Implemented rough MTRR Enable bit (MTRR defType) emulation. This is
required for Linux CPU bootstrapping code to work properly, and fixes
a CPU lockup bug that occurs when destroying a cell on some AMD boards.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
After a cell is created, Jailhouse doesn't change its VMCB much.
This means VMCB Clean Bits (APMv2, Sect. 15.15.1) have a good
potential to reduce a world switch time.
This commit introduces VMCB Clean Bits support in Jailhouse. On each
VM exit, VMCB is marked as clean (unmodified), and each function that
changes guest state in VMCB is responsible for clearing the bit.
This is an optional feature, however it is cheap and harmless even
on CPUs that don't support it. So we use it unconditionally: CPUs
that do not support VMCB State Caching will simply ignore this.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
When a CPU is parked, it is halted in guest mode with interrupts off. This way,
only NMI sent from the hypervisor can "unpark" the CPU to run another cell.
AMD-V provides no VMX guest activity states equivalent, thus there is no easy way
to halt a CPU in guest mode waiting for NMI. To overcome this, when a CPU is parked,
its memory is temporarily switched to shared "parked mode NPT" which contains
"parking code" (cli; hlt) mapped at the Jailhouse custom reset vector (0xffff0).
The guest is directed to continue at this address. When NMI occurs, vcpu_reset()
restores original NPTs.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Compared to VMX, vcpu_activate_vmm() and vcpu_deativate_vmm() for AMD-V
systems have several notable differences.
First, additional MSRs (part of VMCB but not VMCS) need to be set and
restored. Then, host state area is opaque in AMD-V, so vcpu_activate_vmm()
remembers host stack pointer and essentially begins a VMRUN/#VMEXIT loop
implemented in svm-vmexit.S. Third, as RAX register is part of VMCB, it is
copied to guest_regs on each VM exit and written back before VM entry.
As Jailhouse runs with GIF set, it needs to be cleared on VMM deactivation.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This adds XSETBV instruction emulation. The code is almost the same as in
VMX, and is barely tested as the instruction is rarely used in real-world
scenarios.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Guest CR0 writes are intercepted if they change bits other than CR0.TS
or CR0.MP. The main purpose for this is to activate Long mode for
Jailhouse cells. As Decode Assists are optional in Jailhouse, if they
are not present the instruction is decoded manually. All current Jailhouse
inmates are first changing CR0 while they are in real mode, so having
real mode support in vcpu_get_guest_paging_structs() is essential.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
NMIs originate from the hypervisor which uses them to manage cells. As a part
of this management task, the CPU can be reset. This is performed in vcpu_reset().
Jailhouse runs with GIF set, and it needs to be cleared shortly to let the CPU
to consume pending interrupt and allow further NMIs trigger VM exits. Otherwise,
current NMI would be delivered to the guest on the next VM entry.
NMI can trigger in host mode only if Jailhouse explicitly clears the GIF to
consume the pending interrupt. There is nothing to handle in this case, so
vcpu_nmi_handler() simply prints a message that the NMI was consumed.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This completes Nested Page Fault handler introduced in the previous commit
with generic NPF handling route. The actual handling code is shared between
VMX and SVM, so we simply need to call vcpu_handle_pt_violation() and
implement the appropriate data wrapper.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jailhouse maps APIC MMIO page to cells read-only, so it only needs to handle
register writes, which are translated to Nested Page Faults. The real work is
delegated to generic apic_mmio_access(), which requires guest page tables to
work. These are obtained with vcpu_get_guest_paging_structs(), which supports
real mode cells as well.
As there is no AVIC support for any known AMD hardware, AVIC-related VM exits
are nor intercepted neither handled in Jailhouse.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
mmio_parse() can use accelerated guest memory access function, if the one
is provided in vendor-specific code. If Decode Assists are available on a
given CPU, we can avoid a costly page table walk and read guest instruction
directly from VMCB. However, since Decode Assists are optional as they may
not be advertised in nested SVM setup, a fallback route is provided as well.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Add the infrastructure required to handle VM exits. It is mostly boilerplate
code in its current state, and any VM exit will cause a CPU to dump registers
and halt.
Appropriate handlers are added in subsequent commits.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Implemented functions to map and unmap memory regions in NPT, get guest page
tables (including "fake" identity mappings if the guest runs in real mode), and
also to translate guest physical to host physical address. For TLB flush, only
mappings for the guest and not Jailhouse itself are cleaned, if possible.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Implemented functions responsible for checking AMD-V features present and
enabling/disabling SVM mode. Nested Page Tables (NPT) support is required,
and Decode Assists can optionally be used if available. For AVIC, only a
backing page is allocated.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Configure VMCB so that Linux can continue run safely on the Jailhouse-managed
CPU. This is done mostly the same way as for VMX (except CPUID is not intercepted
and only CR0 writes that change paging state are trapped). AMD-V guests can also
use ASID to tag TLB entries; as Jailhouse cells run on the same CPUs during all
their lifespan, it is assigned a static value (1).
AVIC is not present in any known AMD chip, so it is not configured yet.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: adjust overlapping entries in msrpm, add comment about x2APIC] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Extended Interrupt LVTs are vendor-specific APIC registers (0x50-0x53),
defined by AMD (see APMv2, Sect. 16.3.2). Jailhouse lists this MMIO
range as reserved, as it is not used on Intel systems. On AMD systems,
Extended Interrupt LVT is no more "privileged" than other LVT registers,
so we enable them in corresponding vcpu_init() much the same way it is
currently done for xAPIC mode. Note this also required to make
apic_reserved_bits[] non-static.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
VMX and SVM use different instructions to make a hypercall (vmcall and
vmmcall, respectively). Jailhouse abstracts hypercall instructions with
inlined functions in jailhouse_hypercall.h, and these need to be able to
differentiate between VMX and SVM. For this reason, jailhouse_use_vmcall
global variable was introduced that is stored and filled by the driver.
Inmates will require similar initialization. This is left out as inmates
do not make use of hypercalls at this point.
As jailhouse_call_*() functions are never called on a CPU without VM
extensions (the driver checks if Jailhouse is enabled before issuing a
hypercall, and inmates do not run outside cells), it is safe to assume
that the CPU without VMX support is an SVM one.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: dropped inmate initialization,
switched to bool for jailhouse_use_vmcall,
refactored init_use_vmcall_flag to init_hypercall] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This build system update brings an ability to build "jailhouse.bin"
firmware for different architecture "variants" (currently, AMD and
Intel on x86_64) simultaneously. Corresponding firmware files are
called 'jailhouse-$variant.bin'. Variants are introduced in
$(BUILD_VARIANTS) in hypervisor/Makefile and also in corresponding
arch Makefiles. Having per-variant compilation options inside one
architecture is not supported.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Introduce a set of vendor-specific headers and sources that contain stubs for
functions required to support AMD-V (SVM) in Jailhouse. As AMD IOMMU support
is not planned for now, iommu_init() does nothing more than print a warning.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
VMX-specific data members in struct cell and struct per_cpu were "unionized"
to avoid #ifdefs later, when AMD-V members will be introduced. As a part of these
changes, I/O bitmap became heap-allocated to make this field equally-sized for
both VMX and SVM.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This expresses the intention to load from gdt_ptr using CS clearer than
via the cs prefix, and it is more portable to other assemblers (namely
that of clang).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Henning Schild [Thu, 30 Oct 2014 16:29:54 +0000 (17:29 +0100)]
inmates: x86: align code after last level of page tables
The header contains the page tables but the last level (pd) contained the
code right after the first entry. Calls to map_range would actually
overwrite the inmates code.
This patch makes sure the code will start on the next page.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
As the number of external contributions to Jailhouse grows, the need
for some formal coding style to ease review process and integration
arise. This is the first attempt to summarize what's have been discussed
on jailhouse-dev@googlegroups.com mailing list so far.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: clarify include block separation] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Fri, 12 Sep 2014 17:05:31 +0000 (19:05 +0200)]
tools: config-create: rename parse_cmdline to parse_kernel_cmdline
`parse_cmdline` is quite missleading in the context of a script with
command-line parameters. Thus better name it for what it does, parse the
kernel command line.
Signed-off-by: Benjamin Block <bebl@mageta.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Henning Schild [Fri, 17 Oct 2014 17:19:29 +0000 (19:19 +0200)]
pci: fix msix device list remove-code
In pci_remove_device we want to remove only one device from the list.
The current code truncates our device list and drops the tail, fix that
by just unchaining one element.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Some systems may use 32-bit PM timer (as defined by TMR_VAL_EXT feature
flag in FADT), however pm_timer_read() assumes it is always 24-bit. Where
this assumption is wrong, return value becomes incorrect, and the error
grows over time leading to obscure bugs, including lockups in the hypervisor.
To fix this, TMR_VAL_EXT is made part of platform config and is passed to
inmates in the communication region. Config generator was also adapted
to parse FADT to get TMR_VAL_EXT value for target system. pm_timer_init()
function was also introduced to the inmates framework to the overflow value.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: mark jailhouse_comm_region as packed] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
When an IOAPIC redirection entry is masked, only lower half of the register
is written. This causes the upper half to contain stale data when the entry
is unmasked. On systems that don't do interrupt remapping (currently, QEMU
and AMD) this may result in interrupts being lost or delivered to the wrong
destination.
Fix this by unconditionally writing the upper half of the register when
it is unmasked.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Finally, page fault handling in guests was generalized and can now
be called for any vendor. To communicate page fault details between
vendor-specific and generic code, struct vcpu_pf_intercept was introduced,
and vcpu_get_guest_paging_structures() was made public (i.e. non-static).
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
I/O VM exit handling code can now be used for any vendor.
This implies introducing struct vcpu_io_intercept to communicate
intercepted instruction properties like the port number and access
size between vendor-specific and generic code.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Hypercall handling code can now be used for any vendor.
This implies implementing accessor to EFER, RFLAGS, CS and RIP,
(commonly referred to as "execution state") and also making
vcpu_deactivate_vmm() non-static.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
x86: Refactor generic bits of vcpu_cell_{init,exit}
vcpu_cell_init() and vcpu_cell_exit() functions contain some code that is
the same regardless virtualization technology used. So they were moved to
the newly-introduced vcpu.c, calling vcpu_vendor_cell_init() and
vcpu_vendor_cell_exit() for vendor-specific actions.
This also implies introducing the first data abstraction structure, and the
first vendor-specific data wrapper function: vcpu_vendor_get_cell_io_bitmap().
More to follow.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
x86: Switchable guest code access for mmio_parse()
mmio_parse() and related infrastructure use link-time resolved (rather
than hardcoded) static function to access guest memory. This way,
vendor-specific code can provide an accelerated implementation if available.
map_code_page() helper routine is now superseded by vcpu_get_inst_bytes() with
different call semantics. The function returns a pointer to the first byte
available and accepts the number of bytes to map (or otherwise make available)
to the hypervisor. It can adjust this value (it is now done to save an
unnecessary page table walk) as described inside the commit.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Removed direct references to VMX functions from the APIC code,
which is generic by its design. NMI handlers are now defined in
corresponding vendor-specific code (presently, only vmx.c), and
resolved at the link time.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
entry.S was split between vendor-neutral code (arch_entry, interrupt handlers),
and vendor-specific code for handling VM exists. This helps to avoid #ifdefs later,
when SVM entry point will be introduced.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
In preparation to support different vendor-specific implementations for
virtualization features, public functions for VMX/VTD were renamed.
"vmx_" and "vtd_" prefixes are now superseded with "vcpu_" and "iommu_",
and new header files were introduced to hold the declarations.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Real mode certainly has no paging, but having these structures in place make
guest memory access more uniform. Future AMD code will need to read guest
instructions for cells running in real mode.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Original set_cs() implementation relied on rex64/ljmp instruction. However,
AMD64 doesn't support 64-bit offsets in far jump (there is no rex-prefixed
version), and the offset used by Jailhouse is more than 32-bit long.
An alternative method that relies on lretq is used to switch CS now. It is
known to work both on Intel and AMD.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 29 Sep 2014 06:55:24 +0000 (08:55 +0200)]
driver: Use hypervisor's version.h
Let the driver module depend on the hypervisor subdir. This allows us to
reuse the version.h generated by the hypervisor build also for the
driver. They were identical.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 24 Sep 2014 20:28:46 +0000 (22:28 +0200)]
x86: Disentangle circular dependency of percpu.h and vmx.h
Move the struct vmcs to where it really belongs: vmx.h. This requires
including of the latter file from percpu.h. Enable this via a forward-
declaration of struct per_cpu in vmx.h. And now that we split things up,
we can move the vmx_state enum as well.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 24 Sep 2014 08:11:57 +0000 (10:11 +0200)]
core: Factor out generic jailhouse/types.h
Some types in the architecture-specific header are in fact generic. Move
them into a separate header and include this one directly from now on.
Document cpu_set at this chance according to doxygen style.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This adds doxygen-style documentation for public parts of the page
management subsystem. Again we place documentation of architecture-
provided entities in the generic header.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 16:33:25 +0000 (18:33 +0200)]
core: Document PCI subsystem interfaces
Convert existing kernel-doc comments to doxygen style and add missing
functions and structure descriptions for public interfaces. Architecture
specific functions are documented in the headers to avoid duplications
at the implementation site.
No functional changes.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 16:30:39 +0000 (18:30 +0200)]
core: Prefix arch-specific PCI functions properly
Add the "arch_"-prefix to pci_suppress_msi, pci_update_msi and
pci_update_msix_vector. This clearly signals that those functions have
to be implemented by the architecture support.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 13:06:40 +0000 (15:06 +0200)]
Documentation: Add Doxygen infrastructure
We diverge from Linux kernel style and use Doxygen as our code
documentation generator, see [1] for the reasoning. This adds the
required build infrastructure. Run "make docs" to trigger it (not
automatically done via other targets).
inmates: pci: allow pci_find_device to discover multiple devices
Systems can have more than one PCI device with the same vendor/device
id pair. Change the discovery helper to allow searching for more than
just the first bdf.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
It turned out to break 32-bit architectures: At least core_size and
entry must be of the size the hypervisor uses for pointer, otherwise
link-time initialization of those fields fail.
We will need a more sophisticated solution if including the header in
i386 mode is really necessary.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Tue, 23 Sep 2014 16:24:10 +0000 (18:24 +0200)]
tooling: Fix gen_version_h to query git support for the correct repository
The initial git availability check ran in the kernel directory instead
of the Jailhouse source tree. Fix it by moving the cd before it. Also
quote the input path properly at this chance.
Reported-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Mon, 22 Sep 2014 13:08:27 +0000 (15:08 +0200)]
core: make the jailhouse-header arch-independent
The header of jailhouse is defined with arch-dependent types such as
`unsigned long` which on linux varies in size. Because this header can
be considered the "communication"-relay with the environment, it should
be type-safe on any arch. Thus change all types into fixed-size-types.
Signed-off-by: Benjamin Block <bebl@mageta.org>
[Jan: adjusted jailhouse_entry to keep unsigned int] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Mon, 22 Sep 2014 13:08:26 +0000 (15:08 +0200)]
x86: make the x86 types-definitions work on either x86-32 and x86-64
For Intel TXT we will need to work in 32bit mode for a limited amount of
time. To make sure we can use certain headers and definitions safely in
both modes, change the definition of `u64` to use `long long` instead of
`long` (which changes its length depending on the arch).
Furthermore, the x86-header defines a macro BITS_PER_LONG, currently we
define this always as `64`. To make this usable for the TXT-stub, hide
this behind an `ifndef`. The current hypervisor-code won't be affected
by this change and we can define this for the TXT-stub with our tooling,
thus make the header usable in both modes.
Signed-off-by: Benjamin Block <bebl@mageta.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
tools: config create: change the way input files are handled
Switch from automatically generated lists of input files to
hand-maintained ones. Generating the lists turned out to make the code
less readable. All the parse-functions would have to be called just to
collect theire opens.
Now we still use the input_open wrapper to prefix the opens with the
root_dir and we make sure that the file one is trying to open is listed
as an input file and will therefore be collected by the collector.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
projects / jailhouse.git / log