1 /* 2 * All test cases of nested virtualization should be in this file 3 * 4 * Author : Arthur Chunqi Li <yzt356@gmail.com> 5 */ 6 #include "vmx.h" 7 #include "msr.h" 8 #include "processor.h" 9 #include "vm.h" 10 #include "fwcfg.h" 11 #include "isr.h" 12 #include "desc.h" 13 #include "apic.h" 14 #include "types.h" 15 16 #define NONCANONICAL 0xaaaaaaaaaaaaaaaaull 17 18 #define VPID_CAP_INVVPID_TYPES_SHIFT 40 19 20 u64 ia32_pat; 21 u64 ia32_efer; 22 void *io_bitmap_a, *io_bitmap_b; 23 u16 ioport; 24 25 unsigned long *pml4; 26 u64 eptp; 27 void *data_page1, *data_page2; 28 29 void *pml_log; 30 #define PML_INDEX 512 31 32 static inline unsigned ffs(unsigned x) 33 { 34 int pos = -1; 35 36 __asm__ __volatile__("bsf %1, %%eax; cmovnz %%eax, %0" 37 : "+r"(pos) : "rm"(x) : "eax"); 38 return pos + 1; 39 } 40 41 static inline void vmcall() 42 { 43 asm volatile("vmcall"); 44 } 45 46 void basic_guest_main() 47 { 48 report("Basic VMX test", 1); 49 } 50 51 int basic_exit_handler() 52 { 53 report("Basic VMX test", 0); 54 print_vmexit_info(); 55 return VMX_TEST_EXIT; 56 } 57 58 void vmenter_main() 59 { 60 u64 rax; 61 u64 rsp, resume_rsp; 62 63 report("test vmlaunch", 1); 64 65 asm volatile( 66 "mov %%rsp, %0\n\t" 67 "mov %3, %%rax\n\t" 68 "vmcall\n\t" 69 "mov %%rax, %1\n\t" 70 "mov %%rsp, %2\n\t" 71 : "=r"(rsp), "=r"(rax), "=r"(resume_rsp) 72 : "g"(0xABCD)); 73 report("test vmresume", (rax == 0xFFFF) && (rsp == resume_rsp)); 74 } 75 76 int vmenter_exit_handler() 77 { 78 u64 guest_rip; 79 ulong reason; 80 81 guest_rip = vmcs_read(GUEST_RIP); 82 reason = vmcs_read(EXI_REASON) & 0xff; 83 switch (reason) { 84 case VMX_VMCALL: 85 if (regs.rax != 0xABCD) { 86 report("test vmresume", 0); 87 return VMX_TEST_VMEXIT; 88 } 89 regs.rax = 0xFFFF; 90 vmcs_write(GUEST_RIP, guest_rip + 3); 91 return VMX_TEST_RESUME; 92 default: 93 report("test vmresume", 0); 94 print_vmexit_info(); 95 } 96 return VMX_TEST_VMEXIT; 97 } 98 99 u32 preempt_scale; 100 volatile unsigned long long tsc_val; 101 volatile u32 preempt_val; 102 u64 saved_rip; 103 104 int preemption_timer_init() 105 { 106 if (!(ctrl_pin_rev.clr & PIN_PREEMPT)) { 107 printf("\tPreemption timer is not supported\n"); 108 return VMX_TEST_EXIT; 109 } 110 vmcs_write(PIN_CONTROLS, vmcs_read(PIN_CONTROLS) | PIN_PREEMPT); 111 preempt_val = 10000000; 112 vmcs_write(PREEMPT_TIMER_VALUE, preempt_val); 113 preempt_scale = rdmsr(MSR_IA32_VMX_MISC) & 0x1F; 114 115 if (!(ctrl_exit_rev.clr & EXI_SAVE_PREEMPT)) 116 printf("\tSave preemption value is not supported\n"); 117 118 return VMX_TEST_START; 119 } 120 121 void preemption_timer_main() 122 { 123 tsc_val = rdtsc(); 124 if (ctrl_exit_rev.clr & EXI_SAVE_PREEMPT) { 125 vmx_set_test_stage(0); 126 vmcall(); 127 if (vmx_get_test_stage() == 1) 128 vmcall(); 129 } 130 vmx_set_test_stage(1); 131 while (vmx_get_test_stage() == 1) { 132 if (((rdtsc() - tsc_val) >> preempt_scale) 133 > 10 * preempt_val) { 134 vmx_set_test_stage(2); 135 vmcall(); 136 } 137 } 138 tsc_val = rdtsc(); 139 asm volatile ("hlt"); 140 vmcall(); 141 vmx_set_test_stage(5); 142 vmcall(); 143 } 144 145 int preemption_timer_exit_handler() 146 { 147 bool guest_halted; 148 u64 guest_rip; 149 ulong reason; 150 u32 insn_len; 151 u32 ctrl_exit; 152 153 guest_rip = vmcs_read(GUEST_RIP); 154 reason = vmcs_read(EXI_REASON) & 0xff; 155 insn_len = vmcs_read(EXI_INST_LEN); 156 switch (reason) { 157 case VMX_PREEMPT: 158 switch (vmx_get_test_stage()) { 159 case 1: 160 case 2: 161 report("busy-wait for preemption timer", 162 ((rdtsc() - tsc_val) >> preempt_scale) >= 163 preempt_val); 164 vmx_set_test_stage(3); 165 vmcs_write(PREEMPT_TIMER_VALUE, preempt_val); 166 return VMX_TEST_RESUME; 167 case 3: 168 guest_halted = 169 (vmcs_read(GUEST_ACTV_STATE) == ACTV_HLT); 170 report("preemption timer during hlt", 171 ((rdtsc() - tsc_val) >> preempt_scale) >= 172 preempt_val && guest_halted); 173 vmx_set_test_stage(4); 174 vmcs_write(PIN_CONTROLS, 175 vmcs_read(PIN_CONTROLS) & ~PIN_PREEMPT); 176 vmcs_write(GUEST_ACTV_STATE, ACTV_ACTIVE); 177 return VMX_TEST_RESUME; 178 case 4: 179 report("preemption timer with 0 value", 180 saved_rip == guest_rip); 181 break; 182 default: 183 report("Invalid stage.", false); 184 print_vmexit_info(); 185 break; 186 } 187 break; 188 case VMX_VMCALL: 189 vmcs_write(GUEST_RIP, guest_rip + insn_len); 190 switch (vmx_get_test_stage()) { 191 case 0: 192 report("Keep preemption value", 193 vmcs_read(PREEMPT_TIMER_VALUE) == preempt_val); 194 vmx_set_test_stage(1); 195 vmcs_write(PREEMPT_TIMER_VALUE, preempt_val); 196 ctrl_exit = (vmcs_read(EXI_CONTROLS) | 197 EXI_SAVE_PREEMPT) & ctrl_exit_rev.clr; 198 vmcs_write(EXI_CONTROLS, ctrl_exit); 199 return VMX_TEST_RESUME; 200 case 1: 201 report("Save preemption value", 202 vmcs_read(PREEMPT_TIMER_VALUE) < preempt_val); 203 return VMX_TEST_RESUME; 204 case 2: 205 report("busy-wait for preemption timer", 0); 206 vmx_set_test_stage(3); 207 vmcs_write(PREEMPT_TIMER_VALUE, preempt_val); 208 return VMX_TEST_RESUME; 209 case 3: 210 report("preemption timer during hlt", 0); 211 vmx_set_test_stage(4); 212 /* fall through */ 213 case 4: 214 vmcs_write(PIN_CONTROLS, 215 vmcs_read(PIN_CONTROLS) | PIN_PREEMPT); 216 vmcs_write(PREEMPT_TIMER_VALUE, 0); 217 saved_rip = guest_rip + insn_len; 218 return VMX_TEST_RESUME; 219 case 5: 220 report("preemption timer with 0 value (vmcall stage 5)", 0); 221 break; 222 default: 223 // Should not reach here 224 report("unexpected stage, %d", false, 225 vmx_get_test_stage()); 226 print_vmexit_info(); 227 return VMX_TEST_VMEXIT; 228 } 229 break; 230 default: 231 report("Unknown exit reason, %ld", false, reason); 232 print_vmexit_info(); 233 } 234 vmcs_write(PIN_CONTROLS, vmcs_read(PIN_CONTROLS) & ~PIN_PREEMPT); 235 return VMX_TEST_VMEXIT; 236 } 237 238 void msr_bmp_init() 239 { 240 void *msr_bitmap; 241 u32 ctrl_cpu0; 242 243 msr_bitmap = alloc_page(); 244 memset(msr_bitmap, 0x0, PAGE_SIZE); 245 ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0); 246 ctrl_cpu0 |= CPU_MSR_BITMAP; 247 vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0); 248 vmcs_write(MSR_BITMAP, (u64)msr_bitmap); 249 } 250 251 static int test_ctrl_pat_init() 252 { 253 u64 ctrl_ent; 254 u64 ctrl_exi; 255 256 msr_bmp_init(); 257 if (!(ctrl_exit_rev.clr & EXI_SAVE_PAT) && 258 !(ctrl_exit_rev.clr & EXI_LOAD_PAT) && 259 !(ctrl_enter_rev.clr & ENT_LOAD_PAT)) { 260 printf("\tSave/load PAT is not supported\n"); 261 return 1; 262 } 263 264 ctrl_ent = vmcs_read(ENT_CONTROLS); 265 ctrl_exi = vmcs_read(EXI_CONTROLS); 266 ctrl_ent |= ctrl_enter_rev.clr & ENT_LOAD_PAT; 267 ctrl_exi |= ctrl_exit_rev.clr & (EXI_SAVE_PAT | EXI_LOAD_PAT); 268 vmcs_write(ENT_CONTROLS, ctrl_ent); 269 vmcs_write(EXI_CONTROLS, ctrl_exi); 270 ia32_pat = rdmsr(MSR_IA32_CR_PAT); 271 vmcs_write(GUEST_PAT, 0x0); 272 vmcs_write(HOST_PAT, ia32_pat); 273 return VMX_TEST_START; 274 } 275 276 static void test_ctrl_pat_main() 277 { 278 u64 guest_ia32_pat; 279 280 guest_ia32_pat = rdmsr(MSR_IA32_CR_PAT); 281 if (!(ctrl_enter_rev.clr & ENT_LOAD_PAT)) 282 printf("\tENT_LOAD_PAT is not supported.\n"); 283 else { 284 if (guest_ia32_pat != 0) { 285 report("Entry load PAT", 0); 286 return; 287 } 288 } 289 wrmsr(MSR_IA32_CR_PAT, 0x6); 290 vmcall(); 291 guest_ia32_pat = rdmsr(MSR_IA32_CR_PAT); 292 if (ctrl_enter_rev.clr & ENT_LOAD_PAT) 293 report("Entry load PAT", guest_ia32_pat == ia32_pat); 294 } 295 296 static int test_ctrl_pat_exit_handler() 297 { 298 u64 guest_rip; 299 ulong reason; 300 u64 guest_pat; 301 302 guest_rip = vmcs_read(GUEST_RIP); 303 reason = vmcs_read(EXI_REASON) & 0xff; 304 switch (reason) { 305 case VMX_VMCALL: 306 guest_pat = vmcs_read(GUEST_PAT); 307 if (!(ctrl_exit_rev.clr & EXI_SAVE_PAT)) { 308 printf("\tEXI_SAVE_PAT is not supported\n"); 309 vmcs_write(GUEST_PAT, 0x6); 310 } else { 311 report("Exit save PAT", guest_pat == 0x6); 312 } 313 if (!(ctrl_exit_rev.clr & EXI_LOAD_PAT)) 314 printf("\tEXI_LOAD_PAT is not supported\n"); 315 else 316 report("Exit load PAT", rdmsr(MSR_IA32_CR_PAT) == ia32_pat); 317 vmcs_write(GUEST_PAT, ia32_pat); 318 vmcs_write(GUEST_RIP, guest_rip + 3); 319 return VMX_TEST_RESUME; 320 default: 321 printf("ERROR : Undefined exit reason, reason = %ld.\n", reason); 322 break; 323 } 324 return VMX_TEST_VMEXIT; 325 } 326 327 static int test_ctrl_efer_init() 328 { 329 u64 ctrl_ent; 330 u64 ctrl_exi; 331 332 msr_bmp_init(); 333 ctrl_ent = vmcs_read(ENT_CONTROLS) | ENT_LOAD_EFER; 334 ctrl_exi = vmcs_read(EXI_CONTROLS) | EXI_SAVE_EFER | EXI_LOAD_EFER; 335 vmcs_write(ENT_CONTROLS, ctrl_ent & ctrl_enter_rev.clr); 336 vmcs_write(EXI_CONTROLS, ctrl_exi & ctrl_exit_rev.clr); 337 ia32_efer = rdmsr(MSR_EFER); 338 vmcs_write(GUEST_EFER, ia32_efer ^ EFER_NX); 339 vmcs_write(HOST_EFER, ia32_efer ^ EFER_NX); 340 return VMX_TEST_START; 341 } 342 343 static void test_ctrl_efer_main() 344 { 345 u64 guest_ia32_efer; 346 347 guest_ia32_efer = rdmsr(MSR_EFER); 348 if (!(ctrl_enter_rev.clr & ENT_LOAD_EFER)) 349 printf("\tENT_LOAD_EFER is not supported.\n"); 350 else { 351 if (guest_ia32_efer != (ia32_efer ^ EFER_NX)) { 352 report("Entry load EFER", 0); 353 return; 354 } 355 } 356 wrmsr(MSR_EFER, ia32_efer); 357 vmcall(); 358 guest_ia32_efer = rdmsr(MSR_EFER); 359 if (ctrl_enter_rev.clr & ENT_LOAD_EFER) 360 report("Entry load EFER", guest_ia32_efer == ia32_efer); 361 } 362 363 static int test_ctrl_efer_exit_handler() 364 { 365 u64 guest_rip; 366 ulong reason; 367 u64 guest_efer; 368 369 guest_rip = vmcs_read(GUEST_RIP); 370 reason = vmcs_read(EXI_REASON) & 0xff; 371 switch (reason) { 372 case VMX_VMCALL: 373 guest_efer = vmcs_read(GUEST_EFER); 374 if (!(ctrl_exit_rev.clr & EXI_SAVE_EFER)) { 375 printf("\tEXI_SAVE_EFER is not supported\n"); 376 vmcs_write(GUEST_EFER, ia32_efer); 377 } else { 378 report("Exit save EFER", guest_efer == ia32_efer); 379 } 380 if (!(ctrl_exit_rev.clr & EXI_LOAD_EFER)) { 381 printf("\tEXI_LOAD_EFER is not supported\n"); 382 wrmsr(MSR_EFER, ia32_efer ^ EFER_NX); 383 } else { 384 report("Exit load EFER", rdmsr(MSR_EFER) == (ia32_efer ^ EFER_NX)); 385 } 386 vmcs_write(GUEST_PAT, ia32_efer); 387 vmcs_write(GUEST_RIP, guest_rip + 3); 388 return VMX_TEST_RESUME; 389 default: 390 printf("ERROR : Undefined exit reason, reason = %ld.\n", reason); 391 break; 392 } 393 return VMX_TEST_VMEXIT; 394 } 395 396 u32 guest_cr0, guest_cr4; 397 398 static void cr_shadowing_main() 399 { 400 u32 cr0, cr4, tmp; 401 402 // Test read through 403 vmx_set_test_stage(0); 404 guest_cr0 = read_cr0(); 405 if (vmx_get_test_stage() == 1) 406 report("Read through CR0", 0); 407 else 408 vmcall(); 409 vmx_set_test_stage(1); 410 guest_cr4 = read_cr4(); 411 if (vmx_get_test_stage() == 2) 412 report("Read through CR4", 0); 413 else 414 vmcall(); 415 // Test write through 416 guest_cr0 = guest_cr0 ^ (X86_CR0_TS | X86_CR0_MP); 417 guest_cr4 = guest_cr4 ^ (X86_CR4_TSD | X86_CR4_DE); 418 vmx_set_test_stage(2); 419 write_cr0(guest_cr0); 420 if (vmx_get_test_stage() == 3) 421 report("Write throuth CR0", 0); 422 else 423 vmcall(); 424 vmx_set_test_stage(3); 425 write_cr4(guest_cr4); 426 if (vmx_get_test_stage() == 4) 427 report("Write through CR4", 0); 428 else 429 vmcall(); 430 // Test read shadow 431 vmx_set_test_stage(4); 432 vmcall(); 433 cr0 = read_cr0(); 434 if (vmx_get_test_stage() != 5) 435 report("Read shadowing CR0", cr0 == guest_cr0); 436 vmx_set_test_stage(5); 437 cr4 = read_cr4(); 438 if (vmx_get_test_stage() != 6) 439 report("Read shadowing CR4", cr4 == guest_cr4); 440 // Test write shadow (same value with shadow) 441 vmx_set_test_stage(6); 442 write_cr0(guest_cr0); 443 if (vmx_get_test_stage() == 7) 444 report("Write shadowing CR0 (same value with shadow)", 0); 445 else 446 vmcall(); 447 vmx_set_test_stage(7); 448 write_cr4(guest_cr4); 449 if (vmx_get_test_stage() == 8) 450 report("Write shadowing CR4 (same value with shadow)", 0); 451 else 452 vmcall(); 453 // Test write shadow (different value) 454 vmx_set_test_stage(8); 455 tmp = guest_cr0 ^ X86_CR0_TS; 456 asm volatile("mov %0, %%rsi\n\t" 457 "mov %%rsi, %%cr0\n\t" 458 ::"m"(tmp) 459 :"rsi", "memory", "cc"); 460 report("Write shadowing different X86_CR0_TS", vmx_get_test_stage() == 9); 461 vmx_set_test_stage(9); 462 tmp = guest_cr0 ^ X86_CR0_MP; 463 asm volatile("mov %0, %%rsi\n\t" 464 "mov %%rsi, %%cr0\n\t" 465 ::"m"(tmp) 466 :"rsi", "memory", "cc"); 467 report("Write shadowing different X86_CR0_MP", vmx_get_test_stage() == 10); 468 vmx_set_test_stage(10); 469 tmp = guest_cr4 ^ X86_CR4_TSD; 470 asm volatile("mov %0, %%rsi\n\t" 471 "mov %%rsi, %%cr4\n\t" 472 ::"m"(tmp) 473 :"rsi", "memory", "cc"); 474 report("Write shadowing different X86_CR4_TSD", vmx_get_test_stage() == 11); 475 vmx_set_test_stage(11); 476 tmp = guest_cr4 ^ X86_CR4_DE; 477 asm volatile("mov %0, %%rsi\n\t" 478 "mov %%rsi, %%cr4\n\t" 479 ::"m"(tmp) 480 :"rsi", "memory", "cc"); 481 report("Write shadowing different X86_CR4_DE", vmx_get_test_stage() == 12); 482 } 483 484 static int cr_shadowing_exit_handler() 485 { 486 u64 guest_rip; 487 ulong reason; 488 u32 insn_len; 489 u32 exit_qual; 490 491 guest_rip = vmcs_read(GUEST_RIP); 492 reason = vmcs_read(EXI_REASON) & 0xff; 493 insn_len = vmcs_read(EXI_INST_LEN); 494 exit_qual = vmcs_read(EXI_QUALIFICATION); 495 switch (reason) { 496 case VMX_VMCALL: 497 switch (vmx_get_test_stage()) { 498 case 0: 499 report("Read through CR0", guest_cr0 == vmcs_read(GUEST_CR0)); 500 break; 501 case 1: 502 report("Read through CR4", guest_cr4 == vmcs_read(GUEST_CR4)); 503 break; 504 case 2: 505 report("Write through CR0", guest_cr0 == vmcs_read(GUEST_CR0)); 506 break; 507 case 3: 508 report("Write through CR4", guest_cr4 == vmcs_read(GUEST_CR4)); 509 break; 510 case 4: 511 guest_cr0 = vmcs_read(GUEST_CR0) ^ (X86_CR0_TS | X86_CR0_MP); 512 guest_cr4 = vmcs_read(GUEST_CR4) ^ (X86_CR4_TSD | X86_CR4_DE); 513 vmcs_write(CR0_MASK, X86_CR0_TS | X86_CR0_MP); 514 vmcs_write(CR0_READ_SHADOW, guest_cr0 & (X86_CR0_TS | X86_CR0_MP)); 515 vmcs_write(CR4_MASK, X86_CR4_TSD | X86_CR4_DE); 516 vmcs_write(CR4_READ_SHADOW, guest_cr4 & (X86_CR4_TSD | X86_CR4_DE)); 517 break; 518 case 6: 519 report("Write shadowing CR0 (same value)", 520 guest_cr0 == (vmcs_read(GUEST_CR0) ^ (X86_CR0_TS | X86_CR0_MP))); 521 break; 522 case 7: 523 report("Write shadowing CR4 (same value)", 524 guest_cr4 == (vmcs_read(GUEST_CR4) ^ (X86_CR4_TSD | X86_CR4_DE))); 525 break; 526 default: 527 // Should not reach here 528 report("unexpected stage, %d", false, 529 vmx_get_test_stage()); 530 print_vmexit_info(); 531 return VMX_TEST_VMEXIT; 532 } 533 vmcs_write(GUEST_RIP, guest_rip + insn_len); 534 return VMX_TEST_RESUME; 535 case VMX_CR: 536 switch (vmx_get_test_stage()) { 537 case 4: 538 report("Read shadowing CR0", 0); 539 vmx_inc_test_stage(); 540 break; 541 case 5: 542 report("Read shadowing CR4", 0); 543 vmx_inc_test_stage(); 544 break; 545 case 6: 546 report("Write shadowing CR0 (same value)", 0); 547 vmx_inc_test_stage(); 548 break; 549 case 7: 550 report("Write shadowing CR4 (same value)", 0); 551 vmx_inc_test_stage(); 552 break; 553 case 8: 554 case 9: 555 // 0x600 encodes "mov %esi, %cr0" 556 if (exit_qual == 0x600) 557 vmx_inc_test_stage(); 558 break; 559 case 10: 560 case 11: 561 // 0x604 encodes "mov %esi, %cr4" 562 if (exit_qual == 0x604) 563 vmx_inc_test_stage(); 564 break; 565 default: 566 // Should not reach here 567 report("unexpected stage, %d", false, 568 vmx_get_test_stage()); 569 print_vmexit_info(); 570 return VMX_TEST_VMEXIT; 571 } 572 vmcs_write(GUEST_RIP, guest_rip + insn_len); 573 return VMX_TEST_RESUME; 574 default: 575 report("Unknown exit reason, %ld", false, reason); 576 print_vmexit_info(); 577 } 578 return VMX_TEST_VMEXIT; 579 } 580 581 static int iobmp_init() 582 { 583 u32 ctrl_cpu0; 584 585 io_bitmap_a = alloc_page(); 586 io_bitmap_b = alloc_page(); 587 memset(io_bitmap_a, 0x0, PAGE_SIZE); 588 memset(io_bitmap_b, 0x0, PAGE_SIZE); 589 ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0); 590 ctrl_cpu0 |= CPU_IO_BITMAP; 591 ctrl_cpu0 &= (~CPU_IO); 592 vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0); 593 vmcs_write(IO_BITMAP_A, (u64)io_bitmap_a); 594 vmcs_write(IO_BITMAP_B, (u64)io_bitmap_b); 595 return VMX_TEST_START; 596 } 597 598 static void iobmp_main() 599 { 600 // stage 0, test IO pass 601 vmx_set_test_stage(0); 602 inb(0x5000); 603 outb(0x0, 0x5000); 604 report("I/O bitmap - I/O pass", vmx_get_test_stage() == 0); 605 // test IO width, in/out 606 ((u8 *)io_bitmap_a)[0] = 0xFF; 607 vmx_set_test_stage(2); 608 inb(0x0); 609 report("I/O bitmap - trap in", vmx_get_test_stage() == 3); 610 vmx_set_test_stage(3); 611 outw(0x0, 0x0); 612 report("I/O bitmap - trap out", vmx_get_test_stage() == 4); 613 vmx_set_test_stage(4); 614 inl(0x0); 615 report("I/O bitmap - I/O width, long", vmx_get_test_stage() == 5); 616 // test low/high IO port 617 vmx_set_test_stage(5); 618 ((u8 *)io_bitmap_a)[0x5000 / 8] = (1 << (0x5000 % 8)); 619 inb(0x5000); 620 report("I/O bitmap - I/O port, low part", vmx_get_test_stage() == 6); 621 vmx_set_test_stage(6); 622 ((u8 *)io_bitmap_b)[0x1000 / 8] = (1 << (0x1000 % 8)); 623 inb(0x9000); 624 report("I/O bitmap - I/O port, high part", vmx_get_test_stage() == 7); 625 // test partial pass 626 vmx_set_test_stage(7); 627 inl(0x4FFF); 628 report("I/O bitmap - partial pass", vmx_get_test_stage() == 8); 629 // test overrun 630 vmx_set_test_stage(8); 631 memset(io_bitmap_a, 0x0, PAGE_SIZE); 632 memset(io_bitmap_b, 0x0, PAGE_SIZE); 633 inl(0xFFFF); 634 report("I/O bitmap - overrun", vmx_get_test_stage() == 9); 635 vmx_set_test_stage(9); 636 vmcall(); 637 outb(0x0, 0x0); 638 report("I/O bitmap - ignore unconditional exiting", 639 vmx_get_test_stage() == 9); 640 vmx_set_test_stage(10); 641 vmcall(); 642 outb(0x0, 0x0); 643 report("I/O bitmap - unconditional exiting", 644 vmx_get_test_stage() == 11); 645 } 646 647 static int iobmp_exit_handler() 648 { 649 u64 guest_rip; 650 ulong reason, exit_qual; 651 u32 insn_len, ctrl_cpu0; 652 653 guest_rip = vmcs_read(GUEST_RIP); 654 reason = vmcs_read(EXI_REASON) & 0xff; 655 exit_qual = vmcs_read(EXI_QUALIFICATION); 656 insn_len = vmcs_read(EXI_INST_LEN); 657 switch (reason) { 658 case VMX_IO: 659 switch (vmx_get_test_stage()) { 660 case 0: 661 case 1: 662 vmx_inc_test_stage(); 663 break; 664 case 2: 665 report("I/O bitmap - I/O width, byte", 666 (exit_qual & VMX_IO_SIZE_MASK) == _VMX_IO_BYTE); 667 report("I/O bitmap - I/O direction, in", exit_qual & VMX_IO_IN); 668 vmx_inc_test_stage(); 669 break; 670 case 3: 671 report("I/O bitmap - I/O width, word", 672 (exit_qual & VMX_IO_SIZE_MASK) == _VMX_IO_WORD); 673 report("I/O bitmap - I/O direction, out", 674 !(exit_qual & VMX_IO_IN)); 675 vmx_inc_test_stage(); 676 break; 677 case 4: 678 report("I/O bitmap - I/O width, long", 679 (exit_qual & VMX_IO_SIZE_MASK) == _VMX_IO_LONG); 680 vmx_inc_test_stage(); 681 break; 682 case 5: 683 if (((exit_qual & VMX_IO_PORT_MASK) >> VMX_IO_PORT_SHIFT) == 0x5000) 684 vmx_inc_test_stage(); 685 break; 686 case 6: 687 if (((exit_qual & VMX_IO_PORT_MASK) >> VMX_IO_PORT_SHIFT) == 0x9000) 688 vmx_inc_test_stage(); 689 break; 690 case 7: 691 if (((exit_qual & VMX_IO_PORT_MASK) >> VMX_IO_PORT_SHIFT) == 0x4FFF) 692 vmx_inc_test_stage(); 693 break; 694 case 8: 695 if (((exit_qual & VMX_IO_PORT_MASK) >> VMX_IO_PORT_SHIFT) == 0xFFFF) 696 vmx_inc_test_stage(); 697 break; 698 case 9: 699 case 10: 700 ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0); 701 vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0 & ~CPU_IO); 702 vmx_inc_test_stage(); 703 break; 704 default: 705 // Should not reach here 706 report("unexpected stage, %d", false, 707 vmx_get_test_stage()); 708 print_vmexit_info(); 709 return VMX_TEST_VMEXIT; 710 } 711 vmcs_write(GUEST_RIP, guest_rip + insn_len); 712 return VMX_TEST_RESUME; 713 case VMX_VMCALL: 714 switch (vmx_get_test_stage()) { 715 case 9: 716 ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0); 717 ctrl_cpu0 |= CPU_IO | CPU_IO_BITMAP; 718 vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0); 719 break; 720 case 10: 721 ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0); 722 ctrl_cpu0 = (ctrl_cpu0 & ~CPU_IO_BITMAP) | CPU_IO; 723 vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0); 724 break; 725 default: 726 // Should not reach here 727 report("unexpected stage, %d", false, 728 vmx_get_test_stage()); 729 print_vmexit_info(); 730 return VMX_TEST_VMEXIT; 731 } 732 vmcs_write(GUEST_RIP, guest_rip + insn_len); 733 return VMX_TEST_RESUME; 734 default: 735 printf("guest_rip = %#lx\n", guest_rip); 736 printf("\tERROR : Undefined exit reason, reason = %ld.\n", reason); 737 break; 738 } 739 return VMX_TEST_VMEXIT; 740 } 741 742 #define INSN_CPU0 0 743 #define INSN_CPU1 1 744 #define INSN_ALWAYS_TRAP 2 745 746 #define FIELD_EXIT_QUAL (1 << 0) 747 #define FIELD_INSN_INFO (1 << 1) 748 749 asm( 750 "insn_hlt: hlt;ret\n\t" 751 "insn_invlpg: invlpg 0x12345678;ret\n\t" 752 "insn_mwait: xor %eax, %eax; xor %ecx, %ecx; mwait;ret\n\t" 753 "insn_rdpmc: xor %ecx, %ecx; rdpmc;ret\n\t" 754 "insn_rdtsc: rdtsc;ret\n\t" 755 "insn_cr3_load: mov cr3,%rax; mov %rax,%cr3;ret\n\t" 756 "insn_cr3_store: mov %cr3,%rax;ret\n\t" 757 #ifdef __x86_64__ 758 "insn_cr8_load: mov %rax,%cr8;ret\n\t" 759 "insn_cr8_store: mov %cr8,%rax;ret\n\t" 760 #endif 761 "insn_monitor: xor %eax, %eax; xor %ecx, %ecx; xor %edx, %edx; monitor;ret\n\t" 762 "insn_pause: pause;ret\n\t" 763 "insn_wbinvd: wbinvd;ret\n\t" 764 "insn_cpuid: mov $10, %eax; cpuid;ret\n\t" 765 "insn_invd: invd;ret\n\t" 766 "insn_sgdt: sgdt gdt64_desc;ret\n\t" 767 "insn_lgdt: lgdt gdt64_desc;ret\n\t" 768 "insn_sidt: sidt idt_descr;ret\n\t" 769 "insn_lidt: lidt idt_descr;ret\n\t" 770 "insn_sldt: sldt %ax;ret\n\t" 771 "insn_lldt: xor %eax, %eax; lldt %ax;ret\n\t" 772 "insn_str: str %ax;ret\n\t" 773 "insn_rdrand: rdrand %rax;ret\n\t" 774 "insn_rdseed: rdseed %rax;ret\n\t" 775 ); 776 extern void insn_hlt(); 777 extern void insn_invlpg(); 778 extern void insn_mwait(); 779 extern void insn_rdpmc(); 780 extern void insn_rdtsc(); 781 extern void insn_cr3_load(); 782 extern void insn_cr3_store(); 783 #ifdef __x86_64__ 784 extern void insn_cr8_load(); 785 extern void insn_cr8_store(); 786 #endif 787 extern void insn_monitor(); 788 extern void insn_pause(); 789 extern void insn_wbinvd(); 790 extern void insn_sgdt(); 791 extern void insn_lgdt(); 792 extern void insn_sidt(); 793 extern void insn_lidt(); 794 extern void insn_sldt(); 795 extern void insn_lldt(); 796 extern void insn_str(); 797 extern void insn_cpuid(); 798 extern void insn_invd(); 799 extern void insn_rdrand(); 800 extern void insn_rdseed(); 801 802 u32 cur_insn; 803 u64 cr3; 804 805 struct insn_table { 806 const char *name; 807 u32 flag; 808 void (*insn_func)(); 809 u32 type; 810 u32 reason; 811 ulong exit_qual; 812 u32 insn_info; 813 // Use FIELD_EXIT_QUAL and FIELD_INSN_INFO to define 814 // which field need to be tested, reason is always tested 815 u32 test_field; 816 }; 817 818 /* 819 * Add more test cases of instruction intercept here. Elements in this 820 * table is: 821 * name/control flag/insn function/type/exit reason/exit qulification/ 822 * instruction info/field to test 823 * The last field defines which fields (exit_qual and insn_info) need to be 824 * tested in exit handler. If set to 0, only "reason" is checked. 825 */ 826 static struct insn_table insn_table[] = { 827 // Flags for Primary Processor-Based VM-Execution Controls 828 {"HLT", CPU_HLT, insn_hlt, INSN_CPU0, 12, 0, 0, 0}, 829 {"INVLPG", CPU_INVLPG, insn_invlpg, INSN_CPU0, 14, 830 0x12345678, 0, FIELD_EXIT_QUAL}, 831 {"MWAIT", CPU_MWAIT, insn_mwait, INSN_CPU0, 36, 0, 0, 0}, 832 {"RDPMC", CPU_RDPMC, insn_rdpmc, INSN_CPU0, 15, 0, 0, 0}, 833 {"RDTSC", CPU_RDTSC, insn_rdtsc, INSN_CPU0, 16, 0, 0, 0}, 834 {"CR3 load", CPU_CR3_LOAD, insn_cr3_load, INSN_CPU0, 28, 0x3, 0, 835 FIELD_EXIT_QUAL}, 836 {"CR3 store", CPU_CR3_STORE, insn_cr3_store, INSN_CPU0, 28, 0x13, 0, 837 FIELD_EXIT_QUAL}, 838 #ifdef __x86_64__ 839 {"CR8 load", CPU_CR8_LOAD, insn_cr8_load, INSN_CPU0, 28, 0x8, 0, 840 FIELD_EXIT_QUAL}, 841 {"CR8 store", CPU_CR8_STORE, insn_cr8_store, INSN_CPU0, 28, 0x18, 0, 842 FIELD_EXIT_QUAL}, 843 #endif 844 {"MONITOR", CPU_MONITOR, insn_monitor, INSN_CPU0, 39, 0, 0, 0}, 845 {"PAUSE", CPU_PAUSE, insn_pause, INSN_CPU0, 40, 0, 0, 0}, 846 // Flags for Secondary Processor-Based VM-Execution Controls 847 {"WBINVD", CPU_WBINVD, insn_wbinvd, INSN_CPU1, 54, 0, 0, 0}, 848 {"DESC_TABLE (SGDT)", CPU_DESC_TABLE, insn_sgdt, INSN_CPU1, 46, 0, 0, 0}, 849 {"DESC_TABLE (LGDT)", CPU_DESC_TABLE, insn_lgdt, INSN_CPU1, 46, 0, 0, 0}, 850 {"DESC_TABLE (SIDT)", CPU_DESC_TABLE, insn_sidt, INSN_CPU1, 46, 0, 0, 0}, 851 {"DESC_TABLE (LIDT)", CPU_DESC_TABLE, insn_lidt, INSN_CPU1, 46, 0, 0, 0}, 852 {"DESC_TABLE (SLDT)", CPU_DESC_TABLE, insn_sldt, INSN_CPU1, 47, 0, 0, 0}, 853 {"DESC_TABLE (LLDT)", CPU_DESC_TABLE, insn_lldt, INSN_CPU1, 47, 0, 0, 0}, 854 {"DESC_TABLE (STR)", CPU_DESC_TABLE, insn_str, INSN_CPU1, 47, 0, 0, 0}, 855 /* LTR causes a #GP if done with a busy selector, so it is not tested. */ 856 {"RDRAND", CPU_RDRAND, insn_rdrand, INSN_CPU1, VMX_RDRAND, 0, 0, 0}, 857 {"RDSEED", CPU_RDSEED, insn_rdseed, INSN_CPU1, VMX_RDSEED, 0, 0, 0}, 858 // Instructions always trap 859 {"CPUID", 0, insn_cpuid, INSN_ALWAYS_TRAP, 10, 0, 0, 0}, 860 {"INVD", 0, insn_invd, INSN_ALWAYS_TRAP, 13, 0, 0, 0}, 861 // Instructions never trap 862 {NULL}, 863 }; 864 865 static int insn_intercept_init() 866 { 867 u32 ctrl_cpu; 868 869 ctrl_cpu = ctrl_cpu_rev[0].set | CPU_SECONDARY; 870 ctrl_cpu &= ctrl_cpu_rev[0].clr; 871 vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu); 872 vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu_rev[1].set); 873 cr3 = read_cr3(); 874 return VMX_TEST_START; 875 } 876 877 static void insn_intercept_main() 878 { 879 for (cur_insn = 0; insn_table[cur_insn].name != NULL; cur_insn++) { 880 vmx_set_test_stage(cur_insn * 2); 881 if ((insn_table[cur_insn].type == INSN_CPU0 && 882 !(ctrl_cpu_rev[0].clr & insn_table[cur_insn].flag)) || 883 (insn_table[cur_insn].type == INSN_CPU1 && 884 !(ctrl_cpu_rev[1].clr & insn_table[cur_insn].flag))) { 885 printf("\tCPU_CTRL%d.CPU_%s is not supported.\n", 886 insn_table[cur_insn].type - INSN_CPU0, 887 insn_table[cur_insn].name); 888 continue; 889 } 890 891 if ((insn_table[cur_insn].type == INSN_CPU0 && 892 !(ctrl_cpu_rev[0].set & insn_table[cur_insn].flag)) || 893 (insn_table[cur_insn].type == INSN_CPU1 && 894 !(ctrl_cpu_rev[1].set & insn_table[cur_insn].flag))) { 895 /* skip hlt, it stalls the guest and is tested below */ 896 if (insn_table[cur_insn].insn_func != insn_hlt) 897 insn_table[cur_insn].insn_func(); 898 report("execute %s", vmx_get_test_stage() == cur_insn * 2, 899 insn_table[cur_insn].name); 900 } else if (insn_table[cur_insn].type != INSN_ALWAYS_TRAP) 901 printf("\tCPU_CTRL%d.CPU_%s always traps.\n", 902 insn_table[cur_insn].type - INSN_CPU0, 903 insn_table[cur_insn].name); 904 905 vmcall(); 906 907 insn_table[cur_insn].insn_func(); 908 report("intercept %s", vmx_get_test_stage() == cur_insn * 2 + 1, 909 insn_table[cur_insn].name); 910 911 vmx_set_test_stage(cur_insn * 2 + 1); 912 vmcall(); 913 } 914 } 915 916 static int insn_intercept_exit_handler() 917 { 918 u64 guest_rip; 919 u32 reason; 920 ulong exit_qual; 921 u32 insn_len; 922 u32 insn_info; 923 bool pass; 924 925 guest_rip = vmcs_read(GUEST_RIP); 926 reason = vmcs_read(EXI_REASON) & 0xff; 927 exit_qual = vmcs_read(EXI_QUALIFICATION); 928 insn_len = vmcs_read(EXI_INST_LEN); 929 insn_info = vmcs_read(EXI_INST_INFO); 930 931 if (reason == VMX_VMCALL) { 932 u32 val = 0; 933 934 if (insn_table[cur_insn].type == INSN_CPU0) 935 val = vmcs_read(CPU_EXEC_CTRL0); 936 else if (insn_table[cur_insn].type == INSN_CPU1) 937 val = vmcs_read(CPU_EXEC_CTRL1); 938 939 if (vmx_get_test_stage() & 1) 940 val &= ~insn_table[cur_insn].flag; 941 else 942 val |= insn_table[cur_insn].flag; 943 944 if (insn_table[cur_insn].type == INSN_CPU0) 945 vmcs_write(CPU_EXEC_CTRL0, val | ctrl_cpu_rev[0].set); 946 else if (insn_table[cur_insn].type == INSN_CPU1) 947 vmcs_write(CPU_EXEC_CTRL1, val | ctrl_cpu_rev[1].set); 948 } else { 949 pass = (cur_insn * 2 == vmx_get_test_stage()) && 950 insn_table[cur_insn].reason == reason; 951 if (insn_table[cur_insn].test_field & FIELD_EXIT_QUAL && 952 insn_table[cur_insn].exit_qual != exit_qual) 953 pass = false; 954 if (insn_table[cur_insn].test_field & FIELD_INSN_INFO && 955 insn_table[cur_insn].insn_info != insn_info) 956 pass = false; 957 if (pass) 958 vmx_inc_test_stage(); 959 } 960 vmcs_write(GUEST_RIP, guest_rip + insn_len); 961 return VMX_TEST_RESUME; 962 } 963 964 965 /* Enables EPT and sets up the identity map. */ 966 static int setup_ept(bool enable_ad) 967 { 968 unsigned long end_of_memory; 969 u32 ctrl_cpu[2]; 970 971 if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY) || 972 !(ctrl_cpu_rev[1].clr & CPU_EPT)) { 973 printf("\tEPT is not supported"); 974 return 1; 975 } 976 977 978 if (!(ept_vpid.val & EPT_CAP_UC) && 979 !(ept_vpid.val & EPT_CAP_WB)) { 980 printf("\tEPT paging-structure memory type " 981 "UC&WB are not supported\n"); 982 return 1; 983 } 984 if (ept_vpid.val & EPT_CAP_UC) 985 eptp = EPT_MEM_TYPE_UC; 986 else 987 eptp = EPT_MEM_TYPE_WB; 988 if (!(ept_vpid.val & EPT_CAP_PWL4)) { 989 printf("\tPWL4 is not supported\n"); 990 return 1; 991 } 992 ctrl_cpu[0] = vmcs_read(CPU_EXEC_CTRL0); 993 ctrl_cpu[1] = vmcs_read(CPU_EXEC_CTRL1); 994 ctrl_cpu[0] = (ctrl_cpu[0] | CPU_SECONDARY) 995 & ctrl_cpu_rev[0].clr; 996 ctrl_cpu[1] = (ctrl_cpu[1] | CPU_EPT) 997 & ctrl_cpu_rev[1].clr; 998 vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu[0]); 999 vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu[1]); 1000 eptp |= (3 << EPTP_PG_WALK_LEN_SHIFT); 1001 pml4 = alloc_page(); 1002 memset(pml4, 0, PAGE_SIZE); 1003 eptp |= virt_to_phys(pml4); 1004 if (enable_ad) 1005 eptp |= EPTP_AD_FLAG; 1006 vmcs_write(EPTP, eptp); 1007 end_of_memory = fwcfg_get_u64(FW_CFG_RAM_SIZE); 1008 if (end_of_memory < (1ul << 32)) 1009 end_of_memory = (1ul << 32); 1010 /* Cannot use large EPT pages if we need to track EPT 1011 * accessed/dirty bits at 4K granularity. 1012 */ 1013 setup_ept_range(pml4, 0, end_of_memory, 0, 1014 !enable_ad && ept_2m_supported(), 1015 EPT_WA | EPT_RA | EPT_EA); 1016 return 0; 1017 } 1018 1019 static void ept_enable_ad_bits(void) 1020 { 1021 eptp |= EPTP_AD_FLAG; 1022 vmcs_write(EPTP, eptp); 1023 } 1024 1025 static void ept_disable_ad_bits(void) 1026 { 1027 eptp &= ~EPTP_AD_FLAG; 1028 vmcs_write(EPTP, eptp); 1029 } 1030 1031 static void ept_enable_ad_bits_or_skip_test(void) 1032 { 1033 if (!ept_ad_bits_supported()) 1034 test_skip("EPT AD bits not supported."); 1035 ept_enable_ad_bits(); 1036 } 1037 1038 static int apic_version; 1039 1040 static int ept_init_common(bool have_ad) 1041 { 1042 if (setup_ept(have_ad)) 1043 return VMX_TEST_EXIT; 1044 data_page1 = alloc_page(); 1045 data_page2 = alloc_page(); 1046 memset(data_page1, 0x0, PAGE_SIZE); 1047 memset(data_page2, 0x0, PAGE_SIZE); 1048 *((u32 *)data_page1) = MAGIC_VAL_1; 1049 *((u32 *)data_page2) = MAGIC_VAL_2; 1050 install_ept(pml4, (unsigned long)data_page1, (unsigned long)data_page2, 1051 EPT_RA | EPT_WA | EPT_EA); 1052 1053 apic_version = apic_read(APIC_LVR); 1054 return VMX_TEST_START; 1055 } 1056 1057 static int ept_init() 1058 { 1059 return ept_init_common(false); 1060 } 1061 1062 static void ept_common() 1063 { 1064 vmx_set_test_stage(0); 1065 if (*((u32 *)data_page2) != MAGIC_VAL_1 || 1066 *((u32 *)data_page1) != MAGIC_VAL_1) 1067 report("EPT basic framework - read", 0); 1068 else { 1069 *((u32 *)data_page2) = MAGIC_VAL_3; 1070 vmcall(); 1071 if (vmx_get_test_stage() == 1) { 1072 if (*((u32 *)data_page1) == MAGIC_VAL_3 && 1073 *((u32 *)data_page2) == MAGIC_VAL_2) 1074 report("EPT basic framework", 1); 1075 else 1076 report("EPT basic framework - remap", 1); 1077 } 1078 } 1079 // Test EPT Misconfigurations 1080 vmx_set_test_stage(1); 1081 vmcall(); 1082 *((u32 *)data_page1) = MAGIC_VAL_1; 1083 if (vmx_get_test_stage() != 2) { 1084 report("EPT misconfigurations", 0); 1085 goto t1; 1086 } 1087 vmx_set_test_stage(2); 1088 vmcall(); 1089 *((u32 *)data_page1) = MAGIC_VAL_1; 1090 report("EPT misconfigurations", vmx_get_test_stage() == 3); 1091 t1: 1092 // Test EPT violation 1093 vmx_set_test_stage(3); 1094 vmcall(); 1095 *((u32 *)data_page1) = MAGIC_VAL_1; 1096 report("EPT violation - page permission", vmx_get_test_stage() == 4); 1097 // Violation caused by EPT paging structure 1098 vmx_set_test_stage(4); 1099 vmcall(); 1100 *((u32 *)data_page1) = MAGIC_VAL_2; 1101 report("EPT violation - paging structure", vmx_get_test_stage() == 5); 1102 } 1103 1104 static void ept_main() 1105 { 1106 ept_common(); 1107 1108 // Test EPT access to L1 MMIO 1109 vmx_set_test_stage(6); 1110 report("EPT - MMIO access", *((u32 *)0xfee00030UL) == apic_version); 1111 1112 // Test invalid operand for INVEPT 1113 vmcall(); 1114 report("EPT - unsupported INVEPT", vmx_get_test_stage() == 7); 1115 } 1116 1117 bool invept_test(int type, u64 eptp) 1118 { 1119 bool ret, supported; 1120 1121 supported = ept_vpid.val & (EPT_CAP_INVEPT_SINGLE >> INVEPT_SINGLE << type); 1122 ret = invept(type, eptp); 1123 1124 if (ret == !supported) 1125 return false; 1126 1127 if (!supported) 1128 printf("WARNING: unsupported invept passed!\n"); 1129 else 1130 printf("WARNING: invept failed!\n"); 1131 1132 return true; 1133 } 1134 1135 static int pml_exit_handler(void) 1136 { 1137 u16 index, count; 1138 ulong reason = vmcs_read(EXI_REASON) & 0xff; 1139 u64 *pmlbuf = pml_log; 1140 u64 guest_rip = vmcs_read(GUEST_RIP);; 1141 u64 guest_cr3 = vmcs_read(GUEST_CR3); 1142 u32 insn_len = vmcs_read(EXI_INST_LEN); 1143 1144 switch (reason) { 1145 case VMX_VMCALL: 1146 switch (vmx_get_test_stage()) { 1147 case 0: 1148 index = vmcs_read(GUEST_PML_INDEX); 1149 for (count = index + 1; count < PML_INDEX; count++) { 1150 if (pmlbuf[count] == (u64)data_page2) { 1151 vmx_inc_test_stage(); 1152 clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page2); 1153 break; 1154 } 1155 } 1156 break; 1157 case 1: 1158 index = vmcs_read(GUEST_PML_INDEX); 1159 /* Keep clearing the dirty bit till a overflow */ 1160 clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page2); 1161 break; 1162 default: 1163 report("unexpected stage, %d.", false, 1164 vmx_get_test_stage()); 1165 print_vmexit_info(); 1166 return VMX_TEST_VMEXIT; 1167 } 1168 vmcs_write(GUEST_RIP, guest_rip + insn_len); 1169 return VMX_TEST_RESUME; 1170 case VMX_PML_FULL: 1171 vmx_inc_test_stage(); 1172 vmcs_write(GUEST_PML_INDEX, PML_INDEX - 1); 1173 return VMX_TEST_RESUME; 1174 default: 1175 report("Unknown exit reason, %ld", false, reason); 1176 print_vmexit_info(); 1177 } 1178 return VMX_TEST_VMEXIT; 1179 } 1180 1181 static int ept_exit_handler_common(bool have_ad) 1182 { 1183 u64 guest_rip; 1184 u64 guest_cr3; 1185 ulong reason; 1186 u32 insn_len; 1187 u32 exit_qual; 1188 static unsigned long data_page1_pte, data_page1_pte_pte; 1189 1190 guest_rip = vmcs_read(GUEST_RIP); 1191 guest_cr3 = vmcs_read(GUEST_CR3); 1192 reason = vmcs_read(EXI_REASON) & 0xff; 1193 insn_len = vmcs_read(EXI_INST_LEN); 1194 exit_qual = vmcs_read(EXI_QUALIFICATION); 1195 switch (reason) { 1196 case VMX_VMCALL: 1197 switch (vmx_get_test_stage()) { 1198 case 0: 1199 check_ept_ad(pml4, guest_cr3, 1200 (unsigned long)data_page1, 1201 have_ad ? EPT_ACCESS_FLAG : 0, 1202 have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0); 1203 check_ept_ad(pml4, guest_cr3, 1204 (unsigned long)data_page2, 1205 have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0, 1206 have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0); 1207 clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page1); 1208 clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page2); 1209 if (have_ad) 1210 ept_sync(INVEPT_SINGLE, eptp);; 1211 if (*((u32 *)data_page1) == MAGIC_VAL_3 && 1212 *((u32 *)data_page2) == MAGIC_VAL_2) { 1213 vmx_inc_test_stage(); 1214 install_ept(pml4, (unsigned long)data_page2, 1215 (unsigned long)data_page2, 1216 EPT_RA | EPT_WA | EPT_EA); 1217 } else 1218 report("EPT basic framework - write", 0); 1219 break; 1220 case 1: 1221 install_ept(pml4, (unsigned long)data_page1, 1222 (unsigned long)data_page1, EPT_WA); 1223 ept_sync(INVEPT_SINGLE, eptp); 1224 break; 1225 case 2: 1226 install_ept(pml4, (unsigned long)data_page1, 1227 (unsigned long)data_page1, 1228 EPT_RA | EPT_WA | EPT_EA | 1229 (2 << EPT_MEM_TYPE_SHIFT)); 1230 ept_sync(INVEPT_SINGLE, eptp); 1231 break; 1232 case 3: 1233 clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page1); 1234 TEST_ASSERT(get_ept_pte(pml4, (unsigned long)data_page1, 1235 1, &data_page1_pte)); 1236 set_ept_pte(pml4, (unsigned long)data_page1, 1237 1, data_page1_pte & ~EPT_PRESENT); 1238 ept_sync(INVEPT_SINGLE, eptp); 1239 break; 1240 case 4: 1241 TEST_ASSERT(get_ept_pte(pml4, (unsigned long)data_page1, 1242 2, &data_page1_pte)); 1243 data_page1_pte &= PAGE_MASK; 1244 TEST_ASSERT(get_ept_pte(pml4, data_page1_pte, 1245 2, &data_page1_pte_pte)); 1246 set_ept_pte(pml4, data_page1_pte, 2, 1247 data_page1_pte_pte & ~EPT_PRESENT); 1248 ept_sync(INVEPT_SINGLE, eptp); 1249 break; 1250 case 6: 1251 if (!invept_test(0, eptp)) 1252 vmx_inc_test_stage(); 1253 break; 1254 // Should not reach here 1255 default: 1256 report("ERROR - unexpected stage, %d.", false, 1257 vmx_get_test_stage()); 1258 print_vmexit_info(); 1259 return VMX_TEST_VMEXIT; 1260 } 1261 vmcs_write(GUEST_RIP, guest_rip + insn_len); 1262 return VMX_TEST_RESUME; 1263 case VMX_EPT_MISCONFIG: 1264 switch (vmx_get_test_stage()) { 1265 case 1: 1266 case 2: 1267 vmx_inc_test_stage(); 1268 install_ept(pml4, (unsigned long)data_page1, 1269 (unsigned long)data_page1, 1270 EPT_RA | EPT_WA | EPT_EA); 1271 ept_sync(INVEPT_SINGLE, eptp); 1272 break; 1273 // Should not reach here 1274 default: 1275 report("ERROR - unexpected stage, %d.", false, 1276 vmx_get_test_stage()); 1277 print_vmexit_info(); 1278 return VMX_TEST_VMEXIT; 1279 } 1280 return VMX_TEST_RESUME; 1281 case VMX_EPT_VIOLATION: 1282 switch(vmx_get_test_stage()) { 1283 case 3: 1284 check_ept_ad(pml4, guest_cr3, (unsigned long)data_page1, 0, 1285 have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0); 1286 clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page1); 1287 if (exit_qual == (EPT_VLT_WR | EPT_VLT_LADDR_VLD | 1288 EPT_VLT_PADDR)) 1289 vmx_inc_test_stage(); 1290 set_ept_pte(pml4, (unsigned long)data_page1, 1291 1, data_page1_pte | (EPT_PRESENT)); 1292 ept_sync(INVEPT_SINGLE, eptp); 1293 break; 1294 case 4: 1295 check_ept_ad(pml4, guest_cr3, (unsigned long)data_page1, 0, 1296 have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0); 1297 clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page1); 1298 if (exit_qual == (EPT_VLT_RD | 1299 (have_ad ? EPT_VLT_WR : 0) | 1300 EPT_VLT_LADDR_VLD)) 1301 vmx_inc_test_stage(); 1302 set_ept_pte(pml4, data_page1_pte, 2, 1303 data_page1_pte_pte | (EPT_PRESENT)); 1304 ept_sync(INVEPT_SINGLE, eptp); 1305 break; 1306 default: 1307 // Should not reach here 1308 report("ERROR : unexpected stage, %d", false, 1309 vmx_get_test_stage()); 1310 print_vmexit_info(); 1311 return VMX_TEST_VMEXIT; 1312 } 1313 return VMX_TEST_RESUME; 1314 default: 1315 report("Unknown exit reason, %ld", false, reason); 1316 print_vmexit_info(); 1317 } 1318 return VMX_TEST_VMEXIT; 1319 } 1320 1321 static int ept_exit_handler() 1322 { 1323 return ept_exit_handler_common(false); 1324 } 1325 1326 static int eptad_init() 1327 { 1328 int r = ept_init_common(true); 1329 1330 if (r == VMX_TEST_EXIT) 1331 return r; 1332 1333 if ((rdmsr(MSR_IA32_VMX_EPT_VPID_CAP) & EPT_CAP_AD_FLAG) == 0) { 1334 printf("\tEPT A/D bits are not supported"); 1335 return VMX_TEST_EXIT; 1336 } 1337 1338 return r; 1339 } 1340 1341 static int pml_init() 1342 { 1343 u32 ctrl_cpu; 1344 int r = eptad_init(); 1345 1346 if (r == VMX_TEST_EXIT) 1347 return r; 1348 1349 if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY) || 1350 !(ctrl_cpu_rev[1].clr & CPU_PML)) { 1351 printf("\tPML is not supported"); 1352 return VMX_TEST_EXIT; 1353 } 1354 1355 pml_log = alloc_page(); 1356 memset(pml_log, 0x0, PAGE_SIZE); 1357 vmcs_write(PMLADDR, (u64)pml_log); 1358 vmcs_write(GUEST_PML_INDEX, PML_INDEX - 1); 1359 1360 ctrl_cpu = vmcs_read(CPU_EXEC_CTRL1) | CPU_PML; 1361 vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu); 1362 1363 return VMX_TEST_START; 1364 } 1365 1366 static void pml_main() 1367 { 1368 int count = 0; 1369 1370 vmx_set_test_stage(0); 1371 *((u32 *)data_page2) = 0x1; 1372 vmcall(); 1373 report("PML - Dirty GPA Logging", vmx_get_test_stage() == 1); 1374 1375 while (vmx_get_test_stage() == 1) { 1376 vmcall(); 1377 *((u32 *)data_page2) = 0x1; 1378 if (count++ > PML_INDEX) 1379 break; 1380 } 1381 report("PML Full Event", vmx_get_test_stage() == 2); 1382 } 1383 1384 static void eptad_main() 1385 { 1386 ept_common(); 1387 } 1388 1389 static int eptad_exit_handler() 1390 { 1391 return ept_exit_handler_common(true); 1392 } 1393 1394 bool invvpid_test(int type, u16 vpid) 1395 { 1396 bool ret, supported; 1397 1398 supported = ept_vpid.val & 1399 (VPID_CAP_INVVPID_ADDR >> INVVPID_ADDR << type); 1400 ret = invvpid(type, vpid, 0); 1401 1402 if (ret == !supported) 1403 return false; 1404 1405 if (!supported) 1406 printf("WARNING: unsupported invvpid passed!\n"); 1407 else 1408 printf("WARNING: invvpid failed!\n"); 1409 1410 return true; 1411 } 1412 1413 static int vpid_init() 1414 { 1415 u32 ctrl_cpu1; 1416 1417 if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY) || 1418 !(ctrl_cpu_rev[1].clr & CPU_VPID)) { 1419 printf("\tVPID is not supported"); 1420 return VMX_TEST_EXIT; 1421 } 1422 1423 ctrl_cpu1 = vmcs_read(CPU_EXEC_CTRL1); 1424 ctrl_cpu1 |= CPU_VPID; 1425 vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu1); 1426 return VMX_TEST_START; 1427 } 1428 1429 static void vpid_main() 1430 { 1431 vmx_set_test_stage(0); 1432 vmcall(); 1433 report("INVVPID SINGLE ADDRESS", vmx_get_test_stage() == 1); 1434 vmx_set_test_stage(2); 1435 vmcall(); 1436 report("INVVPID SINGLE", vmx_get_test_stage() == 3); 1437 vmx_set_test_stage(4); 1438 vmcall(); 1439 report("INVVPID ALL", vmx_get_test_stage() == 5); 1440 } 1441 1442 static int vpid_exit_handler() 1443 { 1444 u64 guest_rip; 1445 ulong reason; 1446 u32 insn_len; 1447 1448 guest_rip = vmcs_read(GUEST_RIP); 1449 reason = vmcs_read(EXI_REASON) & 0xff; 1450 insn_len = vmcs_read(EXI_INST_LEN); 1451 1452 switch (reason) { 1453 case VMX_VMCALL: 1454 switch(vmx_get_test_stage()) { 1455 case 0: 1456 if (!invvpid_test(INVVPID_ADDR, 1)) 1457 vmx_inc_test_stage(); 1458 break; 1459 case 2: 1460 if (!invvpid_test(INVVPID_CONTEXT_GLOBAL, 1)) 1461 vmx_inc_test_stage(); 1462 break; 1463 case 4: 1464 if (!invvpid_test(INVVPID_ALL, 1)) 1465 vmx_inc_test_stage(); 1466 break; 1467 default: 1468 report("ERROR: unexpected stage, %d", false, 1469 vmx_get_test_stage()); 1470 print_vmexit_info(); 1471 return VMX_TEST_VMEXIT; 1472 } 1473 vmcs_write(GUEST_RIP, guest_rip + insn_len); 1474 return VMX_TEST_RESUME; 1475 default: 1476 report("Unknown exit reason, %ld", false, reason); 1477 print_vmexit_info(); 1478 } 1479 return VMX_TEST_VMEXIT; 1480 } 1481 1482 #define TIMER_VECTOR 222 1483 1484 static volatile bool timer_fired; 1485 1486 static void timer_isr(isr_regs_t *regs) 1487 { 1488 timer_fired = true; 1489 apic_write(APIC_EOI, 0); 1490 } 1491 1492 static int interrupt_init(struct vmcs *vmcs) 1493 { 1494 msr_bmp_init(); 1495 vmcs_write(PIN_CONTROLS, vmcs_read(PIN_CONTROLS) & ~PIN_EXTINT); 1496 handle_irq(TIMER_VECTOR, timer_isr); 1497 return VMX_TEST_START; 1498 } 1499 1500 static void interrupt_main(void) 1501 { 1502 long long start, loops; 1503 1504 vmx_set_test_stage(0); 1505 1506 apic_write(APIC_LVTT, TIMER_VECTOR); 1507 irq_enable(); 1508 1509 apic_write(APIC_TMICT, 1); 1510 for (loops = 0; loops < 10000000 && !timer_fired; loops++) 1511 asm volatile ("nop"); 1512 report("direct interrupt while running guest", timer_fired); 1513 1514 apic_write(APIC_TMICT, 0); 1515 irq_disable(); 1516 vmcall(); 1517 timer_fired = false; 1518 apic_write(APIC_TMICT, 1); 1519 for (loops = 0; loops < 10000000 && !timer_fired; loops++) 1520 asm volatile ("nop"); 1521 report("intercepted interrupt while running guest", timer_fired); 1522 1523 irq_enable(); 1524 apic_write(APIC_TMICT, 0); 1525 irq_disable(); 1526 vmcall(); 1527 timer_fired = false; 1528 start = rdtsc(); 1529 apic_write(APIC_TMICT, 1000000); 1530 1531 asm volatile ("sti; hlt"); 1532 1533 report("direct interrupt + hlt", 1534 rdtsc() - start > 1000000 && timer_fired); 1535 1536 apic_write(APIC_TMICT, 0); 1537 irq_disable(); 1538 vmcall(); 1539 timer_fired = false; 1540 start = rdtsc(); 1541 apic_write(APIC_TMICT, 1000000); 1542 1543 asm volatile ("sti; hlt"); 1544 1545 report("intercepted interrupt + hlt", 1546 rdtsc() - start > 10000 && timer_fired); 1547 1548 apic_write(APIC_TMICT, 0); 1549 irq_disable(); 1550 vmcall(); 1551 timer_fired = false; 1552 start = rdtsc(); 1553 apic_write(APIC_TMICT, 1000000); 1554 1555 irq_enable(); 1556 asm volatile ("nop"); 1557 vmcall(); 1558 1559 report("direct interrupt + activity state hlt", 1560 rdtsc() - start > 10000 && timer_fired); 1561 1562 apic_write(APIC_TMICT, 0); 1563 irq_disable(); 1564 vmcall(); 1565 timer_fired = false; 1566 start = rdtsc(); 1567 apic_write(APIC_TMICT, 1000000); 1568 1569 irq_enable(); 1570 asm volatile ("nop"); 1571 vmcall(); 1572 1573 report("intercepted interrupt + activity state hlt", 1574 rdtsc() - start > 10000 && timer_fired); 1575 1576 apic_write(APIC_TMICT, 0); 1577 irq_disable(); 1578 vmx_set_test_stage(7); 1579 vmcall(); 1580 timer_fired = false; 1581 apic_write(APIC_TMICT, 1); 1582 for (loops = 0; loops < 10000000 && !timer_fired; loops++) 1583 asm volatile ("nop"); 1584 report("running a guest with interrupt acknowledgement set", timer_fired); 1585 } 1586 1587 static int interrupt_exit_handler(void) 1588 { 1589 u64 guest_rip = vmcs_read(GUEST_RIP); 1590 ulong reason = vmcs_read(EXI_REASON) & 0xff; 1591 u32 insn_len = vmcs_read(EXI_INST_LEN); 1592 1593 switch (reason) { 1594 case VMX_VMCALL: 1595 switch (vmx_get_test_stage()) { 1596 case 0: 1597 case 2: 1598 case 5: 1599 vmcs_write(PIN_CONTROLS, 1600 vmcs_read(PIN_CONTROLS) | PIN_EXTINT); 1601 break; 1602 case 7: 1603 vmcs_write(EXI_CONTROLS, vmcs_read(EXI_CONTROLS) | EXI_INTA); 1604 vmcs_write(PIN_CONTROLS, 1605 vmcs_read(PIN_CONTROLS) | PIN_EXTINT); 1606 break; 1607 case 1: 1608 case 3: 1609 vmcs_write(PIN_CONTROLS, 1610 vmcs_read(PIN_CONTROLS) & ~PIN_EXTINT); 1611 break; 1612 case 4: 1613 case 6: 1614 vmcs_write(GUEST_ACTV_STATE, ACTV_HLT); 1615 break; 1616 } 1617 vmx_inc_test_stage(); 1618 vmcs_write(GUEST_RIP, guest_rip + insn_len); 1619 return VMX_TEST_RESUME; 1620 case VMX_EXTINT: 1621 if (vmcs_read(EXI_CONTROLS) & EXI_INTA) { 1622 int vector = vmcs_read(EXI_INTR_INFO) & 0xff; 1623 handle_external_interrupt(vector); 1624 } else { 1625 irq_enable(); 1626 asm volatile ("nop"); 1627 irq_disable(); 1628 } 1629 if (vmx_get_test_stage() >= 2) 1630 vmcs_write(GUEST_ACTV_STATE, ACTV_ACTIVE); 1631 return VMX_TEST_RESUME; 1632 default: 1633 report("Unknown exit reason, %ld", false, reason); 1634 print_vmexit_info(); 1635 } 1636 1637 return VMX_TEST_VMEXIT; 1638 } 1639 1640 static int dbgctls_init(struct vmcs *vmcs) 1641 { 1642 u64 dr7 = 0x402; 1643 u64 zero = 0; 1644 1645 msr_bmp_init(); 1646 asm volatile( 1647 "mov %0,%%dr0\n\t" 1648 "mov %0,%%dr1\n\t" 1649 "mov %0,%%dr2\n\t" 1650 "mov %1,%%dr7\n\t" 1651 : : "r" (zero), "r" (dr7)); 1652 wrmsr(MSR_IA32_DEBUGCTLMSR, 0x1); 1653 vmcs_write(GUEST_DR7, 0x404); 1654 vmcs_write(GUEST_DEBUGCTL, 0x2); 1655 1656 vmcs_write(ENT_CONTROLS, vmcs_read(ENT_CONTROLS) | ENT_LOAD_DBGCTLS); 1657 vmcs_write(EXI_CONTROLS, vmcs_read(EXI_CONTROLS) | EXI_SAVE_DBGCTLS); 1658 1659 return VMX_TEST_START; 1660 } 1661 1662 static void dbgctls_main(void) 1663 { 1664 u64 dr7, debugctl; 1665 1666 asm volatile("mov %%dr7,%0" : "=r" (dr7)); 1667 debugctl = rdmsr(MSR_IA32_DEBUGCTLMSR); 1668 /* Commented out: KVM does not support DEBUGCTL so far */ 1669 (void)debugctl; 1670 report("Load debug controls", dr7 == 0x404 /* && debugctl == 0x2 */); 1671 1672 dr7 = 0x408; 1673 asm volatile("mov %0,%%dr7" : : "r" (dr7)); 1674 wrmsr(MSR_IA32_DEBUGCTLMSR, 0x3); 1675 1676 vmx_set_test_stage(0); 1677 vmcall(); 1678 report("Save debug controls", vmx_get_test_stage() == 1); 1679 1680 if (ctrl_enter_rev.set & ENT_LOAD_DBGCTLS || 1681 ctrl_exit_rev.set & EXI_SAVE_DBGCTLS) { 1682 printf("\tDebug controls are always loaded/saved\n"); 1683 return; 1684 } 1685 vmx_set_test_stage(2); 1686 vmcall(); 1687 1688 asm volatile("mov %%dr7,%0" : "=r" (dr7)); 1689 debugctl = rdmsr(MSR_IA32_DEBUGCTLMSR); 1690 /* Commented out: KVM does not support DEBUGCTL so far */ 1691 (void)debugctl; 1692 report("Guest=host debug controls", dr7 == 0x402 /* && debugctl == 0x1 */); 1693 1694 dr7 = 0x408; 1695 asm volatile("mov %0,%%dr7" : : "r" (dr7)); 1696 wrmsr(MSR_IA32_DEBUGCTLMSR, 0x3); 1697 1698 vmx_set_test_stage(3); 1699 vmcall(); 1700 report("Don't save debug controls", vmx_get_test_stage() == 4); 1701 } 1702 1703 static int dbgctls_exit_handler(void) 1704 { 1705 unsigned int reason = vmcs_read(EXI_REASON) & 0xff; 1706 u32 insn_len = vmcs_read(EXI_INST_LEN); 1707 u64 guest_rip = vmcs_read(GUEST_RIP); 1708 u64 dr7, debugctl; 1709 1710 asm volatile("mov %%dr7,%0" : "=r" (dr7)); 1711 debugctl = rdmsr(MSR_IA32_DEBUGCTLMSR); 1712 1713 switch (reason) { 1714 case VMX_VMCALL: 1715 switch (vmx_get_test_stage()) { 1716 case 0: 1717 if (dr7 == 0x400 && debugctl == 0 && 1718 vmcs_read(GUEST_DR7) == 0x408 /* && 1719 Commented out: KVM does not support DEBUGCTL so far 1720 vmcs_read(GUEST_DEBUGCTL) == 0x3 */) 1721 vmx_inc_test_stage(); 1722 break; 1723 case 2: 1724 dr7 = 0x402; 1725 asm volatile("mov %0,%%dr7" : : "r" (dr7)); 1726 wrmsr(MSR_IA32_DEBUGCTLMSR, 0x1); 1727 vmcs_write(GUEST_DR7, 0x404); 1728 vmcs_write(GUEST_DEBUGCTL, 0x2); 1729 1730 vmcs_write(ENT_CONTROLS, 1731 vmcs_read(ENT_CONTROLS) & ~ENT_LOAD_DBGCTLS); 1732 vmcs_write(EXI_CONTROLS, 1733 vmcs_read(EXI_CONTROLS) & ~EXI_SAVE_DBGCTLS); 1734 break; 1735 case 3: 1736 if (dr7 == 0x400 && debugctl == 0 && 1737 vmcs_read(GUEST_DR7) == 0x404 /* && 1738 Commented out: KVM does not support DEBUGCTL so far 1739 vmcs_read(GUEST_DEBUGCTL) == 0x2 */) 1740 vmx_inc_test_stage(); 1741 break; 1742 } 1743 vmcs_write(GUEST_RIP, guest_rip + insn_len); 1744 return VMX_TEST_RESUME; 1745 default: 1746 report("Unknown exit reason, %d", false, reason); 1747 print_vmexit_info(); 1748 } 1749 return VMX_TEST_VMEXIT; 1750 } 1751 1752 struct vmx_msr_entry { 1753 u32 index; 1754 u32 reserved; 1755 u64 value; 1756 } __attribute__((packed)); 1757 1758 #define MSR_MAGIC 0x31415926 1759 struct vmx_msr_entry *exit_msr_store, *entry_msr_load, *exit_msr_load; 1760 1761 static int msr_switch_init(struct vmcs *vmcs) 1762 { 1763 msr_bmp_init(); 1764 exit_msr_store = alloc_page(); 1765 exit_msr_load = alloc_page(); 1766 entry_msr_load = alloc_page(); 1767 memset(exit_msr_store, 0, PAGE_SIZE); 1768 memset(exit_msr_load, 0, PAGE_SIZE); 1769 memset(entry_msr_load, 0, PAGE_SIZE); 1770 entry_msr_load[0].index = MSR_KERNEL_GS_BASE; 1771 entry_msr_load[0].value = MSR_MAGIC; 1772 1773 vmx_set_test_stage(1); 1774 vmcs_write(ENT_MSR_LD_CNT, 1); 1775 vmcs_write(ENTER_MSR_LD_ADDR, (u64)entry_msr_load); 1776 vmcs_write(EXI_MSR_ST_CNT, 1); 1777 vmcs_write(EXIT_MSR_ST_ADDR, (u64)exit_msr_store); 1778 vmcs_write(EXI_MSR_LD_CNT, 1); 1779 vmcs_write(EXIT_MSR_LD_ADDR, (u64)exit_msr_load); 1780 return VMX_TEST_START; 1781 } 1782 1783 static void msr_switch_main() 1784 { 1785 if (vmx_get_test_stage() == 1) { 1786 report("VM entry MSR load", 1787 rdmsr(MSR_KERNEL_GS_BASE) == MSR_MAGIC); 1788 vmx_set_test_stage(2); 1789 wrmsr(MSR_KERNEL_GS_BASE, MSR_MAGIC + 1); 1790 exit_msr_store[0].index = MSR_KERNEL_GS_BASE; 1791 exit_msr_load[0].index = MSR_KERNEL_GS_BASE; 1792 exit_msr_load[0].value = MSR_MAGIC + 2; 1793 } 1794 vmcall(); 1795 } 1796 1797 static int msr_switch_exit_handler() 1798 { 1799 ulong reason; 1800 1801 reason = vmcs_read(EXI_REASON); 1802 if (reason == VMX_VMCALL && vmx_get_test_stage() == 2) { 1803 report("VM exit MSR store", 1804 exit_msr_store[0].value == MSR_MAGIC + 1); 1805 report("VM exit MSR load", 1806 rdmsr(MSR_KERNEL_GS_BASE) == MSR_MAGIC + 2); 1807 vmx_set_test_stage(3); 1808 entry_msr_load[0].index = MSR_FS_BASE; 1809 return VMX_TEST_RESUME; 1810 } 1811 printf("ERROR %s: unexpected stage=%u or reason=%lu\n", 1812 __func__, vmx_get_test_stage(), reason); 1813 return VMX_TEST_EXIT; 1814 } 1815 1816 static int msr_switch_entry_failure(struct vmentry_failure *failure) 1817 { 1818 ulong reason; 1819 1820 if (failure->early) { 1821 printf("ERROR %s: early exit\n", __func__); 1822 return VMX_TEST_EXIT; 1823 } 1824 1825 reason = vmcs_read(EXI_REASON); 1826 if (reason == (VMX_ENTRY_FAILURE | VMX_FAIL_MSR) && 1827 vmx_get_test_stage() == 3) { 1828 report("VM entry MSR load: try to load FS_BASE", 1829 vmcs_read(EXI_QUALIFICATION) == 1); 1830 return VMX_TEST_VMEXIT; 1831 } 1832 printf("ERROR %s: unexpected stage=%u or reason=%lu\n", 1833 __func__, vmx_get_test_stage(), reason); 1834 return VMX_TEST_EXIT; 1835 } 1836 1837 static int vmmcall_init(struct vmcs *vmcs ) 1838 { 1839 vmcs_write(EXC_BITMAP, 1 << UD_VECTOR); 1840 return VMX_TEST_START; 1841 } 1842 1843 static void vmmcall_main(void) 1844 { 1845 asm volatile( 1846 "mov $0xABCD, %%rax\n\t" 1847 "vmmcall\n\t" 1848 ::: "rax"); 1849 1850 report("VMMCALL", 0); 1851 } 1852 1853 static int vmmcall_exit_handler() 1854 { 1855 ulong reason; 1856 1857 reason = vmcs_read(EXI_REASON); 1858 switch (reason) { 1859 case VMX_VMCALL: 1860 printf("here\n"); 1861 report("VMMCALL triggers #UD", 0); 1862 break; 1863 case VMX_EXC_NMI: 1864 report("VMMCALL triggers #UD", 1865 (vmcs_read(EXI_INTR_INFO) & 0xff) == UD_VECTOR); 1866 break; 1867 default: 1868 report("Unknown exit reason, %ld", false, reason); 1869 print_vmexit_info(); 1870 } 1871 1872 return VMX_TEST_VMEXIT; 1873 } 1874 1875 static int disable_rdtscp_init(struct vmcs *vmcs) 1876 { 1877 u32 ctrl_cpu1; 1878 1879 if (ctrl_cpu_rev[0].clr & CPU_SECONDARY) { 1880 ctrl_cpu1 = vmcs_read(CPU_EXEC_CTRL1); 1881 ctrl_cpu1 &= ~CPU_RDTSCP; 1882 vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu1); 1883 } 1884 1885 return VMX_TEST_START; 1886 } 1887 1888 static void disable_rdtscp_ud_handler(struct ex_regs *regs) 1889 { 1890 switch (vmx_get_test_stage()) { 1891 case 0: 1892 report("RDTSCP triggers #UD", true); 1893 vmx_inc_test_stage(); 1894 regs->rip += 3; 1895 break; 1896 case 2: 1897 report("RDPID triggers #UD", true); 1898 vmx_inc_test_stage(); 1899 regs->rip += 4; 1900 break; 1901 } 1902 return; 1903 1904 } 1905 1906 static void disable_rdtscp_main(void) 1907 { 1908 /* Test that #UD is properly injected in L2. */ 1909 handle_exception(UD_VECTOR, disable_rdtscp_ud_handler); 1910 1911 vmx_set_test_stage(0); 1912 asm volatile("rdtscp" : : : "eax", "ecx", "edx"); 1913 vmcall(); 1914 asm volatile(".byte 0xf3, 0x0f, 0xc7, 0xf8" : : : "eax"); 1915 vmcall(); 1916 } 1917 1918 static int disable_rdtscp_exit_handler(void) 1919 { 1920 unsigned int reason = vmcs_read(EXI_REASON) & 0xff; 1921 1922 switch (reason) { 1923 case VMX_VMCALL: 1924 switch (vmx_get_test_stage()) { 1925 case 0: 1926 report("RDTSCP triggers #UD", false); 1927 vmx_inc_test_stage(); 1928 /* fallthrough */ 1929 case 1: 1930 vmx_inc_test_stage(); 1931 vmcs_write(GUEST_RIP, vmcs_read(GUEST_RIP) + 3); 1932 return VMX_TEST_RESUME; 1933 case 2: 1934 report("RDPID triggers #UD", false); 1935 break; 1936 } 1937 break; 1938 1939 default: 1940 report("Unknown exit reason, %d", false, reason); 1941 print_vmexit_info(); 1942 } 1943 return VMX_TEST_VMEXIT; 1944 } 1945 1946 int int3_init() 1947 { 1948 vmcs_write(EXC_BITMAP, ~0u); 1949 return VMX_TEST_START; 1950 } 1951 1952 void int3_guest_main() 1953 { 1954 asm volatile ("int3"); 1955 } 1956 1957 int int3_exit_handler() 1958 { 1959 u32 reason = vmcs_read(EXI_REASON); 1960 u32 intr_info = vmcs_read(EXI_INTR_INFO); 1961 1962 report("L1 intercepts #BP", reason == VMX_EXC_NMI && 1963 (intr_info & INTR_INFO_VALID_MASK) && 1964 (intr_info & INTR_INFO_VECTOR_MASK) == BP_VECTOR && 1965 ((intr_info & INTR_INFO_INTR_TYPE_MASK) >> 1966 INTR_INFO_INTR_TYPE_SHIFT) == VMX_INTR_TYPE_SOFT_EXCEPTION); 1967 1968 return VMX_TEST_VMEXIT; 1969 } 1970 1971 int into_init() 1972 { 1973 vmcs_write(EXC_BITMAP, ~0u); 1974 return VMX_TEST_START; 1975 } 1976 1977 void into_guest_main() 1978 { 1979 struct far_pointer32 fp = { 1980 .offset = (uintptr_t)&&into, 1981 .selector = KERNEL_CS32, 1982 }; 1983 register uintptr_t rsp asm("rsp"); 1984 1985 if (fp.offset != (uintptr_t)&&into) { 1986 printf("Code address too high.\n"); 1987 return; 1988 } 1989 if ((u32)rsp != rsp) { 1990 printf("Stack address too high.\n"); 1991 return; 1992 } 1993 1994 asm goto ("lcall *%0" : : "m" (fp) : "rax" : into); 1995 return; 1996 into: 1997 asm volatile (".code32;" 1998 "movl $0x7fffffff, %eax;" 1999 "addl %eax, %eax;" 2000 "into;" 2001 "lret;" 2002 ".code64"); 2003 __builtin_unreachable(); 2004 } 2005 2006 int into_exit_handler() 2007 { 2008 u32 reason = vmcs_read(EXI_REASON); 2009 u32 intr_info = vmcs_read(EXI_INTR_INFO); 2010 2011 report("L1 intercepts #OF", reason == VMX_EXC_NMI && 2012 (intr_info & INTR_INFO_VALID_MASK) && 2013 (intr_info & INTR_INFO_VECTOR_MASK) == OF_VECTOR && 2014 ((intr_info & INTR_INFO_INTR_TYPE_MASK) >> 2015 INTR_INFO_INTR_TYPE_SHIFT) == VMX_INTR_TYPE_SOFT_EXCEPTION); 2016 2017 return VMX_TEST_VMEXIT; 2018 } 2019 2020 static void exit_monitor_from_l2_main(void) 2021 { 2022 printf("Calling exit(0) from l2...\n"); 2023 exit(0); 2024 } 2025 2026 static int exit_monitor_from_l2_handler(void) 2027 { 2028 report("The guest should have killed the VMM", false); 2029 return VMX_TEST_EXIT; 2030 } 2031 2032 static void assert_exit_reason(u64 expected) 2033 { 2034 u64 actual = vmcs_read(EXI_REASON); 2035 2036 TEST_ASSERT_EQ_MSG(expected, actual, "Expected %s, got %s.", 2037 exit_reason_description(expected), 2038 exit_reason_description(actual)); 2039 } 2040 2041 static void skip_exit_vmcall() 2042 { 2043 u64 guest_rip = vmcs_read(GUEST_RIP); 2044 u32 insn_len = vmcs_read(EXI_INST_LEN); 2045 2046 assert_exit_reason(VMX_VMCALL); 2047 vmcs_write(GUEST_RIP, guest_rip + insn_len); 2048 } 2049 2050 static void v2_null_test_guest(void) 2051 { 2052 } 2053 2054 static void v2_null_test(void) 2055 { 2056 test_set_guest(v2_null_test_guest); 2057 enter_guest(); 2058 report(__func__, 1); 2059 } 2060 2061 static void v2_multiple_entries_test_guest(void) 2062 { 2063 vmx_set_test_stage(1); 2064 vmcall(); 2065 vmx_set_test_stage(2); 2066 } 2067 2068 static void v2_multiple_entries_test(void) 2069 { 2070 test_set_guest(v2_multiple_entries_test_guest); 2071 enter_guest(); 2072 TEST_ASSERT_EQ(vmx_get_test_stage(), 1); 2073 skip_exit_vmcall(); 2074 enter_guest(); 2075 TEST_ASSERT_EQ(vmx_get_test_stage(), 2); 2076 report(__func__, 1); 2077 } 2078 2079 static int fixture_test_data = 1; 2080 2081 static void fixture_test_teardown(void *data) 2082 { 2083 *((int *) data) = 1; 2084 } 2085 2086 static void fixture_test_guest(void) 2087 { 2088 fixture_test_data++; 2089 } 2090 2091 2092 static void fixture_test_setup(void) 2093 { 2094 TEST_ASSERT_EQ_MSG(1, fixture_test_data, 2095 "fixture_test_teardown didn't run?!"); 2096 fixture_test_data = 2; 2097 test_add_teardown(fixture_test_teardown, &fixture_test_data); 2098 test_set_guest(fixture_test_guest); 2099 } 2100 2101 static void fixture_test_case1(void) 2102 { 2103 fixture_test_setup(); 2104 TEST_ASSERT_EQ(2, fixture_test_data); 2105 enter_guest(); 2106 TEST_ASSERT_EQ(3, fixture_test_data); 2107 report(__func__, 1); 2108 } 2109 2110 static void fixture_test_case2(void) 2111 { 2112 fixture_test_setup(); 2113 TEST_ASSERT_EQ(2, fixture_test_data); 2114 enter_guest(); 2115 TEST_ASSERT_EQ(3, fixture_test_data); 2116 report(__func__, 1); 2117 } 2118 2119 enum ept_access_op { 2120 OP_READ, 2121 OP_WRITE, 2122 OP_EXEC, 2123 OP_FLUSH_TLB, 2124 OP_EXIT, 2125 }; 2126 2127 static struct ept_access_test_data { 2128 unsigned long gpa; 2129 unsigned long *gva; 2130 unsigned long hpa; 2131 unsigned long *hva; 2132 enum ept_access_op op; 2133 } ept_access_test_data; 2134 2135 extern unsigned char ret42_start; 2136 extern unsigned char ret42_end; 2137 2138 /* Returns 42. */ 2139 asm( 2140 ".align 64\n" 2141 "ret42_start:\n" 2142 "mov $42, %eax\n" 2143 "ret\n" 2144 "ret42_end:\n" 2145 ); 2146 2147 static void 2148 diagnose_ept_violation_qual(u64 expected, u64 actual) 2149 { 2150 2151 #define DIAGNOSE(flag) \ 2152 do { \ 2153 if ((expected & flag) != (actual & flag)) \ 2154 printf(#flag " %sexpected\n", \ 2155 (expected & flag) ? "" : "un"); \ 2156 } while (0) 2157 2158 DIAGNOSE(EPT_VLT_RD); 2159 DIAGNOSE(EPT_VLT_WR); 2160 DIAGNOSE(EPT_VLT_FETCH); 2161 DIAGNOSE(EPT_VLT_PERM_RD); 2162 DIAGNOSE(EPT_VLT_PERM_WR); 2163 DIAGNOSE(EPT_VLT_PERM_EX); 2164 DIAGNOSE(EPT_VLT_LADDR_VLD); 2165 DIAGNOSE(EPT_VLT_PADDR); 2166 2167 #undef DIAGNOSE 2168 } 2169 2170 static void do_ept_access_op(enum ept_access_op op) 2171 { 2172 ept_access_test_data.op = op; 2173 enter_guest(); 2174 } 2175 2176 /* 2177 * Force the guest to flush its TLB (i.e., flush gva -> gpa mappings). Only 2178 * needed by tests that modify guest PTEs. 2179 */ 2180 static void ept_access_test_guest_flush_tlb(void) 2181 { 2182 do_ept_access_op(OP_FLUSH_TLB); 2183 skip_exit_vmcall(); 2184 } 2185 2186 /* 2187 * Modifies the EPT entry at @level in the mapping of @gpa. First clears the 2188 * bits in @clear then sets the bits in @set. @mkhuge transforms the entry into 2189 * a huge page. 2190 */ 2191 static unsigned long ept_twiddle(unsigned long gpa, bool mkhuge, int level, 2192 unsigned long clear, unsigned long set) 2193 { 2194 struct ept_access_test_data *data = &ept_access_test_data; 2195 unsigned long orig_pte; 2196 unsigned long pte; 2197 2198 /* Screw with the mapping at the requested level. */ 2199 TEST_ASSERT(get_ept_pte(pml4, gpa, level, &orig_pte)); 2200 pte = orig_pte; 2201 if (mkhuge) 2202 pte = (orig_pte & ~EPT_ADDR_MASK) | data->hpa | EPT_LARGE_PAGE; 2203 else 2204 pte = orig_pte; 2205 pte = (pte & ~clear) | set; 2206 set_ept_pte(pml4, gpa, level, pte); 2207 ept_sync(INVEPT_SINGLE, eptp); 2208 2209 return orig_pte; 2210 } 2211 2212 static void ept_untwiddle(unsigned long gpa, int level, unsigned long orig_pte) 2213 { 2214 set_ept_pte(pml4, gpa, level, orig_pte); 2215 } 2216 2217 static void do_ept_violation(bool leaf, enum ept_access_op op, 2218 u64 expected_qual, u64 expected_paddr) 2219 { 2220 u64 qual; 2221 2222 /* Try the access and observe the violation. */ 2223 do_ept_access_op(op); 2224 2225 assert_exit_reason(VMX_EPT_VIOLATION); 2226 2227 qual = vmcs_read(EXI_QUALIFICATION); 2228 2229 diagnose_ept_violation_qual(expected_qual, qual); 2230 TEST_EXPECT_EQ(expected_qual, qual); 2231 2232 #if 0 2233 /* Disable for now otherwise every test will fail */ 2234 TEST_EXPECT_EQ(vmcs_read(GUEST_LINEAR_ADDRESS), 2235 (unsigned long) ( 2236 op == OP_EXEC ? data->gva + 1 : data->gva)); 2237 #endif 2238 /* 2239 * TODO: tests that probe expected_paddr in pages other than the one at 2240 * the beginning of the 1g region. 2241 */ 2242 TEST_EXPECT_EQ(vmcs_read(INFO_PHYS_ADDR), expected_paddr); 2243 } 2244 2245 static void 2246 ept_violation_at_level_mkhuge(bool mkhuge, int level, unsigned long clear, 2247 unsigned long set, enum ept_access_op op, 2248 u64 expected_qual) 2249 { 2250 struct ept_access_test_data *data = &ept_access_test_data; 2251 unsigned long orig_pte; 2252 2253 orig_pte = ept_twiddle(data->gpa, mkhuge, level, clear, set); 2254 2255 do_ept_violation(level == 1 || mkhuge, op, expected_qual, 2256 op == OP_EXEC ? data->gpa + sizeof(unsigned long) : 2257 data->gpa); 2258 2259 /* Fix the violation and resume the op loop. */ 2260 ept_untwiddle(data->gpa, level, orig_pte); 2261 enter_guest(); 2262 skip_exit_vmcall(); 2263 } 2264 2265 static void 2266 ept_violation_at_level(int level, unsigned long clear, unsigned long set, 2267 enum ept_access_op op, u64 expected_qual) 2268 { 2269 ept_violation_at_level_mkhuge(false, level, clear, set, op, 2270 expected_qual); 2271 if (ept_huge_pages_supported(level)) 2272 ept_violation_at_level_mkhuge(true, level, clear, set, op, 2273 expected_qual); 2274 } 2275 2276 static void ept_violation(unsigned long clear, unsigned long set, 2277 enum ept_access_op op, u64 expected_qual) 2278 { 2279 ept_violation_at_level(1, clear, set, op, expected_qual); 2280 ept_violation_at_level(2, clear, set, op, expected_qual); 2281 ept_violation_at_level(3, clear, set, op, expected_qual); 2282 ept_violation_at_level(4, clear, set, op, expected_qual); 2283 } 2284 2285 static void ept_access_violation(unsigned long access, enum ept_access_op op, 2286 u64 expected_qual) 2287 { 2288 ept_violation(EPT_PRESENT, access, op, 2289 expected_qual | EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 2290 } 2291 2292 /* 2293 * For translations that don't involve a GVA, that is physical address (paddr) 2294 * accesses, EPT violations don't set the flag EPT_VLT_PADDR. For a typical 2295 * guest memory access, the hardware does GVA -> GPA -> HPA. However, certain 2296 * translations don't involve GVAs, such as when the hardware does the guest 2297 * page table walk. For example, in translating GVA_1 -> GPA_1, the guest MMU 2298 * might try to set an A bit on a guest PTE. If the GPA_2 that the PTE resides 2299 * on isn't present in the EPT, then the EPT violation will be for GPA_2 and 2300 * the EPT_VLT_PADDR bit will be clear in the exit qualification. 2301 * 2302 * Note that paddr violations can also be triggered by loading PAE page tables 2303 * with wonky addresses. We don't test that yet. 2304 * 2305 * This function modifies the EPT entry that maps the GPA that the guest page 2306 * table entry mapping ept_access_data.gva resides on. 2307 * 2308 * @ept_access EPT permissions to set. Other permissions are cleared. 2309 * 2310 * @pte_ad Set the A/D bits on the guest PTE accordingly. 2311 * 2312 * @op Guest operation to perform with ept_access_data.gva. 2313 * 2314 * @expect_violation 2315 * Is a violation expected during the paddr access? 2316 * 2317 * @expected_qual Expected qualification for the EPT violation. 2318 * EPT_VLT_PADDR should be clear. 2319 */ 2320 static void ept_access_paddr(unsigned long ept_access, unsigned long pte_ad, 2321 enum ept_access_op op, bool expect_violation, 2322 u64 expected_qual) 2323 { 2324 struct ept_access_test_data *data = &ept_access_test_data; 2325 unsigned long *ptep; 2326 unsigned long gpa; 2327 unsigned long orig_epte; 2328 2329 /* Modify the guest PTE mapping data->gva according to @pte_ad. */ 2330 ptep = get_pte_level(current_page_table(), data->gva, /*level=*/1); 2331 TEST_ASSERT(ptep); 2332 TEST_ASSERT_EQ(*ptep & PT_ADDR_MASK, data->gpa); 2333 *ptep = (*ptep & ~PT_AD_MASK) | pte_ad; 2334 ept_access_test_guest_flush_tlb(); 2335 2336 /* 2337 * Now modify the access bits on the EPT entry for the GPA that the 2338 * guest PTE resides on. Note that by modifying a single EPT entry, 2339 * we're potentially affecting 512 guest PTEs. However, we've carefully 2340 * constructed our test such that those other 511 PTEs aren't used by 2341 * the guest: data->gva is at the beginning of a 1G huge page, thus the 2342 * PTE we're modifying is at the beginning of a 4K page and the 2343 * following 511 entires are also under our control (and not touched by 2344 * the guest). 2345 */ 2346 gpa = virt_to_phys(ptep); 2347 TEST_ASSERT_EQ(gpa & ~PAGE_MASK, 0); 2348 /* 2349 * Make sure the guest page table page is mapped with a 4K EPT entry, 2350 * otherwise our level=1 twiddling below will fail. We use the 2351 * identity map (gpa = gpa) since page tables are shared with the host. 2352 */ 2353 install_ept(pml4, gpa, gpa, EPT_PRESENT); 2354 orig_epte = ept_twiddle(gpa, /*mkhuge=*/0, /*level=*/1, 2355 /*clear=*/EPT_PRESENT, /*set=*/ept_access); 2356 2357 if (expect_violation) { 2358 do_ept_violation(/*leaf=*/true, op, 2359 expected_qual | EPT_VLT_LADDR_VLD, gpa); 2360 ept_untwiddle(gpa, /*level=*/1, orig_epte); 2361 do_ept_access_op(op); 2362 } else { 2363 do_ept_access_op(op); 2364 ept_untwiddle(gpa, /*level=*/1, orig_epte); 2365 } 2366 2367 TEST_ASSERT(*ptep & PT_ACCESSED_MASK); 2368 if ((pte_ad & PT_DIRTY_MASK) || op == OP_WRITE) 2369 TEST_ASSERT(*ptep & PT_DIRTY_MASK); 2370 2371 skip_exit_vmcall(); 2372 } 2373 2374 static void ept_access_allowed_paddr(unsigned long ept_access, 2375 unsigned long pte_ad, 2376 enum ept_access_op op) 2377 { 2378 ept_access_paddr(ept_access, pte_ad, op, /*expect_violation=*/false, 2379 /*expected_qual=*/-1); 2380 } 2381 2382 static void ept_access_violation_paddr(unsigned long ept_access, 2383 unsigned long pte_ad, 2384 enum ept_access_op op, 2385 u64 expected_qual) 2386 { 2387 ept_access_paddr(ept_access, pte_ad, op, /*expect_violation=*/true, 2388 expected_qual); 2389 } 2390 2391 2392 static void ept_allowed_at_level_mkhuge(bool mkhuge, int level, 2393 unsigned long clear, 2394 unsigned long set, 2395 enum ept_access_op op) 2396 { 2397 struct ept_access_test_data *data = &ept_access_test_data; 2398 unsigned long orig_pte; 2399 2400 orig_pte = ept_twiddle(data->gpa, mkhuge, level, clear, set); 2401 2402 /* No violation. Should proceed to vmcall. */ 2403 do_ept_access_op(op); 2404 skip_exit_vmcall(); 2405 2406 ept_untwiddle(data->gpa, level, orig_pte); 2407 } 2408 2409 static void ept_allowed_at_level(int level, unsigned long clear, 2410 unsigned long set, enum ept_access_op op) 2411 { 2412 ept_allowed_at_level_mkhuge(false, level, clear, set, op); 2413 if (ept_huge_pages_supported(level)) 2414 ept_allowed_at_level_mkhuge(true, level, clear, set, op); 2415 } 2416 2417 static void ept_allowed(unsigned long clear, unsigned long set, 2418 enum ept_access_op op) 2419 { 2420 ept_allowed_at_level(1, clear, set, op); 2421 ept_allowed_at_level(2, clear, set, op); 2422 ept_allowed_at_level(3, clear, set, op); 2423 ept_allowed_at_level(4, clear, set, op); 2424 } 2425 2426 static void ept_ignored_bit(int bit) 2427 { 2428 /* Set the bit. */ 2429 ept_allowed(0, 1ul << bit, OP_READ); 2430 ept_allowed(0, 1ul << bit, OP_WRITE); 2431 ept_allowed(0, 1ul << bit, OP_EXEC); 2432 2433 /* Clear the bit. */ 2434 ept_allowed(1ul << bit, 0, OP_READ); 2435 ept_allowed(1ul << bit, 0, OP_WRITE); 2436 ept_allowed(1ul << bit, 0, OP_EXEC); 2437 } 2438 2439 static void ept_access_allowed(unsigned long access, enum ept_access_op op) 2440 { 2441 ept_allowed(EPT_PRESENT, access, op); 2442 } 2443 2444 2445 static void ept_misconfig_at_level_mkhuge_op(bool mkhuge, int level, 2446 unsigned long clear, 2447 unsigned long set, 2448 enum ept_access_op op) 2449 { 2450 struct ept_access_test_data *data = &ept_access_test_data; 2451 unsigned long orig_pte; 2452 2453 orig_pte = ept_twiddle(data->gpa, mkhuge, level, clear, set); 2454 2455 do_ept_access_op(op); 2456 assert_exit_reason(VMX_EPT_MISCONFIG); 2457 2458 /* Intel 27.2.1, "For all other VM exits, this field is cleared." */ 2459 #if 0 2460 /* broken: */ 2461 TEST_EXPECT_EQ_MSG(vmcs_read(EXI_QUALIFICATION), 0); 2462 #endif 2463 #if 0 2464 /* 2465 * broken: 2466 * According to description of exit qual for EPT violation, 2467 * EPT_VLT_LADDR_VLD indicates if GUEST_LINEAR_ADDRESS is valid. 2468 * However, I can't find anything that says GUEST_LINEAR_ADDRESS ought 2469 * to be set for msiconfig. 2470 */ 2471 TEST_EXPECT_EQ(vmcs_read(GUEST_LINEAR_ADDRESS), 2472 (unsigned long) ( 2473 op == OP_EXEC ? data->gva + 1 : data->gva)); 2474 #endif 2475 2476 /* Fix the violation and resume the op loop. */ 2477 ept_untwiddle(data->gpa, level, orig_pte); 2478 enter_guest(); 2479 skip_exit_vmcall(); 2480 } 2481 2482 static void ept_misconfig_at_level_mkhuge(bool mkhuge, int level, 2483 unsigned long clear, 2484 unsigned long set) 2485 { 2486 /* The op shouldn't matter (read, write, exec), so try them all! */ 2487 ept_misconfig_at_level_mkhuge_op(mkhuge, level, clear, set, OP_READ); 2488 ept_misconfig_at_level_mkhuge_op(mkhuge, level, clear, set, OP_WRITE); 2489 ept_misconfig_at_level_mkhuge_op(mkhuge, level, clear, set, OP_EXEC); 2490 } 2491 2492 static void ept_misconfig_at_level(int level, unsigned long clear, 2493 unsigned long set) 2494 { 2495 ept_misconfig_at_level_mkhuge(false, level, clear, set); 2496 if (ept_huge_pages_supported(level)) 2497 ept_misconfig_at_level_mkhuge(true, level, clear, set); 2498 } 2499 2500 static void ept_misconfig(unsigned long clear, unsigned long set) 2501 { 2502 ept_misconfig_at_level(1, clear, set); 2503 ept_misconfig_at_level(2, clear, set); 2504 ept_misconfig_at_level(3, clear, set); 2505 ept_misconfig_at_level(4, clear, set); 2506 } 2507 2508 static void ept_access_misconfig(unsigned long access) 2509 { 2510 ept_misconfig(EPT_PRESENT, access); 2511 } 2512 2513 static void ept_reserved_bit_at_level_nohuge(int level, int bit) 2514 { 2515 /* Setting the bit causes a misconfig. */ 2516 ept_misconfig_at_level_mkhuge(false, level, 0, 1ul << bit); 2517 2518 /* Making the entry non-present turns reserved bits into ignored. */ 2519 ept_violation_at_level(level, EPT_PRESENT, 1ul << bit, OP_READ, 2520 EPT_VLT_RD | EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 2521 } 2522 2523 static void ept_reserved_bit_at_level_huge(int level, int bit) 2524 { 2525 /* Setting the bit causes a misconfig. */ 2526 ept_misconfig_at_level_mkhuge(true, level, 0, 1ul << bit); 2527 2528 /* Making the entry non-present turns reserved bits into ignored. */ 2529 ept_violation_at_level(level, EPT_PRESENT, 1ul << bit, OP_READ, 2530 EPT_VLT_RD | EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 2531 } 2532 2533 static void ept_reserved_bit_at_level(int level, int bit) 2534 { 2535 /* Setting the bit causes a misconfig. */ 2536 ept_misconfig_at_level(level, 0, 1ul << bit); 2537 2538 /* Making the entry non-present turns reserved bits into ignored. */ 2539 ept_violation_at_level(level, EPT_PRESENT, 1ul << bit, OP_READ, 2540 EPT_VLT_RD | EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 2541 } 2542 2543 static void ept_reserved_bit(int bit) 2544 { 2545 ept_reserved_bit_at_level(1, bit); 2546 ept_reserved_bit_at_level(2, bit); 2547 ept_reserved_bit_at_level(3, bit); 2548 ept_reserved_bit_at_level(4, bit); 2549 } 2550 2551 #define PAGE_2M_ORDER 9 2552 #define PAGE_1G_ORDER 18 2553 2554 static void *get_1g_page(void) 2555 { 2556 static void *alloc; 2557 2558 if (!alloc) 2559 alloc = alloc_pages(PAGE_1G_ORDER); 2560 return alloc; 2561 } 2562 2563 static void ept_access_test_teardown(void *unused) 2564 { 2565 /* Exit the guest cleanly. */ 2566 do_ept_access_op(OP_EXIT); 2567 } 2568 2569 static void ept_access_test_guest(void) 2570 { 2571 struct ept_access_test_data *data = &ept_access_test_data; 2572 int (*code)(void) = (int (*)(void)) &data->gva[1]; 2573 2574 while (true) { 2575 switch (data->op) { 2576 case OP_READ: 2577 TEST_ASSERT_EQ(*data->gva, MAGIC_VAL_1); 2578 break; 2579 case OP_WRITE: 2580 *data->gva = MAGIC_VAL_2; 2581 TEST_ASSERT_EQ(*data->gva, MAGIC_VAL_2); 2582 *data->gva = MAGIC_VAL_1; 2583 break; 2584 case OP_EXEC: 2585 TEST_ASSERT_EQ(42, code()); 2586 break; 2587 case OP_FLUSH_TLB: 2588 write_cr3(read_cr3()); 2589 break; 2590 case OP_EXIT: 2591 return; 2592 default: 2593 TEST_ASSERT_MSG(false, "Unknown op %d", data->op); 2594 } 2595 vmcall(); 2596 } 2597 } 2598 2599 static void ept_access_test_setup(void) 2600 { 2601 struct ept_access_test_data *data = &ept_access_test_data; 2602 unsigned long npages = 1ul << PAGE_1G_ORDER; 2603 unsigned long size = npages * PAGE_SIZE; 2604 unsigned long *page_table = current_page_table(); 2605 unsigned long pte; 2606 2607 if (setup_ept(false)) 2608 test_skip("EPT not supported"); 2609 2610 test_set_guest(ept_access_test_guest); 2611 test_add_teardown(ept_access_test_teardown, NULL); 2612 2613 data->hva = get_1g_page(); 2614 TEST_ASSERT(data->hva); 2615 data->hpa = virt_to_phys(data->hva); 2616 2617 data->gpa = 1ul << 40; 2618 data->gva = (void *) ALIGN((unsigned long) alloc_vpages(npages * 2), 2619 size); 2620 TEST_ASSERT(!any_present_pages(page_table, data->gva, size)); 2621 install_pages(page_table, data->gpa, size, data->gva); 2622 2623 /* 2624 * Make sure nothing's mapped here so the tests that screw with the 2625 * pml4 entry don't inadvertently break something. 2626 */ 2627 TEST_ASSERT(get_ept_pte(pml4, data->gpa, 4, &pte) && pte == 0); 2628 TEST_ASSERT(get_ept_pte(pml4, data->gpa + size - 1, 4, &pte) && pte == 0); 2629 install_ept(pml4, data->hpa, data->gpa, EPT_PRESENT); 2630 2631 data->hva[0] = MAGIC_VAL_1; 2632 memcpy(&data->hva[1], &ret42_start, &ret42_end - &ret42_start); 2633 } 2634 2635 static void ept_access_test_not_present(void) 2636 { 2637 ept_access_test_setup(); 2638 /* --- */ 2639 ept_access_violation(0, OP_READ, EPT_VLT_RD); 2640 ept_access_violation(0, OP_WRITE, EPT_VLT_WR); 2641 ept_access_violation(0, OP_EXEC, EPT_VLT_FETCH); 2642 } 2643 2644 static void ept_access_test_read_only(void) 2645 { 2646 ept_access_test_setup(); 2647 2648 /* r-- */ 2649 ept_access_allowed(EPT_RA, OP_READ); 2650 ept_access_violation(EPT_RA, OP_WRITE, EPT_VLT_WR | EPT_VLT_PERM_RD); 2651 ept_access_violation(EPT_RA, OP_EXEC, EPT_VLT_FETCH | EPT_VLT_PERM_RD); 2652 } 2653 2654 static void ept_access_test_write_only(void) 2655 { 2656 ept_access_test_setup(); 2657 /* -w- */ 2658 ept_access_misconfig(EPT_WA); 2659 } 2660 2661 static void ept_access_test_read_write(void) 2662 { 2663 ept_access_test_setup(); 2664 /* rw- */ 2665 ept_access_allowed(EPT_RA | EPT_WA, OP_READ); 2666 ept_access_allowed(EPT_RA | EPT_WA, OP_WRITE); 2667 ept_access_violation(EPT_RA | EPT_WA, OP_EXEC, 2668 EPT_VLT_FETCH | EPT_VLT_PERM_RD | EPT_VLT_PERM_WR); 2669 } 2670 2671 2672 static void ept_access_test_execute_only(void) 2673 { 2674 ept_access_test_setup(); 2675 /* --x */ 2676 if (ept_execute_only_supported()) { 2677 ept_access_violation(EPT_EA, OP_READ, 2678 EPT_VLT_RD | EPT_VLT_PERM_EX); 2679 ept_access_violation(EPT_EA, OP_WRITE, 2680 EPT_VLT_WR | EPT_VLT_PERM_EX); 2681 ept_access_allowed(EPT_EA, OP_EXEC); 2682 } else { 2683 ept_access_misconfig(EPT_EA); 2684 } 2685 } 2686 2687 static void ept_access_test_read_execute(void) 2688 { 2689 ept_access_test_setup(); 2690 /* r-x */ 2691 ept_access_allowed(EPT_RA | EPT_EA, OP_READ); 2692 ept_access_violation(EPT_RA | EPT_EA, OP_WRITE, 2693 EPT_VLT_WR | EPT_VLT_PERM_RD | EPT_VLT_PERM_EX); 2694 ept_access_allowed(EPT_RA | EPT_EA, OP_EXEC); 2695 } 2696 2697 static void ept_access_test_write_execute(void) 2698 { 2699 ept_access_test_setup(); 2700 /* -wx */ 2701 ept_access_misconfig(EPT_WA | EPT_EA); 2702 } 2703 2704 static void ept_access_test_read_write_execute(void) 2705 { 2706 ept_access_test_setup(); 2707 /* rwx */ 2708 ept_access_allowed(EPT_RA | EPT_WA | EPT_EA, OP_READ); 2709 ept_access_allowed(EPT_RA | EPT_WA | EPT_EA, OP_WRITE); 2710 ept_access_allowed(EPT_RA | EPT_WA | EPT_EA, OP_EXEC); 2711 } 2712 2713 static void ept_access_test_reserved_bits(void) 2714 { 2715 int i; 2716 int maxphyaddr; 2717 2718 ept_access_test_setup(); 2719 2720 /* Reserved bits above maxphyaddr. */ 2721 maxphyaddr = cpuid_maxphyaddr(); 2722 for (i = maxphyaddr; i <= 51; i++) { 2723 report_prefix_pushf("reserved_bit=%d", i); 2724 ept_reserved_bit(i); 2725 report_prefix_pop(); 2726 } 2727 2728 /* Level-specific reserved bits. */ 2729 ept_reserved_bit_at_level_nohuge(2, 3); 2730 ept_reserved_bit_at_level_nohuge(2, 4); 2731 ept_reserved_bit_at_level_nohuge(2, 5); 2732 ept_reserved_bit_at_level_nohuge(2, 6); 2733 /* 2M alignment. */ 2734 for (i = 12; i < 20; i++) { 2735 report_prefix_pushf("reserved_bit=%d", i); 2736 ept_reserved_bit_at_level_huge(2, i); 2737 report_prefix_pop(); 2738 } 2739 ept_reserved_bit_at_level_nohuge(3, 3); 2740 ept_reserved_bit_at_level_nohuge(3, 4); 2741 ept_reserved_bit_at_level_nohuge(3, 5); 2742 ept_reserved_bit_at_level_nohuge(3, 6); 2743 /* 1G alignment. */ 2744 for (i = 12; i < 29; i++) { 2745 report_prefix_pushf("reserved_bit=%d", i); 2746 ept_reserved_bit_at_level_huge(3, i); 2747 report_prefix_pop(); 2748 } 2749 ept_reserved_bit_at_level(4, 3); 2750 ept_reserved_bit_at_level(4, 4); 2751 ept_reserved_bit_at_level(4, 5); 2752 ept_reserved_bit_at_level(4, 6); 2753 ept_reserved_bit_at_level(4, 7); 2754 } 2755 2756 static void ept_access_test_ignored_bits(void) 2757 { 2758 ept_access_test_setup(); 2759 /* 2760 * Bits ignored at every level. Bits 8 and 9 (A and D) are ignored as 2761 * far as translation is concerned even if AD bits are enabled in the 2762 * EPTP. Bit 63 is ignored because "EPT-violation #VE" VM-execution 2763 * control is 0. 2764 */ 2765 ept_ignored_bit(8); 2766 ept_ignored_bit(9); 2767 ept_ignored_bit(10); 2768 ept_ignored_bit(11); 2769 ept_ignored_bit(52); 2770 ept_ignored_bit(53); 2771 ept_ignored_bit(54); 2772 ept_ignored_bit(55); 2773 ept_ignored_bit(56); 2774 ept_ignored_bit(57); 2775 ept_ignored_bit(58); 2776 ept_ignored_bit(59); 2777 ept_ignored_bit(60); 2778 ept_ignored_bit(61); 2779 ept_ignored_bit(62); 2780 ept_ignored_bit(63); 2781 } 2782 2783 static void ept_access_test_paddr_not_present_ad_disabled(void) 2784 { 2785 ept_access_test_setup(); 2786 ept_disable_ad_bits(); 2787 2788 ept_access_violation_paddr(0, PT_AD_MASK, OP_READ, EPT_VLT_RD); 2789 ept_access_violation_paddr(0, PT_AD_MASK, OP_WRITE, EPT_VLT_RD); 2790 ept_access_violation_paddr(0, PT_AD_MASK, OP_EXEC, EPT_VLT_RD); 2791 } 2792 2793 static void ept_access_test_paddr_not_present_ad_enabled(void) 2794 { 2795 u64 qual = EPT_VLT_RD | EPT_VLT_WR; 2796 2797 ept_access_test_setup(); 2798 ept_enable_ad_bits_or_skip_test(); 2799 2800 ept_access_violation_paddr(0, PT_AD_MASK, OP_READ, qual); 2801 ept_access_violation_paddr(0, PT_AD_MASK, OP_WRITE, qual); 2802 ept_access_violation_paddr(0, PT_AD_MASK, OP_EXEC, qual); 2803 } 2804 2805 static void ept_access_test_paddr_read_only_ad_disabled(void) 2806 { 2807 /* 2808 * When EPT AD bits are disabled, all accesses to guest paging 2809 * structures are reported separately as a read and (after 2810 * translation of the GPA to host physical address) a read+write 2811 * if the A/D bits have to be set. 2812 */ 2813 u64 qual = EPT_VLT_WR | EPT_VLT_RD | EPT_VLT_PERM_RD; 2814 2815 ept_access_test_setup(); 2816 ept_disable_ad_bits(); 2817 2818 /* Can't update A bit, so all accesses fail. */ 2819 ept_access_violation_paddr(EPT_RA, 0, OP_READ, qual); 2820 ept_access_violation_paddr(EPT_RA, 0, OP_WRITE, qual); 2821 ept_access_violation_paddr(EPT_RA, 0, OP_EXEC, qual); 2822 /* AD bits disabled, so only writes try to update the D bit. */ 2823 ept_access_allowed_paddr(EPT_RA, PT_ACCESSED_MASK, OP_READ); 2824 ept_access_violation_paddr(EPT_RA, PT_ACCESSED_MASK, OP_WRITE, qual); 2825 ept_access_allowed_paddr(EPT_RA, PT_ACCESSED_MASK, OP_EXEC); 2826 /* Both A and D already set, so read-only is OK. */ 2827 ept_access_allowed_paddr(EPT_RA, PT_AD_MASK, OP_READ); 2828 ept_access_allowed_paddr(EPT_RA, PT_AD_MASK, OP_WRITE); 2829 ept_access_allowed_paddr(EPT_RA, PT_AD_MASK, OP_EXEC); 2830 } 2831 2832 static void ept_access_test_paddr_read_only_ad_enabled(void) 2833 { 2834 /* 2835 * When EPT AD bits are enabled, all accesses to guest paging 2836 * structures are considered writes as far as EPT translation 2837 * is concerned. 2838 */ 2839 u64 qual = EPT_VLT_WR | EPT_VLT_RD | EPT_VLT_PERM_RD; 2840 2841 ept_access_test_setup(); 2842 ept_enable_ad_bits_or_skip_test(); 2843 2844 ept_access_violation_paddr(EPT_RA, 0, OP_READ, qual); 2845 ept_access_violation_paddr(EPT_RA, 0, OP_WRITE, qual); 2846 ept_access_violation_paddr(EPT_RA, 0, OP_EXEC, qual); 2847 ept_access_violation_paddr(EPT_RA, PT_ACCESSED_MASK, OP_READ, qual); 2848 ept_access_violation_paddr(EPT_RA, PT_ACCESSED_MASK, OP_WRITE, qual); 2849 ept_access_violation_paddr(EPT_RA, PT_ACCESSED_MASK, OP_EXEC, qual); 2850 ept_access_violation_paddr(EPT_RA, PT_AD_MASK, OP_READ, qual); 2851 ept_access_violation_paddr(EPT_RA, PT_AD_MASK, OP_WRITE, qual); 2852 ept_access_violation_paddr(EPT_RA, PT_AD_MASK, OP_EXEC, qual); 2853 } 2854 2855 static void ept_access_test_paddr_read_write(void) 2856 { 2857 ept_access_test_setup(); 2858 /* Read-write access to paging structure. */ 2859 ept_access_allowed_paddr(EPT_RA | EPT_WA, 0, OP_READ); 2860 ept_access_allowed_paddr(EPT_RA | EPT_WA, 0, OP_WRITE); 2861 ept_access_allowed_paddr(EPT_RA | EPT_WA, 0, OP_EXEC); 2862 } 2863 2864 static void ept_access_test_paddr_read_write_execute(void) 2865 { 2866 ept_access_test_setup(); 2867 /* RWX access to paging structure. */ 2868 ept_access_allowed_paddr(EPT_PRESENT, 0, OP_READ); 2869 ept_access_allowed_paddr(EPT_PRESENT, 0, OP_WRITE); 2870 ept_access_allowed_paddr(EPT_PRESENT, 0, OP_EXEC); 2871 } 2872 2873 static void ept_access_test_paddr_read_execute_ad_disabled(void) 2874 { 2875 /* 2876 * When EPT AD bits are disabled, all accesses to guest paging 2877 * structures are reported separately as a read and (after 2878 * translation of the GPA to host physical address) a read+write 2879 * if the A/D bits have to be set. 2880 */ 2881 u64 qual = EPT_VLT_WR | EPT_VLT_RD | EPT_VLT_PERM_RD | EPT_VLT_PERM_EX; 2882 2883 ept_access_test_setup(); 2884 ept_disable_ad_bits(); 2885 2886 /* Can't update A bit, so all accesses fail. */ 2887 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_READ, qual); 2888 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_WRITE, qual); 2889 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_EXEC, qual); 2890 /* AD bits disabled, so only writes try to update the D bit. */ 2891 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_READ); 2892 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_WRITE, qual); 2893 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_EXEC); 2894 /* Both A and D already set, so read-only is OK. */ 2895 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_READ); 2896 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_WRITE); 2897 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_EXEC); 2898 } 2899 2900 static void ept_access_test_paddr_read_execute_ad_enabled(void) 2901 { 2902 /* 2903 * When EPT AD bits are enabled, all accesses to guest paging 2904 * structures are considered writes as far as EPT translation 2905 * is concerned. 2906 */ 2907 u64 qual = EPT_VLT_WR | EPT_VLT_RD | EPT_VLT_PERM_RD | EPT_VLT_PERM_EX; 2908 2909 ept_access_test_setup(); 2910 ept_enable_ad_bits_or_skip_test(); 2911 2912 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_READ, qual); 2913 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_WRITE, qual); 2914 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_EXEC, qual); 2915 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_READ, qual); 2916 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_WRITE, qual); 2917 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_EXEC, qual); 2918 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_READ, qual); 2919 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_WRITE, qual); 2920 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_EXEC, qual); 2921 } 2922 2923 static void ept_access_test_paddr_not_present_page_fault(void) 2924 { 2925 ept_access_test_setup(); 2926 /* 2927 * TODO: test no EPT violation as long as guest PF occurs. e.g., GPA is 2928 * page is read-only in EPT but GVA is also mapped read only in PT. 2929 * Thus guest page fault before host takes EPT violation for trying to 2930 * update A bit. 2931 */ 2932 } 2933 2934 static void ept_access_test_force_2m_page(void) 2935 { 2936 ept_access_test_setup(); 2937 2938 TEST_ASSERT_EQ(ept_2m_supported(), true); 2939 ept_allowed_at_level_mkhuge(true, 2, 0, 0, OP_READ); 2940 ept_violation_at_level_mkhuge(true, 2, EPT_PRESENT, EPT_RA, OP_WRITE, 2941 EPT_VLT_WR | EPT_VLT_PERM_RD | 2942 EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 2943 ept_misconfig_at_level_mkhuge(true, 2, EPT_PRESENT, EPT_WA); 2944 } 2945 2946 static bool invvpid_valid(u64 type, u64 vpid, u64 gla) 2947 { 2948 u64 msr = rdmsr(MSR_IA32_VMX_EPT_VPID_CAP); 2949 2950 TEST_ASSERT(msr & VPID_CAP_INVVPID); 2951 2952 if (type < INVVPID_ADDR || type > INVVPID_CONTEXT_LOCAL) 2953 return false; 2954 2955 if (!(msr & (1ull << (type + VPID_CAP_INVVPID_TYPES_SHIFT)))) 2956 return false; 2957 2958 if (vpid >> 16) 2959 return false; 2960 2961 if (type != INVVPID_ALL && !vpid) 2962 return false; 2963 2964 if (type == INVVPID_ADDR && !is_canonical(gla)) 2965 return false; 2966 2967 return true; 2968 } 2969 2970 static void try_invvpid(u64 type, u64 vpid, u64 gla) 2971 { 2972 int rc; 2973 bool valid = invvpid_valid(type, vpid, gla); 2974 u64 expected = valid ? VMXERR_UNSUPPORTED_VMCS_COMPONENT 2975 : VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID; 2976 /* 2977 * Set VMX_INST_ERROR to VMXERR_UNVALID_VMCS_COMPONENT, so 2978 * that we can tell if it is updated by INVVPID. 2979 */ 2980 vmcs_read(~0); 2981 rc = invvpid(type, vpid, gla); 2982 report("INVVPID type %ld VPID %lx GLA %lx %s", 2983 !rc == valid, type, vpid, gla, 2984 valid ? "passes" : "fails"); 2985 report("After %s INVVPID, VMX_INST_ERR is %ld (actual %ld)", 2986 vmcs_read(VMX_INST_ERROR) == expected, 2987 rc ? "failed" : "successful", 2988 expected, vmcs_read(VMX_INST_ERROR)); 2989 } 2990 2991 static void ds_invvpid(void *data) 2992 { 2993 u64 msr = rdmsr(MSR_IA32_VMX_EPT_VPID_CAP); 2994 u64 type = ffs(msr >> VPID_CAP_INVVPID_TYPES_SHIFT) - 1; 2995 2996 TEST_ASSERT(type >= INVVPID_ADDR && type <= INVVPID_CONTEXT_LOCAL); 2997 asm volatile("invvpid %0, %1" 2998 : 2999 : "m"(*(struct invvpid_operand *)data), 3000 "r"(type)); 3001 } 3002 3003 /* 3004 * The SS override is ignored in 64-bit mode, so we use an addressing 3005 * mode with %rsp as the base register to generate an implicit SS 3006 * reference. 3007 */ 3008 static void ss_invvpid(void *data) 3009 { 3010 u64 msr = rdmsr(MSR_IA32_VMX_EPT_VPID_CAP); 3011 u64 type = ffs(msr >> VPID_CAP_INVVPID_TYPES_SHIFT) - 1; 3012 3013 TEST_ASSERT(type >= INVVPID_ADDR && type <= INVVPID_CONTEXT_LOCAL); 3014 asm volatile("sub %%rsp,%0; invvpid (%%rsp,%0,1), %1" 3015 : "+r"(data) 3016 : "r"(type)); 3017 } 3018 3019 static void invvpid_test_gp(void) 3020 { 3021 bool fault; 3022 3023 fault = test_for_exception(GP_VECTOR, &ds_invvpid, 3024 (void *)NONCANONICAL); 3025 report("INVVPID with non-canonical DS operand raises #GP", fault); 3026 } 3027 3028 static void invvpid_test_ss(void) 3029 { 3030 bool fault; 3031 3032 fault = test_for_exception(SS_VECTOR, &ss_invvpid, 3033 (void *)NONCANONICAL); 3034 report("INVVPID with non-canonical SS operand raises #SS", fault); 3035 } 3036 3037 static void invvpid_test_pf(void) 3038 { 3039 void *vpage = alloc_vpage(); 3040 bool fault; 3041 3042 fault = test_for_exception(PF_VECTOR, &ds_invvpid, vpage); 3043 report("INVVPID with unmapped operand raises #PF", fault); 3044 } 3045 3046 static void try_compat_invvpid(void *unused) 3047 { 3048 struct far_pointer32 fp = { 3049 .offset = (uintptr_t)&&invvpid, 3050 .selector = KERNEL_CS32, 3051 }; 3052 register uintptr_t rsp asm("rsp"); 3053 3054 TEST_ASSERT_MSG(fp.offset == (uintptr_t)&&invvpid, 3055 "Code address too high."); 3056 TEST_ASSERT_MSG(rsp == (u32)rsp, "Stack address too high."); 3057 3058 asm goto ("lcall *%0" : : "m" (fp) : "rax" : invvpid); 3059 return; 3060 invvpid: 3061 asm volatile (".code32;" 3062 "invvpid (%eax), %eax;" 3063 "lret;" 3064 ".code64"); 3065 __builtin_unreachable(); 3066 } 3067 3068 static void invvpid_test_compatibility_mode(void) 3069 { 3070 bool fault; 3071 3072 fault = test_for_exception(UD_VECTOR, &try_compat_invvpid, NULL); 3073 report("Compatibility mode INVVPID raises #UD", fault); 3074 } 3075 3076 static void invvpid_test_not_in_vmx_operation(void) 3077 { 3078 bool fault; 3079 3080 TEST_ASSERT(!vmx_off()); 3081 fault = test_for_exception(UD_VECTOR, &ds_invvpid, NULL); 3082 report("INVVPID outside of VMX operation raises #UD", fault); 3083 TEST_ASSERT(!vmx_on()); 3084 } 3085 3086 /* 3087 * This does not test real-address mode, virtual-8086 mode, protected mode, 3088 * or CPL > 0. 3089 */ 3090 static void invvpid_test_v2(void) 3091 { 3092 u64 msr; 3093 int i; 3094 unsigned types = 0; 3095 unsigned type; 3096 3097 if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY) || 3098 !(ctrl_cpu_rev[1].clr & CPU_VPID)) 3099 test_skip("VPID not supported"); 3100 3101 msr = rdmsr(MSR_IA32_VMX_EPT_VPID_CAP); 3102 3103 if (!(msr & VPID_CAP_INVVPID)) 3104 test_skip("INVVPID not supported.\n"); 3105 3106 if (msr & VPID_CAP_INVVPID_ADDR) 3107 types |= 1u << INVVPID_ADDR; 3108 if (msr & VPID_CAP_INVVPID_CXTGLB) 3109 types |= 1u << INVVPID_CONTEXT_GLOBAL; 3110 if (msr & VPID_CAP_INVVPID_ALL) 3111 types |= 1u << INVVPID_ALL; 3112 if (msr & VPID_CAP_INVVPID_CXTLOC) 3113 types |= 1u << INVVPID_CONTEXT_LOCAL; 3114 3115 if (!types) 3116 test_skip("No INVVPID types supported.\n"); 3117 3118 for (i = -127; i < 128; i++) 3119 try_invvpid(i, 0xffff, 0); 3120 3121 /* 3122 * VPID must not be more than 16 bits. 3123 */ 3124 for (i = 0; i < 64; i++) 3125 for (type = 0; type < 4; type++) 3126 if (types & (1u << type)) 3127 try_invvpid(type, 1ul << i, 0); 3128 3129 /* 3130 * VPID must not be zero, except for "all contexts." 3131 */ 3132 for (type = 0; type < 4; type++) 3133 if (types & (1u << type)) 3134 try_invvpid(type, 0, 0); 3135 3136 /* 3137 * The gla operand is only validated for single-address INVVPID. 3138 */ 3139 if (types & (1u << INVVPID_ADDR)) 3140 try_invvpid(INVVPID_ADDR, 0xffff, NONCANONICAL); 3141 3142 invvpid_test_gp(); 3143 invvpid_test_ss(); 3144 invvpid_test_pf(); 3145 invvpid_test_compatibility_mode(); 3146 invvpid_test_not_in_vmx_operation(); 3147 } 3148 3149 /* 3150 * Test for early VMLAUNCH failure. Returns true if VMLAUNCH makes it 3151 * at least as far as the guest-state checks. Returns false if the 3152 * VMLAUNCH fails early and execution falls through to the next 3153 * instruction. 3154 */ 3155 static bool vmlaunch_succeeds(void) 3156 { 3157 /* 3158 * Indirectly set VMX_INST_ERR to 12 ("VMREAD/VMWRITE from/to 3159 * unsupported VMCS component"). The caller can then check 3160 * to see if a failed VM-entry sets VMX_INST_ERR as expected. 3161 */ 3162 vmcs_write(~0u, 0); 3163 3164 vmcs_write(HOST_RIP, (uintptr_t)&&success); 3165 __asm__ __volatile__ goto ("vmwrite %%rsp, %0; vmlaunch" 3166 : 3167 : "r" ((u64)HOST_RSP) 3168 : "cc", "memory" 3169 : success); 3170 return false; 3171 success: 3172 TEST_ASSERT(vmcs_read(EXI_REASON) == 3173 (VMX_FAIL_STATE | VMX_ENTRY_FAILURE)); 3174 return true; 3175 } 3176 3177 /* 3178 * Try to launch the current VMCS. 3179 */ 3180 static void test_vmx_controls(bool controls_valid) 3181 { 3182 bool success = vmlaunch_succeeds(); 3183 u32 vmx_inst_err; 3184 3185 report("vmlaunch %s", success == controls_valid, 3186 controls_valid ? "succeeds" : "fails"); 3187 if (!controls_valid) { 3188 vmx_inst_err = vmcs_read(VMX_INST_ERROR); 3189 report("VMX inst error is %d (actual %d)", 3190 vmx_inst_err == VMXERR_ENTRY_INVALID_CONTROL_FIELD, 3191 VMXERR_ENTRY_INVALID_CONTROL_FIELD, vmx_inst_err); 3192 } 3193 } 3194 3195 /* 3196 * Test a particular value of a VM-execution control bit, if the value 3197 * is required or if the value is zero. 3198 */ 3199 static void test_rsvd_ctl_bit_value(const char *name, union vmx_ctrl_msr msr, 3200 enum Encoding encoding, unsigned bit, 3201 unsigned val) 3202 { 3203 u32 mask = 1u << bit; 3204 bool expected; 3205 u32 controls; 3206 3207 if (msr.set & mask) 3208 TEST_ASSERT(msr.clr & mask); 3209 3210 /* 3211 * We can't arbitrarily turn on a control bit, because it may 3212 * introduce dependencies on other VMCS fields. So, we only 3213 * test turning on bits that have a required setting. 3214 */ 3215 if (val && (msr.clr & mask) && !(msr.set & mask)) 3216 return; 3217 3218 report_prefix_pushf("%s %s bit %d", 3219 val ? "Set" : "Clear", name, bit); 3220 3221 controls = vmcs_read(encoding); 3222 if (val) { 3223 vmcs_write(encoding, msr.set | mask); 3224 expected = (msr.clr & mask); 3225 } else { 3226 vmcs_write(encoding, msr.set & ~mask); 3227 expected = !(msr.set & mask); 3228 } 3229 test_vmx_controls(expected); 3230 vmcs_write(encoding, controls); 3231 report_prefix_pop(); 3232 } 3233 3234 /* 3235 * Test reserved values of a VM-execution control bit, based on the 3236 * allowed bit settings from the corresponding VMX capability MSR. 3237 */ 3238 static void test_rsvd_ctl_bit(const char *name, union vmx_ctrl_msr msr, 3239 enum Encoding encoding, unsigned bit) 3240 { 3241 test_rsvd_ctl_bit_value(name, msr, encoding, bit, 0); 3242 test_rsvd_ctl_bit_value(name, msr, encoding, bit, 1); 3243 } 3244 3245 /* 3246 * Reserved bits in the pin-based VM-execution controls must be set 3247 * properly. Software may consult the VMX capability MSRs to determine 3248 * the proper settings. 3249 * [Intel SDM] 3250 */ 3251 static void test_pin_based_ctls(void) 3252 { 3253 unsigned bit; 3254 3255 printf("%s: %lx\n", basic.ctrl ? "MSR_IA32_VMX_TRUE_PIN" : 3256 "MSR_IA32_VMX_PINBASED_CTLS", ctrl_pin_rev.val); 3257 for (bit = 0; bit < 32; bit++) 3258 test_rsvd_ctl_bit("pin-based controls", 3259 ctrl_pin_rev, PIN_CONTROLS, bit); 3260 } 3261 3262 /* 3263 * Test a particular address setting for a physical page reference in 3264 * the VMCS. 3265 */ 3266 static void test_vmcs_page_addr(const char *name, 3267 enum Encoding encoding, 3268 bool ignored, 3269 u64 addr) 3270 { 3271 report_prefix_pushf("%s = %lx", name, addr); 3272 vmcs_write(encoding, addr); 3273 test_vmx_controls(ignored || (IS_ALIGNED(addr, PAGE_SIZE) && 3274 addr < (1ul << cpuid_maxphyaddr()))); 3275 report_prefix_pop(); 3276 } 3277 3278 /* 3279 * Test interesting values for a physical page reference in the VMCS. 3280 */ 3281 static void test_vmcs_page_values(const char *name, 3282 enum Encoding encoding, 3283 bool ignored) 3284 { 3285 unsigned i; 3286 u64 orig_val = vmcs_read(encoding); 3287 3288 for (i = 0; i < 64; i++) 3289 test_vmcs_page_addr(name, encoding, ignored, 1ul << i); 3290 3291 test_vmcs_page_addr(name, encoding, ignored, PAGE_SIZE - 1); 3292 test_vmcs_page_addr(name, encoding, ignored, PAGE_SIZE); 3293 test_vmcs_page_addr(name, encoding, ignored, 3294 (1ul << cpuid_maxphyaddr()) - PAGE_SIZE); 3295 test_vmcs_page_addr(name, encoding, ignored, -1ul); 3296 3297 vmcs_write(encoding, orig_val); 3298 } 3299 3300 /* 3301 * Test a physical page reference in the VMCS, when the corresponding 3302 * feature is enabled and when the corresponding feature is disabled. 3303 */ 3304 static void test_vmcs_page_reference(u32 control_bit, enum Encoding field, 3305 const char *field_name, 3306 const char *control_name) 3307 { 3308 u32 primary = vmcs_read(CPU_EXEC_CTRL0); 3309 u64 page_addr; 3310 3311 if (!(ctrl_cpu_rev[0].clr & control_bit)) 3312 return; 3313 3314 page_addr = vmcs_read(field); 3315 3316 report_prefix_pushf("%s enabled", control_name); 3317 vmcs_write(CPU_EXEC_CTRL0, primary | control_bit); 3318 test_vmcs_page_values(field_name, field, false); 3319 report_prefix_pop(); 3320 3321 report_prefix_pushf("%s disabled", control_name); 3322 vmcs_write(CPU_EXEC_CTRL0, primary & ~control_bit); 3323 test_vmcs_page_values(field_name, field, true); 3324 report_prefix_pop(); 3325 3326 vmcs_write(field, page_addr); 3327 vmcs_write(CPU_EXEC_CTRL0, primary); 3328 } 3329 3330 /* 3331 * If the "use I/O bitmaps" VM-execution control is 1, bits 11:0 of 3332 * each I/O-bitmap address must be 0. Neither address should set any 3333 * bits beyond the processor's physical-address width. 3334 * [Intel SDM] 3335 */ 3336 static void test_io_bitmaps(void) 3337 { 3338 test_vmcs_page_reference(CPU_IO_BITMAP, IO_BITMAP_A, 3339 "I/O bitmap A", "Use I/O bitmaps"); 3340 test_vmcs_page_reference(CPU_IO_BITMAP, IO_BITMAP_B, 3341 "I/O bitmap B", "Use I/O bitmaps"); 3342 } 3343 3344 /* 3345 * If the "use MSR bitmaps" VM-execution control is 1, bits 11:0 of 3346 * the MSR-bitmap address must be 0. The address should not set any 3347 * bits beyond the processor's physical-address width. 3348 * [Intel SDM] 3349 */ 3350 static void test_msr_bitmap(void) 3351 { 3352 test_vmcs_page_reference(CPU_MSR_BITMAP, MSR_BITMAP, 3353 "MSR bitmap", "Use MSR bitmaps"); 3354 } 3355 3356 static void vmx_controls_test(void) 3357 { 3358 /* 3359 * Bit 1 of the guest's RFLAGS must be 1, or VM-entry will 3360 * fail due to invalid guest state, should we make it that 3361 * far. 3362 */ 3363 vmcs_write(GUEST_RFLAGS, 0); 3364 3365 test_pin_based_ctls(); 3366 test_io_bitmaps(); 3367 test_msr_bitmap(); 3368 } 3369 3370 static bool valid_vmcs_for_vmentry(void) 3371 { 3372 struct vmcs *current_vmcs = NULL; 3373 3374 if (vmcs_save(¤t_vmcs)) 3375 return false; 3376 3377 return current_vmcs && !(current_vmcs->revision_id >> 31); 3378 } 3379 3380 static void try_vmentry_in_movss_shadow(void) 3381 { 3382 u32 vm_inst_err; 3383 u32 flags; 3384 bool early_failure = false; 3385 u32 expected_flags = X86_EFLAGS_FIXED; 3386 bool valid_vmcs = valid_vmcs_for_vmentry(); 3387 3388 expected_flags |= valid_vmcs ? X86_EFLAGS_ZF : X86_EFLAGS_CF; 3389 3390 /* 3391 * Indirectly set VM_INST_ERR to 12 ("VMREAD/VMWRITE from/to 3392 * unsupported VMCS component"). 3393 */ 3394 vmcs_write(~0u, 0); 3395 3396 __asm__ __volatile__ ("mov %[host_rsp], %%edx;" 3397 "vmwrite %%rsp, %%rdx;" 3398 "mov 0f, %%rax;" 3399 "mov %[host_rip], %%edx;" 3400 "vmwrite %%rax, %%rdx;" 3401 "mov $-1, %%ah;" 3402 "sahf;" 3403 "mov %%ss, %%ax;" 3404 "mov %%ax, %%ss;" 3405 "vmlaunch;" 3406 "mov $1, %[early_failure];" 3407 "0: lahf;" 3408 "movzbl %%ah, %[flags]" 3409 : [early_failure] "+r" (early_failure), 3410 [flags] "=&a" (flags) 3411 : [host_rsp] "i" (HOST_RSP), 3412 [host_rip] "i" (HOST_RIP) 3413 : "rdx", "cc", "memory"); 3414 vm_inst_err = vmcs_read(VMX_INST_ERROR); 3415 3416 report("Early VM-entry failure", early_failure); 3417 report("RFLAGS[8:0] is %x (actual %x)", flags == expected_flags, 3418 expected_flags, flags); 3419 if (valid_vmcs) 3420 report("VM-instruction error is %d (actual %d)", 3421 vm_inst_err == VMXERR_ENTRY_EVENTS_BLOCKED_BY_MOV_SS, 3422 VMXERR_ENTRY_EVENTS_BLOCKED_BY_MOV_SS, vm_inst_err); 3423 } 3424 3425 static void vmentry_movss_shadow_test(void) 3426 { 3427 struct vmcs *orig_vmcs; 3428 3429 TEST_ASSERT(!vmcs_save(&orig_vmcs)); 3430 3431 /* 3432 * Set the launched flag on the current VMCS to verify the correct 3433 * error priority, below. 3434 */ 3435 test_set_guest(v2_null_test_guest); 3436 enter_guest(); 3437 3438 /* 3439 * With bit 1 of the guest's RFLAGS clear, VM-entry should 3440 * fail due to invalid guest state (if we make it that far). 3441 */ 3442 vmcs_write(GUEST_RFLAGS, 0); 3443 3444 /* 3445 * "VM entry with events blocked by MOV SS" takes precedence over 3446 * "VMLAUNCH with non-clear VMCS." 3447 */ 3448 report_prefix_push("valid current-VMCS"); 3449 try_vmentry_in_movss_shadow(); 3450 report_prefix_pop(); 3451 3452 /* 3453 * VMfailInvalid takes precedence over "VM entry with events 3454 * blocked by MOV SS." 3455 */ 3456 TEST_ASSERT(!vmcs_clear(orig_vmcs)); 3457 report_prefix_push("no current-VMCS"); 3458 try_vmentry_in_movss_shadow(); 3459 report_prefix_pop(); 3460 3461 TEST_ASSERT(!make_vmcs_current(orig_vmcs)); 3462 vmcs_write(GUEST_RFLAGS, X86_EFLAGS_FIXED); 3463 } 3464 3465 #define TEST(name) { #name, .v2 = name } 3466 3467 /* name/init/guest_main/exit_handler/syscall_handler/guest_regs */ 3468 struct vmx_test vmx_tests[] = { 3469 { "null", NULL, basic_guest_main, basic_exit_handler, NULL, {0} }, 3470 { "vmenter", NULL, vmenter_main, vmenter_exit_handler, NULL, {0} }, 3471 { "preemption timer", preemption_timer_init, preemption_timer_main, 3472 preemption_timer_exit_handler, NULL, {0} }, 3473 { "control field PAT", test_ctrl_pat_init, test_ctrl_pat_main, 3474 test_ctrl_pat_exit_handler, NULL, {0} }, 3475 { "control field EFER", test_ctrl_efer_init, test_ctrl_efer_main, 3476 test_ctrl_efer_exit_handler, NULL, {0} }, 3477 { "CR shadowing", NULL, cr_shadowing_main, 3478 cr_shadowing_exit_handler, NULL, {0} }, 3479 { "I/O bitmap", iobmp_init, iobmp_main, iobmp_exit_handler, 3480 NULL, {0} }, 3481 { "instruction intercept", insn_intercept_init, insn_intercept_main, 3482 insn_intercept_exit_handler, NULL, {0} }, 3483 { "EPT A/D disabled", ept_init, ept_main, ept_exit_handler, NULL, {0} }, 3484 { "EPT A/D enabled", eptad_init, eptad_main, eptad_exit_handler, NULL, {0} }, 3485 { "PML", pml_init, pml_main, pml_exit_handler, NULL, {0} }, 3486 { "VPID", vpid_init, vpid_main, vpid_exit_handler, NULL, {0} }, 3487 { "interrupt", interrupt_init, interrupt_main, 3488 interrupt_exit_handler, NULL, {0} }, 3489 { "debug controls", dbgctls_init, dbgctls_main, dbgctls_exit_handler, 3490 NULL, {0} }, 3491 { "MSR switch", msr_switch_init, msr_switch_main, 3492 msr_switch_exit_handler, NULL, {0}, msr_switch_entry_failure }, 3493 { "vmmcall", vmmcall_init, vmmcall_main, vmmcall_exit_handler, NULL, {0} }, 3494 { "disable RDTSCP", disable_rdtscp_init, disable_rdtscp_main, 3495 disable_rdtscp_exit_handler, NULL, {0} }, 3496 { "int3", int3_init, int3_guest_main, int3_exit_handler, NULL, {0} }, 3497 { "into", into_init, into_guest_main, into_exit_handler, NULL, {0} }, 3498 { "exit_monitor_from_l2_test", NULL, exit_monitor_from_l2_main, 3499 exit_monitor_from_l2_handler, NULL, {0} }, 3500 /* Basic V2 tests. */ 3501 TEST(v2_null_test), 3502 TEST(v2_multiple_entries_test), 3503 TEST(fixture_test_case1), 3504 TEST(fixture_test_case2), 3505 /* EPT access tests. */ 3506 TEST(ept_access_test_not_present), 3507 TEST(ept_access_test_read_only), 3508 TEST(ept_access_test_write_only), 3509 TEST(ept_access_test_read_write), 3510 TEST(ept_access_test_execute_only), 3511 TEST(ept_access_test_read_execute), 3512 TEST(ept_access_test_write_execute), 3513 TEST(ept_access_test_read_write_execute), 3514 TEST(ept_access_test_reserved_bits), 3515 TEST(ept_access_test_ignored_bits), 3516 TEST(ept_access_test_paddr_not_present_ad_disabled), 3517 TEST(ept_access_test_paddr_not_present_ad_enabled), 3518 TEST(ept_access_test_paddr_read_only_ad_disabled), 3519 TEST(ept_access_test_paddr_read_only_ad_enabled), 3520 TEST(ept_access_test_paddr_read_write), 3521 TEST(ept_access_test_paddr_read_write_execute), 3522 TEST(ept_access_test_paddr_read_execute_ad_disabled), 3523 TEST(ept_access_test_paddr_read_execute_ad_enabled), 3524 TEST(ept_access_test_paddr_not_present_page_fault), 3525 TEST(ept_access_test_force_2m_page), 3526 /* Opcode tests. */ 3527 TEST(invvpid_test_v2), 3528 /* VM-entry tests */ 3529 TEST(vmx_controls_test), 3530 TEST(vmentry_movss_shadow_test), 3531 { NULL, NULL, NULL, NULL, NULL, {0} }, 3532 }; 3533