code into a table-driven structure.
  3. CR0/4 shadowing has some big problems.
    1. Some of the flags are "owned" by L1 and some are shadowed. Check the owned flags with vcpu->arch.cr0_guest_owned_bits and vcpu->arch.cr4_guest_owned_bits.
    2. Write a test where in one case L1 shadows the bit and in the other it leaves it to L2.
    3. For CR0, we can test TS (owned by L1) and MP (shadow); for CR4, we can test DE (owned by L1) and TSD (shadow).
  4. PAT and EFER look good.
  5. I/O bitmap: the test cases need to be rewritten completely.
    1. Test the low and high parts (bitmap A and bitmap B).
    2. Test IN and OUT.
    3. Test access width.
    4. Test pass and trap, and "partial" pass or trap.
    5. Test corner cases: 0x0, 0x7FFF, 0x8000, 0xFFFF, overruns (4 bytes at address 0x7FFF, and at 0xFFFF).
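A small model of the I/O bitmap lookup makes the cases in item 5 (and the I/O bitmap item of the milestone plan below) concrete. This is an added example, not KVM's or the test suite's code; the wrap from port 0xFFFF to 0x0000 in the overrun case is an assumption the corner-case tests are meant to confirm, and the trapped ports are a constructed scenario.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Model of the VMX I/O bitmap lookup (added example, not KVM code).
 * Bitmap A covers ports 0x0000-0x7FFF and bitmap B covers 0x8000-0xFFFF;
 * each is 4096 bytes with one bit per port, and a set bit means "trap". */
#define IO_BITMAP_BYTES 4096

struct io_bitmaps {
    uint8_t a[IO_BITMAP_BYTES];
    uint8_t b[IO_BITMAP_BYTES];
};

/* Byte of bitmap A or B that holds the bit for a single port. */
static uint8_t *io_bitmap_byte(struct io_bitmaps *bm, uint16_t port)
{
    uint8_t *map = (port & 0x8000) ? bm->b : bm->a;
    return &map[(port & 0x7fff) / 8];
}

static void io_bitmap_trap_port(struct io_bitmaps *bm, uint16_t port)
{
    *io_bitmap_byte(bm, port) |= (uint8_t)(1u << (port & 7));
}

/* An access of `width` bytes at `port` traps if ANY port it touches has its
 * bit set (this is what makes a "partial" trap). Port numbers are 16-bit, so
 * this model wraps 0xFFFF -> 0x0000 for the overrun case; that wrap is an
 * assumption, which is exactly what the corner-case tests should check. */
static bool io_access_traps(struct io_bitmaps *bm, uint16_t port, int width)
{
    for (int i = 0; i < width; i++) {
        uint16_t p = (uint16_t)(port + i);   /* wraps modulo 64K */
        if ((*io_bitmap_byte(bm, p) >> (p & 7)) & 1)
            return true;
    }
    return false;
}

/* Constructed scenario: trap only the two boundary ports 0x8000 and 0x0000,
 * so a dword at 0x7FFF overruns into bitmap B and a dword at 0xFFFF wraps. */
static struct io_bitmaps *sample_bitmaps(void)
{
    static struct io_bitmaps bm;
    memset(&bm, 0, sizeof(bm));
    io_bitmap_trap_port(&bm, 0x8000);
    io_bitmap_trap_port(&bm, 0x0000);
    return &bm;
}
```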

Saturday, July 27, 2013

Plan for next milestone

So after the final (I hope it is the final one) version of the VMX hypervisor patch is committed, we need another plan for the next milestone. The next one is about test cases for the control bits in the VM-Execution Control Fields and the VM-Exit/VM-Entry Control Fields.

  1. Save and restore IA32_PAT and IA32_EFER on VM-Exit and VM-Entry. These control bits are defined in the Intel SDM: bits 18-21 in Table 24-10 and bits 14-15 in Table 24-12. IA32_EFER should be tested separately in and out of IA-32e mode.
  2. Test the VMX preemption timer. See the details in Intel SDM "25.5.1 VMX-Preemption Timer", and bit 6 of Table 24-5.
  3. I/O bitmaps and exception bitmaps. Test that they behave correctly.
  4. CR0/4 shadowing. See the details in Intel SDM "24.6.6 Guest/Host Masks and Read Shadows for CR0 and CR4". CRx shadowing needs a Haswell host, as do APICv and posted interrupts. The related VMCS fields are "CR0 guest/host mask", "CR4 guest/host mask", "CR0 read shadow" and "CR4 read shadow".
  5. Instruction intercepts. Test the instruction intercepts of VMX and their exit codes and information. See Tables 24-6 and 24-7, as well as Chapter 27.2, which describes the information recorded on VM exit. Some instructions may depend on host capabilities.
The test cases cited above need to be put in separate files; all the basic tests are so simple that they can live in the same file, maybe instruction_intercepts.c or entry-exit-control.c. I'd prefer to put them all in a sub-directory named nvmx.

All the relevant patches should be committed after the framework patch is in, but I will keep developing in my tree.
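A model of the CR0 guest/host mask and read shadow semantics from item 4 above (and the CR0/4 shadowing feedback from the later sync). This is an added example, not KVM code; the field names are the VMCS terms, the constants are the CR0 bits the feedback names, and the scenario is constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added model of CR0 guest/host-mask and read-shadow semantics (not KVM
 * code). A bit that is 1 in the mask is owned by the hypervisor: the guest
 * reads it from the read shadow, and a MOV to CR0 that would give it a value
 * different from the shadow causes a VM exit. A bit that is 0 in the mask is
 * guest-owned (KVM writes ~cr0_guest_owned_bits into the mask field) and is
 * read from and written to the real CR0 directly. */
#define X86_CR0_MP (1ull << 1)
#define X86_CR0_TS (1ull << 3)

struct cr0_shadow {
    uint64_t mask;        /* "CR0 guest/host mask" VMCS field */
    uint64_t read_shadow; /* "CR0 read shadow" VMCS field */
    uint64_t real;        /* CR0 actually in effect while the guest runs */
};

/* Value the guest sees on MOV from CR0. */
static uint64_t cr0_guest_read(const struct cr0_shadow *s)
{
    return (s->read_shadow & s->mask) | (s->real & ~s->mask);
}

/* True if MOV to CR0 with new_val must cause a VM exit, i.e. it tries to
 * give a masked bit a value that differs from the read shadow. */
static bool cr0_guest_write_exits(const struct cr0_shadow *s, uint64_t new_val)
{
    return ((new_val ^ s->read_shadow) & s->mask) != 0;
}

/* Constructed scenario in the spirit of the test plan: TS is masked (the
 * hypervisor keeps it set to trap FPU use lazily while the guest believes it
 * is clear); MP is left to the guest and is currently set. */
static const struct cr0_shadow *sample_shadow(void)
{
    static const struct cr0_shadow s = {
        .mask = X86_CR0_TS,
        .read_shadow = 0,
        .real = X86_CR0_TS | X86_CR0_MP,
    };
    return &s;
}
```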

Saturday, July 13, 2013

Finally finished the first vmx hypervisor

I finally finished my first vmx hypervisor!

Mini-Hypervisor Milestone 2013/07/13

The job is too trivial to debug!!!

Now the VM can run, and VMCALL gets to vmx_entry and returns the right VMEXIT reason. But calling printf in the VM fails and the VM blocks somewhere I don't know.

Well, go to sleep first :)

Checking and Loading Guest State When VMLAUNCH/VMRESUME

If all checks on the VMX controls and the host-state area pass, the following checks are performed (in no particular order). Because the processor is already entering the guest at this point, a failed check causes a VM exit that loads the host-state fields from the VMCS, so the reason for the failure can be read back from the VMCS exit-reason field.

I. Checks on Guest State Area

1. Checks on Guest Control Registers, Debug Registers and MSRs
  • CR0 should be set correctly except:
    • CR0.PE (bit 0) and CR0.PG (bit 31) are not checked if "unrestricted guest" VM-execution control is 1 (Bit 7 of Secondary Processor-Based VM-Execution Controls)
    • CR0.NW (bit 29) and CR0.CD (bit 30) are never checked.
  • If bit 31 in the CR0 field (corresponding to PG) is 1, bit 0 in that field (PE) must also be 1.
  • The CR4 field must not set any bit to a value not supported in VMX operation.
  • If the “load debug controls” (Bit 2 of VM-Entry Controls) VM-entry control is 1, bits reserved in the IA32_DEBUGCTL MSR must be 0 in the field for that register.
  • The following checks are performed on processors that support Intel 64 architecture:
    • If the “IA-32e mode guest” (Bit 9 of VM-Entry Controls) VM-entry control is 1, bit 31 in the CR0 field (corresponding to CR0.PG) and bit 5 in the CR4 field (corresponding to CR4.PAE) must each be 1.
    • If the “IA-32e mode guest” (Bit 9 of VM-Entry Controls) VM-entry control is 0, bit 17 in the CR4 field (corresponding to CR4.PCIDE) must be 0.
    • The CR3 field must be such that bits 63:52 and bits in the range 51:32 beyond the processor’s physical-address width are 0.
    • If the “load debug controls” (Bit 2 of VM-Entry Controls) VM-entry control is 1, bits 63:32 in the DR7 field must be 0.
    • The IA32_SYSENTER_ESP field and the IA32_SYSENTER_EIP field must each contain a canonical address.
  • If the “load IA32_PERF_GLOBAL_CTRL” (Bit 13 of VM-Entry Controls) VM-entry control is 1, bits reserved in the IA32_PERF_GLOBAL_CTRL MSR must be 0 in the field for that register. (See Intel SDM Volume 3B, Figure 18-3)
  • If the “load IA32_PAT” (Bit 14 of VM-Entry Controls) VM-entry control is 1, the value of the field for the IA32_PAT MSR must be one that could be written by WRMSR without fault at CPL 0. Specifically, each of the 8 bytes in the field must have one of the values 0 (UC), 1 (WC), 4 (WT), 5 (WP), 6 (WB), or 7 (UC-).
  • If the “load IA32_EFER” (Bit 15 of VM-Entry Controls) VM-entry control is 1, the following checks are performed on the field for the IA32_EFER MSR:
    • Bits reserved in the IA32_EFER MSR must be 0. (See Intel SDM Volume 3A, 2.2.1, Figure 2-4, Table 2-1)
    • Bit 10 (corresponding to IA32_EFER.LMA) must equal the value of the “IA-32e mode guest” (bit 9 of VM-Entry Controls) VM-entry control. It must also be identical to bit 8 (LME) if bit 31 in the CR0 field (corresponding to CR0.PG) is 1.

2. Checks on Guest Segment Registers

This section specifies the checks on the fields for CS, SS, DS, ES, FS, GS, TR, and LDTR.

The following terms are defined first:

  • The guest will be virtual-8086 if the VM flag (bit 17) is 1 in the RFLAGS field in the guest-state area.
  • The guest will be IA-32e mode if the “IA-32e mode guest” VM-entry control (Bit 9 of VM-Entry Controls) is 1. (This is possible only on processors that support Intel 64 architecture.)
  • Any one of these registers is said to be usable if the unusable bit (bit 16) is 0 in the access-rights field for that register.

Then the following checks are performed on the segment registers:

  • Selector fields.
    • TR. The TI flag (bit 2) must be 0.
    • LDTR. If LDTR is usable, the TI flag (bit 2) must be 0.
    • SS. If the guest will not be virtual-8086 and the “unrestricted guest” VM-execution control is 0, the RPL (bits 1:0) must equal the RPL of the selector field for CS.
  • Base-address fields.
    • CS, SS, DS, ES, FS, GS. If the guest will be virtual-8086, the address must be the selector field shifted left 4 bits (multiplied by 16).
    • The following checks are performed on processors that support Intel 64 architecture:
      • TR, FS, GS. The address must be canonical.
      • LDTR. If LDTR is usable, the address must be canonical.
      • CS. Bits 63:32 of the address must be zero.
      • SS, DS, ES. If the register is usable, bits 63:32 of the address must be zero.
  • Limit fields for CS, SS, DS, ES, FS, GS. If the guest will be virtual-8086, the field must be 0000FFFFH.
  • Access-rights fields.
    • CS, SS, DS, ES, FS, GS.
      • If the guest will be virtual-8086, the field must be 000000F3H. This implies the following:
        • Bits 3:0 (Type) must be 3, indicating an expand-up read/write accessed data segment.
        • Bit 4 (S) must be 1.
        • Bits 6:5 (DPL) must be 3.
        • Bit 7 (P) must be 1.
        • Bits 11:8 (reserved), bit 12 (software available), bit 13 (reserved/L), bit 14 (D/B), bit 15 (G), bit 16 (unusable), and bits 31:17 (reserved) must all be 0.
      • If the guest will not be virtual-8086, the different sub-fields are considered separately:
        • Bits 3:0 (Type).
          • CS. The values allowed depend on the setting of the “unrestricted guest” VM-execution control (Bit 7 of Secondary Processor-Based VM-Execution Controls):
            • If the control is 0, the Type must be 9, 11, 13, or 15 (accessed code segment).
            • If the control is 1, the Type must be either 3 (read/write accessed expand-up data segment) or one of 9, 11, 13, and 15 (accessed code segment).
          • SS. If SS is usable, the Type must be 3 or 7 (read/write, accessed data segment).
          • DS, ES, FS, GS. The following checks apply if the register is usable:
            • Bit 0 of the Type must be 1 (accessed).
            • If bit 3 of the Type is 1 (code segment), then bit 1 of the Type must be 1 (readable).
        • Bit 4 (S). If the register is CS or if the register is usable, S must be 1.
        • Bits 6:5 (DPL).
          • CS.
            • If the Type is 3 (read/write accessed expand-up data segment), the DPL must be 0. The Type can be 3 only if the “unrestricted guest” VM-execution control is 1.
            • If the Type is 9 or 11 (non-conforming code segment), the DPL must equal the DPL in the access-rights field for SS.
            • If the Type is 13 or 15 (conforming code segment), the DPL cannot be greater than the DPL in the access-rights field for SS.
          • SS.
            • If the “unrestricted guest” VM-execution control is 0, the DPL must equal the RPL from the selector field.
            • The DPL must be 0 either if the Type in the access-rights field for CS is 3 (read/write accessed expand-up data segment) or if bit 0 in the CR0 field (corresponding to CR0.PE) is 0.
          • DS, ES, FS, GS. The DPL cannot be less than the RPL in the selector field if (1) the “unrestricted guest” VM-execution control is 0; (2) the register is usable; and (3) the Type in the access-rights field is in the range 0 – 11 (data segment or non-conforming code segment).
        • Bit 7 (P). If the register is CS or if the register is usable, P must be 1.
        • Bits 11:8 (reserved). If the register is CS or if the register is usable, these bits must all be 0.
        • Bit 14 (D/B). For CS, D/B must be 0 if the guest will be IA-32e mode and the L bit (bit 13) in the access-rights field is 1.
        • Bit 15 (G). The following checks apply if the register is CS or if the register is usable:
          • If any bit in the limit field in the range 11:0 is 0, G must be 0.
          • If any bit in the limit field in the range 31:20 is 1, G must be 1.
        • Bits 31:17 (reserved). If the register is CS or if the register is usable, these bits must all be 0.
    • TR. The different sub-fields are considered separately:
      • Bits 3:0 (Type).
        • If the guest will not be IA-32e mode, the Type must be 3 (16-bit busy TSS) or 11 (32-bit busy TSS).
        • If the guest will be IA-32e mode, the Type must be 11 (64-bit busy TSS).
      • Bit 4 (S). S must be 0.
      • Bit 7 (P). P must be 1.
      • Bits 11:8 (reserved). These bits must all be 0.
      • Bit 15 (G).
        • If any bit in the limit field in the range 11:0 is 0, G must be 0.
        • If any bit in the limit field in the range 31:20 is 1, G must be 1.
      • Bit 16 (Unusable). The unusable bit must be 0.
      • Bits 31:17 (reserved). These bits must all be 0.
    • LDTR. The following checks on the different sub-fields apply only if LDTR is usable:
      • Bits 3:0 (Type). The Type must be 2 (LDT).
      • Bit 4 (S). S must be 0.
      • Bit 7 (P). P must be 1.
      • Bits 11:8 (reserved). These bits must all be 0.
      • Bit 15 (G).
        • If any bit in the limit field in the range 11:0 is 0, G must be 0.
        • If any bit in the limit field in the range 31:20 is 1, G must be 1.
      • Bits 31:17 (reserved). These bits must all be 0.

3. Checks on Guest Descriptor-Table Registers

The following checks are performed on the fields for GDTR and IDTR:

  • On processors that support Intel 64 architecture, the base-address fields must contain canonical addresses.
  • Bits 31:16 of each limit field must be 0.

4. Checks on Guest RIP and RFLAGS

  • RIP. The following checks are performed on processors that support Intel 64 architecture:
    • Bits 63:32 must be 0 if the “IA-32e mode guest” (Bit 9 of VM-Entry Controls) VM-entry control is 0 or if the L bit (bit 13) in the access-rights field for CS is 0.
    • If the processor supports N < 64 linear-address bits, bits 63:N must be identical if the “IA-32e mode guest” VM-entry control is 1 and the L bit in the access-rights field for CS is 1.
  • RFLAGS.
    • Reserved bits 63:22 (bits 31:22 on processors that do not support Intel 64 architecture), bit 15, bit 5 and bit 3 must be 0 in the field, and reserved bit 1 must be 1.
    • The VM flag (bit 17) must be 0 either if the “IA-32e mode guest” VM-entry control is 1 or if bit 0 in the CR0 field (corresponding to CR0.PE) is 0.
    • The IF flag (RFLAGS[bit 9]) must be 1 if the valid bit (bit 31) in the VM-entry interruption-information field is 1 and the interruption type (bits 10:8) is external interrupt. (See Intel SDM, Volume 3C, 24.8.3 VM-Entry Controls for Event Injection)
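A subset of the checks in sections 2 and 3 written out as code: the G-bit/limit rule, the virtual-8086 segment values, the TR checks, and the canonical-address test. This is an added example, not KVM's or the test suite's code; the bit positions follow the access-rights layout listed above, and the number of linear-address bits is a parameter because the page leaves it processor-dependent.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added checker for part of the guest segment-register checks (not KVM or
 * test-suite code). Bit positions follow the access-rights field layout. */
#define AR_TYPE(ar)     ((ar) & 0xfu)
#define AR_S(ar)        (((ar) >> 4) & 1u)
#define AR_P(ar)        (((ar) >> 7) & 1u)
#define AR_G(ar)        (((ar) >> 15) & 1u)
#define AR_UNUSABLE(ar) (((ar) >> 16) & 1u)
#define AR_RESERVED     0xfffe0f00u   /* bits 31:17 and 11:8 */

/* Bit 15 (G) vs the limit: G=1 requires limit[11:0] all ones and G=0
 * requires limit[31:20] all zero (the two rules as stated in the list). */
static bool granularity_ok(uint32_t limit, uint32_t ar)
{
    if (AR_G(ar) && (limit & 0xfffu) != 0xfffu)
        return false;
    if (!AR_G(ar) && (limit & 0xfff00000u) != 0)
        return false;
    return true;
}

/* CS/SS/DS/ES/FS/GS in a virtual-8086 guest: base = selector << 4,
 * limit = 0000FFFFH, access rights = 000000F3H. */
static bool v86_segment_ok(uint16_t sel, uint64_t base, uint32_t limit, uint32_t ar)
{
    return base == ((uint64_t)sel << 4) && limit == 0x0000ffffu && ar == 0x000000f3u;
}

/* TR: TI clear, busy TSS type (11 only in IA-32e mode, 3 or 11 otherwise),
 * S=0, P=1, usable, reserved bits clear, G consistent with the limit. */
static bool tr_ok(uint16_t sel, uint32_t limit, uint32_t ar, bool ia32e)
{
    unsigned type = AR_TYPE(ar);
    if (sel & 4)                                   /* TI flag, bit 2 */
        return false;
    if (type != 11 && (ia32e || type != 3))
        return false;
    if (AR_S(ar) || !AR_P(ar) || AR_UNUSABLE(ar) || (ar & AR_RESERVED))
        return false;
    return granularity_ok(limit, ar);
}

/* Canonical form for vaddr_bits implemented linear-address bits:
 * bits 63:vaddr_bits must all equal bit vaddr_bits-1. */
static bool is_canonical(uint64_t addr, unsigned vaddr_bits)
{
    uint64_t high = addr >> (vaddr_bits - 1);
    return high == 0 || high == (UINT64_MAX >> (vaddr_bits - 1));
}
```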