Benjamin Block [Fri, 7 Nov 2014 17:57:10 +0000 (18:57 +0100)]
tools: config-create: drop line numbers in parse_iomem_tree()
Previously we defined the children of a MemRegion-Tree as set. This
caused the order of the children to be undefined as soon as they got
added to this structure. But the using function of parse_iomem_tree()
wanted the list of regions returned to be sorted like in the file, so we
had to maintain a separate list of line numbers.
By changing the set to a list, the order is always maintained and
because parse_iomem_tree() only adds to his private regions-list and
never inserts or reorders, this private structure will also always have
the same order as in the file. With this we can remove the
line numbers list. This structure was never use for anything else, so it
will make the code more readable.
Signed-off-by: Benjamin Block <bebl@mageta.org> Reviewed-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
There is no point in clearing host-side MSRs in vcpu_activate_vmm()
(svm.c version), as they get restored as soon as vmload is executed
few lines below.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jailhouse relies on the caller to define and initialize jailhouse_use_vmcall
global variable for hypercalls to work properly. As no inmates currently use
hypercalls, the code was stripped from the original patch.
This patch re-introduces jailhouse_use_vmcall initialization, this time with
hypercall_init() function, which should be called during inmate initialization
the same way other *_init() function are called. This way, inmates that don't
need hypercalls (or timers) can skip initializing them.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 5 Nov 2014 08:18:29 +0000 (09:18 +0100)]
x86: Privatize names of static vendor-specific functions
vcpu_set_cell_config, vcpu_reset, vcpu_vendor_get_io_intercept and
vcpu_vendor_get_pf_intercept - they share the same parameters across the
vendor-specific implementations, but they are invoked only locally. So
rename them to something which is prefixed by vmx and svm, respectively,
so that they can be locally refactored as desired with risking confusion
that they might have to usable in a cross-vendor fashion.
CC: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 1 Oct 2014 15:51:57 +0000 (17:51 +0200)]
core: Move mmio_parse and struct mmio_instruction into arch header
There will be no need for and implementation of this service outside of
x86 in the foreseeable future. So make it arch-private until we have
more users.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 1 Oct 2014 15:33:49 +0000 (17:33 +0200)]
core: Refactor struct mmio_access to mmio_instruction
The current mmio_access rather contains information about the accessing
instruction. ARM's mmio_access will hold data about the actual access.
To clarify the meaning and free the namespace, rework the preexisting
struct to mmio_instruction.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 6 Nov 2014 19:32:23 +0000 (20:32 +0100)]
x86: vtd: Drop bogus checks in iommu_get_remapped_root_int
These checks make no sense: At this stage, we actually don't care if
there is a corresponding entry in the hypervisor remapping table for the
device. And the check of the vector number is actually comparing apples
(hypervisor-side base_index) to onions (guest-side irt_entries).
Finally, the tuple of device_id and vector stored in this function will
be validated by iommu_map_interrupt before use in case it gets forwarded
to it.
So drop this code. This will also make the function directly usable for
virtual devices that have no corresponding entry in the hypervisor's
interrupt remapping table.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 6 Nov 2014 16:25:27 +0000 (17:25 +0100)]
core: Clarify usage constraints of strcmp
Using strcmp quickly attracts the attention of reviews: Is this really
safe regarding buffer overflows? It is, but that's not obvious. So
document what enables the safe usage of strcmp in this case.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Thu, 6 Nov 2014 16:00:10 +0000 (17:00 +0100)]
core/tools: Protect result of ARRAY_SIZE
Prevent any operator prioritization issues when embedding ARRAY_SIZE
into an expression by protecting the result with braces. This is a
defensive measure, no current user was affected by it.
Do not convert all the generated or copy&pasted ARRAY_SIZE defines in
the config files as long as they are not affected by the issue.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Outline Jailhouse AMD-V system requirements and nested SVM setup instructions
in the qemu-vm.cell config and README file. As Linux 3.17 is already released,
reflect this in aforementioned files as well.
Also remove "AMD-V support" item from the TODO list and add AMD IOMMU to it.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: raise host-kernel requirement to 3.18 for AMD] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Implemented rough MTRR Enable bit (MTRR defType) emulation. This is
required for Linux CPU bootstrapping code to work properly, and fixes
a CPU lockup bug that occurs when destroying a cell on some AMD boards.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
After a cell is created, Jailhouse doesn't change its VMCB much.
This means VMCB Clean Bits (APMv2, Sect. 15.15.1) have a good
potential to reduce a world switch time.
This commit introduces VMCB Clean Bits support in Jailhouse. On each
VM exit, VMCB is marked as clean (unmodified), and each function that
changes guest state in VMCB is responsible for clearing the bit.
This is an optional feature, however it is cheap and harmless even
on CPUs that don't support it. So we use it unconditionally: CPUs
that do not support VMCB State Caching will simply ignore this.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
When a CPU is parked, it is halted in guest mode with interrupts off. This way,
only NMI sent from the hypervisor can "unpark" the CPU to run another cell.
AMD-V provides no VMX guest activity states equivalent, thus there is no easy way
to halt a CPU in guest mode waiting for NMI. To overcome this, when a CPU is parked,
its memory is temporarily switched to shared "parked mode NPT" which contains
"parking code" (cli; hlt) mapped at the Jailhouse custom reset vector (0xffff0).
The guest is directed to continue at this address. When NMI occurs, vcpu_reset()
restores original NPTs.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Compared to VMX, vcpu_activate_vmm() and vcpu_deativate_vmm() for AMD-V
systems have several notable differences.
First, additional MSRs (part of VMCB but not VMCS) need to be set and
restored. Then, host state area is opaque in AMD-V, so vcpu_activate_vmm()
remembers host stack pointer and essentially begins a VMRUN/#VMEXIT loop
implemented in svm-vmexit.S. Third, as RAX register is part of VMCB, it is
copied to guest_regs on each VM exit and written back before VM entry.
As Jailhouse runs with GIF set, it needs to be cleared on VMM deactivation.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This adds XSETBV instruction emulation. The code is almost the same as in
VMX, and is barely tested as the instruction is rarely used in real-world
scenarios.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Guest CR0 writes are intercepted if they change bits other than CR0.TS
or CR0.MP. The main purpose for this is to activate Long mode for
Jailhouse cells. As Decode Assists are optional in Jailhouse, if they
are not present the instruction is decoded manually. All current Jailhouse
inmates are first changing CR0 while they are in real mode, so having
real mode support in vcpu_get_guest_paging_structs() is essential.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
NMIs originate from the hypervisor which uses them to manage cells. As a part
of this management task, the CPU can be reset. This is performed in vcpu_reset().
Jailhouse runs with GIF set, and it needs to be cleared shortly to let the CPU
to consume pending interrupt and allow further NMIs trigger VM exits. Otherwise,
current NMI would be delivered to the guest on the next VM entry.
NMI can trigger in host mode only if Jailhouse explicitly clears the GIF to
consume the pending interrupt. There is nothing to handle in this case, so
vcpu_nmi_handler() simply prints a message that the NMI was consumed.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This completes Nested Page Fault handler introduced in the previous commit
with generic NPF handling route. The actual handling code is shared between
VMX and SVM, so we simply need to call vcpu_handle_pt_violation() and
implement the appropriate data wrapper.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jailhouse maps APIC MMIO page to cells read-only, so it only needs to handle
register writes, which are translated to Nested Page Faults. The real work is
delegated to generic apic_mmio_access(), which requires guest page tables to
work. These are obtained with vcpu_get_guest_paging_structs(), which supports
real mode cells as well.
As there is no AVIC support for any known AMD hardware, AVIC-related VM exits
are nor intercepted neither handled in Jailhouse.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
mmio_parse() can use accelerated guest memory access function, if the one
is provided in vendor-specific code. If Decode Assists are available on a
given CPU, we can avoid a costly page table walk and read guest instruction
directly from VMCB. However, since Decode Assists are optional as they may
not be advertised in nested SVM setup, a fallback route is provided as well.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Add the infrastructure required to handle VM exits. It is mostly boilerplate
code in its current state, and any VM exit will cause a CPU to dump registers
and halt.
Appropriate handlers are added in subsequent commits.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Implemented functions to map and unmap memory regions in NPT, get guest page
tables (including "fake" identity mappings if the guest runs in real mode), and
also to translate guest physical to host physical address. For TLB flush, only
mappings for the guest and not Jailhouse itself are cleaned, if possible.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Implemented functions responsible for checking AMD-V features present and
enabling/disabling SVM mode. Nested Page Tables (NPT) support is required,
and Decode Assists can optionally be used if available. For AVIC, only a
backing page is allocated.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Configure VMCB so that Linux can continue run safely on the Jailhouse-managed
CPU. This is done mostly the same way as for VMX (except CPUID is not intercepted
and only CR0 writes that change paging state are trapped). AMD-V guests can also
use ASID to tag TLB entries; as Jailhouse cells run on the same CPUs during all
their lifespan, it is assigned a static value (1).
AVIC is not present in any known AMD chip, so it is not configured yet.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: adjust overlapping entries in msrpm, add comment about x2APIC] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Extended Interrupt LVTs are vendor-specific APIC registers (0x50-0x53),
defined by AMD (see APMv2, Sect. 16.3.2). Jailhouse lists this MMIO
range as reserved, as it is not used on Intel systems. On AMD systems,
Extended Interrupt LVT is no more "privileged" than other LVT registers,
so we enable them in corresponding vcpu_init() much the same way it is
currently done for xAPIC mode. Note this also required to make
apic_reserved_bits[] non-static.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
VMX and SVM use different instructions to make a hypercall (vmcall and
vmmcall, respectively). Jailhouse abstracts hypercall instructions with
inlined functions in jailhouse_hypercall.h, and these need to be able to
differentiate between VMX and SVM. For this reason, jailhouse_use_vmcall
global variable was introduced that is stored and filled by the driver.
Inmates will require similar initialization. This is left out as inmates
do not make use of hypercalls at this point.
As jailhouse_call_*() functions are never called on a CPU without VM
extensions (the driver checks if Jailhouse is enabled before issuing a
hypercall, and inmates do not run outside cells), it is safe to assume
that the CPU without VMX support is an SVM one.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: dropped inmate initialization,
switched to bool for jailhouse_use_vmcall,
refactored init_use_vmcall_flag to init_hypercall] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This build system update brings an ability to build "jailhouse.bin"
firmware for different architecture "variants" (currently, AMD and
Intel on x86_64) simultaneously. Corresponding firmware files are
called 'jailhouse-$variant.bin'. Variants are introduced in
$(BUILD_VARIANTS) in hypervisor/Makefile and also in corresponding
arch Makefiles. Having per-variant compilation options inside one
architecture is not supported.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Introduce a set of vendor-specific headers and sources that contain stubs for
functions required to support AMD-V (SVM) in Jailhouse. As AMD IOMMU support
is not planned for now, iommu_init() does nothing more than print a warning.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
VMX-specific data members in struct cell and struct per_cpu were "unionized"
to avoid #ifdefs later, when AMD-V members will be introduced. As a part of these
changes, I/O bitmap became heap-allocated to make this field equally-sized for
both VMX and SVM.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This expresses the intention to load from gdt_ptr using CS clearer than
via the cs prefix, and it is more portable to other assemblers (namely
that of clang).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Henning Schild [Thu, 30 Oct 2014 16:29:54 +0000 (17:29 +0100)]
inmates: x86: align code after last level of page tables
The header contains the page tables but the last level (pd) contained the
code right after the first entry. Calls to map_range would actually
overwrite the inmates code.
This patch makes sure the code will start on the next page.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
As the number of external contributions to Jailhouse grows, the need
for some formal coding style to ease review process and integration
arise. This is the first attempt to summarize what's have been discussed
on jailhouse-dev@googlegroups.com mailing list so far.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: clarify include block separation] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Benjamin Block [Fri, 12 Sep 2014 17:05:31 +0000 (19:05 +0200)]
tools: config-create: rename parse_cmdline to parse_kernel_cmdline
`parse_cmdline` is quite missleading in the context of a script with
command-line parameters. Thus better name it for what it does, parse the
kernel command line.
Signed-off-by: Benjamin Block <bebl@mageta.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Henning Schild [Fri, 17 Oct 2014 17:19:29 +0000 (19:19 +0200)]
pci: fix msix device list remove-code
In pci_remove_device we want to remove only one device from the list.
The current code truncates our device list and drops the tail, fix that
by just unchaining one element.
Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Some systems may use 32-bit PM timer (as defined by TMR_VAL_EXT feature
flag in FADT), however pm_timer_read() assumes it is always 24-bit. Where
this assumption is wrong, return value becomes incorrect, and the error
grows over time leading to obscure bugs, including lockups in the hypervisor.
To fix this, TMR_VAL_EXT is made part of platform config and is passed to
inmates in the communication region. Config generator was also adapted
to parse FADT to get TMR_VAL_EXT value for target system. pm_timer_init()
function was also introduced to the inmates framework to the overflow value.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
[Jan: mark jailhouse_comm_region as packed] Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
When an IOAPIC redirection entry is masked, only lower half of the register
is written. This causes the upper half to contain stale data when the entry
is unmasked. On systems that don't do interrupt remapping (currently, QEMU
and AMD) this may result in interrupts being lost or delivered to the wrong
destination.
Fix this by unconditionally writing the upper half of the register when
it is unmasked.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Finally, page fault handling in guests was generalized and can now
be called for any vendor. To communicate page fault details between
vendor-specific and generic code, struct vcpu_pf_intercept was introduced,
and vcpu_get_guest_paging_structures() was made public (i.e. non-static).
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
I/O VM exit handling code can now be used for any vendor.
This implies introducing struct vcpu_io_intercept to communicate
intercepted instruction properties like the port number and access
size between vendor-specific and generic code.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Hypercall handling code can now be used for any vendor.
This implies implementing accessor to EFER, RFLAGS, CS and RIP,
(commonly referred to as "execution state") and also making
vcpu_deactivate_vmm() non-static.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
x86: Refactor generic bits of vcpu_cell_{init,exit}
vcpu_cell_init() and vcpu_cell_exit() functions contain some code that is
the same regardless virtualization technology used. So they were moved to
the newly-introduced vcpu.c, calling vcpu_vendor_cell_init() and
vcpu_vendor_cell_exit() for vendor-specific actions.
This also implies introducing the first data abstraction structure, and the
first vendor-specific data wrapper function: vcpu_vendor_get_cell_io_bitmap().
More to follow.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
x86: Switchable guest code access for mmio_parse()
mmio_parse() and related infrastructure use link-time resolved (rather
than hardcoded) static function to access guest memory. This way,
vendor-specific code can provide an accelerated implementation if available.
map_code_page() helper routine is now superseded by vcpu_get_inst_bytes() with
different call semantics. The function returns a pointer to the first byte
available and accepts the number of bytes to map (or otherwise make available)
to the hypervisor. It can adjust this value (it is now done to save an
unnecessary page table walk) as described inside the commit.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Removed direct references to VMX functions from the APIC code,
which is generic by its design. NMI handlers are now defined in
corresponding vendor-specific code (presently, only vmx.c), and
resolved at the link time.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
entry.S was split between vendor-neutral code (arch_entry, interrupt handlers),
and vendor-specific code for handling VM exists. This helps to avoid #ifdefs later,
when SVM entry point will be introduced.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
In preparation to support different vendor-specific implementations for
virtualization features, public functions for VMX/VTD were renamed.
"vmx_" and "vtd_" prefixes are now superseded with "vcpu_" and "iommu_",
and new header files were introduced to hold the declarations.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Real mode certainly has no paging, but having these structures in place make
guest memory access more uniform. Future AMD code will need to read guest
instructions for cells running in real mode.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Original set_cs() implementation relied on rex64/ljmp instruction. However,
AMD64 doesn't support 64-bit offsets in far jump (there is no rex-prefixed
version), and the offset used by Jailhouse is more than 32-bit long.
An alternative method that relies on lretq is used to switch CS now. It is
known to work both on Intel and AMD.
Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Mon, 29 Sep 2014 06:55:24 +0000 (08:55 +0200)]
driver: Use hypervisor's version.h
Let the driver module depend on the hypervisor subdir. This allows us to
reuse the version.h generated by the hypervisor build also for the
driver. They were identical.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Jan Kiszka [Wed, 24 Sep 2014 20:28:46 +0000 (22:28 +0200)]
x86: Disentangle circular dependency of percpu.h and vmx.h
Move the struct vmcs to where it really belongs: vmx.h. This requires
including of the latter file from percpu.h. Enable this via a forward-
declaration of struct per_cpu in vmx.h. And now that we split things up,
we can move the vmx_state enum as well.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
projects / jailhouse.git / log