/*
 * All test cases of nested virtualization should be in this file
 *
 * Author : Arthur Chunqi Li <yzt356@gmail.com>
 */
#include "vmx.h"
#include "msr.h"
#include "processor.h"
#include "vm.h"
#include "pci.h"
#include "fwcfg.h"
#include "isr.h"
#include "desc.h"
#include "apic.h"
#include "types.h"
#include "vmalloc.h"
#include "alloc_page.h"
#include "smp.h"
#include "delay.h"

#define NONCANONICAL 0xaaaaaaaaaaaaaaaaull

#define VPID_CAP_INVVPID_TYPES_SHIFT 40

u64 ia32_pat;
u64 ia32_efer;
void *io_bitmap_a, *io_bitmap_b;
u16 ioport;

unsigned long *pml4;
u64 eptp;
void *data_page1, *data_page2;

phys_addr_t pci_physaddr;

void *pml_log;
#define PML_INDEX 512

static inline unsigned ffs(unsigned x)
{
	int pos = -1;

	__asm__ __volatile__("bsf %1, %%eax; cmovnz %%eax, %0"
			     : "+r"(pos) : "rm"(x) : "eax");
	return pos + 1;
}

static inline void vmcall(void)
{
	asm volatile("vmcall");
}

static void basic_guest_main(void)
{
	report("Basic VMX test", 1);
}

static int basic_exit_handler(void)
{
	report("Basic VMX test", 0);
	print_vmexit_info();
	return VMX_TEST_EXIT;
}

static void vmenter_main(void)
{
	u64 rax;
	u64 rsp, resume_rsp;

	report("test vmlaunch", 1);

	asm volatile(
		"mov %%rsp, %0\n\t"
		"mov %3, %%rax\n\t"
		"vmcall\n\t"
		"mov %%rax, %1\n\t"
		"mov %%rsp, %2\n\t"
		: "=r"(rsp), "=r"(rax), "=r"(resume_rsp)
		: "g"(0xABCD));
	report("test vmresume", (rax == 0xFFFF) && (rsp == resume_rsp));
}

static int vmenter_exit_handler(void)
{
	u64 guest_rip;
	ulong reason;

	guest_rip = vmcs_read(GUEST_RIP);
	reason = vmcs_read(EXI_REASON) & 0xff;
	switch (reason) {
	case VMX_VMCALL:
		if (regs.rax != 0xABCD) {
			report("test vmresume", 0);
			return VMX_TEST_VMEXIT;
		}
		regs.rax = 0xFFFF;
		vmcs_write(GUEST_RIP, guest_rip + 3);
		return VMX_TEST_RESUME;
	default:
		report("test vmresume", 0);
		print_vmexit_info();
	}
	return VMX_TEST_VMEXIT;
}

u32 preempt_scale;
volatile unsigned long long tsc_val;
volatile u32 preempt_val;
u64 saved_rip;

static int preemption_timer_init(struct vmcs *vmcs)
{
	if (!(ctrl_pin_rev.clr & PIN_PREEMPT)) {
		printf("\tPreemption timer is not supported\n");
		return VMX_TEST_EXIT;
	}
	vmcs_write(PIN_CONTROLS, vmcs_read(PIN_CONTROLS) | PIN_PREEMPT);
	preempt_val = 10000000;
	vmcs_write(PREEMPT_TIMER_VALUE, preempt_val);
	preempt_scale = rdmsr(MSR_IA32_VMX_MISC) & 0x1F;

	if (!(ctrl_exit_rev.clr & EXI_SAVE_PREEMPT))
		printf("\tSave preemption value is not supported\n");

	return VMX_TEST_START;
}

static void preemption_timer_main(void)
{
	tsc_val = rdtsc();
	if (ctrl_exit_rev.clr & EXI_SAVE_PREEMPT) {
		vmx_set_test_stage(0);
		vmcall();
		if (vmx_get_test_stage() == 1)
			vmcall();
	}
	vmx_set_test_stage(1);
	while (vmx_get_test_stage() == 1) {
		if (((rdtsc() - tsc_val) >> preempt_scale)
		    > 10 * preempt_val) {
			vmx_set_test_stage(2);
			vmcall();
		}
	}
	tsc_val = rdtsc();
	asm volatile ("hlt");
	vmcall();
	vmx_set_test_stage(5);
	vmcall();
}

static int preemption_timer_exit_handler(void)
{
	bool guest_halted;
	u64 guest_rip;
	ulong reason;
	u32 insn_len;
	u32 ctrl_exit;

	guest_rip = vmcs_read(GUEST_RIP);
	reason = vmcs_read(EXI_REASON) & 0xff;
	insn_len = vmcs_read(EXI_INST_LEN);
	switch (reason) {
	case VMX_PREEMPT:
		switch (vmx_get_test_stage()) {
		case 1:
		case 2:
			report("busy-wait for preemption timer",
			       ((rdtsc() - tsc_val) >> preempt_scale) >=
			       preempt_val);
			vmx_set_test_stage(3);
			vmcs_write(PREEMPT_TIMER_VALUE, preempt_val);
			return VMX_TEST_RESUME;
		case 3:
			guest_halted =
				(vmcs_read(GUEST_ACTV_STATE) == ACTV_HLT);
			report("preemption timer during hlt",
			       ((rdtsc() - tsc_val) >> preempt_scale) >=
			       preempt_val && guest_halted);
			vmx_set_test_stage(4);
			vmcs_write(PIN_CONTROLS,
				   vmcs_read(PIN_CONTROLS) & ~PIN_PREEMPT);
			vmcs_write(GUEST_ACTV_STATE, ACTV_ACTIVE);
			return VMX_TEST_RESUME;
		case 4:
			report("preemption timer with 0 value",
			       saved_rip == guest_rip);
			break;
		default:
			report("Invalid stage.", false);
			print_vmexit_info();
			break;
		}
		break;
	case VMX_VMCALL:
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		switch (vmx_get_test_stage()) {
		case 0:
			report("Keep preemption value",
			       vmcs_read(PREEMPT_TIMER_VALUE) == preempt_val);
			vmx_set_test_stage(1);
			vmcs_write(PREEMPT_TIMER_VALUE, preempt_val);
			ctrl_exit = (vmcs_read(EXI_CONTROLS) |
				     EXI_SAVE_PREEMPT) & ctrl_exit_rev.clr;
			vmcs_write(EXI_CONTROLS, ctrl_exit);
			return VMX_TEST_RESUME;
		case 1:
			report("Save preemption value",
			       vmcs_read(PREEMPT_TIMER_VALUE) < preempt_val);
			return VMX_TEST_RESUME;
		case 2:
			report("busy-wait for preemption timer", 0);
			vmx_set_test_stage(3);
			vmcs_write(PREEMPT_TIMER_VALUE, preempt_val);
			return VMX_TEST_RESUME;
		case 3:
			report("preemption timer during hlt", 0);
			vmx_set_test_stage(4);
			/* fall through */
		case 4:
			vmcs_write(PIN_CONTROLS,
				   vmcs_read(PIN_CONTROLS) | PIN_PREEMPT);
			vmcs_write(PREEMPT_TIMER_VALUE, 0);
			saved_rip = guest_rip + insn_len;
			return VMX_TEST_RESUME;
		case 5:
			report("preemption timer with 0 value (vmcall stage 5)", 0);
			break;
		default:
			// Should not reach here
			report("unexpected stage, %d", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		break;
	default:
		report("Unknown exit reason, %ld", false, reason);
		print_vmexit_info();
	}
	vmcs_write(PIN_CONTROLS, vmcs_read(PIN_CONTROLS) & ~PIN_PREEMPT);
	return VMX_TEST_VMEXIT;
}

static void msr_bmp_init(void)
{
	void *msr_bitmap;
	u32 ctrl_cpu0;

	msr_bitmap = alloc_page();
	memset(msr_bitmap, 0x0, PAGE_SIZE);
	ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0);
	ctrl_cpu0 |= CPU_MSR_BITMAP;
	vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0);
	vmcs_write(MSR_BITMAP, (u64)msr_bitmap);
}

static void *get_msr_bitmap(void)
{
	void *msr_bitmap;

	if (vmcs_read(CPU_EXEC_CTRL0) & CPU_MSR_BITMAP) {
		msr_bitmap = (void *)vmcs_read(MSR_BITMAP);
	} else {
		msr_bitmap = alloc_page();
		memset(msr_bitmap, 0xff, PAGE_SIZE);
		vmcs_write(MSR_BITMAP, (u64)msr_bitmap);
		vmcs_set_bits(CPU_EXEC_CTRL0, CPU_MSR_BITMAP);
	}

	return msr_bitmap;
}

static void disable_intercept_for_x2apic_msrs(void)
{
	unsigned long *msr_bitmap = (unsigned long *)get_msr_bitmap();
	u32 msr;

	for (msr = APIC_BASE_MSR;
	     msr < (APIC_BASE_MSR+0xff);
	     msr += BITS_PER_LONG) {
		unsigned int word = msr / BITS_PER_LONG;

		msr_bitmap[word] = 0;
		msr_bitmap[word + (0x800 / sizeof(long))] = 0;
	}
}

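/*
 * Added descriptive comment: the following test exercises the VM-entry/
 * VM-exit controls for loading and saving IA32_PAT (ENT_LOAD_PAT,
 * EXI_SAVE_PAT, EXI_LOAD_PAT).
 */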
static int test_ctrl_pat_init(struct vmcs *vmcs)
{
	u64 ctrl_ent;
	u64 ctrl_exi;

	msr_bmp_init();
	if (!(ctrl_exit_rev.clr & EXI_SAVE_PAT) &&
	    !(ctrl_exit_rev.clr & EXI_LOAD_PAT) &&
	    !(ctrl_enter_rev.clr & ENT_LOAD_PAT)) {
		printf("\tSave/load PAT is not supported\n");
		return 1;
	}

	ctrl_ent = vmcs_read(ENT_CONTROLS);
	ctrl_exi = vmcs_read(EXI_CONTROLS);
	ctrl_ent |= ctrl_enter_rev.clr & ENT_LOAD_PAT;
	ctrl_exi |= ctrl_exit_rev.clr & (EXI_SAVE_PAT | EXI_LOAD_PAT);
	vmcs_write(ENT_CONTROLS, ctrl_ent);
	vmcs_write(EXI_CONTROLS, ctrl_exi);
	ia32_pat = rdmsr(MSR_IA32_CR_PAT);
	vmcs_write(GUEST_PAT, 0x0);
	vmcs_write(HOST_PAT, ia32_pat);
	return VMX_TEST_START;
}

static void test_ctrl_pat_main(void)
{
	u64 guest_ia32_pat;

	guest_ia32_pat = rdmsr(MSR_IA32_CR_PAT);
	if (!(ctrl_enter_rev.clr & ENT_LOAD_PAT))
		printf("\tENT_LOAD_PAT is not supported.\n");
	else {
		if (guest_ia32_pat != 0) {
			report("Entry load PAT", 0);
			return;
		}
	}
	wrmsr(MSR_IA32_CR_PAT, 0x6);
	vmcall();
	guest_ia32_pat = rdmsr(MSR_IA32_CR_PAT);
	if (ctrl_enter_rev.clr & ENT_LOAD_PAT)
		report("Entry load PAT", guest_ia32_pat == ia32_pat);
}

static int test_ctrl_pat_exit_handler(void)
{
	u64 guest_rip;
	ulong reason;
	u64 guest_pat;

	guest_rip = vmcs_read(GUEST_RIP);
	reason = vmcs_read(EXI_REASON) & 0xff;
	switch (reason) {
	case VMX_VMCALL:
		guest_pat = vmcs_read(GUEST_PAT);
		if (!(ctrl_exit_rev.clr & EXI_SAVE_PAT)) {
			printf("\tEXI_SAVE_PAT is not supported\n");
			vmcs_write(GUEST_PAT, 0x6);
		} else {
			report("Exit save PAT", guest_pat == 0x6);
		}
		if (!(ctrl_exit_rev.clr & EXI_LOAD_PAT))
			printf("\tEXI_LOAD_PAT is not supported\n");
		else
			report("Exit load PAT", rdmsr(MSR_IA32_CR_PAT) == ia32_pat);
		vmcs_write(GUEST_PAT, ia32_pat);
		vmcs_write(GUEST_RIP, guest_rip + 3);
		return VMX_TEST_RESUME;
	default:
		printf("ERROR : Undefined exit reason, reason = %ld.\n", reason);
		break;
	}
	return VMX_TEST_VMEXIT;
}

static int test_ctrl_efer_init(struct vmcs *vmcs)
{
	u64 ctrl_ent;
	u64 ctrl_exi;

	msr_bmp_init();
	ctrl_ent = vmcs_read(ENT_CONTROLS) | ENT_LOAD_EFER;
	ctrl_exi = vmcs_read(EXI_CONTROLS) | EXI_SAVE_EFER | EXI_LOAD_EFER;
	vmcs_write(ENT_CONTROLS, ctrl_ent & ctrl_enter_rev.clr);
	vmcs_write(EXI_CONTROLS, ctrl_exi & ctrl_exit_rev.clr);
	ia32_efer = rdmsr(MSR_EFER);
	vmcs_write(GUEST_EFER, ia32_efer ^ EFER_NX);
	vmcs_write(HOST_EFER, ia32_efer ^ EFER_NX);
	return VMX_TEST_START;
}

static void test_ctrl_efer_main(void)
{
	u64 guest_ia32_efer;

	guest_ia32_efer = rdmsr(MSR_EFER);
	if (!(ctrl_enter_rev.clr & ENT_LOAD_EFER))
		printf("\tENT_LOAD_EFER is not supported.\n");
	else {
		if (guest_ia32_efer != (ia32_efer ^ EFER_NX)) {
			report("Entry load EFER", 0);
			return;
		}
	}
	wrmsr(MSR_EFER, ia32_efer);
	vmcall();
	guest_ia32_efer = rdmsr(MSR_EFER);
	if (ctrl_enter_rev.clr & ENT_LOAD_EFER)
		report("Entry load EFER", guest_ia32_efer == ia32_efer);
}

static int test_ctrl_efer_exit_handler(void)
{
	u64 guest_rip;
	ulong reason;
	u64 guest_efer;

	guest_rip = vmcs_read(GUEST_RIP);
	reason = vmcs_read(EXI_REASON) & 0xff;
	switch (reason) {
	case VMX_VMCALL:
		guest_efer = vmcs_read(GUEST_EFER);
		if (!(ctrl_exit_rev.clr & EXI_SAVE_EFER)) {
printf("\tEXI_SAVE_EFER is not supported\n"); 414 vmcs_write(GUEST_EFER, ia32_efer); 415 } else { 416 report("Exit save EFER", guest_efer == ia32_efer); 417 } 418 if (!(ctrl_exit_rev.clr & EXI_LOAD_EFER)) { 419 printf("\tEXI_LOAD_EFER is not supported\n"); 420 wrmsr(MSR_EFER, ia32_efer ^ EFER_NX); 421 } else { 422 report("Exit load EFER", rdmsr(MSR_EFER) == (ia32_efer ^ EFER_NX)); 423 } 424 vmcs_write(GUEST_PAT, ia32_efer); 425 vmcs_write(GUEST_RIP, guest_rip + 3); 426 return VMX_TEST_RESUME; 427 default: 428 printf("ERROR : Undefined exit reason, reason = %ld.\n", reason); 429 break; 430 } 431 return VMX_TEST_VMEXIT; 432 } 433 434 u32 guest_cr0, guest_cr4; 435 436 static void cr_shadowing_main(void) 437 { 438 u32 cr0, cr4, tmp; 439 440 // Test read through 441 vmx_set_test_stage(0); 442 guest_cr0 = read_cr0(); 443 if (vmx_get_test_stage() == 1) 444 report("Read through CR0", 0); 445 else 446 vmcall(); 447 vmx_set_test_stage(1); 448 guest_cr4 = read_cr4(); 449 if (vmx_get_test_stage() == 2) 450 report("Read through CR4", 0); 451 else 452 vmcall(); 453 // Test write through 454 guest_cr0 = guest_cr0 ^ (X86_CR0_TS | X86_CR0_MP); 455 guest_cr4 = guest_cr4 ^ (X86_CR4_TSD | X86_CR4_DE); 456 vmx_set_test_stage(2); 457 write_cr0(guest_cr0); 458 if (vmx_get_test_stage() == 3) 459 report("Write throuth CR0", 0); 460 else 461 vmcall(); 462 vmx_set_test_stage(3); 463 write_cr4(guest_cr4); 464 if (vmx_get_test_stage() == 4) 465 report("Write through CR4", 0); 466 else 467 vmcall(); 468 // Test read shadow 469 vmx_set_test_stage(4); 470 vmcall(); 471 cr0 = read_cr0(); 472 if (vmx_get_test_stage() != 5) 473 report("Read shadowing CR0", cr0 == guest_cr0); 474 vmx_set_test_stage(5); 475 cr4 = read_cr4(); 476 if (vmx_get_test_stage() != 6) 477 report("Read shadowing CR4", cr4 == guest_cr4); 478 // Test write shadow (same value with shadow) 479 vmx_set_test_stage(6); 480 write_cr0(guest_cr0); 481 if (vmx_get_test_stage() == 7) 482 report("Write shadowing CR0 (same value with shadow)", 0); 483 else 484 vmcall(); 485 vmx_set_test_stage(7); 486 write_cr4(guest_cr4); 487 if (vmx_get_test_stage() == 8) 488 report("Write shadowing CR4 (same value with shadow)", 0); 489 else 490 vmcall(); 491 // Test write shadow (different value) 492 vmx_set_test_stage(8); 493 tmp = guest_cr0 ^ X86_CR0_TS; 494 asm volatile("mov %0, %%rsi\n\t" 495 "mov %%rsi, %%cr0\n\t" 496 ::"m"(tmp) 497 :"rsi", "memory", "cc"); 498 report("Write shadowing different X86_CR0_TS", vmx_get_test_stage() == 9); 499 vmx_set_test_stage(9); 500 tmp = guest_cr0 ^ X86_CR0_MP; 501 asm volatile("mov %0, %%rsi\n\t" 502 "mov %%rsi, %%cr0\n\t" 503 ::"m"(tmp) 504 :"rsi", "memory", "cc"); 505 report("Write shadowing different X86_CR0_MP", vmx_get_test_stage() == 10); 506 vmx_set_test_stage(10); 507 tmp = guest_cr4 ^ X86_CR4_TSD; 508 asm volatile("mov %0, %%rsi\n\t" 509 "mov %%rsi, %%cr4\n\t" 510 ::"m"(tmp) 511 :"rsi", "memory", "cc"); 512 report("Write shadowing different X86_CR4_TSD", vmx_get_test_stage() == 11); 513 vmx_set_test_stage(11); 514 tmp = guest_cr4 ^ X86_CR4_DE; 515 asm volatile("mov %0, %%rsi\n\t" 516 "mov %%rsi, %%cr4\n\t" 517 ::"m"(tmp) 518 :"rsi", "memory", "cc"); 519 report("Write shadowing different X86_CR4_DE", vmx_get_test_stage() == 12); 520 } 521 522 static int cr_shadowing_exit_handler(void) 523 { 524 u64 guest_rip; 525 ulong reason; 526 u32 insn_len; 527 u32 exit_qual; 528 529 guest_rip = vmcs_read(GUEST_RIP); 530 reason = vmcs_read(EXI_REASON) & 0xff; 531 insn_len = vmcs_read(EXI_INST_LEN); 532 exit_qual = vmcs_read(EXI_QUALIFICATION); 
	switch (reason) {
	case VMX_VMCALL:
		switch (vmx_get_test_stage()) {
		case 0:
			report("Read through CR0", guest_cr0 == vmcs_read(GUEST_CR0));
			break;
		case 1:
			report("Read through CR4", guest_cr4 == vmcs_read(GUEST_CR4));
			break;
		case 2:
			report("Write through CR0", guest_cr0 == vmcs_read(GUEST_CR0));
			break;
		case 3:
			report("Write through CR4", guest_cr4 == vmcs_read(GUEST_CR4));
			break;
		case 4:
			guest_cr0 = vmcs_read(GUEST_CR0) ^ (X86_CR0_TS | X86_CR0_MP);
			guest_cr4 = vmcs_read(GUEST_CR4) ^ (X86_CR4_TSD | X86_CR4_DE);
			vmcs_write(CR0_MASK, X86_CR0_TS | X86_CR0_MP);
			vmcs_write(CR0_READ_SHADOW, guest_cr0 & (X86_CR0_TS | X86_CR0_MP));
			vmcs_write(CR4_MASK, X86_CR4_TSD | X86_CR4_DE);
			vmcs_write(CR4_READ_SHADOW, guest_cr4 & (X86_CR4_TSD | X86_CR4_DE));
			break;
		case 6:
			report("Write shadowing CR0 (same value)",
			       guest_cr0 == (vmcs_read(GUEST_CR0) ^ (X86_CR0_TS | X86_CR0_MP)));
			break;
		case 7:
			report("Write shadowing CR4 (same value)",
			       guest_cr4 == (vmcs_read(GUEST_CR4) ^ (X86_CR4_TSD | X86_CR4_DE)));
			break;
		default:
			// Should not reach here
			report("unexpected stage, %d", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		return VMX_TEST_RESUME;
	case VMX_CR:
		switch (vmx_get_test_stage()) {
		case 4:
			report("Read shadowing CR0", 0);
			vmx_inc_test_stage();
			break;
		case 5:
			report("Read shadowing CR4", 0);
			vmx_inc_test_stage();
			break;
		case 6:
			report("Write shadowing CR0 (same value)", 0);
			vmx_inc_test_stage();
			break;
		case 7:
			report("Write shadowing CR4 (same value)", 0);
			vmx_inc_test_stage();
			break;
		case 8:
		case 9:
			// 0x600 encodes "mov %esi, %cr0"
			if (exit_qual == 0x600)
				vmx_inc_test_stage();
			break;
		case 10:
		case 11:
			// 0x604 encodes "mov %esi, %cr4"
			if (exit_qual == 0x604)
				vmx_inc_test_stage();
			break;
		default:
			// Should not reach here
			report("unexpected stage, %d", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		return VMX_TEST_RESUME;
	default:
		report("Unknown exit reason, %ld", false, reason);
		print_vmexit_info();
	}
	return VMX_TEST_VMEXIT;
}

static int iobmp_init(struct vmcs *vmcs)
{
	u32 ctrl_cpu0;

	io_bitmap_a = alloc_page();
	io_bitmap_b = alloc_page();
	memset(io_bitmap_a, 0x0, PAGE_SIZE);
	memset(io_bitmap_b, 0x0, PAGE_SIZE);
	ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0);
	ctrl_cpu0 |= CPU_IO_BITMAP;
	ctrl_cpu0 &= (~CPU_IO);
	vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0);
	vmcs_write(IO_BITMAP_A, (u64)io_bitmap_a);
	vmcs_write(IO_BITMAP_B, (u64)io_bitmap_b);
	return VMX_TEST_START;
}

static void iobmp_main(void)
{
	// stage 0, test IO pass
	vmx_set_test_stage(0);
	inb(0x5000);
	outb(0x0, 0x5000);
	report("I/O bitmap - I/O pass", vmx_get_test_stage() == 0);
	// test IO width, in/out
	((u8 *)io_bitmap_a)[0] = 0xFF;
	vmx_set_test_stage(2);
	inb(0x0);
	report("I/O bitmap - trap in", vmx_get_test_stage() == 3);
	vmx_set_test_stage(3);
	outw(0x0, 0x0);
	report("I/O bitmap - trap out", vmx_get_test_stage() == 4);
	vmx_set_test_stage(4);
	inl(0x0);
	report("I/O bitmap - I/O width, long", vmx_get_test_stage() == 5);
	// test low/high IO port
	vmx_set_test_stage(5);
	((u8 *)io_bitmap_a)[0x5000 / 8] = (1 << (0x5000 % 8));
	inb(0x5000);
	report("I/O bitmap - I/O port, low part", vmx_get_test_stage() == 6);
	vmx_set_test_stage(6);
	((u8 *)io_bitmap_b)[0x1000 / 8] = (1 << (0x1000 % 8));
	inb(0x9000);
	report("I/O bitmap - I/O port, high part", vmx_get_test_stage() == 7);
	// test partial pass
	vmx_set_test_stage(7);
	inl(0x4FFF);
	report("I/O bitmap - partial pass", vmx_get_test_stage() == 8);
	// test overrun
	vmx_set_test_stage(8);
	memset(io_bitmap_a, 0x0, PAGE_SIZE);
	memset(io_bitmap_b, 0x0, PAGE_SIZE);
	inl(0xFFFF);
	report("I/O bitmap - overrun", vmx_get_test_stage() == 9);
	vmx_set_test_stage(9);
	vmcall();
	outb(0x0, 0x0);
	report("I/O bitmap - ignore unconditional exiting",
	       vmx_get_test_stage() == 9);
	vmx_set_test_stage(10);
	vmcall();
	outb(0x0, 0x0);
	report("I/O bitmap - unconditional exiting",
	       vmx_get_test_stage() == 11);
}

static int iobmp_exit_handler(void)
{
	u64 guest_rip;
	ulong reason, exit_qual;
	u32 insn_len, ctrl_cpu0;

	guest_rip = vmcs_read(GUEST_RIP);
	reason = vmcs_read(EXI_REASON) & 0xff;
	exit_qual = vmcs_read(EXI_QUALIFICATION);
	insn_len = vmcs_read(EXI_INST_LEN);
	switch (reason) {
	case VMX_IO:
		switch (vmx_get_test_stage()) {
		case 0:
		case 1:
			vmx_inc_test_stage();
			break;
		case 2:
			report("I/O bitmap - I/O width, byte",
			       (exit_qual & VMX_IO_SIZE_MASK) == _VMX_IO_BYTE);
			report("I/O bitmap - I/O direction, in", exit_qual & VMX_IO_IN);
			vmx_inc_test_stage();
			break;
		case 3:
			report("I/O bitmap - I/O width, word",
			       (exit_qual & VMX_IO_SIZE_MASK) == _VMX_IO_WORD);
			report("I/O bitmap - I/O direction, out",
			       !(exit_qual & VMX_IO_IN));
			vmx_inc_test_stage();
			break;
		case 4:
			report("I/O bitmap - I/O width, long",
			       (exit_qual & VMX_IO_SIZE_MASK) == _VMX_IO_LONG);
			vmx_inc_test_stage();
			break;
		case 5:
			if (((exit_qual & VMX_IO_PORT_MASK) >> VMX_IO_PORT_SHIFT) == 0x5000)
				vmx_inc_test_stage();
			break;
		case 6:
			if (((exit_qual & VMX_IO_PORT_MASK) >> VMX_IO_PORT_SHIFT) == 0x9000)
				vmx_inc_test_stage();
			break;
		case 7:
			if (((exit_qual & VMX_IO_PORT_MASK) >> VMX_IO_PORT_SHIFT) == 0x4FFF)
				vmx_inc_test_stage();
			break;
		case 8:
			if (((exit_qual & VMX_IO_PORT_MASK) >> VMX_IO_PORT_SHIFT) == 0xFFFF)
				vmx_inc_test_stage();
			break;
		case 9:
		case 10:
			ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0);
			vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0 & ~CPU_IO);
			vmx_inc_test_stage();
			break;
		default:
			// Should not reach here
			report("unexpected stage, %d", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		return VMX_TEST_RESUME;
	case VMX_VMCALL:
		switch (vmx_get_test_stage()) {
		case 9:
			ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0);
			ctrl_cpu0 |= CPU_IO | CPU_IO_BITMAP;
			vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0);
			break;
		case 10:
			ctrl_cpu0 = vmcs_read(CPU_EXEC_CTRL0);
			ctrl_cpu0 = (ctrl_cpu0 & ~CPU_IO_BITMAP) | CPU_IO;
			vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu0);
			break;
		default:
			// Should not reach here
			report("unexpected stage, %d", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		return VMX_TEST_RESUME;
	default:
printf("guest_rip = %#lx\n", guest_rip); 774 printf("\tERROR : Undefined exit reason, reason = %ld.\n", reason); 775 break; 776 } 777 return VMX_TEST_VMEXIT; 778 } 779 780 #define INSN_CPU0 0 781 #define INSN_CPU1 1 782 #define INSN_ALWAYS_TRAP 2 783 784 #define FIELD_EXIT_QUAL (1 << 0) 785 #define FIELD_INSN_INFO (1 << 1) 786 787 asm( 788 "insn_hlt: hlt;ret\n\t" 789 "insn_invlpg: invlpg 0x12345678;ret\n\t" 790 "insn_mwait: xor %eax, %eax; xor %ecx, %ecx; mwait;ret\n\t" 791 "insn_rdpmc: xor %ecx, %ecx; rdpmc;ret\n\t" 792 "insn_rdtsc: rdtsc;ret\n\t" 793 "insn_cr3_load: mov cr3,%rax; mov %rax,%cr3;ret\n\t" 794 "insn_cr3_store: mov %cr3,%rax;ret\n\t" 795 #ifdef __x86_64__ 796 "insn_cr8_load: xor %eax, %eax; mov %rax,%cr8;ret\n\t" 797 "insn_cr8_store: mov %cr8,%rax;ret\n\t" 798 #endif 799 "insn_monitor: xor %eax, %eax; xor %ecx, %ecx; xor %edx, %edx; monitor;ret\n\t" 800 "insn_pause: pause;ret\n\t" 801 "insn_wbinvd: wbinvd;ret\n\t" 802 "insn_cpuid: mov $10, %eax; cpuid;ret\n\t" 803 "insn_invd: invd;ret\n\t" 804 "insn_sgdt: sgdt gdt64_desc;ret\n\t" 805 "insn_lgdt: lgdt gdt64_desc;ret\n\t" 806 "insn_sidt: sidt idt_descr;ret\n\t" 807 "insn_lidt: lidt idt_descr;ret\n\t" 808 "insn_sldt: sldt %ax;ret\n\t" 809 "insn_lldt: xor %eax, %eax; lldt %ax;ret\n\t" 810 "insn_str: str %ax;ret\n\t" 811 "insn_rdrand: rdrand %rax;ret\n\t" 812 "insn_rdseed: rdseed %rax;ret\n\t" 813 ); 814 extern void insn_hlt(void); 815 extern void insn_invlpg(void); 816 extern void insn_mwait(void); 817 extern void insn_rdpmc(void); 818 extern void insn_rdtsc(void); 819 extern void insn_cr3_load(void); 820 extern void insn_cr3_store(void); 821 #ifdef __x86_64__ 822 extern void insn_cr8_load(void); 823 extern void insn_cr8_store(void); 824 #endif 825 extern void insn_monitor(void); 826 extern void insn_pause(void); 827 extern void insn_wbinvd(void); 828 extern void insn_sgdt(void); 829 extern void insn_lgdt(void); 830 extern void insn_sidt(void); 831 extern void insn_lidt(void); 832 extern void insn_sldt(void); 833 extern void insn_lldt(void); 834 extern void insn_str(void); 835 extern void insn_cpuid(void); 836 extern void insn_invd(void); 837 extern void insn_rdrand(void); 838 extern void insn_rdseed(void); 839 840 u32 cur_insn; 841 u64 cr3; 842 843 struct insn_table { 844 const char *name; 845 u32 flag; 846 void (*insn_func)(void); 847 u32 type; 848 u32 reason; 849 ulong exit_qual; 850 u32 insn_info; 851 // Use FIELD_EXIT_QUAL and FIELD_INSN_INFO to define 852 // which field need to be tested, reason is always tested 853 u32 test_field; 854 }; 855 856 /* 857 * Add more test cases of instruction intercept here. Elements in this 858 * table is: 859 * name/control flag/insn function/type/exit reason/exit qulification/ 860 * instruction info/field to test 861 * The last field defines which fields (exit_qual and insn_info) need to be 862 * tested in exit handler. If set to 0, only "reason" is checked. 
 */
static struct insn_table insn_table[] = {
	// Flags for Primary Processor-Based VM-Execution Controls
	{"HLT", CPU_HLT, insn_hlt, INSN_CPU0, 12, 0, 0, 0},
	{"INVLPG", CPU_INVLPG, insn_invlpg, INSN_CPU0, 14,
		0x12345678, 0, FIELD_EXIT_QUAL},
	{"MWAIT", CPU_MWAIT, insn_mwait, INSN_CPU0, 36, 0, 0, 0},
	{"RDPMC", CPU_RDPMC, insn_rdpmc, INSN_CPU0, 15, 0, 0, 0},
	{"RDTSC", CPU_RDTSC, insn_rdtsc, INSN_CPU0, 16, 0, 0, 0},
	{"CR3 load", CPU_CR3_LOAD, insn_cr3_load, INSN_CPU0, 28, 0x3, 0,
		FIELD_EXIT_QUAL},
	{"CR3 store", CPU_CR3_STORE, insn_cr3_store, INSN_CPU0, 28, 0x13, 0,
		FIELD_EXIT_QUAL},
#ifdef __x86_64__
	{"CR8 load", CPU_CR8_LOAD, insn_cr8_load, INSN_CPU0, 28, 0x8, 0,
		FIELD_EXIT_QUAL},
	{"CR8 store", CPU_CR8_STORE, insn_cr8_store, INSN_CPU0, 28, 0x18, 0,
		FIELD_EXIT_QUAL},
#endif
	{"MONITOR", CPU_MONITOR, insn_monitor, INSN_CPU0, 39, 0, 0, 0},
	{"PAUSE", CPU_PAUSE, insn_pause, INSN_CPU0, 40, 0, 0, 0},
	// Flags for Secondary Processor-Based VM-Execution Controls
	{"WBINVD", CPU_WBINVD, insn_wbinvd, INSN_CPU1, 54, 0, 0, 0},
	{"DESC_TABLE (SGDT)", CPU_DESC_TABLE, insn_sgdt, INSN_CPU1, 46, 0, 0, 0},
	{"DESC_TABLE (LGDT)", CPU_DESC_TABLE, insn_lgdt, INSN_CPU1, 46, 0, 0, 0},
	{"DESC_TABLE (SIDT)", CPU_DESC_TABLE, insn_sidt, INSN_CPU1, 46, 0, 0, 0},
	{"DESC_TABLE (LIDT)", CPU_DESC_TABLE, insn_lidt, INSN_CPU1, 46, 0, 0, 0},
	{"DESC_TABLE (SLDT)", CPU_DESC_TABLE, insn_sldt, INSN_CPU1, 47, 0, 0, 0},
	{"DESC_TABLE (LLDT)", CPU_DESC_TABLE, insn_lldt, INSN_CPU1, 47, 0, 0, 0},
	{"DESC_TABLE (STR)", CPU_DESC_TABLE, insn_str, INSN_CPU1, 47, 0, 0, 0},
	/* LTR causes a #GP if done with a busy selector, so it is not tested. */
	{"RDRAND", CPU_RDRAND, insn_rdrand, INSN_CPU1, VMX_RDRAND, 0, 0, 0},
	{"RDSEED", CPU_RDSEED, insn_rdseed, INSN_CPU1, VMX_RDSEED, 0, 0, 0},
	// Instructions always trap
	{"CPUID", 0, insn_cpuid, INSN_ALWAYS_TRAP, 10, 0, 0, 0},
	{"INVD", 0, insn_invd, INSN_ALWAYS_TRAP, 13, 0, 0, 0},
	// Instructions never trap
	{NULL},
};

static int insn_intercept_init(struct vmcs *vmcs)
{
	u32 ctrl_cpu;

	ctrl_cpu = ctrl_cpu_rev[0].set | CPU_SECONDARY;
	ctrl_cpu &= ctrl_cpu_rev[0].clr;
	vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu);
	vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu_rev[1].set);
	cr3 = read_cr3();
	return VMX_TEST_START;
}

static void insn_intercept_main(void)
{
	for (cur_insn = 0; insn_table[cur_insn].name != NULL; cur_insn++) {
		vmx_set_test_stage(cur_insn * 2);
		if ((insn_table[cur_insn].type == INSN_CPU0 &&
		     !(ctrl_cpu_rev[0].clr & insn_table[cur_insn].flag)) ||
		    (insn_table[cur_insn].type == INSN_CPU1 &&
		     !(ctrl_cpu_rev[1].clr & insn_table[cur_insn].flag))) {
			printf("\tCPU_CTRL%d.CPU_%s is not supported.\n",
			       insn_table[cur_insn].type - INSN_CPU0,
			       insn_table[cur_insn].name);
			continue;
		}

		if ((insn_table[cur_insn].type == INSN_CPU0 &&
		     !(ctrl_cpu_rev[0].set & insn_table[cur_insn].flag)) ||
		    (insn_table[cur_insn].type == INSN_CPU1 &&
		     !(ctrl_cpu_rev[1].set & insn_table[cur_insn].flag))) {
			/* skip hlt, it stalls the guest and is tested below */
			if (insn_table[cur_insn].insn_func != insn_hlt)
				insn_table[cur_insn].insn_func();
			report("execute %s", vmx_get_test_stage() == cur_insn * 2,
			       insn_table[cur_insn].name);
		} else if (insn_table[cur_insn].type != INSN_ALWAYS_TRAP)
			printf("\tCPU_CTRL%d.CPU_%s always traps.\n",
			       insn_table[cur_insn].type - INSN_CPU0,
			       insn_table[cur_insn].name);

		vmcall();

		insn_table[cur_insn].insn_func();
		report("intercept %s", vmx_get_test_stage() == cur_insn * 2 + 1,
		       insn_table[cur_insn].name);

		vmx_set_test_stage(cur_insn * 2 + 1);
		vmcall();
	}
}

static int insn_intercept_exit_handler(void)
{
	u64 guest_rip;
	u32 reason;
	ulong exit_qual;
	u32 insn_len;
	u32 insn_info;
	bool pass;

	guest_rip = vmcs_read(GUEST_RIP);
	reason = vmcs_read(EXI_REASON) & 0xff;
	exit_qual = vmcs_read(EXI_QUALIFICATION);
	insn_len = vmcs_read(EXI_INST_LEN);
	insn_info = vmcs_read(EXI_INST_INFO);

	if (reason == VMX_VMCALL) {
		u32 val = 0;

		if (insn_table[cur_insn].type == INSN_CPU0)
			val = vmcs_read(CPU_EXEC_CTRL0);
		else if (insn_table[cur_insn].type == INSN_CPU1)
			val = vmcs_read(CPU_EXEC_CTRL1);

		if (vmx_get_test_stage() & 1)
			val &= ~insn_table[cur_insn].flag;
		else
			val |= insn_table[cur_insn].flag;

		if (insn_table[cur_insn].type == INSN_CPU0)
			vmcs_write(CPU_EXEC_CTRL0, val | ctrl_cpu_rev[0].set);
		else if (insn_table[cur_insn].type == INSN_CPU1)
			vmcs_write(CPU_EXEC_CTRL1, val | ctrl_cpu_rev[1].set);
	} else {
		pass = (cur_insn * 2 == vmx_get_test_stage()) &&
			insn_table[cur_insn].reason == reason;
		if (insn_table[cur_insn].test_field & FIELD_EXIT_QUAL &&
		    insn_table[cur_insn].exit_qual != exit_qual)
			pass = false;
		if (insn_table[cur_insn].test_field & FIELD_INSN_INFO &&
		    insn_table[cur_insn].insn_info != insn_info)
			pass = false;
		if (pass)
			vmx_inc_test_stage();
	}
	vmcs_write(GUEST_RIP, guest_rip + insn_len);
	return VMX_TEST_RESUME;
}


/* Enables EPT and sets up the identity map. */
static int setup_ept(bool enable_ad)
{
	unsigned long end_of_memory;
	u32 ctrl_cpu[2];

	if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY) ||
	    !(ctrl_cpu_rev[1].clr & CPU_EPT)) {
		printf("\tEPT is not supported");
		return 1;
	}


	if (!(ept_vpid.val & EPT_CAP_UC) &&
	    !(ept_vpid.val & EPT_CAP_WB)) {
		printf("\tEPT paging-structure memory type "
		       "UC&WB are not supported\n");
		return 1;
	}
	if (ept_vpid.val & EPT_CAP_UC)
		eptp = EPT_MEM_TYPE_UC;
	else
		eptp = EPT_MEM_TYPE_WB;
	if (!(ept_vpid.val & EPT_CAP_PWL4)) {
		printf("\tPWL4 is not supported\n");
		return 1;
	}
	ctrl_cpu[0] = vmcs_read(CPU_EXEC_CTRL0);
	ctrl_cpu[1] = vmcs_read(CPU_EXEC_CTRL1);
	ctrl_cpu[0] = (ctrl_cpu[0] | CPU_SECONDARY)
		& ctrl_cpu_rev[0].clr;
	ctrl_cpu[1] = (ctrl_cpu[1] | CPU_EPT)
		& ctrl_cpu_rev[1].clr;
	vmcs_write(CPU_EXEC_CTRL0, ctrl_cpu[0]);
	vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu[1]);
	eptp |= (3 << EPTP_PG_WALK_LEN_SHIFT);
	pml4 = alloc_page();
	memset(pml4, 0, PAGE_SIZE);
	eptp |= virt_to_phys(pml4);
	if (enable_ad)
		eptp |= EPTP_AD_FLAG;
	vmcs_write(EPTP, eptp);
	end_of_memory = fwcfg_get_u64(FW_CFG_RAM_SIZE);
	if (end_of_memory < (1ul << 32))
		end_of_memory = (1ul << 32);
	/* Cannot use large EPT pages if we need to track EPT
	 * accessed/dirty bits at 4K granularity.
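	 * (Added note: a 2MB mapping would only record accessed/dirty state
	 * at 2MB granularity, hence 4K pages are used when enable_ad is set.)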
	 */
	setup_ept_range(pml4, 0, end_of_memory, 0,
			!enable_ad && ept_2m_supported(),
			EPT_WA | EPT_RA | EPT_EA);
	return 0;
}

static void ept_enable_ad_bits(void)
{
	eptp |= EPTP_AD_FLAG;
	vmcs_write(EPTP, eptp);
}

static void ept_disable_ad_bits(void)
{
	eptp &= ~EPTP_AD_FLAG;
	vmcs_write(EPTP, eptp);
}

static void ept_enable_ad_bits_or_skip_test(void)
{
	if (!ept_ad_bits_supported())
		test_skip("EPT AD bits not supported.");
	ept_enable_ad_bits();
}

static int apic_version;

static int ept_init_common(bool have_ad)
{
	int ret;
	struct pci_dev pcidev;

	if (setup_ept(have_ad))
		return VMX_TEST_EXIT;
	data_page1 = alloc_page();
	data_page2 = alloc_page();
	memset(data_page1, 0x0, PAGE_SIZE);
	memset(data_page2, 0x0, PAGE_SIZE);
	*((u32 *)data_page1) = MAGIC_VAL_1;
	*((u32 *)data_page2) = MAGIC_VAL_2;
	install_ept(pml4, (unsigned long)data_page1, (unsigned long)data_page2,
		    EPT_RA | EPT_WA | EPT_EA);

	apic_version = apic_read(APIC_LVR);

	ret = pci_find_dev(PCI_VENDOR_ID_REDHAT, PCI_DEVICE_ID_REDHAT_TEST);
	if (ret != PCIDEVADDR_INVALID) {
		pci_dev_init(&pcidev, ret);
		pci_physaddr = pcidev.resource[PCI_TESTDEV_BAR_MEM];
	}

	return VMX_TEST_START;
}

static int ept_init(struct vmcs *vmcs)
{
	return ept_init_common(false);
}

static void ept_common(void)
{
	vmx_set_test_stage(0);
	if (*((u32 *)data_page2) != MAGIC_VAL_1 ||
	    *((u32 *)data_page1) != MAGIC_VAL_1)
		report("EPT basic framework - read", 0);
	else {
		*((u32 *)data_page2) = MAGIC_VAL_3;
		vmcall();
		if (vmx_get_test_stage() == 1) {
			if (*((u32 *)data_page1) == MAGIC_VAL_3 &&
			    *((u32 *)data_page2) == MAGIC_VAL_2)
				report("EPT basic framework", 1);
			else
				report("EPT basic framework - remap", 1);
		}
	}
	// Test EPT Misconfigurations
	vmx_set_test_stage(1);
	vmcall();
	*((u32 *)data_page1) = MAGIC_VAL_1;
	if (vmx_get_test_stage() != 2) {
		report("EPT misconfigurations", 0);
		goto t1;
	}
	vmx_set_test_stage(2);
	vmcall();
	*((u32 *)data_page1) = MAGIC_VAL_1;
	report("EPT misconfigurations", vmx_get_test_stage() == 3);
t1:
	// Test EPT violation
	vmx_set_test_stage(3);
	vmcall();
	*((u32 *)data_page1) = MAGIC_VAL_1;
	report("EPT violation - page permission", vmx_get_test_stage() == 4);
	// Violation caused by EPT paging structure
	vmx_set_test_stage(4);
	vmcall();
	*((u32 *)data_page1) = MAGIC_VAL_2;
	report("EPT violation - paging structure", vmx_get_test_stage() == 5);

	// MMIO Read/Write
	vmx_set_test_stage(5);
	vmcall();

	*(u32 volatile *)pci_physaddr;
	report("MMIO EPT violation - read", vmx_get_test_stage() == 6);

	*(u32 volatile *)pci_physaddr = MAGIC_VAL_1;
	report("MMIO EPT violation - write", vmx_get_test_stage() == 7);
}

static void ept_main(void)
{
	ept_common();

	// Test EPT access to L1 MMIO
	vmx_set_test_stage(7);
	report("EPT - MMIO access", *((u32 *)0xfee00030UL) == apic_version);

	// Test invalid operand for INVEPT
	vmcall();
	report("EPT - unsupported INVEPT", vmx_get_test_stage() == 8);
}

static bool invept_test(int type, u64 eptp)
{
	bool ret, supported;

	supported =
		ept_vpid.val & (EPT_CAP_INVEPT_SINGLE >> INVEPT_SINGLE << type);
	ret = invept(type, eptp);

	if (ret == !supported)
		return false;

	if (!supported)
		printf("WARNING: unsupported invept passed!\n");
	else
		printf("WARNING: invept failed!\n");

	return true;
}

static int pml_exit_handler(void)
{
	u16 index, count;
	ulong reason = vmcs_read(EXI_REASON) & 0xff;
	u64 *pmlbuf = pml_log;
	u64 guest_rip = vmcs_read(GUEST_RIP);
	u64 guest_cr3 = vmcs_read(GUEST_CR3);
	u32 insn_len = vmcs_read(EXI_INST_LEN);

	switch (reason) {
	case VMX_VMCALL:
		switch (vmx_get_test_stage()) {
		case 0:
			index = vmcs_read(GUEST_PML_INDEX);
			for (count = index + 1; count < PML_INDEX; count++) {
				if (pmlbuf[count] == (u64)data_page2) {
					vmx_inc_test_stage();
					clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page2);
					break;
				}
			}
			break;
		case 1:
			index = vmcs_read(GUEST_PML_INDEX);
			/* Keep clearing the dirty bit till an overflow */
			clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page2);
			break;
		default:
			report("unexpected stage, %d.", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		return VMX_TEST_RESUME;
	case VMX_PML_FULL:
		vmx_inc_test_stage();
		vmcs_write(GUEST_PML_INDEX, PML_INDEX - 1);
		return VMX_TEST_RESUME;
	default:
		report("Unknown exit reason, %ld", false, reason);
		print_vmexit_info();
	}
	return VMX_TEST_VMEXIT;
}

static int ept_exit_handler_common(bool have_ad)
{
	u64 guest_rip;
	u64 guest_cr3;
	ulong reason;
	u32 insn_len;
	u32 exit_qual;
	static unsigned long data_page1_pte, data_page1_pte_pte, memaddr_pte;

	guest_rip = vmcs_read(GUEST_RIP);
	guest_cr3 = vmcs_read(GUEST_CR3);
	reason = vmcs_read(EXI_REASON) & 0xff;
	insn_len = vmcs_read(EXI_INST_LEN);
	exit_qual = vmcs_read(EXI_QUALIFICATION);
	switch (reason) {
	case VMX_VMCALL:
		switch (vmx_get_test_stage()) {
		case 0:
			check_ept_ad(pml4, guest_cr3,
				     (unsigned long)data_page1,
				     have_ad ? EPT_ACCESS_FLAG : 0,
				     have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0);
			check_ept_ad(pml4, guest_cr3,
				     (unsigned long)data_page2,
				     have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0,
				     have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0);
			clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page1);
			clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page2);
			if (have_ad)
				ept_sync(INVEPT_SINGLE, eptp);
			if (*((u32 *)data_page1) == MAGIC_VAL_3 &&
			    *((u32 *)data_page2) == MAGIC_VAL_2) {
				vmx_inc_test_stage();
				install_ept(pml4, (unsigned long)data_page2,
					    (unsigned long)data_page2,
					    EPT_RA | EPT_WA | EPT_EA);
			} else
				report("EPT basic framework - write", 0);
			break;
		case 1:
			install_ept(pml4, (unsigned long)data_page1,
				    (unsigned long)data_page1, EPT_WA);
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		case 2:
			install_ept(pml4, (unsigned long)data_page1,
				    (unsigned long)data_page1,
				    EPT_RA | EPT_WA | EPT_EA |
				    (2 << EPT_MEM_TYPE_SHIFT));
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		case 3:
			clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page1);
			TEST_ASSERT(get_ept_pte(pml4, (unsigned long)data_page1,
						1, &data_page1_pte));
			set_ept_pte(pml4, (unsigned long)data_page1,
				    1, data_page1_pte & ~EPT_PRESENT);
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		case 4:
			TEST_ASSERT(get_ept_pte(pml4, (unsigned long)data_page1,
						2, &data_page1_pte));
			data_page1_pte &= PAGE_MASK;
			TEST_ASSERT(get_ept_pte(pml4, data_page1_pte,
						2, &data_page1_pte_pte));
			set_ept_pte(pml4, data_page1_pte, 2,
				    data_page1_pte_pte & ~EPT_PRESENT);
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		case 5:
			install_ept(pml4, (unsigned long)pci_physaddr,
				    (unsigned long)pci_physaddr, 0);
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		case 7:
			if (!invept_test(0, eptp))
				vmx_inc_test_stage();
			break;
		// Should not reach here
		default:
			report("ERROR - unexpected stage, %d.", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		return VMX_TEST_RESUME;
	case VMX_EPT_MISCONFIG:
		switch (vmx_get_test_stage()) {
		case 1:
		case 2:
			vmx_inc_test_stage();
			install_ept(pml4, (unsigned long)data_page1,
				    (unsigned long)data_page1,
				    EPT_RA | EPT_WA | EPT_EA);
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		// Should not reach here
		default:
			report("ERROR - unexpected stage, %d.", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		return VMX_TEST_RESUME;
	case VMX_EPT_VIOLATION:
		switch(vmx_get_test_stage()) {
		case 3:
			check_ept_ad(pml4, guest_cr3, (unsigned long)data_page1, 0,
				     have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0);
			clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page1);
			if (exit_qual == (EPT_VLT_WR | EPT_VLT_LADDR_VLD |
					  EPT_VLT_PADDR))
				vmx_inc_test_stage();
			set_ept_pte(pml4, (unsigned long)data_page1,
				    1, data_page1_pte | (EPT_PRESENT));
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		case 4:
			check_ept_ad(pml4, guest_cr3, (unsigned long)data_page1, 0,
				     have_ad ? EPT_ACCESS_FLAG | EPT_DIRTY_FLAG : 0);
			clear_ept_ad(pml4, guest_cr3, (unsigned long)data_page1);
			if (exit_qual == (EPT_VLT_RD |
					  (have_ad ? EPT_VLT_WR : 0) |
					  EPT_VLT_LADDR_VLD))
				vmx_inc_test_stage();
			set_ept_pte(pml4, data_page1_pte, 2,
				    data_page1_pte_pte | (EPT_PRESENT));
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		case 5:
			if (exit_qual & EPT_VLT_RD)
				vmx_inc_test_stage();
			TEST_ASSERT(get_ept_pte(pml4, (unsigned long)pci_physaddr,
						1, &memaddr_pte));
			set_ept_pte(pml4, memaddr_pte, 1, memaddr_pte | EPT_RA);
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		case 6:
			if (exit_qual & EPT_VLT_WR)
				vmx_inc_test_stage();
			TEST_ASSERT(get_ept_pte(pml4, (unsigned long)pci_physaddr,
						1, &memaddr_pte));
			set_ept_pte(pml4, memaddr_pte, 1, memaddr_pte | EPT_RA | EPT_WA);
			ept_sync(INVEPT_SINGLE, eptp);
			break;
		default:
			// Should not reach here
			report("ERROR : unexpected stage, %d", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		return VMX_TEST_RESUME;
	default:
		report("Unknown exit reason, %ld", false, reason);
		print_vmexit_info();
	}
	return VMX_TEST_VMEXIT;
}

static int ept_exit_handler(void)
{
	return ept_exit_handler_common(false);
}

static int eptad_init(struct vmcs *vmcs)
{
	int r = ept_init_common(true);

	if (r == VMX_TEST_EXIT)
		return r;

	if ((rdmsr(MSR_IA32_VMX_EPT_VPID_CAP) & EPT_CAP_AD_FLAG) == 0) {
		printf("\tEPT A/D bits are not supported");
		return VMX_TEST_EXIT;
	}

	return r;
}

static int pml_init(struct vmcs *vmcs)
{
	u32 ctrl_cpu;
	int r = eptad_init(vmcs);

	if (r == VMX_TEST_EXIT)
		return r;

	if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY) ||
	    !(ctrl_cpu_rev[1].clr & CPU_PML)) {
		printf("\tPML is not supported");
		return VMX_TEST_EXIT;
	}

	pml_log = alloc_page();
	memset(pml_log, 0x0, PAGE_SIZE);
	vmcs_write(PMLADDR, (u64)pml_log);
	vmcs_write(GUEST_PML_INDEX, PML_INDEX - 1);

	ctrl_cpu = vmcs_read(CPU_EXEC_CTRL1) | CPU_PML;
	vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu);

	return VMX_TEST_START;
}

static void pml_main(void)
{
	int count = 0;

	vmx_set_test_stage(0);
	*((u32 *)data_page2) = 0x1;
	vmcall();
	report("PML - Dirty GPA Logging", vmx_get_test_stage() == 1);

	while (vmx_get_test_stage() == 1) {
		vmcall();
		*((u32 *)data_page2) = 0x1;
		if (count++ > PML_INDEX)
			break;
	}
	report("PML Full Event", vmx_get_test_stage() == 2);
}

static void eptad_main(void)
{
	ept_common();
}

static int eptad_exit_handler(void)
{
	return ept_exit_handler_common(true);
}

static bool invvpid_test(int type, u16 vpid)
{
	bool ret, supported;

	supported = ept_vpid.val &
		(VPID_CAP_INVVPID_ADDR >> INVVPID_ADDR << type);
	ret = invvpid(type, vpid, 0);

	if (ret == !supported)
		return false;

	if (!supported)
		printf("WARNING: unsupported invvpid passed!\n");
	else
		printf("WARNING: invvpid failed!\n");

	return true;
}

static int vpid_init(struct vmcs *vmcs)
{
	u32 ctrl_cpu1;

	if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY) ||
	    !(ctrl_cpu_rev[1].clr & CPU_VPID)) {
		printf("\tVPID is not supported");
		return VMX_TEST_EXIT;
	}

	ctrl_cpu1 = vmcs_read(CPU_EXEC_CTRL1);
	ctrl_cpu1 |= CPU_VPID;
	vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu1);
	return VMX_TEST_START;
}

static void vpid_main(void)
{
	vmx_set_test_stage(0);
	vmcall();
	report("INVVPID SINGLE ADDRESS", vmx_get_test_stage() == 1);
	vmx_set_test_stage(2);
	vmcall();
	report("INVVPID SINGLE", vmx_get_test_stage() == 3);
	vmx_set_test_stage(4);
	vmcall();
	report("INVVPID ALL", vmx_get_test_stage() == 5);
}

static int vpid_exit_handler(void)
{
	u64 guest_rip;
	ulong reason;
	u32 insn_len;

	guest_rip = vmcs_read(GUEST_RIP);
	reason = vmcs_read(EXI_REASON) & 0xff;
	insn_len = vmcs_read(EXI_INST_LEN);

	switch (reason) {
	case VMX_VMCALL:
		switch(vmx_get_test_stage()) {
		case 0:
			if (!invvpid_test(INVVPID_ADDR, 1))
				vmx_inc_test_stage();
			break;
		case 2:
			if (!invvpid_test(INVVPID_CONTEXT_GLOBAL, 1))
				vmx_inc_test_stage();
			break;
		case 4:
			if (!invvpid_test(INVVPID_ALL, 1))
				vmx_inc_test_stage();
			break;
		default:
			report("ERROR: unexpected stage, %d", false,
			       vmx_get_test_stage());
			print_vmexit_info();
			return VMX_TEST_VMEXIT;
		}
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		return VMX_TEST_RESUME;
	default:
		report("Unknown exit reason, %ld", false, reason);
		print_vmexit_info();
	}
	return VMX_TEST_VMEXIT;
}

#define TIMER_VECTOR 222

static volatile bool timer_fired;

static void timer_isr(isr_regs_t *regs)
{
	timer_fired = true;
	apic_write(APIC_EOI, 0);
}

static int interrupt_init(struct vmcs *vmcs)
{
	msr_bmp_init();
	vmcs_write(PIN_CONTROLS, vmcs_read(PIN_CONTROLS) & ~PIN_EXTINT);
	handle_irq(TIMER_VECTOR, timer_isr);
	return VMX_TEST_START;
}

static void interrupt_main(void)
{
	long long start, loops;

	vmx_set_test_stage(0);

	apic_write(APIC_LVTT, TIMER_VECTOR);
	irq_enable();

	apic_write(APIC_TMICT, 1);
	for (loops = 0; loops < 10000000 && !timer_fired; loops++)
		asm volatile ("nop");
	report("direct interrupt while running guest", timer_fired);

	apic_write(APIC_TMICT, 0);
	irq_disable();
	vmcall();
	timer_fired = false;
	apic_write(APIC_TMICT, 1);
	for (loops = 0; loops < 10000000 && !timer_fired; loops++)
		asm volatile ("nop");
	report("intercepted interrupt while running guest", timer_fired);

	irq_enable();
	apic_write(APIC_TMICT, 0);
	irq_disable();
	vmcall();
	timer_fired = false;
	start = rdtsc();
	apic_write(APIC_TMICT, 1000000);

	asm volatile ("sti; hlt");

	report("direct interrupt + hlt",
	       rdtsc() - start > 1000000 && timer_fired);

	apic_write(APIC_TMICT, 0);
	irq_disable();
	vmcall();
	timer_fired = false;
	start = rdtsc();
	apic_write(APIC_TMICT, 1000000);

	asm volatile ("sti; hlt");

	report("intercepted interrupt + hlt",
	       rdtsc() - start > 10000 && timer_fired);

	apic_write(APIC_TMICT, 0);
	irq_disable();
	vmcall();
	timer_fired = false;
	start = rdtsc();
	apic_write(APIC_TMICT, 1000000);

	irq_enable();
	asm volatile ("nop");
	vmcall();

	report("direct interrupt + activity state hlt",
	       rdtsc() - start > 10000 && timer_fired);

	apic_write(APIC_TMICT, 0);
	irq_disable();
	vmcall();
	timer_fired = false;
	start = rdtsc();
	apic_write(APIC_TMICT, 1000000);

	irq_enable();
	asm volatile ("nop");
	vmcall();

	report("intercepted interrupt + activity state hlt",
	       rdtsc() - start > 10000 && timer_fired);

	apic_write(APIC_TMICT, 0);
	irq_disable();
	vmx_set_test_stage(7);
	vmcall();
	timer_fired = false;
	apic_write(APIC_TMICT, 1);
	for (loops = 0; loops < 10000000 && !timer_fired; loops++)
		asm volatile ("nop");
	report("running a guest with interrupt acknowledgement set", timer_fired);

	apic_write(APIC_TMICT, 0);
	irq_enable();
	timer_fired = false;
	vmcall();
	report("Inject an event to a halted guest", timer_fired);
}

static int interrupt_exit_handler(void)
{
	u64 guest_rip = vmcs_read(GUEST_RIP);
	ulong reason = vmcs_read(EXI_REASON) & 0xff;
	u32 insn_len = vmcs_read(EXI_INST_LEN);

	switch (reason) {
	case VMX_VMCALL:
		switch (vmx_get_test_stage()) {
		case 0:
		case 2:
		case 5:
			vmcs_write(PIN_CONTROLS,
				   vmcs_read(PIN_CONTROLS) | PIN_EXTINT);
			break;
		case 7:
			vmcs_write(EXI_CONTROLS, vmcs_read(EXI_CONTROLS) | EXI_INTA);
			vmcs_write(PIN_CONTROLS,
				   vmcs_read(PIN_CONTROLS) | PIN_EXTINT);
			break;
		case 1:
		case 3:
			vmcs_write(PIN_CONTROLS,
				   vmcs_read(PIN_CONTROLS) & ~PIN_EXTINT);
			break;
		case 4:
		case 6:
			vmcs_write(GUEST_ACTV_STATE, ACTV_HLT);
			break;

		case 8:
			vmcs_write(GUEST_ACTV_STATE, ACTV_HLT);
			vmcs_write(ENT_INTR_INFO,
				   TIMER_VECTOR |
				   (VMX_INTR_TYPE_EXT_INTR << INTR_INFO_INTR_TYPE_SHIFT) |
				   INTR_INFO_VALID_MASK);
			break;
		}
		vmx_inc_test_stage();
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		return VMX_TEST_RESUME;
	case VMX_EXTINT:
		if (vmcs_read(EXI_CONTROLS) & EXI_INTA) {
			int vector = vmcs_read(EXI_INTR_INFO) & 0xff;
			handle_external_interrupt(vector);
		} else {
			irq_enable();
			asm volatile ("nop");
			irq_disable();
		}
		if (vmx_get_test_stage() >= 2)
			vmcs_write(GUEST_ACTV_STATE, ACTV_ACTIVE);
		return VMX_TEST_RESUME;
	default:
		report("Unknown exit reason, %ld", false, reason);
		print_vmexit_info();
	}

	return VMX_TEST_VMEXIT;
}

static int dbgctls_init(struct vmcs *vmcs)
{
	u64 dr7 = 0x402;
	u64 zero = 0;

	msr_bmp_init();
	asm volatile(
		"mov %0,%%dr0\n\t"
		"mov %0,%%dr1\n\t"
		"mov %0,%%dr2\n\t"
		"mov %1,%%dr7\n\t"
		: : "r" (zero), "r" (dr7));
	wrmsr(MSR_IA32_DEBUGCTLMSR, 0x1);
	vmcs_write(GUEST_DR7, 0x404);
	vmcs_write(GUEST_DEBUGCTL, 0x2);

	vmcs_write(ENT_CONTROLS, vmcs_read(ENT_CONTROLS) | ENT_LOAD_DBGCTLS);
	vmcs_write(EXI_CONTROLS, vmcs_read(EXI_CONTROLS) | EXI_SAVE_DBGCTLS);

	return VMX_TEST_START;
}

static void dbgctls_main(void)
{
	u64 dr7, debugctl;

	asm volatile("mov %%dr7,%0" : "=r" (dr7));
	debugctl = rdmsr(MSR_IA32_DEBUGCTLMSR);
	/* Commented out: KVM does not support DEBUGCTL so far */
	(void)debugctl;
	report("Load debug controls", dr7 == 0x404 /* && debugctl == 0x2 */);

	dr7 = 0x408;
	asm volatile("mov %0,%%dr7" : : "r" (dr7));
	wrmsr(MSR_IA32_DEBUGCTLMSR, 0x3);

	vmx_set_test_stage(0);
	vmcall();
	report("Save debug controls", vmx_get_test_stage() == 1);

	if (ctrl_enter_rev.set & ENT_LOAD_DBGCTLS ||
	    ctrl_exit_rev.set & EXI_SAVE_DBGCTLS) {
		printf("\tDebug controls are always loaded/saved\n");
		return;
	}
	vmx_set_test_stage(2);
	vmcall();

	asm volatile("mov %%dr7,%0" : "=r" (dr7));
	debugctl = rdmsr(MSR_IA32_DEBUGCTLMSR);
	/* Commented out: KVM does not support DEBUGCTL so far */
	(void)debugctl;
	report("Guest=host debug controls", dr7 == 0x402 /* && debugctl == 0x1 */);

	dr7 = 0x408;
	asm volatile("mov %0,%%dr7" : : "r" (dr7));
	wrmsr(MSR_IA32_DEBUGCTLMSR, 0x3);

	vmx_set_test_stage(3);
	vmcall();
	report("Don't save debug controls", vmx_get_test_stage() == 4);
}

static int dbgctls_exit_handler(void)
{
	unsigned int reason = vmcs_read(EXI_REASON) & 0xff;
	u32 insn_len = vmcs_read(EXI_INST_LEN);
	u64 guest_rip = vmcs_read(GUEST_RIP);
	u64 dr7, debugctl;

	asm volatile("mov %%dr7,%0" : "=r" (dr7));
	debugctl = rdmsr(MSR_IA32_DEBUGCTLMSR);

	switch (reason) {
	case VMX_VMCALL:
		switch (vmx_get_test_stage()) {
		case 0:
			if (dr7 == 0x400 && debugctl == 0 &&
			    vmcs_read(GUEST_DR7) == 0x408 /* &&
			    Commented out: KVM does not support DEBUGCTL so far
			    vmcs_read(GUEST_DEBUGCTL) == 0x3 */)
				vmx_inc_test_stage();
			break;
		case 2:
			dr7 = 0x402;
			asm volatile("mov %0,%%dr7" : : "r" (dr7));
			wrmsr(MSR_IA32_DEBUGCTLMSR, 0x1);
			vmcs_write(GUEST_DR7, 0x404);
			vmcs_write(GUEST_DEBUGCTL, 0x2);

			vmcs_write(ENT_CONTROLS,
				   vmcs_read(ENT_CONTROLS) & ~ENT_LOAD_DBGCTLS);
			vmcs_write(EXI_CONTROLS,
				   vmcs_read(EXI_CONTROLS) & ~EXI_SAVE_DBGCTLS);
			break;
		case 3:
			if (dr7 == 0x400 && debugctl == 0 &&
			    vmcs_read(GUEST_DR7) == 0x404 /* &&
			    Commented out: KVM does not support DEBUGCTL so far
			    vmcs_read(GUEST_DEBUGCTL) == 0x2 */)
				vmx_inc_test_stage();
			break;
		}
		vmcs_write(GUEST_RIP, guest_rip + insn_len);
		return VMX_TEST_RESUME;
	default:
		report("Unknown exit reason, %d", false, reason);
		print_vmexit_info();
	}
	return VMX_TEST_VMEXIT;
}

struct vmx_msr_entry {
	u32 index;
	u32 reserved;
	u64 value;
} __attribute__((packed));

#define MSR_MAGIC 0x31415926
struct vmx_msr_entry *exit_msr_store, *entry_msr_load, *exit_msr_load;

static int msr_switch_init(struct vmcs *vmcs)
{
	msr_bmp_init();
	exit_msr_store = alloc_page();
	exit_msr_load = alloc_page();
	entry_msr_load = alloc_page();
	memset(exit_msr_store, 0, PAGE_SIZE);
	memset(exit_msr_load, 0, PAGE_SIZE);
	memset(entry_msr_load, 0, PAGE_SIZE);
	entry_msr_load[0].index = MSR_KERNEL_GS_BASE;
	entry_msr_load[0].value = MSR_MAGIC;

	vmx_set_test_stage(1);
	vmcs_write(ENT_MSR_LD_CNT, 1);
	vmcs_write(ENTER_MSR_LD_ADDR, (u64)entry_msr_load);
	vmcs_write(EXI_MSR_ST_CNT, 1);
	vmcs_write(EXIT_MSR_ST_ADDR, (u64)exit_msr_store);
	vmcs_write(EXI_MSR_LD_CNT, 1);
	vmcs_write(EXIT_MSR_LD_ADDR, (u64)exit_msr_load);
	return VMX_TEST_START;
}

static void msr_switch_main(void)
{
	if (vmx_get_test_stage() == 1) {
		report("VM entry MSR load",
		       rdmsr(MSR_KERNEL_GS_BASE) == MSR_MAGIC);
		vmx_set_test_stage(2);
		wrmsr(MSR_KERNEL_GS_BASE, MSR_MAGIC + 1);
		exit_msr_store[0].index = MSR_KERNEL_GS_BASE;
		exit_msr_load[0].index = MSR_KERNEL_GS_BASE;
		exit_msr_load[0].value = MSR_MAGIC + 2;
	}
	vmcall();
}

static int msr_switch_exit_handler(void)
{
	ulong reason;

	reason = vmcs_read(EXI_REASON);
	if (reason == VMX_VMCALL && vmx_get_test_stage() == 2) {
		report("VM exit MSR store",
		       exit_msr_store[0].value == MSR_MAGIC + 1);
		report("VM exit MSR load",
		       rdmsr(MSR_KERNEL_GS_BASE) == MSR_MAGIC + 2);
		vmx_set_test_stage(3);
		entry_msr_load[0].index = MSR_FS_BASE;
		return VMX_TEST_RESUME;
	}
	printf("ERROR %s: unexpected stage=%u or reason=%lu\n",
	       __func__, vmx_get_test_stage(), reason);
	return VMX_TEST_EXIT;
}

static int msr_switch_entry_failure(struct vmentry_failure *failure)
{
	ulong reason;

	if (failure->early) {
		printf("ERROR %s: early exit\n", __func__);
		return VMX_TEST_EXIT;
	}

	reason = vmcs_read(EXI_REASON);
	if (reason == (VMX_ENTRY_FAILURE | VMX_FAIL_MSR) &&
	    vmx_get_test_stage() == 3) {
		report("VM entry MSR load: try to load FS_BASE",
		       vmcs_read(EXI_QUALIFICATION) == 1);
		return VMX_TEST_VMEXIT;
	}
	printf("ERROR %s: unexpected stage=%u or reason=%lu\n",
	       __func__, vmx_get_test_stage(), reason);
	return VMX_TEST_EXIT;
}

static int vmmcall_init(struct vmcs *vmcs)
{
	vmcs_write(EXC_BITMAP, 1 << UD_VECTOR);
	return VMX_TEST_START;
}

static void vmmcall_main(void)
{
	asm volatile(
		"mov $0xABCD, %%rax\n\t"
		"vmmcall\n\t"
		::: "rax");

	report("VMMCALL", 0);
}

static int vmmcall_exit_handler(void)
{
	ulong reason;

	reason = vmcs_read(EXI_REASON);
	switch (reason) {
	case VMX_VMCALL:
		printf("here\n");
		report("VMMCALL triggers #UD", 0);
		break;
	case VMX_EXC_NMI:
		report("VMMCALL triggers #UD",
		       (vmcs_read(EXI_INTR_INFO) & 0xff) == UD_VECTOR);
		break;
	default:
		report("Unknown exit reason, %ld", false, reason);
		print_vmexit_info();
	}

	return VMX_TEST_VMEXIT;
}

static int disable_rdtscp_init(struct vmcs *vmcs)
{
	u32 ctrl_cpu1;

	if (ctrl_cpu_rev[0].clr & CPU_SECONDARY) {
		ctrl_cpu1 = vmcs_read(CPU_EXEC_CTRL1);
		ctrl_cpu1 &= ~CPU_RDTSCP;
		vmcs_write(CPU_EXEC_CTRL1, ctrl_cpu1);
	}

	return VMX_TEST_START;
}

static void disable_rdtscp_ud_handler(struct ex_regs *regs)
{
	switch (vmx_get_test_stage()) {
	case 0:
		report("RDTSCP triggers #UD", true);
		vmx_inc_test_stage();
		regs->rip += 3;
		break;
	case 2:
		report("RDPID triggers #UD", true);
		vmx_inc_test_stage();
		regs->rip += 4;
		break;
	}
	return;

}

static void disable_rdtscp_main(void)
{
	/* Test that #UD is properly injected in L2. */
*/ 2002 handle_exception(UD_VECTOR, disable_rdtscp_ud_handler); 2003 2004 vmx_set_test_stage(0); 2005 asm volatile("rdtscp" : : : "eax", "ecx", "edx"); 2006 vmcall(); 2007 asm volatile(".byte 0xf3, 0x0f, 0xc7, 0xf8" : : : "eax"); 2008 2009 handle_exception(UD_VECTOR, 0); 2010 vmcall(); 2011 } 2012 2013 static int disable_rdtscp_exit_handler(void) 2014 { 2015 unsigned int reason = vmcs_read(EXI_REASON) & 0xff; 2016 2017 switch (reason) { 2018 case VMX_VMCALL: 2019 switch (vmx_get_test_stage()) { 2020 case 0: 2021 report("RDTSCP triggers #UD", false); 2022 vmx_inc_test_stage(); 2023 /* fallthrough */ 2024 case 1: 2025 vmx_inc_test_stage(); 2026 vmcs_write(GUEST_RIP, vmcs_read(GUEST_RIP) + 3); 2027 return VMX_TEST_RESUME; 2028 case 2: 2029 report("RDPID triggers #UD", false); 2030 break; 2031 } 2032 break; 2033 2034 default: 2035 report("Unknown exit reason, %d", false, reason); 2036 print_vmexit_info(); 2037 } 2038 return VMX_TEST_VMEXIT; 2039 } 2040 2041 static int int3_init(struct vmcs *vmcs) 2042 { 2043 vmcs_write(EXC_BITMAP, ~0u); 2044 return VMX_TEST_START; 2045 } 2046 2047 static void int3_guest_main(void) 2048 { 2049 asm volatile ("int3"); 2050 } 2051 2052 static int int3_exit_handler(void) 2053 { 2054 u32 reason = vmcs_read(EXI_REASON); 2055 u32 intr_info = vmcs_read(EXI_INTR_INFO); 2056 2057 report("L1 intercepts #BP", reason == VMX_EXC_NMI && 2058 (intr_info & INTR_INFO_VALID_MASK) && 2059 (intr_info & INTR_INFO_VECTOR_MASK) == BP_VECTOR && 2060 ((intr_info & INTR_INFO_INTR_TYPE_MASK) >> 2061 INTR_INFO_INTR_TYPE_SHIFT) == VMX_INTR_TYPE_SOFT_EXCEPTION); 2062 2063 return VMX_TEST_VMEXIT; 2064 } 2065 2066 static int into_init(struct vmcs *vmcs) 2067 { 2068 vmcs_write(EXC_BITMAP, ~0u); 2069 return VMX_TEST_START; 2070 } 2071 2072 static void into_guest_main(void) 2073 { 2074 struct far_pointer32 fp = { 2075 .offset = (uintptr_t)&&into, 2076 .selector = KERNEL_CS32, 2077 }; 2078 register uintptr_t rsp asm("rsp"); 2079 2080 if (fp.offset != (uintptr_t)&&into) { 2081 printf("Code address too high.\n"); 2082 return; 2083 } 2084 if ((u32)rsp != rsp) { 2085 printf("Stack address too high.\n"); 2086 return; 2087 } 2088 2089 asm goto ("lcall *%0" : : "m" (fp) : "rax" : into); 2090 return; 2091 into: 2092 asm volatile (".code32;" 2093 "movl $0x7fffffff, %eax;" 2094 "addl %eax, %eax;" 2095 "into;" 2096 "lret;" 2097 ".code64"); 2098 __builtin_unreachable(); 2099 } 2100 2101 static int into_exit_handler(void) 2102 { 2103 u32 reason = vmcs_read(EXI_REASON); 2104 u32 intr_info = vmcs_read(EXI_INTR_INFO); 2105 2106 report("L1 intercepts #OF", reason == VMX_EXC_NMI && 2107 (intr_info & INTR_INFO_VALID_MASK) && 2108 (intr_info & INTR_INFO_VECTOR_MASK) == OF_VECTOR && 2109 ((intr_info & INTR_INFO_INTR_TYPE_MASK) >> 2110 INTR_INFO_INTR_TYPE_SHIFT) == VMX_INTR_TYPE_SOFT_EXCEPTION); 2111 2112 return VMX_TEST_VMEXIT; 2113 } 2114 2115 static void exit_monitor_from_l2_main(void) 2116 { 2117 printf("Calling exit(0) from l2...\n"); 2118 exit(0); 2119 } 2120 2121 static int exit_monitor_from_l2_handler(void) 2122 { 2123 report("The guest should have killed the VMM", false); 2124 return VMX_TEST_EXIT; 2125 } 2126 2127 static void assert_exit_reason(u64 expected) 2128 { 2129 u64 actual = vmcs_read(EXI_REASON); 2130 2131 TEST_ASSERT_EQ_MSG(expected, actual, "Expected %s, got %s.", 2132 exit_reason_description(expected), 2133 exit_reason_description(actual)); 2134 } 2135 2136 static void skip_exit_insn(void) 2137 { 2138 u64 guest_rip = vmcs_read(GUEST_RIP); 2139 u32 insn_len = vmcs_read(EXI_INST_LEN); 2140 
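/* Advance the saved guest RIP past the exiting instruction so the guest resumes after it. */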
vmcs_write(GUEST_RIP, guest_rip + insn_len); 2141 } 2142 2143 static void skip_exit_vmcall(void) 2144 { 2145 assert_exit_reason(VMX_VMCALL); 2146 skip_exit_insn(); 2147 } 2148 2149 static void v2_null_test_guest(void) 2150 { 2151 } 2152 2153 static void v2_null_test(void) 2154 { 2155 test_set_guest(v2_null_test_guest); 2156 enter_guest(); 2157 report(__func__, 1); 2158 } 2159 2160 static void v2_multiple_entries_test_guest(void) 2161 { 2162 vmx_set_test_stage(1); 2163 vmcall(); 2164 vmx_set_test_stage(2); 2165 } 2166 2167 static void v2_multiple_entries_test(void) 2168 { 2169 test_set_guest(v2_multiple_entries_test_guest); 2170 enter_guest(); 2171 TEST_ASSERT_EQ(vmx_get_test_stage(), 1); 2172 skip_exit_vmcall(); 2173 enter_guest(); 2174 TEST_ASSERT_EQ(vmx_get_test_stage(), 2); 2175 report(__func__, 1); 2176 } 2177 2178 static int fixture_test_data = 1; 2179 2180 static void fixture_test_teardown(void *data) 2181 { 2182 *((int *) data) = 1; 2183 } 2184 2185 static void fixture_test_guest(void) 2186 { 2187 fixture_test_data++; 2188 } 2189 2190 2191 static void fixture_test_setup(void) 2192 { 2193 TEST_ASSERT_EQ_MSG(1, fixture_test_data, 2194 "fixture_test_teardown didn't run?!"); 2195 fixture_test_data = 2; 2196 test_add_teardown(fixture_test_teardown, &fixture_test_data); 2197 test_set_guest(fixture_test_guest); 2198 } 2199 2200 static void fixture_test_case1(void) 2201 { 2202 fixture_test_setup(); 2203 TEST_ASSERT_EQ(2, fixture_test_data); 2204 enter_guest(); 2205 TEST_ASSERT_EQ(3, fixture_test_data); 2206 report(__func__, 1); 2207 } 2208 2209 static void fixture_test_case2(void) 2210 { 2211 fixture_test_setup(); 2212 TEST_ASSERT_EQ(2, fixture_test_data); 2213 enter_guest(); 2214 TEST_ASSERT_EQ(3, fixture_test_data); 2215 report(__func__, 1); 2216 } 2217 2218 enum ept_access_op { 2219 OP_READ, 2220 OP_WRITE, 2221 OP_EXEC, 2222 OP_FLUSH_TLB, 2223 OP_EXIT, 2224 }; 2225 2226 static struct ept_access_test_data { 2227 unsigned long gpa; 2228 unsigned long *gva; 2229 unsigned long hpa; 2230 unsigned long *hva; 2231 enum ept_access_op op; 2232 } ept_access_test_data; 2233 2234 extern unsigned char ret42_start; 2235 extern unsigned char ret42_end; 2236 2237 /* Returns 42. */ 2238 asm( 2239 ".align 64\n" 2240 "ret42_start:\n" 2241 "mov $42, %eax\n" 2242 "ret\n" 2243 "ret42_end:\n" 2244 ); 2245 2246 static void 2247 diagnose_ept_violation_qual(u64 expected, u64 actual) 2248 { 2249 2250 #define DIAGNOSE(flag) \ 2251 do { \ 2252 if ((expected & flag) != (actual & flag)) \ 2253 printf(#flag " %sexpected\n", \ 2254 (expected & flag) ? "" : "un"); \ 2255 } while (0) 2256 2257 DIAGNOSE(EPT_VLT_RD); 2258 DIAGNOSE(EPT_VLT_WR); 2259 DIAGNOSE(EPT_VLT_FETCH); 2260 DIAGNOSE(EPT_VLT_PERM_RD); 2261 DIAGNOSE(EPT_VLT_PERM_WR); 2262 DIAGNOSE(EPT_VLT_PERM_EX); 2263 DIAGNOSE(EPT_VLT_LADDR_VLD); 2264 DIAGNOSE(EPT_VLT_PADDR); 2265 2266 #undef DIAGNOSE 2267 } 2268 2269 static void do_ept_access_op(enum ept_access_op op) 2270 { 2271 ept_access_test_data.op = op; 2272 enter_guest(); 2273 } 2274 2275 /* 2276 * Force the guest to flush its TLB (i.e., flush gva -> gpa mappings). Only 2277 * needed by tests that modify guest PTEs. 2278 */ 2279 static void ept_access_test_guest_flush_tlb(void) 2280 { 2281 do_ept_access_op(OP_FLUSH_TLB); 2282 skip_exit_vmcall(); 2283 } 2284 2285 /* 2286 * Modifies the EPT entry at @level in the mapping of @gpa. First clears the 2287 * bits in @clear then sets the bits in @set. @mkhuge transforms the entry into 2288 * a huge page. 
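* Callers restore the original entry with ept_untwiddle() once the access under test has been exercised.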
2289 */ 2290 static unsigned long ept_twiddle(unsigned long gpa, bool mkhuge, int level, 2291 unsigned long clear, unsigned long set) 2292 { 2293 struct ept_access_test_data *data = &ept_access_test_data; 2294 unsigned long orig_pte; 2295 unsigned long pte; 2296 2297 /* Screw with the mapping at the requested level. */ 2298 TEST_ASSERT(get_ept_pte(pml4, gpa, level, &orig_pte)); 2299 pte = orig_pte; 2300 if (mkhuge) 2301 pte = (orig_pte & ~EPT_ADDR_MASK) | data->hpa | EPT_LARGE_PAGE; 2302 else 2303 pte = orig_pte; 2304 pte = (pte & ~clear) | set; 2305 set_ept_pte(pml4, gpa, level, pte); 2306 ept_sync(INVEPT_SINGLE, eptp); 2307 2308 return orig_pte; 2309 } 2310 2311 static void ept_untwiddle(unsigned long gpa, int level, unsigned long orig_pte) 2312 { 2313 set_ept_pte(pml4, gpa, level, orig_pte); 2314 } 2315 2316 static void do_ept_violation(bool leaf, enum ept_access_op op, 2317 u64 expected_qual, u64 expected_paddr) 2318 { 2319 u64 qual; 2320 2321 /* Try the access and observe the violation. */ 2322 do_ept_access_op(op); 2323 2324 assert_exit_reason(VMX_EPT_VIOLATION); 2325 2326 qual = vmcs_read(EXI_QUALIFICATION); 2327 2328 diagnose_ept_violation_qual(expected_qual, qual); 2329 TEST_EXPECT_EQ(expected_qual, qual); 2330 2331 #if 0 2332 /* Disable for now otherwise every test will fail */ 2333 TEST_EXPECT_EQ(vmcs_read(GUEST_LINEAR_ADDRESS), 2334 (unsigned long) ( 2335 op == OP_EXEC ? data->gva + 1 : data->gva)); 2336 #endif 2337 /* 2338 * TODO: tests that probe expected_paddr in pages other than the one at 2339 * the beginning of the 1g region. 2340 */ 2341 TEST_EXPECT_EQ(vmcs_read(INFO_PHYS_ADDR), expected_paddr); 2342 } 2343 2344 static void 2345 ept_violation_at_level_mkhuge(bool mkhuge, int level, unsigned long clear, 2346 unsigned long set, enum ept_access_op op, 2347 u64 expected_qual) 2348 { 2349 struct ept_access_test_data *data = &ept_access_test_data; 2350 unsigned long orig_pte; 2351 2352 orig_pte = ept_twiddle(data->gpa, mkhuge, level, clear, set); 2353 2354 do_ept_violation(level == 1 || mkhuge, op, expected_qual, 2355 op == OP_EXEC ? data->gpa + sizeof(unsigned long) : 2356 data->gpa); 2357 2358 /* Fix the violation and resume the op loop. */ 2359 ept_untwiddle(data->gpa, level, orig_pte); 2360 enter_guest(); 2361 skip_exit_vmcall(); 2362 } 2363 2364 static void 2365 ept_violation_at_level(int level, unsigned long clear, unsigned long set, 2366 enum ept_access_op op, u64 expected_qual) 2367 { 2368 ept_violation_at_level_mkhuge(false, level, clear, set, op, 2369 expected_qual); 2370 if (ept_huge_pages_supported(level)) 2371 ept_violation_at_level_mkhuge(true, level, clear, set, op, 2372 expected_qual); 2373 } 2374 2375 static void ept_violation(unsigned long clear, unsigned long set, 2376 enum ept_access_op op, u64 expected_qual) 2377 { 2378 ept_violation_at_level(1, clear, set, op, expected_qual); 2379 ept_violation_at_level(2, clear, set, op, expected_qual); 2380 ept_violation_at_level(3, clear, set, op, expected_qual); 2381 ept_violation_at_level(4, clear, set, op, expected_qual); 2382 } 2383 2384 static void ept_access_violation(unsigned long access, enum ept_access_op op, 2385 u64 expected_qual) 2386 { 2387 ept_violation(EPT_PRESENT, access, op, 2388 expected_qual | EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 2389 } 2390 2391 /* 2392 * For translations that don't involve a GVA, that is physical address (paddr) 2393 * accesses, EPT violations don't set the flag EPT_VLT_PADDR. For a typical 2394 * guest memory access, the hardware does GVA -> GPA -> HPA. 
However, certain 2395 * translations don't involve GVAs, such as when the hardware does the guest 2396 * page table walk. For example, in translating GVA_1 -> GPA_1, the guest MMU 2397 * might try to set an A bit on a guest PTE. If the GPA_2 that the PTE resides 2398 * on isn't present in the EPT, then the EPT violation will be for GPA_2 and 2399 * the EPT_VLT_PADDR bit will be clear in the exit qualification. 2400 * 2401 * Note that paddr violations can also be triggered by loading PAE page tables 2402 * with wonky addresses. We don't test that yet. 2403 * 2404 * This function modifies the EPT entry that maps the GPA that the guest page 2405 * table entry mapping ept_access_data.gva resides on. 2406 * 2407 * @ept_access EPT permissions to set. Other permissions are cleared. 2408 * 2409 * @pte_ad Set the A/D bits on the guest PTE accordingly. 2410 * 2411 * @op Guest operation to perform with ept_access_data.gva. 2412 * 2413 * @expect_violation 2414 * Is a violation expected during the paddr access? 2415 * 2416 * @expected_qual Expected qualification for the EPT violation. 2417 * EPT_VLT_PADDR should be clear. 2418 */ 2419 static void ept_access_paddr(unsigned long ept_access, unsigned long pte_ad, 2420 enum ept_access_op op, bool expect_violation, 2421 u64 expected_qual) 2422 { 2423 struct ept_access_test_data *data = &ept_access_test_data; 2424 unsigned long *ptep; 2425 unsigned long gpa; 2426 unsigned long orig_epte; 2427 2428 /* Modify the guest PTE mapping data->gva according to @pte_ad. */ 2429 ptep = get_pte_level(current_page_table(), data->gva, /*level=*/1); 2430 TEST_ASSERT(ptep); 2431 TEST_ASSERT_EQ(*ptep & PT_ADDR_MASK, data->gpa); 2432 *ptep = (*ptep & ~PT_AD_MASK) | pte_ad; 2433 ept_access_test_guest_flush_tlb(); 2434 2435 /* 2436 * Now modify the access bits on the EPT entry for the GPA that the 2437 * guest PTE resides on. Note that by modifying a single EPT entry, 2438 * we're potentially affecting 512 guest PTEs. However, we've carefully 2439 * constructed our test such that those other 511 PTEs aren't used by 2440 * the guest: data->gva is at the beginning of a 1G huge page, thus the 2441 * PTE we're modifying is at the beginning of a 4K page and the 2442 * following 511 entries are also under our control (and not touched by 2443 * the guest). 2444 */ 2445 gpa = virt_to_phys(ptep); 2446 TEST_ASSERT_EQ(gpa & ~PAGE_MASK, 0); 2447 /* 2448 * Make sure the guest page table page is mapped with a 4K EPT entry, 2449 * otherwise our level=1 twiddling below will fail. We use the 2450 * identity map (gpa = gpa) since page tables are shared with the host.
2451 */ 2452 install_ept(pml4, gpa, gpa, EPT_PRESENT); 2453 orig_epte = ept_twiddle(gpa, /*mkhuge=*/0, /*level=*/1, 2454 /*clear=*/EPT_PRESENT, /*set=*/ept_access); 2455 2456 if (expect_violation) { 2457 do_ept_violation(/*leaf=*/true, op, 2458 expected_qual | EPT_VLT_LADDR_VLD, gpa); 2459 ept_untwiddle(gpa, /*level=*/1, orig_epte); 2460 do_ept_access_op(op); 2461 } else { 2462 do_ept_access_op(op); 2463 ept_untwiddle(gpa, /*level=*/1, orig_epte); 2464 } 2465 2466 TEST_ASSERT(*ptep & PT_ACCESSED_MASK); 2467 if ((pte_ad & PT_DIRTY_MASK) || op == OP_WRITE) 2468 TEST_ASSERT(*ptep & PT_DIRTY_MASK); 2469 2470 skip_exit_vmcall(); 2471 } 2472 2473 static void ept_access_allowed_paddr(unsigned long ept_access, 2474 unsigned long pte_ad, 2475 enum ept_access_op op) 2476 { 2477 ept_access_paddr(ept_access, pte_ad, op, /*expect_violation=*/false, 2478 /*expected_qual=*/-1); 2479 } 2480 2481 static void ept_access_violation_paddr(unsigned long ept_access, 2482 unsigned long pte_ad, 2483 enum ept_access_op op, 2484 u64 expected_qual) 2485 { 2486 ept_access_paddr(ept_access, pte_ad, op, /*expect_violation=*/true, 2487 expected_qual); 2488 } 2489 2490 2491 static void ept_allowed_at_level_mkhuge(bool mkhuge, int level, 2492 unsigned long clear, 2493 unsigned long set, 2494 enum ept_access_op op) 2495 { 2496 struct ept_access_test_data *data = &ept_access_test_data; 2497 unsigned long orig_pte; 2498 2499 orig_pte = ept_twiddle(data->gpa, mkhuge, level, clear, set); 2500 2501 /* No violation. Should proceed to vmcall. */ 2502 do_ept_access_op(op); 2503 skip_exit_vmcall(); 2504 2505 ept_untwiddle(data->gpa, level, orig_pte); 2506 } 2507 2508 static void ept_allowed_at_level(int level, unsigned long clear, 2509 unsigned long set, enum ept_access_op op) 2510 { 2511 ept_allowed_at_level_mkhuge(false, level, clear, set, op); 2512 if (ept_huge_pages_supported(level)) 2513 ept_allowed_at_level_mkhuge(true, level, clear, set, op); 2514 } 2515 2516 static void ept_allowed(unsigned long clear, unsigned long set, 2517 enum ept_access_op op) 2518 { 2519 ept_allowed_at_level(1, clear, set, op); 2520 ept_allowed_at_level(2, clear, set, op); 2521 ept_allowed_at_level(3, clear, set, op); 2522 ept_allowed_at_level(4, clear, set, op); 2523 } 2524 2525 static void ept_ignored_bit(int bit) 2526 { 2527 /* Set the bit. */ 2528 ept_allowed(0, 1ul << bit, OP_READ); 2529 ept_allowed(0, 1ul << bit, OP_WRITE); 2530 ept_allowed(0, 1ul << bit, OP_EXEC); 2531 2532 /* Clear the bit. */ 2533 ept_allowed(1ul << bit, 0, OP_READ); 2534 ept_allowed(1ul << bit, 0, OP_WRITE); 2535 ept_allowed(1ul << bit, 0, OP_EXEC); 2536 } 2537 2538 static void ept_access_allowed(unsigned long access, enum ept_access_op op) 2539 { 2540 ept_allowed(EPT_PRESENT, access, op); 2541 } 2542 2543 2544 static void ept_misconfig_at_level_mkhuge_op(bool mkhuge, int level, 2545 unsigned long clear, 2546 unsigned long set, 2547 enum ept_access_op op) 2548 { 2549 struct ept_access_test_data *data = &ept_access_test_data; 2550 unsigned long orig_pte; 2551 2552 orig_pte = ept_twiddle(data->gpa, mkhuge, level, clear, set); 2553 2554 do_ept_access_op(op); 2555 assert_exit_reason(VMX_EPT_MISCONFIG); 2556 2557 /* Intel 27.2.1, "For all other VM exits, this field is cleared." */ 2558 #if 0 2559 /* broken: */ 2560 TEST_EXPECT_EQ_MSG(vmcs_read(EXI_QUALIFICATION), 0); 2561 #endif 2562 #if 0 2563 /* 2564 * broken: 2565 * According to description of exit qual for EPT violation, 2566 * EPT_VLT_LADDR_VLD indicates if GUEST_LINEAR_ADDRESS is valid. 
* However, I can't find anything that says GUEST_LINEAR_ADDRESS ought 2568 * to be set for misconfig. 2569 */ 2570 TEST_EXPECT_EQ(vmcs_read(GUEST_LINEAR_ADDRESS), 2571 (unsigned long) ( 2572 op == OP_EXEC ? data->gva + 1 : data->gva)); 2573 #endif 2574 2575 /* Fix the violation and resume the op loop. */ 2576 ept_untwiddle(data->gpa, level, orig_pte); 2577 enter_guest(); 2578 skip_exit_vmcall(); 2579 } 2580 2581 static void ept_misconfig_at_level_mkhuge(bool mkhuge, int level, 2582 unsigned long clear, 2583 unsigned long set) 2584 { 2585 /* The op shouldn't matter (read, write, exec), so try them all! */ 2586 ept_misconfig_at_level_mkhuge_op(mkhuge, level, clear, set, OP_READ); 2587 ept_misconfig_at_level_mkhuge_op(mkhuge, level, clear, set, OP_WRITE); 2588 ept_misconfig_at_level_mkhuge_op(mkhuge, level, clear, set, OP_EXEC); 2589 } 2590 2591 static void ept_misconfig_at_level(int level, unsigned long clear, 2592 unsigned long set) 2593 { 2594 ept_misconfig_at_level_mkhuge(false, level, clear, set); 2595 if (ept_huge_pages_supported(level)) 2596 ept_misconfig_at_level_mkhuge(true, level, clear, set); 2597 } 2598 2599 static void ept_misconfig(unsigned long clear, unsigned long set) 2600 { 2601 ept_misconfig_at_level(1, clear, set); 2602 ept_misconfig_at_level(2, clear, set); 2603 ept_misconfig_at_level(3, clear, set); 2604 ept_misconfig_at_level(4, clear, set); 2605 } 2606 2607 static void ept_access_misconfig(unsigned long access) 2608 { 2609 ept_misconfig(EPT_PRESENT, access); 2610 } 2611 2612 static void ept_reserved_bit_at_level_nohuge(int level, int bit) 2613 { 2614 /* Setting the bit causes a misconfig. */ 2615 ept_misconfig_at_level_mkhuge(false, level, 0, 1ul << bit); 2616 2617 /* Making the entry non-present turns reserved bits into ignored. */ 2618 ept_violation_at_level(level, EPT_PRESENT, 1ul << bit, OP_READ, 2619 EPT_VLT_RD | EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 2620 } 2621 2622 static void ept_reserved_bit_at_level_huge(int level, int bit) 2623 { 2624 /* Setting the bit causes a misconfig. */ 2625 ept_misconfig_at_level_mkhuge(true, level, 0, 1ul << bit); 2626 2627 /* Making the entry non-present turns reserved bits into ignored. */ 2628 ept_violation_at_level(level, EPT_PRESENT, 1ul << bit, OP_READ, 2629 EPT_VLT_RD | EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 2630 } 2631 2632 static void ept_reserved_bit_at_level(int level, int bit) 2633 { 2634 /* Setting the bit causes a misconfig. */ 2635 ept_misconfig_at_level(level, 0, 1ul << bit); 2636 2637 /* Making the entry non-present turns reserved bits into ignored. */ 2638 ept_violation_at_level(level, EPT_PRESENT, 1ul << bit, OP_READ, 2639 EPT_VLT_RD | EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 2640 } 2641 2642 static void ept_reserved_bit(int bit) 2643 { 2644 ept_reserved_bit_at_level(1, bit); 2645 ept_reserved_bit_at_level(2, bit); 2646 ept_reserved_bit_at_level(3, bit); 2647 ept_reserved_bit_at_level(4, bit); 2648 } 2649 2650 #define PAGE_2M_ORDER 9 2651 #define PAGE_1G_ORDER 18 2652 2653 static void *get_1g_page(void) 2654 { 2655 static void *alloc; 2656 2657 if (!alloc) 2658 alloc = alloc_pages(PAGE_1G_ORDER); 2659 return alloc; 2660 } 2661 2662 static void ept_access_test_teardown(void *unused) 2663 { 2664 /* Exit the guest cleanly.
*/ 2665 do_ept_access_op(OP_EXIT); 2666 } 2667 2668 static void ept_access_test_guest(void) 2669 { 2670 struct ept_access_test_data *data = &ept_access_test_data; 2671 int (*code)(void) = (int (*)(void)) &data->gva[1]; 2672 2673 while (true) { 2674 switch (data->op) { 2675 case OP_READ: 2676 TEST_ASSERT_EQ(*data->gva, MAGIC_VAL_1); 2677 break; 2678 case OP_WRITE: 2679 *data->gva = MAGIC_VAL_2; 2680 TEST_ASSERT_EQ(*data->gva, MAGIC_VAL_2); 2681 *data->gva = MAGIC_VAL_1; 2682 break; 2683 case OP_EXEC: 2684 TEST_ASSERT_EQ(42, code()); 2685 break; 2686 case OP_FLUSH_TLB: 2687 write_cr3(read_cr3()); 2688 break; 2689 case OP_EXIT: 2690 return; 2691 default: 2692 TEST_ASSERT_MSG(false, "Unknown op %d", data->op); 2693 } 2694 vmcall(); 2695 } 2696 } 2697 2698 static void ept_access_test_setup(void) 2699 { 2700 struct ept_access_test_data *data = &ept_access_test_data; 2701 unsigned long npages = 1ul << PAGE_1G_ORDER; 2702 unsigned long size = npages * PAGE_SIZE; 2703 unsigned long *page_table = current_page_table(); 2704 unsigned long pte; 2705 2706 if (setup_ept(false)) 2707 test_skip("EPT not supported"); 2708 2709 /* We use data->gpa = 1 << 39 so that test data has a separate pml4 entry */ 2710 if (cpuid_maxphyaddr() < 40) 2711 test_skip("Test needs MAXPHYADDR >= 40"); 2712 2713 test_set_guest(ept_access_test_guest); 2714 test_add_teardown(ept_access_test_teardown, NULL); 2715 2716 data->hva = get_1g_page(); 2717 TEST_ASSERT(data->hva); 2718 data->hpa = virt_to_phys(data->hva); 2719 2720 data->gpa = 1ul << 39; 2721 data->gva = (void *) ALIGN((unsigned long) alloc_vpages(npages * 2), 2722 size); 2723 TEST_ASSERT(!any_present_pages(page_table, data->gva, size)); 2724 install_pages(page_table, data->gpa, size, data->gva); 2725 2726 /* 2727 * Make sure nothing's mapped here so the tests that screw with the 2728 * pml4 entry don't inadvertently break something. 
2729 */ 2730 TEST_ASSERT(get_ept_pte(pml4, data->gpa, 4, &pte) && pte == 0); 2731 TEST_ASSERT(get_ept_pte(pml4, data->gpa + size - 1, 4, &pte) && pte == 0); 2732 install_ept(pml4, data->hpa, data->gpa, EPT_PRESENT); 2733 2734 data->hva[0] = MAGIC_VAL_1; 2735 memcpy(&data->hva[1], &ret42_start, &ret42_end - &ret42_start); 2736 } 2737 2738 static void ept_access_test_not_present(void) 2739 { 2740 ept_access_test_setup(); 2741 /* --- */ 2742 ept_access_violation(0, OP_READ, EPT_VLT_RD); 2743 ept_access_violation(0, OP_WRITE, EPT_VLT_WR); 2744 ept_access_violation(0, OP_EXEC, EPT_VLT_FETCH); 2745 } 2746 2747 static void ept_access_test_read_only(void) 2748 { 2749 ept_access_test_setup(); 2750 2751 /* r-- */ 2752 ept_access_allowed(EPT_RA, OP_READ); 2753 ept_access_violation(EPT_RA, OP_WRITE, EPT_VLT_WR | EPT_VLT_PERM_RD); 2754 ept_access_violation(EPT_RA, OP_EXEC, EPT_VLT_FETCH | EPT_VLT_PERM_RD); 2755 } 2756 2757 static void ept_access_test_write_only(void) 2758 { 2759 ept_access_test_setup(); 2760 /* -w- */ 2761 ept_access_misconfig(EPT_WA); 2762 } 2763 2764 static void ept_access_test_read_write(void) 2765 { 2766 ept_access_test_setup(); 2767 /* rw- */ 2768 ept_access_allowed(EPT_RA | EPT_WA, OP_READ); 2769 ept_access_allowed(EPT_RA | EPT_WA, OP_WRITE); 2770 ept_access_violation(EPT_RA | EPT_WA, OP_EXEC, 2771 EPT_VLT_FETCH | EPT_VLT_PERM_RD | EPT_VLT_PERM_WR); 2772 } 2773 2774 2775 static void ept_access_test_execute_only(void) 2776 { 2777 ept_access_test_setup(); 2778 /* --x */ 2779 if (ept_execute_only_supported()) { 2780 ept_access_violation(EPT_EA, OP_READ, 2781 EPT_VLT_RD | EPT_VLT_PERM_EX); 2782 ept_access_violation(EPT_EA, OP_WRITE, 2783 EPT_VLT_WR | EPT_VLT_PERM_EX); 2784 ept_access_allowed(EPT_EA, OP_EXEC); 2785 } else { 2786 ept_access_misconfig(EPT_EA); 2787 } 2788 } 2789 2790 static void ept_access_test_read_execute(void) 2791 { 2792 ept_access_test_setup(); 2793 /* r-x */ 2794 ept_access_allowed(EPT_RA | EPT_EA, OP_READ); 2795 ept_access_violation(EPT_RA | EPT_EA, OP_WRITE, 2796 EPT_VLT_WR | EPT_VLT_PERM_RD | EPT_VLT_PERM_EX); 2797 ept_access_allowed(EPT_RA | EPT_EA, OP_EXEC); 2798 } 2799 2800 static void ept_access_test_write_execute(void) 2801 { 2802 ept_access_test_setup(); 2803 /* -wx */ 2804 ept_access_misconfig(EPT_WA | EPT_EA); 2805 } 2806 2807 static void ept_access_test_read_write_execute(void) 2808 { 2809 ept_access_test_setup(); 2810 /* rwx */ 2811 ept_access_allowed(EPT_RA | EPT_WA | EPT_EA, OP_READ); 2812 ept_access_allowed(EPT_RA | EPT_WA | EPT_EA, OP_WRITE); 2813 ept_access_allowed(EPT_RA | EPT_WA | EPT_EA, OP_EXEC); 2814 } 2815 2816 static void ept_access_test_reserved_bits(void) 2817 { 2818 int i; 2819 int maxphyaddr; 2820 2821 ept_access_test_setup(); 2822 2823 /* Reserved bits above maxphyaddr. */ 2824 maxphyaddr = cpuid_maxphyaddr(); 2825 for (i = maxphyaddr; i <= 51; i++) { 2826 report_prefix_pushf("reserved_bit=%d", i); 2827 ept_reserved_bit(i); 2828 report_prefix_pop(); 2829 } 2830 2831 /* Level-specific reserved bits. */ 2832 ept_reserved_bit_at_level_nohuge(2, 3); 2833 ept_reserved_bit_at_level_nohuge(2, 4); 2834 ept_reserved_bit_at_level_nohuge(2, 5); 2835 ept_reserved_bit_at_level_nohuge(2, 6); 2836 /* 2M alignment. 
*/ 2837 for (i = 12; i < 20; i++) { 2838 report_prefix_pushf("reserved_bit=%d", i); 2839 ept_reserved_bit_at_level_huge(2, i); 2840 report_prefix_pop(); 2841 } 2842 ept_reserved_bit_at_level_nohuge(3, 3); 2843 ept_reserved_bit_at_level_nohuge(3, 4); 2844 ept_reserved_bit_at_level_nohuge(3, 5); 2845 ept_reserved_bit_at_level_nohuge(3, 6); 2846 /* 1G alignment. */ 2847 for (i = 12; i < 29; i++) { 2848 report_prefix_pushf("reserved_bit=%d", i); 2849 ept_reserved_bit_at_level_huge(3, i); 2850 report_prefix_pop(); 2851 } 2852 ept_reserved_bit_at_level(4, 3); 2853 ept_reserved_bit_at_level(4, 4); 2854 ept_reserved_bit_at_level(4, 5); 2855 ept_reserved_bit_at_level(4, 6); 2856 ept_reserved_bit_at_level(4, 7); 2857 } 2858 2859 static void ept_access_test_ignored_bits(void) 2860 { 2861 ept_access_test_setup(); 2862 /* 2863 * Bits ignored at every level. Bits 8 and 9 (A and D) are ignored as 2864 * far as translation is concerned even if AD bits are enabled in the 2865 * EPTP. Bit 63 is ignored because "EPT-violation #VE" VM-execution 2866 * control is 0. 2867 */ 2868 ept_ignored_bit(8); 2869 ept_ignored_bit(9); 2870 ept_ignored_bit(10); 2871 ept_ignored_bit(11); 2872 ept_ignored_bit(52); 2873 ept_ignored_bit(53); 2874 ept_ignored_bit(54); 2875 ept_ignored_bit(55); 2876 ept_ignored_bit(56); 2877 ept_ignored_bit(57); 2878 ept_ignored_bit(58); 2879 ept_ignored_bit(59); 2880 ept_ignored_bit(60); 2881 ept_ignored_bit(61); 2882 ept_ignored_bit(62); 2883 ept_ignored_bit(63); 2884 } 2885 2886 static void ept_access_test_paddr_not_present_ad_disabled(void) 2887 { 2888 ept_access_test_setup(); 2889 ept_disable_ad_bits(); 2890 2891 ept_access_violation_paddr(0, PT_AD_MASK, OP_READ, EPT_VLT_RD); 2892 ept_access_violation_paddr(0, PT_AD_MASK, OP_WRITE, EPT_VLT_RD); 2893 ept_access_violation_paddr(0, PT_AD_MASK, OP_EXEC, EPT_VLT_RD); 2894 } 2895 2896 static void ept_access_test_paddr_not_present_ad_enabled(void) 2897 { 2898 u64 qual = EPT_VLT_RD | EPT_VLT_WR; 2899 2900 ept_access_test_setup(); 2901 ept_enable_ad_bits_or_skip_test(); 2902 2903 ept_access_violation_paddr(0, PT_AD_MASK, OP_READ, qual); 2904 ept_access_violation_paddr(0, PT_AD_MASK, OP_WRITE, qual); 2905 ept_access_violation_paddr(0, PT_AD_MASK, OP_EXEC, qual); 2906 } 2907 2908 static void ept_access_test_paddr_read_only_ad_disabled(void) 2909 { 2910 /* 2911 * When EPT AD bits are disabled, all accesses to guest paging 2912 * structures are reported separately as a read and (after 2913 * translation of the GPA to host physical address) a read+write 2914 * if the A/D bits have to be set. 2915 */ 2916 u64 qual = EPT_VLT_WR | EPT_VLT_RD | EPT_VLT_PERM_RD; 2917 2918 ept_access_test_setup(); 2919 ept_disable_ad_bits(); 2920 2921 /* Can't update A bit, so all accesses fail. */ 2922 ept_access_violation_paddr(EPT_RA, 0, OP_READ, qual); 2923 ept_access_violation_paddr(EPT_RA, 0, OP_WRITE, qual); 2924 ept_access_violation_paddr(EPT_RA, 0, OP_EXEC, qual); 2925 /* AD bits disabled, so only writes try to update the D bit. */ 2926 ept_access_allowed_paddr(EPT_RA, PT_ACCESSED_MASK, OP_READ); 2927 ept_access_violation_paddr(EPT_RA, PT_ACCESSED_MASK, OP_WRITE, qual); 2928 ept_access_allowed_paddr(EPT_RA, PT_ACCESSED_MASK, OP_EXEC); 2929 /* Both A and D already set, so read-only is OK. 
*/ 2930 ept_access_allowed_paddr(EPT_RA, PT_AD_MASK, OP_READ); 2931 ept_access_allowed_paddr(EPT_RA, PT_AD_MASK, OP_WRITE); 2932 ept_access_allowed_paddr(EPT_RA, PT_AD_MASK, OP_EXEC); 2933 } 2934 2935 static void ept_access_test_paddr_read_only_ad_enabled(void) 2936 { 2937 /* 2938 * When EPT AD bits are enabled, all accesses to guest paging 2939 * structures are considered writes as far as EPT translation 2940 * is concerned. 2941 */ 2942 u64 qual = EPT_VLT_WR | EPT_VLT_RD | EPT_VLT_PERM_RD; 2943 2944 ept_access_test_setup(); 2945 ept_enable_ad_bits_or_skip_test(); 2946 2947 ept_access_violation_paddr(EPT_RA, 0, OP_READ, qual); 2948 ept_access_violation_paddr(EPT_RA, 0, OP_WRITE, qual); 2949 ept_access_violation_paddr(EPT_RA, 0, OP_EXEC, qual); 2950 ept_access_violation_paddr(EPT_RA, PT_ACCESSED_MASK, OP_READ, qual); 2951 ept_access_violation_paddr(EPT_RA, PT_ACCESSED_MASK, OP_WRITE, qual); 2952 ept_access_violation_paddr(EPT_RA, PT_ACCESSED_MASK, OP_EXEC, qual); 2953 ept_access_violation_paddr(EPT_RA, PT_AD_MASK, OP_READ, qual); 2954 ept_access_violation_paddr(EPT_RA, PT_AD_MASK, OP_WRITE, qual); 2955 ept_access_violation_paddr(EPT_RA, PT_AD_MASK, OP_EXEC, qual); 2956 } 2957 2958 static void ept_access_test_paddr_read_write(void) 2959 { 2960 ept_access_test_setup(); 2961 /* Read-write access to paging structure. */ 2962 ept_access_allowed_paddr(EPT_RA | EPT_WA, 0, OP_READ); 2963 ept_access_allowed_paddr(EPT_RA | EPT_WA, 0, OP_WRITE); 2964 ept_access_allowed_paddr(EPT_RA | EPT_WA, 0, OP_EXEC); 2965 } 2966 2967 static void ept_access_test_paddr_read_write_execute(void) 2968 { 2969 ept_access_test_setup(); 2970 /* RWX access to paging structure. */ 2971 ept_access_allowed_paddr(EPT_PRESENT, 0, OP_READ); 2972 ept_access_allowed_paddr(EPT_PRESENT, 0, OP_WRITE); 2973 ept_access_allowed_paddr(EPT_PRESENT, 0, OP_EXEC); 2974 } 2975 2976 static void ept_access_test_paddr_read_execute_ad_disabled(void) 2977 { 2978 /* 2979 * When EPT AD bits are disabled, all accesses to guest paging 2980 * structures are reported separately as a read and (after 2981 * translation of the GPA to host physical address) a read+write 2982 * if the A/D bits have to be set. 2983 */ 2984 u64 qual = EPT_VLT_WR | EPT_VLT_RD | EPT_VLT_PERM_RD | EPT_VLT_PERM_EX; 2985 2986 ept_access_test_setup(); 2987 ept_disable_ad_bits(); 2988 2989 /* Can't update A bit, so all accesses fail. */ 2990 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_READ, qual); 2991 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_WRITE, qual); 2992 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_EXEC, qual); 2993 /* AD bits disabled, so only writes try to update the D bit. */ 2994 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_READ); 2995 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_WRITE, qual); 2996 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_EXEC); 2997 /* Both A and D already set, so read-only is OK. */ 2998 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_READ); 2999 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_WRITE); 3000 ept_access_allowed_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_EXEC); 3001 } 3002 3003 static void ept_access_test_paddr_read_execute_ad_enabled(void) 3004 { 3005 /* 3006 * When EPT AD bits are enabled, all accesses to guest paging 3007 * structures are considered writes as far as EPT translation 3008 * is concerned. 
3009 */ 3010 u64 qual = EPT_VLT_WR | EPT_VLT_RD | EPT_VLT_PERM_RD | EPT_VLT_PERM_EX; 3011 3012 ept_access_test_setup(); 3013 ept_enable_ad_bits_or_skip_test(); 3014 3015 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_READ, qual); 3016 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_WRITE, qual); 3017 ept_access_violation_paddr(EPT_RA | EPT_EA, 0, OP_EXEC, qual); 3018 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_READ, qual); 3019 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_WRITE, qual); 3020 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_ACCESSED_MASK, OP_EXEC, qual); 3021 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_READ, qual); 3022 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_WRITE, qual); 3023 ept_access_violation_paddr(EPT_RA | EPT_EA, PT_AD_MASK, OP_EXEC, qual); 3024 } 3025 3026 static void ept_access_test_paddr_not_present_page_fault(void) 3027 { 3028 ept_access_test_setup(); 3029 /* 3030 * TODO: test that no EPT violation occurs as long as a guest #PF occurs, 3031 * e.g., the GPA's page is read-only in EPT but the GVA is also mapped 3032 * read-only in the guest PT. Then the guest page faults before the host 3033 * takes an EPT violation for trying to update the A bit. 3034 */ 3035 } 3036 3037 static void ept_access_test_force_2m_page(void) 3038 { 3039 ept_access_test_setup(); 3040 3041 TEST_ASSERT_EQ(ept_2m_supported(), true); 3042 ept_allowed_at_level_mkhuge(true, 2, 0, 0, OP_READ); 3043 ept_violation_at_level_mkhuge(true, 2, EPT_PRESENT, EPT_RA, OP_WRITE, 3044 EPT_VLT_WR | EPT_VLT_PERM_RD | 3045 EPT_VLT_LADDR_VLD | EPT_VLT_PADDR); 3046 ept_misconfig_at_level_mkhuge(true, 2, EPT_PRESENT, EPT_WA); 3047 } 3048 3049 static bool invvpid_valid(u64 type, u64 vpid, u64 gla) 3050 { 3051 u64 msr = rdmsr(MSR_IA32_VMX_EPT_VPID_CAP); 3052 3053 TEST_ASSERT(msr & VPID_CAP_INVVPID); 3054 3055 if (type < INVVPID_ADDR || type > INVVPID_CONTEXT_LOCAL) 3056 return false; 3057 3058 if (!(msr & (1ull << (type + VPID_CAP_INVVPID_TYPES_SHIFT)))) 3059 return false; 3060 3061 if (vpid >> 16) 3062 return false; 3063 3064 if (type != INVVPID_ALL && !vpid) 3065 return false; 3066 3067 if (type == INVVPID_ADDR && !is_canonical(gla)) 3068 return false; 3069 3070 return true; 3071 } 3072 3073 static void try_invvpid(u64 type, u64 vpid, u64 gla) 3074 { 3075 int rc; 3076 bool valid = invvpid_valid(type, vpid, gla); 3077 u64 expected = valid ? VMXERR_UNSUPPORTED_VMCS_COMPONENT 3078 : VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID; 3079 /* 3080 * Set VMX_INST_ERROR to VMXERR_UNSUPPORTED_VMCS_COMPONENT, so 3081 * that we can tell if it is updated by INVVPID. 3082 */ 3083 vmcs_read(~0); 3084 rc = invvpid(type, vpid, gla); 3085 report("INVVPID type %ld VPID %lx GLA %lx %s", 3086 !rc == valid, type, vpid, gla, 3087 valid ? "passes" : "fails"); 3088 report("After %s INVVPID, VMX_INST_ERR is %ld (actual %ld)", 3089 vmcs_read(VMX_INST_ERROR) == expected, 3090 rc ? "failed" : "successful", 3091 expected, vmcs_read(VMX_INST_ERROR)); 3092 } 3093 3094 static void ds_invvpid(void *data) 3095 { 3096 u64 msr = rdmsr(MSR_IA32_VMX_EPT_VPID_CAP); 3097 u64 type = ffs(msr >> VPID_CAP_INVVPID_TYPES_SHIFT) - 1; 3098 3099 TEST_ASSERT(type >= INVVPID_ADDR && type <= INVVPID_CONTEXT_LOCAL); 3100 asm volatile("invvpid %0, %1" 3101 : 3102 : "m"(*(struct invvpid_operand *)data), 3103 "r"(type)); 3104 } 3105 3106 /* 3107 * The SS override is ignored in 64-bit mode, so we use an addressing 3108 * mode with %rsp as the base register to generate an implicit SS 3109 * reference.
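 * Subtracting %rsp from the operand pointer and then addressing (%rsp,%reg,1) keeps the effective address equal to the original operand while the %rsp base makes the access an SS-relative reference.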
3110 */ 3111 static void ss_invvpid(void *data) 3112 { 3113 u64 msr = rdmsr(MSR_IA32_VMX_EPT_VPID_CAP); 3114 u64 type = ffs(msr >> VPID_CAP_INVVPID_TYPES_SHIFT) - 1; 3115 3116 TEST_ASSERT(type >= INVVPID_ADDR && type <= INVVPID_CONTEXT_LOCAL); 3117 asm volatile("sub %%rsp,%0; invvpid (%%rsp,%0,1), %1" 3118 : "+r"(data) 3119 : "r"(type)); 3120 } 3121 3122 static void invvpid_test_gp(void) 3123 { 3124 bool fault; 3125 3126 fault = test_for_exception(GP_VECTOR, &ds_invvpid, 3127 (void *)NONCANONICAL); 3128 report("INVVPID with non-canonical DS operand raises #GP", fault); 3129 } 3130 3131 static void invvpid_test_ss(void) 3132 { 3133 bool fault; 3134 3135 fault = test_for_exception(SS_VECTOR, &ss_invvpid, 3136 (void *)NONCANONICAL); 3137 report("INVVPID with non-canonical SS operand raises #SS", fault); 3138 } 3139 3140 static void invvpid_test_pf(void) 3141 { 3142 void *vpage = alloc_vpage(); 3143 bool fault; 3144 3145 fault = test_for_exception(PF_VECTOR, &ds_invvpid, vpage); 3146 report("INVVPID with unmapped operand raises #PF", fault); 3147 } 3148 3149 static void try_compat_invvpid(void *unused) 3150 { 3151 struct far_pointer32 fp = { 3152 .offset = (uintptr_t)&&invvpid, 3153 .selector = KERNEL_CS32, 3154 }; 3155 register uintptr_t rsp asm("rsp"); 3156 3157 TEST_ASSERT_MSG(fp.offset == (uintptr_t)&&invvpid, 3158 "Code address too high."); 3159 TEST_ASSERT_MSG(rsp == (u32)rsp, "Stack address too high."); 3160 3161 asm goto ("lcall *%0" : : "m" (fp) : "rax" : invvpid); 3162 return; 3163 invvpid: 3164 asm volatile (".code32;" 3165 "invvpid (%eax), %eax;" 3166 "lret;" 3167 ".code64"); 3168 __builtin_unreachable(); 3169 } 3170 3171 static void invvpid_test_compatibility_mode(void) 3172 { 3173 bool fault; 3174 3175 fault = test_for_exception(UD_VECTOR, &try_compat_invvpid, NULL); 3176 report("Compatibility mode INVVPID raises #UD", fault); 3177 } 3178 3179 static void invvpid_test_not_in_vmx_operation(void) 3180 { 3181 bool fault; 3182 3183 TEST_ASSERT(!vmx_off()); 3184 fault = test_for_exception(UD_VECTOR, &ds_invvpid, NULL); 3185 report("INVVPID outside of VMX operation raises #UD", fault); 3186 TEST_ASSERT(!vmx_on()); 3187 } 3188 3189 /* 3190 * This does not test real-address mode, virtual-8086 mode, protected mode, 3191 * or CPL > 0. 3192 */ 3193 static void invvpid_test_v2(void) 3194 { 3195 u64 msr; 3196 int i; 3197 unsigned types = 0; 3198 unsigned type; 3199 3200 if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY) || 3201 !(ctrl_cpu_rev[1].clr & CPU_VPID)) 3202 test_skip("VPID not supported"); 3203 3204 msr = rdmsr(MSR_IA32_VMX_EPT_VPID_CAP); 3205 3206 if (!(msr & VPID_CAP_INVVPID)) 3207 test_skip("INVVPID not supported.\n"); 3208 3209 if (msr & VPID_CAP_INVVPID_ADDR) 3210 types |= 1u << INVVPID_ADDR; 3211 if (msr & VPID_CAP_INVVPID_CXTGLB) 3212 types |= 1u << INVVPID_CONTEXT_GLOBAL; 3213 if (msr & VPID_CAP_INVVPID_ALL) 3214 types |= 1u << INVVPID_ALL; 3215 if (msr & VPID_CAP_INVVPID_CXTLOC) 3216 types |= 1u << INVVPID_CONTEXT_LOCAL; 3217 3218 if (!types) 3219 test_skip("No INVVPID types supported.\n"); 3220 3221 for (i = -127; i < 128; i++) 3222 try_invvpid(i, 0xffff, 0); 3223 3224 /* 3225 * VPID must not be more than 16 bits. 3226 */ 3227 for (i = 0; i < 64; i++) 3228 for (type = 0; type < 4; type++) 3229 if (types & (1u << type)) 3230 try_invvpid(type, 1ul << i, 0); 3231 3232 /* 3233 * VPID must not be zero, except for "all contexts." 
3234 */ 3235 for (type = 0; type < 4; type++) 3236 if (types & (1u << type)) 3237 try_invvpid(type, 0, 0); 3238 3239 /* 3240 * The gla operand is only validated for single-address INVVPID. 3241 */ 3242 if (types & (1u << INVVPID_ADDR)) 3243 try_invvpid(INVVPID_ADDR, 0xffff, NONCANONICAL); 3244 3245 invvpid_test_gp(); 3246 invvpid_test_ss(); 3247 invvpid_test_pf(); 3248 invvpid_test_compatibility_mode(); 3249 invvpid_test_not_in_vmx_operation(); 3250 } 3251 3252 /* 3253 * Test for early VMLAUNCH failure. Returns true if VMLAUNCH makes it 3254 * at least as far as the guest-state checks. Returns false if the 3255 * VMLAUNCH fails early and execution falls through to the next 3256 * instruction. 3257 */ 3258 static bool vmlaunch_succeeds(void) 3259 { 3260 /* 3261 * Indirectly set VMX_INST_ERR to 12 ("VMREAD/VMWRITE from/to 3262 * unsupported VMCS component"). The caller can then check 3263 * to see if a failed VM-entry sets VMX_INST_ERR as expected. 3264 */ 3265 vmcs_write(~0u, 0); 3266 3267 vmcs_write(HOST_RIP, (uintptr_t)&&success); 3268 __asm__ __volatile__ goto ("vmwrite %%rsp, %0; vmlaunch" 3269 : 3270 : "r" ((u64)HOST_RSP) 3271 : "cc", "memory" 3272 : success); 3273 return false; 3274 success: 3275 TEST_ASSERT(vmcs_read(EXI_REASON) == 3276 (VMX_FAIL_STATE | VMX_ENTRY_FAILURE)); 3277 return true; 3278 } 3279 3280 /* 3281 * Try to launch the current VMCS. 3282 */ 3283 static void test_vmx_controls(bool controls_valid, bool xfail) 3284 { 3285 bool success = vmlaunch_succeeds(); 3286 u32 vmx_inst_err; 3287 3288 report_xfail("vmlaunch %s", xfail, success == controls_valid, 3289 controls_valid ? "succeeds" : "fails"); 3290 if (!success) { 3291 vmx_inst_err = vmcs_read(VMX_INST_ERROR); 3292 report("VMX inst error is %d (actual %d)", 3293 vmx_inst_err == VMXERR_ENTRY_INVALID_CONTROL_FIELD, 3294 VMXERR_ENTRY_INVALID_CONTROL_FIELD, vmx_inst_err); 3295 } 3296 } 3297 3298 /* 3299 * Test a particular value of a VM-execution control bit, if the value 3300 * is required or if the value is zero. 3301 */ 3302 static void test_rsvd_ctl_bit_value(const char *name, union vmx_ctrl_msr msr, 3303 enum Encoding encoding, unsigned bit, 3304 unsigned val) 3305 { 3306 u32 mask = 1u << bit; 3307 bool expected; 3308 u32 controls; 3309 3310 if (msr.set & mask) 3311 TEST_ASSERT(msr.clr & mask); 3312 3313 /* 3314 * We can't arbitrarily turn on a control bit, because it may 3315 * introduce dependencies on other VMCS fields. So, we only 3316 * test turning on bits that have a required setting. 3317 */ 3318 if (val && (msr.clr & mask) && !(msr.set & mask)) 3319 return; 3320 3321 report_prefix_pushf("%s %s bit %d", 3322 val ? "Set" : "Clear", name, bit); 3323 3324 controls = vmcs_read(encoding); 3325 if (val) { 3326 vmcs_write(encoding, msr.set | mask); 3327 expected = (msr.clr & mask); 3328 } else { 3329 vmcs_write(encoding, msr.set & ~mask); 3330 expected = !(msr.set & mask); 3331 } 3332 test_vmx_controls(expected, false); 3333 vmcs_write(encoding, controls); 3334 report_prefix_pop(); 3335 } 3336 3337 /* 3338 * Test reserved values of a VM-execution control bit, based on the 3339 * allowed bit settings from the corresponding VMX capability MSR. 3340 */ 3341 static void test_rsvd_ctl_bit(const char *name, union vmx_ctrl_msr msr, 3342 enum Encoding encoding, unsigned bit) 3343 { 3344 test_rsvd_ctl_bit_value(name, msr, encoding, bit, 0); 3345 test_rsvd_ctl_bit_value(name, msr, encoding, bit, 1); 3346 } 3347 3348 /* 3349 * Reserved bits in the pin-based VM-execution controls must be set 3350 * properly. 
Software may consult the VMX capability MSRs to determine 3351 * the proper settings. 3352 * [Intel SDM] 3353 */ 3354 static void test_pin_based_ctls(void) 3355 { 3356 unsigned bit; 3357 3358 printf("%s: %lx\n", basic.ctrl ? "MSR_IA32_VMX_TRUE_PIN" : 3359 "MSR_IA32_VMX_PINBASED_CTLS", ctrl_pin_rev.val); 3360 for (bit = 0; bit < 32; bit++) 3361 test_rsvd_ctl_bit("pin-based controls", 3362 ctrl_pin_rev, PIN_CONTROLS, bit); 3363 } 3364 3365 /* 3366 * Reserved bits in the primary processor-based VM-execution controls 3367 * must be set properly. Software may consult the VMX capability MSRs 3368 * to determine the proper settings. 3369 * [Intel SDM] 3370 */ 3371 static void test_primary_processor_based_ctls(void) 3372 { 3373 unsigned bit; 3374 3375 printf("\n%s: %lx\n", basic.ctrl ? "MSR_IA32_VMX_TRUE_PROC" : 3376 "MSR_IA32_VMX_PROCBASED_CTLS", ctrl_cpu_rev[0].val); 3377 for (bit = 0; bit < 32; bit++) 3378 test_rsvd_ctl_bit("primary processor-based controls", 3379 ctrl_cpu_rev[0], CPU_EXEC_CTRL0, bit); 3380 } 3381 3382 /* 3383 * If the "activate secondary controls" primary processor-based 3384 * VM-execution control is 1, reserved bits in the secondary 3385 * processor-based VM-execution controls must be cleared. Software may 3386 * consult the VMX capability MSRs to determine which bits are 3387 * reserved. 3388 * If the "activate secondary controls" primary processor-based 3389 * VM-execution control is 0 (or if the processor does not support the 3390 * 1-setting of that control), no checks are performed on the 3391 * secondary processor-based VM-execution controls. 3392 * [Intel SDM] 3393 */ 3394 static void test_secondary_processor_based_ctls(void) 3395 { 3396 u32 primary; 3397 u32 secondary; 3398 unsigned bit; 3399 3400 if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY)) 3401 return; 3402 3403 primary = vmcs_read(CPU_EXEC_CTRL0); 3404 secondary = vmcs_read(CPU_EXEC_CTRL1); 3405 3406 vmcs_write(CPU_EXEC_CTRL0, primary | CPU_SECONDARY); 3407 printf("\nMSR_IA32_VMX_PROCBASED_CTLS2: %lx\n", ctrl_cpu_rev[1].val); 3408 for (bit = 0; bit < 32; bit++) 3409 test_rsvd_ctl_bit("secondary processor-based controls", 3410 ctrl_cpu_rev[1], CPU_EXEC_CTRL1, bit); 3411 3412 /* 3413 * When the "activate secondary controls" VM-execution control 3414 * is clear, there are no checks on the secondary controls. 3415 */ 3416 vmcs_write(CPU_EXEC_CTRL0, primary & ~CPU_SECONDARY); 3417 vmcs_write(CPU_EXEC_CTRL1, ~0); 3418 report("Secondary processor-based controls ignored", 3419 vmlaunch_succeeds()); 3420 vmcs_write(CPU_EXEC_CTRL1, secondary); 3421 vmcs_write(CPU_EXEC_CTRL0, primary); 3422 } 3423 3424 static void try_cr3_target_count(unsigned i, unsigned max) 3425 { 3426 report_prefix_pushf("CR3 target count 0x%x", i); 3427 vmcs_write(CR3_TARGET_COUNT, i); 3428 test_vmx_controls(i <= max, false); 3429 report_prefix_pop(); 3430 } 3431 3432 /* 3433 * The CR3-target count must not be greater than 4. Future processors 3434 * may support a different number of CR3-target values. Software 3435 * should read the VMX capability MSR IA32_VMX_MISC to determine the 3436 * number of values supported. 
3437 * [Intel SDM] 3438 */ 3439 static void test_cr3_targets(void) 3440 { 3441 unsigned supported_targets = (rdmsr(MSR_IA32_VMX_MISC) >> 16) & 0x1ff; 3442 u32 cr3_targets = vmcs_read(CR3_TARGET_COUNT); 3443 unsigned i; 3444 3445 printf("\nSupported CR3 targets: %d\n", supported_targets); 3446 TEST_ASSERT(supported_targets <= 256); 3447 3448 try_cr3_target_count(-1u, supported_targets); 3449 try_cr3_target_count(0x80000000, supported_targets); 3450 try_cr3_target_count(0x7fffffff, supported_targets); 3451 for (i = 0; i <= supported_targets + 1; i++) 3452 try_cr3_target_count(i, supported_targets); 3453 vmcs_write(CR3_TARGET_COUNT, cr3_targets); 3454 } 3455 3456 /* 3457 * Test a particular address setting for a physical page reference in 3458 * the VMCS. 3459 */ 3460 static void test_vmcs_page_addr(const char *name, 3461 enum Encoding encoding, 3462 bool ignored, 3463 bool xfail_beyond_mapped_ram, 3464 u64 addr) 3465 { 3466 bool xfail = 3467 (xfail_beyond_mapped_ram && 3468 addr > fwcfg_get_u64(FW_CFG_RAM_SIZE) - PAGE_SIZE && 3469 addr < (1ul << cpuid_maxphyaddr())); 3470 3471 report_prefix_pushf("%s = %lx", name, addr); 3472 vmcs_write(encoding, addr); 3473 test_vmx_controls(ignored || (IS_ALIGNED(addr, PAGE_SIZE) && 3474 addr < (1ul << cpuid_maxphyaddr())), 3475 xfail); 3476 report_prefix_pop(); 3477 xfail = false; 3478 } 3479 3480 /* 3481 * Test interesting values for a physical page reference in the VMCS. 3482 */ 3483 static void test_vmcs_page_values(const char *name, 3484 enum Encoding encoding, 3485 bool ignored, 3486 bool xfail_beyond_mapped_ram) 3487 { 3488 unsigned i; 3489 u64 orig_val = vmcs_read(encoding); 3490 3491 for (i = 0; i < 64; i++) 3492 test_vmcs_page_addr(name, encoding, ignored, 3493 xfail_beyond_mapped_ram, 1ul << i); 3494 3495 test_vmcs_page_addr(name, encoding, ignored, 3496 xfail_beyond_mapped_ram, PAGE_SIZE - 1); 3497 test_vmcs_page_addr(name, encoding, ignored, 3498 xfail_beyond_mapped_ram, PAGE_SIZE); 3499 test_vmcs_page_addr(name, encoding, ignored, 3500 xfail_beyond_mapped_ram, 3501 (1ul << cpuid_maxphyaddr()) - PAGE_SIZE); 3502 test_vmcs_page_addr(name, encoding, ignored, 3503 xfail_beyond_mapped_ram, 3504 -1ul); 3505 3506 vmcs_write(encoding, orig_val); 3507 } 3508 3509 /* 3510 * Test a physical page reference in the VMCS, when the corresponding 3511 * feature is enabled and when the corresponding feature is disabled. 
3512 */ 3513 static void test_vmcs_page_reference(u32 control_bit, enum Encoding field, 3514 const char *field_name, 3515 const char *control_name, 3516 bool xfail_beyond_mapped_ram, 3517 bool control_primary) 3518 { 3519 u32 primary = vmcs_read(CPU_EXEC_CTRL0); 3520 u32 secondary = vmcs_read(CPU_EXEC_CTRL1); 3521 u64 page_addr; 3522 3523 if (control_primary) { 3524 if (!(ctrl_cpu_rev[0].clr & control_bit)) 3525 return; 3526 } else { 3527 if (!(ctrl_cpu_rev[1].clr & control_bit)) 3528 return; 3529 } 3530 3531 page_addr = vmcs_read(field); 3532 3533 report_prefix_pushf("%s enabled", control_name); 3534 if (control_primary) { 3535 vmcs_write(CPU_EXEC_CTRL0, primary | control_bit); 3536 } else { 3537 vmcs_write(CPU_EXEC_CTRL0, primary | CPU_SECONDARY); 3538 vmcs_write(CPU_EXEC_CTRL1, secondary | control_bit); 3539 } 3540 test_vmcs_page_values(field_name, field, false, xfail_beyond_mapped_ram); 3541 report_prefix_pop(); 3542 3543 report_prefix_pushf("%s disabled", control_name); 3544 if (control_primary) { 3545 vmcs_write(CPU_EXEC_CTRL0, primary & ~control_bit); 3546 } else { 3547 vmcs_write(CPU_EXEC_CTRL0, primary & ~CPU_SECONDARY); 3548 vmcs_write(CPU_EXEC_CTRL1, secondary & ~control_bit); 3549 } 3550 test_vmcs_page_values(field_name, field, true, false); 3551 report_prefix_pop(); 3552 3553 vmcs_write(field, page_addr); 3554 vmcs_write(CPU_EXEC_CTRL0, primary); 3555 } 3556 3557 /* 3558 * If the "use I/O bitmaps" VM-execution control is 1, bits 11:0 of 3559 * each I/O-bitmap address must be 0. Neither address should set any 3560 * bits beyond the processor's physical-address width. 3561 * [Intel SDM] 3562 */ 3563 static void test_io_bitmaps(void) 3564 { 3565 test_vmcs_page_reference(CPU_IO_BITMAP, IO_BITMAP_A, 3566 "I/O bitmap A", "Use I/O bitmaps", false, 3567 true); 3568 test_vmcs_page_reference(CPU_IO_BITMAP, IO_BITMAP_B, 3569 "I/O bitmap B", "Use I/O bitmaps", false, 3570 true); 3571 } 3572 3573 /* 3574 * If the "use MSR bitmaps" VM-execution control is 1, bits 11:0 of 3575 * the MSR-bitmap address must be 0. The address should not set any 3576 * bits beyond the processor's physical-address width. 3577 * [Intel SDM] 3578 */ 3579 static void test_msr_bitmap(void) 3580 { 3581 test_vmcs_page_reference(CPU_MSR_BITMAP, MSR_BITMAP, 3582 "MSR bitmap", "Use MSR bitmaps", false, 3583 true); 3584 } 3585 3586 /* 3587 * If the "use TPR shadow" VM-execution control is 1, the virtual-APIC 3588 * address must satisfy the following checks: 3589 * - Bits 11:0 of the address must be 0. 3590 * - The address should not set any bits beyond the processor's 3591 * physical-address width. 3592 * [Intel SDM] 3593 */ 3594 static void test_apic_virt_addr(void) 3595 { 3596 test_vmcs_page_reference(CPU_TPR_SHADOW, APIC_VIRT_ADDR, 3597 "virtual-APIC address", "Use TPR shadow", 3598 true, true); 3599 } 3600 3601 /* 3602 * If the "virtualize APIC-accesses" VM-execution control is 1, the 3603 * APIC-access address must satisfy the following checks: 3604 * - Bits 11:0 of the address must be 0. 3605 * - The address should not set any bits beyond the processor's 3606 * physical-address width. 
3607 * [Intel SDM] 3608 */ 3609 static void test_apic_access_addr(void) 3610 { 3611 void *apic_access_page = alloc_page(); 3612 3613 vmcs_write(APIC_ACCS_ADDR, virt_to_phys(apic_access_page)); 3614 3615 test_vmcs_page_reference(CPU_VIRT_APIC_ACCESSES, APIC_ACCS_ADDR, 3616 "APIC-access address", 3617 "virtualize APIC-accesses", false, false); 3618 } 3619 3620 static bool set_bit_pattern(u8 mask, u32 *secondary) 3621 { 3622 u8 i; 3623 bool flag = false; 3624 u32 test_bits[3] = { 3625 CPU_VIRT_X2APIC, 3626 CPU_APIC_REG_VIRT, 3627 CPU_VINTD 3628 }; 3629 3630 for (i = 0; i < ARRAY_SIZE(test_bits); i++) { 3631 if ((mask & (1u << i)) && 3632 (ctrl_cpu_rev[1].clr & test_bits[i])) { 3633 *secondary |= test_bits[i]; 3634 flag = true; 3635 } 3636 } 3637 3638 return (flag); 3639 } 3640 3641 /* 3642 * If the "use TPR shadow" VM-execution control is 0, the following 3643 * VM-execution controls must also be 0: 3644 * - virtualize x2APIC mode 3645 * - APIC-register virtualization 3646 * - virtual-interrupt delivery 3647 * [Intel SDM] 3648 * 3649 * 2. If the "virtualize x2APIC mode" VM-execution control is 1, the 3650 * "virtualize APIC accesses" VM-execution control must be 0. 3651 * [Intel SDM] 3652 */ 3653 static void test_apic_virtual_ctls(void) 3654 { 3655 u32 saved_primary = vmcs_read(CPU_EXEC_CTRL0); 3656 u32 saved_secondary = vmcs_read(CPU_EXEC_CTRL1); 3657 u32 primary = saved_primary; 3658 u32 secondary = saved_secondary; 3659 bool ctrl = false; 3660 char str[10] = "disabled"; 3661 u8 i = 0, j; 3662 3663 /* 3664 * First test 3665 */ 3666 if (!((ctrl_cpu_rev[0].clr & (CPU_SECONDARY | CPU_TPR_SHADOW)) == 3667 (CPU_SECONDARY | CPU_TPR_SHADOW))) 3668 return; 3669 3670 primary |= CPU_SECONDARY; 3671 primary &= ~CPU_TPR_SHADOW; 3672 vmcs_write(CPU_EXEC_CTRL0, primary); 3673 3674 while (1) { 3675 for (j = 1; j < 8; j++) { 3676 secondary &= ~(CPU_VIRT_X2APIC | CPU_APIC_REG_VIRT | CPU_VINTD); 3677 if (primary & CPU_TPR_SHADOW) { 3678 ctrl = true; 3679 } else { 3680 if (! set_bit_pattern(j, &secondary)) 3681 ctrl = true; 3682 else 3683 ctrl = false; 3684 } 3685 3686 vmcs_write(CPU_EXEC_CTRL1, secondary); 3687 report_prefix_pushf("Use TPR shadow %s, virtualize x2APIC mode %s, APIC-register virtualization %s, virtual-interrupt delivery %s", 3688 str, (secondary & CPU_VIRT_X2APIC) ? "enabled" : "disabled", (secondary & CPU_APIC_REG_VIRT) ? "enabled" : "disabled", (secondary & CPU_VINTD) ? 
"enabled" : "disabled"); 3689 test_vmx_controls(ctrl, false); 3690 report_prefix_pop(); 3691 } 3692 3693 if (i == 1) 3694 break; 3695 i++; 3696 3697 primary |= CPU_TPR_SHADOW; 3698 vmcs_write(CPU_EXEC_CTRL0, primary); 3699 strcpy(str, "enabled"); 3700 } 3701 3702 /* 3703 * Second test 3704 */ 3705 u32 apic_virt_ctls = (CPU_VIRT_X2APIC | CPU_VIRT_APIC_ACCESSES); 3706 3707 primary = saved_primary; 3708 secondary = saved_secondary; 3709 if (!((ctrl_cpu_rev[1].clr & apic_virt_ctls) == apic_virt_ctls)) 3710 return; 3711 3712 vmcs_write(CPU_EXEC_CTRL0, primary | CPU_SECONDARY); 3713 secondary &= ~CPU_VIRT_APIC_ACCESSES; 3714 vmcs_write(CPU_EXEC_CTRL1, secondary & ~CPU_VIRT_X2APIC); 3715 report_prefix_pushf("Virtualize x2APIC mode disabled; virtualize APIC access disabled"); 3716 test_vmx_controls(true, false); 3717 report_prefix_pop(); 3718 3719 vmcs_write(CPU_EXEC_CTRL1, secondary | CPU_VIRT_APIC_ACCESSES); 3720 report_prefix_pushf("Virtualize x2APIC mode disabled; virtualize APIC access enabled"); 3721 test_vmx_controls(true, false); 3722 report_prefix_pop(); 3723 3724 vmcs_write(CPU_EXEC_CTRL1, secondary | CPU_VIRT_X2APIC); 3725 report_prefix_pushf("Virtualize x2APIC mode enabled; virtualize APIC access enabled"); 3726 test_vmx_controls(false, false); 3727 report_prefix_pop(); 3728 3729 vmcs_write(CPU_EXEC_CTRL1, secondary & ~CPU_VIRT_APIC_ACCESSES); 3730 report_prefix_pushf("Virtualize x2APIC mode enabled; virtualize APIC access disabled"); 3731 test_vmx_controls(true, false); 3732 report_prefix_pop(); 3733 3734 vmcs_write(CPU_EXEC_CTRL0, saved_primary); 3735 vmcs_write(CPU_EXEC_CTRL1, saved_secondary); 3736 } 3737 3738 /* 3739 * If the "virtual-interrupt delivery" VM-execution control is 1, the 3740 * "external-interrupt exiting" VM-execution control must be 1. 
3741 * [Intel SDM] 3742 */ 3743 static void test_virtual_intr_ctls(void) 3744 { 3745 u32 saved_primary = vmcs_read(CPU_EXEC_CTRL0); 3746 u32 saved_secondary = vmcs_read(CPU_EXEC_CTRL1); 3747 u32 saved_pin = vmcs_read(PIN_CONTROLS); 3748 u32 primary = saved_primary; 3749 u32 secondary = saved_secondary; 3750 u32 pin = saved_pin; 3751 3752 if (!((ctrl_cpu_rev[1].clr & CPU_VINTD) && 3753 (ctrl_pin_rev.clr & PIN_EXTINT))) 3754 return; 3755 3756 vmcs_write(CPU_EXEC_CTRL0, primary | CPU_SECONDARY | CPU_TPR_SHADOW); 3757 vmcs_write(CPU_EXEC_CTRL1, secondary & ~CPU_VINTD); 3758 vmcs_write(PIN_CONTROLS, pin & ~PIN_EXTINT); 3759 report_prefix_pushf("Virtualize interrupt-delivery disabled; external-interrupt exiting disabled"); 3760 test_vmx_controls(true, false); 3761 report_prefix_pop(); 3762 3763 vmcs_write(CPU_EXEC_CTRL1, secondary | CPU_VINTD); 3764 report_prefix_pushf("Virtualize interrupt-delivery enabled; external-interrupt exiting disabled"); 3765 test_vmx_controls(false, false); 3766 report_prefix_pop(); 3767 3768 vmcs_write(PIN_CONTROLS, pin | PIN_EXTINT); 3769 report_prefix_pushf("Virtualize interrupt-delivery enabled; external-interrupt exiting enabled"); 3770 test_vmx_controls(true, false); 3771 report_prefix_pop(); 3772 3773 vmcs_write(PIN_CONTROLS, pin & ~PIN_EXTINT); 3774 report_prefix_pushf("Virtualize interrupt-delivery enabled; external-interrupt exiting disabled"); 3775 test_vmx_controls(false, false); 3776 report_prefix_pop(); 3777 3778 vmcs_write(CPU_EXEC_CTRL0, saved_primary); 3779 vmcs_write(CPU_EXEC_CTRL1, saved_secondary); 3780 vmcs_write(PIN_CONTROLS, saved_pin); 3781 } 3782 3783 static void test_pi_desc_addr(u64 addr, bool ctrl) 3784 { 3785 vmcs_write(POSTED_INTR_DESC_ADDR, addr); 3786 report_prefix_pushf("Process-posted-interrupts enabled; posted-interrupt-descriptor-address 0x%lx", addr); 3787 test_vmx_controls(ctrl, false); 3788 report_prefix_pop(); 3789 } 3790 3791 /* 3792 * If the "process posted interrupts" VM-execution control is 1, the 3793 * following must be true: 3794 * 3795 * - The "virtual-interrupt delivery" VM-execution control is 1. 3796 * - The "acknowledge interrupt on exit" VM-exit control is 1. 3797 * - The posted-interrupt notification vector has a value in the 3798 * range 0-255 (bits 15:8 are all 0). 3799 * - Bits 5:0 of the posted-interrupt descriptor address are all 0. 3800 * - The posted-interrupt descriptor address does not set any bits 3801 * beyond the processor's physical-address width.
3802 * [Intel SDM]
3803 */
3804 static void test_posted_intr(void)
3805 {
3806 u32 saved_primary = vmcs_read(CPU_EXEC_CTRL0);
3807 u32 saved_secondary = vmcs_read(CPU_EXEC_CTRL1);
3808 u32 saved_pin = vmcs_read(PIN_CONTROLS);
3809 u32 exit_ctl_saved = vmcs_read(EXI_CONTROLS);
3810 u32 primary = saved_primary;
3811 u32 secondary = saved_secondary;
3812 u32 pin = saved_pin;
3813 u32 exit_ctl = exit_ctl_saved;
3814 u16 vec;
3815 int i;
3816
3817 if (!((ctrl_pin_rev.clr & PIN_POST_INTR) &&
3818 (ctrl_cpu_rev[1].clr & CPU_VINTD) &&
3819 (ctrl_exit_rev.clr & EXI_INTA)))
3820 return;
3821
3822 vmcs_write(CPU_EXEC_CTRL0, primary | CPU_SECONDARY | CPU_TPR_SHADOW);
3823
3824 /*
3825 * Test virtual-interrupt-delivery and acknowledge-interrupt-on-exit
3826 */
3827 pin |= PIN_POST_INTR;
3828 vmcs_write(PIN_CONTROLS, pin);
3829 secondary &= ~CPU_VINTD;
3830 vmcs_write(CPU_EXEC_CTRL1, secondary);
3831 report_prefix_pushf("Process-posted-interrupts enabled; virtual-interrupt-delivery disabled");
3832 test_vmx_controls(false, false);
3833 report_prefix_pop();
3834
3835 secondary |= CPU_VINTD;
3836 vmcs_write(CPU_EXEC_CTRL1, secondary);
3837 report_prefix_pushf("Process-posted-interrupts enabled; virtual-interrupt-delivery enabled");
3838 test_vmx_controls(false, false);
3839 report_prefix_pop();
3840
3841 exit_ctl &= ~EXI_INTA;
3842 vmcs_write(EXI_CONTROLS, exit_ctl);
3843 report_prefix_pushf("Process-posted-interrupts enabled; virtual-interrupt-delivery enabled; acknowledge-interrupt-on-exit disabled");
3844 test_vmx_controls(false, false);
3845 report_prefix_pop();
3846
3847 exit_ctl |= EXI_INTA;
3848 vmcs_write(EXI_CONTROLS, exit_ctl);
3849 report_prefix_pushf("Process-posted-interrupts enabled; virtual-interrupt-delivery enabled; acknowledge-interrupt-on-exit enabled");
3850 test_vmx_controls(true, false);
3851 report_prefix_pop();
3852
3853 secondary &= ~CPU_VINTD;
3854 vmcs_write(CPU_EXEC_CTRL1, secondary);
3855 report_prefix_pushf("Process-posted-interrupts enabled; virtual-interrupt-delivery disabled; acknowledge-interrupt-on-exit enabled");
3856 test_vmx_controls(false, false);
3857 report_prefix_pop();
3858
3859 secondary |= CPU_VINTD;
3860 vmcs_write(CPU_EXEC_CTRL1, secondary);
3861 report_prefix_pushf("Process-posted-interrupts enabled; virtual-interrupt-delivery enabled; acknowledge-interrupt-on-exit enabled");
3862 test_vmx_controls(true, false);
3863 report_prefix_pop();
3864
3865 /*
3866 * Test posted-interrupt notification vector
3867 */
3868 for (i = 0; i < 8; i++) {
3869 vec = (1ul << i);
3870 vmcs_write(PINV, vec);
3871 report_prefix_pushf("Process-posted-interrupts enabled; posted-interrupt-notification-vector %u", vec);
3872 test_vmx_controls(true, false);
3873 report_prefix_pop();
3874 }
3875 for (i = 8; i < 16; i++) {
3876 vec = (1ul << i);
3877 vmcs_write(PINV, vec);
3878 report_prefix_pushf("Process-posted-interrupts enabled; posted-interrupt-notification-vector %u", vec);
3879 test_vmx_controls(false, false);
3880 report_prefix_pop();
3881 }
3882
3883 vec &= ~(0xff << 8);
3884 vmcs_write(PINV, vec);
3885 report_prefix_pushf("Process-posted-interrupts enabled; posted-interrupt-notification-vector %u", vec);
3886 test_vmx_controls(true, false);
3887 report_prefix_pop();
3888
3889 /*
3890 * Test posted-interrupt descriptor address
3891 */
3892 for (i = 0; i < 6; i++) {
3893 test_pi_desc_addr(1ul << i, false);
3894 }
3895
3896 test_pi_desc_addr(0xf0, false);
3897 test_pi_desc_addr(0xff, false);
3898 test_pi_desc_addr(0x0f, false);
3899 test_pi_desc_addr(0x8000, true);
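/*
 * Per the rule quoted above, bits 5:0 of the posted-interrupt descriptor
 * address must be 0, i.e. the descriptor must be 64-byte aligned, so only
 * the 64-byte-aligned addresses in this group are expected to be accepted.
 */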
3900 test_pi_desc_addr(0x00, true);
3901 test_pi_desc_addr(0xc000, true);
3902
3903 test_vmcs_page_values("process-posted interrupts", POSTED_INTR_DESC_ADDR, false, false);
3904
3905 vmcs_write(CPU_EXEC_CTRL0, saved_primary);
3906 vmcs_write(CPU_EXEC_CTRL1, saved_secondary);
3907 vmcs_write(PIN_CONTROLS, saved_pin);
3908 }
3909
3910 static void test_apic_ctls(void)
3911 {
3912 test_apic_virt_addr();
3913 test_apic_access_addr();
3914 test_apic_virtual_ctls();
3915 test_virtual_intr_ctls();
3916 test_posted_intr();
3917 }
3918
3919 /*
3920 * If the "enable VPID" VM-execution control is 1, the value of the
3921 * VPID VM-execution control field must not be 0000H.
3922 * [Intel SDM]
3923 */
3924 static void test_vpid(void)
3925 {
3926 u32 saved_primary = vmcs_read(CPU_EXEC_CTRL0);
3927 u32 saved_secondary = vmcs_read(CPU_EXEC_CTRL1);
3928 u16 vpid = 0x0000;
3929 int i;
3930
3931 if (!((ctrl_cpu_rev[0].clr & CPU_SECONDARY) &&
3932 (ctrl_cpu_rev[1].clr & CPU_VPID))) {
3933 test_skip("Secondary controls and/or VPID not supported");
3934 return;
3935 }
3936
3937 vmcs_write(CPU_EXEC_CTRL0, saved_primary | CPU_SECONDARY);
3938 vmcs_write(CPU_EXEC_CTRL1, saved_secondary & ~CPU_VPID);
3939 vmcs_write(VPID, vpid);
3940 report_prefix_pushf("VPID disabled; VPID value %x", vpid);
3941 test_vmx_controls(true, false);
3942 report_prefix_pop();
3943
3944 vmcs_write(CPU_EXEC_CTRL1, saved_secondary | CPU_VPID);
3945 report_prefix_pushf("VPID enabled; VPID value %x", vpid);
3946 test_vmx_controls(false, false);
3947 report_prefix_pop();
3948
3949 for (i = 0; i < 16; i++) {
3950 vpid = (short)1 << i;
3951 vmcs_write(VPID, vpid);
3952 report_prefix_pushf("VPID enabled; VPID value %x", vpid);
3953 test_vmx_controls(true, false);
3954 report_prefix_pop();
3955 }
3956
3957 vmcs_write(CPU_EXEC_CTRL0, saved_primary);
3958 vmcs_write(CPU_EXEC_CTRL1, saved_secondary);
3959 }
3960
3961 static void set_vtpr(unsigned vtpr)
3962 {
3963 *(u32 *)phys_to_virt(vmcs_read(APIC_VIRT_ADDR) + APIC_TASKPRI) = vtpr;
3964 }
3965
3966 static void try_tpr_threshold_and_vtpr(unsigned threshold, unsigned vtpr)
3967 {
3968 bool valid = true;
3969 u32 primary = vmcs_read(CPU_EXEC_CTRL0);
3970 u32 secondary = vmcs_read(CPU_EXEC_CTRL1);
3971
3972 if ((primary & CPU_TPR_SHADOW) &&
3973 (!(primary & CPU_SECONDARY) ||
3974 !(secondary & (CPU_VINTD | CPU_VIRT_APIC_ACCESSES))))
3975 valid = (threshold & 0xf) <= ((vtpr >> 4) & 0xf);
3976
3977 set_vtpr(vtpr);
3978 report_prefix_pushf("TPR threshold 0x%x, VTPR.class 0x%x",
3979 threshold, (vtpr >> 4) & 0xf);
3980 test_vmx_controls(valid, false);
3981 report_prefix_pop();
3982 }
3983
3984 static void test_invalid_event_injection(void)
3985 {
3986 u32 ent_intr_info_save = vmcs_read(ENT_INTR_INFO);
3987 u32 ent_intr_error_save = vmcs_read(ENT_INTR_ERROR);
3988 u32 ent_inst_len_save = vmcs_read(ENT_INST_LEN);
3989 u32 primary_save = vmcs_read(CPU_EXEC_CTRL0);
3990 u32 secondary_save = vmcs_read(CPU_EXEC_CTRL1);
3991 u64 guest_cr0_save = vmcs_read(GUEST_CR0);
3992 u32 ent_intr_info_base = INTR_INFO_VALID_MASK;
3993 u32 ent_intr_info, ent_intr_err, ent_intr_len;
3994 u32 cnt;
3995
3996 /* Setup */
3997 report_prefix_push("invalid event injection");
3998 vmcs_write(ENT_INTR_ERROR, 0x00000000);
3999 vmcs_write(ENT_INST_LEN, 0x00000001);
4000
4001 /* The field's interruption type is not set to a reserved value.
*/ 4002 ent_intr_info = ent_intr_info_base | INTR_TYPE_RESERVED | DE_VECTOR; 4003 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4004 "RESERVED interruption type invalid [-]", 4005 ent_intr_info); 4006 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4007 test_vmx_controls(false, false); 4008 report_prefix_pop(); 4009 4010 ent_intr_info = ent_intr_info_base | INTR_TYPE_EXT_INTR | 4011 DE_VECTOR; 4012 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4013 "RESERVED interruption type invalid [+]", 4014 ent_intr_info); 4015 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4016 test_vmx_controls(true, false); 4017 report_prefix_pop(); 4018 4019 /* If the interruption type is other event, the vector is 0. */ 4020 ent_intr_info = ent_intr_info_base | INTR_TYPE_OTHER_EVENT | DB_VECTOR; 4021 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4022 "(OTHER EVENT && vector != 0) invalid [-]", 4023 ent_intr_info); 4024 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4025 test_vmx_controls(false, false); 4026 report_prefix_pop(); 4027 4028 /* If the interruption type is NMI, the vector is 2 (negative case). */ 4029 ent_intr_info = ent_intr_info_base | INTR_TYPE_NMI_INTR | DE_VECTOR; 4030 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4031 "(NMI && vector != 2) invalid [-]", ent_intr_info); 4032 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4033 test_vmx_controls(false, false); 4034 report_prefix_pop(); 4035 4036 /* If the interruption type is NMI, the vector is 2 (positive case). */ 4037 ent_intr_info = ent_intr_info_base | INTR_TYPE_NMI_INTR | NMI_VECTOR; 4038 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4039 "(NMI && vector == 2) valid [+]", ent_intr_info); 4040 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4041 test_vmx_controls(true, false); 4042 report_prefix_pop(); 4043 4044 /* 4045 * If the interruption type 4046 * is HW exception, the vector is at most 31. 4047 */ 4048 ent_intr_info = ent_intr_info_base | INTR_TYPE_HARD_EXCEPTION | 0x20; 4049 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4050 "(HW exception && vector > 31) invalid [-]", 4051 ent_intr_info); 4052 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4053 test_vmx_controls(false, false); 4054 report_prefix_pop(); 4055 4056 /* 4057 * deliver-error-code is 1 iff either 4058 * (a) the "unrestricted guest" VM-execution control is 0 4059 * (b) CR0.PE is set. 
4060 */ 4061 ent_intr_info = ent_intr_info_base | INTR_TYPE_HARD_EXCEPTION | 4062 GP_VECTOR; 4063 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4064 "error code <-> (!URG || prot_mode) [-]", 4065 ent_intr_info); 4066 disable_unrestricted_guest(); 4067 vmcs_write(GUEST_CR0, guest_cr0_save & ~X86_CR0_PE & ~X86_CR0_PG); 4068 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4069 test_vmx_controls(false, false); 4070 report_prefix_pop(); 4071 4072 ent_intr_info = ent_intr_info_base | INTR_INFO_DELIVER_CODE_MASK | 4073 INTR_TYPE_HARD_EXCEPTION | GP_VECTOR; 4074 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4075 "error code <-> (!URG || prot_mode) [+]", 4076 ent_intr_info); 4077 disable_unrestricted_guest(); 4078 vmcs_write(GUEST_CR0, guest_cr0_save & ~X86_CR0_PE & ~X86_CR0_PG); 4079 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4080 test_vmx_controls(true, false); 4081 report_prefix_pop(); 4082 4083 ent_intr_info = ent_intr_info_base | INTR_INFO_DELIVER_CODE_MASK | 4084 INTR_TYPE_HARD_EXCEPTION | GP_VECTOR; 4085 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4086 "error code <-> (!URG || prot_mode) [-]", 4087 ent_intr_info); 4088 enable_unrestricted_guest(); 4089 vmcs_write(GUEST_CR0, guest_cr0_save & ~X86_CR0_PE & ~X86_CR0_PG); 4090 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4091 test_vmx_controls(false, false); 4092 report_prefix_pop(); 4093 4094 ent_intr_info = ent_intr_info_base | INTR_TYPE_HARD_EXCEPTION | 4095 GP_VECTOR; 4096 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4097 "error code <-> (!URG || prot_mode) [-]", 4098 ent_intr_info); 4099 vmcs_write(GUEST_CR0, guest_cr0_save | X86_CR0_PE); 4100 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4101 test_vmx_controls(false, false); 4102 report_prefix_pop(); 4103 4104 /* deliver-error-code is 1 iff the interruption type is HW exception */ 4105 report_prefix_push("error code <-> HW exception"); 4106 for (cnt = 0; cnt < 8; cnt++) { 4107 u32 exception_type_mask = cnt << 8; 4108 u32 deliver_error_code_mask = 4109 exception_type_mask != INTR_TYPE_HARD_EXCEPTION ? 4110 INTR_INFO_DELIVER_CODE_MASK : 0; 4111 4112 ent_intr_info = ent_intr_info_base | deliver_error_code_mask | 4113 exception_type_mask | GP_VECTOR; 4114 report_prefix_pushf("VM-entry intr info=0x%x [-]", 4115 ent_intr_info); 4116 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4117 test_vmx_controls(false, false); 4118 report_prefix_pop(); 4119 } 4120 report_prefix_pop(); 4121 4122 /* 4123 * deliver-error-code is 1 iff the the vector 4124 * indicates an exception that would normally deliver an error code 4125 */ 4126 report_prefix_push("error code <-> vector delivers error code"); 4127 for (cnt = 0; cnt < 32; cnt++) { 4128 bool has_error_code = false; 4129 u32 deliver_error_code_mask; 4130 4131 switch (cnt) { 4132 case DF_VECTOR: 4133 case TS_VECTOR: 4134 case NP_VECTOR: 4135 case SS_VECTOR: 4136 case GP_VECTOR: 4137 case PF_VECTOR: 4138 case AC_VECTOR: 4139 has_error_code = true; 4140 } 4141 4142 /* Negative case */ 4143 deliver_error_code_mask = has_error_code ? 4144 0 : 4145 INTR_INFO_DELIVER_CODE_MASK; 4146 ent_intr_info = ent_intr_info_base | deliver_error_code_mask | 4147 INTR_TYPE_HARD_EXCEPTION | cnt; 4148 report_prefix_pushf("VM-entry intr info=0x%x [-]", 4149 ent_intr_info); 4150 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4151 test_vmx_controls(false, false); 4152 report_prefix_pop(); 4153 4154 /* Positive case */ 4155 deliver_error_code_mask = has_error_code ? 
4156 INTR_INFO_DELIVER_CODE_MASK : 4157 0; 4158 ent_intr_info = ent_intr_info_base | deliver_error_code_mask | 4159 INTR_TYPE_HARD_EXCEPTION | cnt; 4160 report_prefix_pushf("VM-entry intr info=0x%x [+]", 4161 ent_intr_info); 4162 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4163 test_vmx_controls(true, false); 4164 report_prefix_pop(); 4165 } 4166 report_prefix_pop(); 4167 4168 /* Reserved bits in the field (30:12) are 0. */ 4169 report_prefix_push("reserved bits clear"); 4170 for (cnt = 12; cnt <= 30; cnt++) { 4171 ent_intr_info = ent_intr_info_base | 4172 INTR_INFO_DELIVER_CODE_MASK | 4173 INTR_TYPE_HARD_EXCEPTION | GP_VECTOR | 4174 (1U << cnt); 4175 report_prefix_pushf("VM-entry intr info=0x%x [-]", 4176 ent_intr_info); 4177 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4178 test_vmx_controls(false, false); 4179 report_prefix_pop(); 4180 } 4181 report_prefix_pop(); 4182 4183 /* 4184 * If deliver-error-code is 1 4185 * bits 31:15 of the VM-entry exception error-code field are 0. 4186 */ 4187 ent_intr_info = ent_intr_info_base | INTR_INFO_DELIVER_CODE_MASK | 4188 INTR_TYPE_HARD_EXCEPTION | GP_VECTOR; 4189 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4190 "VM-entry exception error code[31:15] clear", 4191 ent_intr_info); 4192 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4193 for (cnt = 15; cnt <= 31; cnt++) { 4194 ent_intr_err = 1U << cnt; 4195 report_prefix_pushf("VM-entry intr error=0x%x [-]", 4196 ent_intr_err); 4197 vmcs_write(ENT_INTR_ERROR, ent_intr_err); 4198 test_vmx_controls(false, false); 4199 report_prefix_pop(); 4200 } 4201 vmcs_write(ENT_INTR_ERROR, 0x00000000); 4202 report_prefix_pop(); 4203 4204 /* 4205 * If the interruption type is software interrupt, software exception, 4206 * or privileged software exception, the VM-entry instruction-length 4207 * field is in the range 0–15. 4208 */ 4209 4210 for (cnt = 0; cnt < 3; cnt++) { 4211 switch (cnt) { 4212 case 0: 4213 ent_intr_info = ent_intr_info_base | 4214 INTR_TYPE_SOFT_INTR; 4215 break; 4216 case 1: 4217 ent_intr_info = ent_intr_info_base | 4218 INTR_TYPE_SOFT_EXCEPTION; 4219 break; 4220 case 2: 4221 ent_intr_info = ent_intr_info_base | 4222 INTR_TYPE_PRIV_SW_EXCEPTION; 4223 break; 4224 } 4225 report_prefix_pushf("%s, VM-entry intr info=0x%x", 4226 "VM-entry instruction-length check", 4227 ent_intr_info); 4228 vmcs_write(ENT_INTR_INFO, ent_intr_info); 4229 4230 /* Instruction length set to -1 (0xFFFFFFFF) should fail */ 4231 ent_intr_len = -1; 4232 report_prefix_pushf("VM-entry intr length = 0x%x [-]", 4233 ent_intr_len); 4234 vmcs_write(ENT_INST_LEN, ent_intr_len); 4235 test_vmx_controls(false, false); 4236 report_prefix_pop(); 4237 4238 /* Instruction length set to 16 should fail */ 4239 ent_intr_len = 0x00000010; 4240 report_prefix_pushf("VM-entry intr length = 0x%x [-]", 4241 ent_intr_len); 4242 vmcs_write(ENT_INST_LEN, 0x00000010); 4243 test_vmx_controls(false, false); 4244 report_prefix_pop(); 4245 4246 report_prefix_pop(); 4247 } 4248 4249 /* Cleanup */ 4250 vmcs_write(ENT_INTR_INFO, ent_intr_info_save); 4251 vmcs_write(ENT_INTR_ERROR, ent_intr_error_save); 4252 vmcs_write(ENT_INST_LEN, ent_inst_len_save); 4253 vmcs_write(CPU_EXEC_CTRL0, primary_save); 4254 vmcs_write(CPU_EXEC_CTRL1, secondary_save); 4255 vmcs_write(GUEST_CR0, guest_cr0_save); 4256 report_prefix_pop(); 4257 } 4258 4259 /* 4260 * Test interesting vTPR values for a given TPR threshold. 
4261 */ 4262 static void test_vtpr_values(unsigned threshold) 4263 { 4264 try_tpr_threshold_and_vtpr(threshold, (threshold - 1) << 4); 4265 try_tpr_threshold_and_vtpr(threshold, threshold << 4); 4266 try_tpr_threshold_and_vtpr(threshold, (threshold + 1) << 4); 4267 } 4268 4269 static void try_tpr_threshold(unsigned threshold) 4270 { 4271 bool valid = true; 4272 4273 u32 primary = vmcs_read(CPU_EXEC_CTRL0); 4274 u32 secondary = vmcs_read(CPU_EXEC_CTRL1); 4275 4276 if ((primary & CPU_TPR_SHADOW) && !((primary & CPU_SECONDARY) && 4277 (secondary & CPU_VINTD))) 4278 valid = !(threshold >> 4); 4279 4280 set_vtpr(-1); 4281 vmcs_write(TPR_THRESHOLD, threshold); 4282 report_prefix_pushf("TPR threshold 0x%x, VTPR.class 0xf", threshold); 4283 test_vmx_controls(valid, false); 4284 report_prefix_pop(); 4285 4286 if (valid) 4287 test_vtpr_values(threshold); 4288 } 4289 4290 /* 4291 * Test interesting TPR threshold values. 4292 */ 4293 static void test_tpr_threshold_values(void) 4294 { 4295 unsigned i; 4296 4297 for (i = 0; i < 0x10; i++) 4298 try_tpr_threshold(i); 4299 for (i = 4; i < 32; i++) 4300 try_tpr_threshold(1u << i); 4301 try_tpr_threshold(-1u); 4302 try_tpr_threshold(0x7fffffff); 4303 } 4304 4305 /* 4306 * This test covers the following two VM entry checks: 4307 * 4308 * i) If the "use TPR shadow" VM-execution control is 1 and the 4309 * "virtual-interrupt delivery" VM-execution control is 0, bits 4310 * 31:4 of the TPR threshold VM-execution control field must 4311 be 0. 4312 * [Intel SDM] 4313 * 4314 * ii) If the "use TPR shadow" VM-execution control is 1, the 4315 * "virtual-interrupt delivery" VM-execution control is 0 4316 * and the "virtualize APIC accesses" VM-execution control 4317 * is 0, the value of bits 3:0 of the TPR threshold VM-execution 4318 * control field must not be greater than the value of bits 4319 * 7:4 of VTPR. 
4320 * [Intel SDM] 4321 */ 4322 static void test_tpr_threshold(void) 4323 { 4324 u32 primary = vmcs_read(CPU_EXEC_CTRL0); 4325 void *virtual_apic_page; 4326 4327 if (!(ctrl_cpu_rev[0].clr & CPU_TPR_SHADOW)) 4328 return; 4329 4330 virtual_apic_page = alloc_page(); 4331 memset(virtual_apic_page, 0xff, PAGE_SIZE); 4332 vmcs_write(APIC_VIRT_ADDR, virt_to_phys(virtual_apic_page)); 4333 4334 vmcs_write(CPU_EXEC_CTRL0, primary & ~(CPU_TPR_SHADOW | CPU_SECONDARY)); 4335 report_prefix_pushf("Use TPR shadow disabled, secondary controls disabled"); 4336 test_tpr_threshold_values(); 4337 report_prefix_pop(); 4338 vmcs_write(CPU_EXEC_CTRL0, vmcs_read(CPU_EXEC_CTRL0) | CPU_TPR_SHADOW); 4339 report_prefix_pushf("Use TPR shadow enabled, secondary controls disabled"); 4340 test_tpr_threshold_values(); 4341 report_prefix_pop(); 4342 4343 if (!((ctrl_cpu_rev[0].clr & CPU_SECONDARY) && 4344 (ctrl_cpu_rev[1].clr & (CPU_VINTD | CPU_VIRT_APIC_ACCESSES)))) { 4345 vmcs_write(CPU_EXEC_CTRL0, primary); 4346 return; 4347 } 4348 4349 u32 secondary = vmcs_read(CPU_EXEC_CTRL1); 4350 4351 if (ctrl_cpu_rev[1].clr & CPU_VINTD) { 4352 vmcs_write(CPU_EXEC_CTRL1, CPU_VINTD); 4353 report_prefix_pushf("Use TPR shadow enabled; secondary controls disabled; virtual-interrupt delivery enabled; virtualize APIC accesses disabled"); 4354 test_tpr_threshold_values(); 4355 report_prefix_pop(); 4356 4357 vmcs_write(CPU_EXEC_CTRL0, 4358 vmcs_read(CPU_EXEC_CTRL0) | CPU_SECONDARY); 4359 report_prefix_pushf("Use TPR shadow enabled; secondary controls enabled; virtual-interrupt delivery enabled; virtualize APIC accesses disabled"); 4360 test_tpr_threshold_values(); 4361 report_prefix_pop(); 4362 } 4363 4364 if (ctrl_cpu_rev[1].clr & CPU_VIRT_APIC_ACCESSES) { 4365 vmcs_write(CPU_EXEC_CTRL0, 4366 vmcs_read(CPU_EXEC_CTRL0) & ~CPU_SECONDARY); 4367 vmcs_write(CPU_EXEC_CTRL1, CPU_VIRT_APIC_ACCESSES); 4368 report_prefix_pushf("Use TPR shadow enabled; secondary controls disabled; virtual-interrupt delivery enabled; virtualize APIC accesses enabled"); 4369 test_tpr_threshold_values(); 4370 report_prefix_pop(); 4371 4372 vmcs_write(CPU_EXEC_CTRL0, 4373 vmcs_read(CPU_EXEC_CTRL0) | CPU_SECONDARY); 4374 report_prefix_pushf("Use TPR shadow enabled; secondary controls enabled; virtual-interrupt delivery enabled; virtualize APIC accesses enabled"); 4375 test_tpr_threshold_values(); 4376 report_prefix_pop(); 4377 } 4378 4379 if ((ctrl_cpu_rev[1].clr & 4380 (CPU_VINTD | CPU_VIRT_APIC_ACCESSES)) == 4381 (CPU_VINTD | CPU_VIRT_APIC_ACCESSES)) { 4382 vmcs_write(CPU_EXEC_CTRL0, 4383 vmcs_read(CPU_EXEC_CTRL0) & ~CPU_SECONDARY); 4384 vmcs_write(CPU_EXEC_CTRL1, 4385 CPU_VINTD | CPU_VIRT_APIC_ACCESSES); 4386 report_prefix_pushf("Use TPR shadow enabled; secondary controls disabled; virtual-interrupt delivery enabled; virtualize APIC accesses enabled"); 4387 test_tpr_threshold_values(); 4388 report_prefix_pop(); 4389 4390 vmcs_write(CPU_EXEC_CTRL0, 4391 vmcs_read(CPU_EXEC_CTRL0) | CPU_SECONDARY); 4392 report_prefix_pushf("Use TPR shadow enabled; secondary controls enabled; virtual-interrupt delivery enabled; virtualize APIC accesses enabled"); 4393 test_tpr_threshold_values(); 4394 report_prefix_pop(); 4395 } 4396 4397 vmcs_write(CPU_EXEC_CTRL1, secondary); 4398 vmcs_write(CPU_EXEC_CTRL0, primary); 4399 } 4400 4401 /* 4402 * This test verifies the following two vmentry checks: 4403 * 4404 * If the "NMI exiting" VM-execution control is 0, "Virtual NMIs" 4405 * VM-execution control must be 0. 
4406 * [Intel SDM]
4407 *
4408 * If the "virtual NMIs" VM-execution control is 0, the "NMI-window
4409 * exiting" VM-execution control must be 0.
4410 * [Intel SDM]
4411 */
4412 static void test_nmi_ctrls(void)
4413 {
4414 u32 pin_ctrls, cpu_ctrls0, test_pin_ctrls, test_cpu_ctrls0;
4415
4416 if ((ctrl_pin_rev.clr & (PIN_NMI | PIN_VIRT_NMI)) !=
4417 (PIN_NMI | PIN_VIRT_NMI)) {
4418 test_skip("NMI exiting and Virtual NMIs are not supported!");
4419 return;
4420 }
4421
4422 /* Save the controls so that we can restore them after our tests */
4423 pin_ctrls = vmcs_read(PIN_CONTROLS);
4424 cpu_ctrls0 = vmcs_read(CPU_EXEC_CTRL0);
4425
4426 test_pin_ctrls = pin_ctrls & ~(PIN_NMI | PIN_VIRT_NMI);
4427 test_cpu_ctrls0 = cpu_ctrls0 & ~CPU_NMI_WINDOW;
4428
4429 vmcs_write(PIN_CONTROLS, test_pin_ctrls);
4430 report_prefix_pushf("NMI-exiting disabled, virtual-NMIs disabled");
4431 test_vmx_controls(true, false);
4432 report_prefix_pop();
4433
4434 vmcs_write(PIN_CONTROLS, test_pin_ctrls | PIN_VIRT_NMI);
4435 report_prefix_pushf("NMI-exiting disabled, virtual-NMIs enabled");
4436 test_vmx_controls(false, false);
4437 report_prefix_pop();
4438
4439 vmcs_write(PIN_CONTROLS, test_pin_ctrls | (PIN_NMI | PIN_VIRT_NMI));
4440 report_prefix_pushf("NMI-exiting enabled, virtual-NMIs enabled");
4441 test_vmx_controls(true, false);
4442 report_prefix_pop();
4443
4444 vmcs_write(PIN_CONTROLS, test_pin_ctrls | PIN_NMI);
4445 report_prefix_pushf("NMI-exiting enabled, virtual-NMIs disabled");
4446 test_vmx_controls(true, false);
4447 report_prefix_pop();
4448
4449 if (!(ctrl_cpu_rev[0].clr & CPU_NMI_WINDOW)) {
4450 report_info("NMI-window exiting is not supported, skipping...");
4451 goto done;
4452 }
4453
4454 vmcs_write(PIN_CONTROLS, test_pin_ctrls);
4455 vmcs_write(CPU_EXEC_CTRL0, test_cpu_ctrls0 | CPU_NMI_WINDOW);
4456 report_prefix_pushf("Virtual-NMIs disabled, NMI-window-exiting enabled");
4457 test_vmx_controls(false, false);
4458 report_prefix_pop();
4459
4460 vmcs_write(PIN_CONTROLS, test_pin_ctrls);
4461 vmcs_write(CPU_EXEC_CTRL0, test_cpu_ctrls0);
4462 report_prefix_pushf("Virtual-NMIs disabled, NMI-window-exiting disabled");
4463 test_vmx_controls(true, false);
4464 report_prefix_pop();
4465
4466 vmcs_write(PIN_CONTROLS, test_pin_ctrls | (PIN_NMI | PIN_VIRT_NMI));
4467 vmcs_write(CPU_EXEC_CTRL0, test_cpu_ctrls0 | CPU_NMI_WINDOW);
4468 report_prefix_pushf("Virtual-NMIs enabled, NMI-window-exiting enabled");
4469 test_vmx_controls(true, false);
4470 report_prefix_pop();
4471
4472 vmcs_write(PIN_CONTROLS, test_pin_ctrls | (PIN_NMI | PIN_VIRT_NMI));
4473 vmcs_write(CPU_EXEC_CTRL0, test_cpu_ctrls0);
4474 report_prefix_pushf("Virtual-NMIs enabled, NMI-window-exiting disabled");
4475 test_vmx_controls(true, false);
4476 report_prefix_pop();
4477
4478 /* Restore the controls to their original values */
4479 vmcs_write(CPU_EXEC_CTRL0, cpu_ctrls0);
4480 done:
4481 vmcs_write(PIN_CONTROLS, pin_ctrls);
4482 }
4483
4484 static void test_eptp_ad_bit(u64 eptp, bool ctrl)
4485 {
4486 vmcs_write(EPTP, eptp);
4487 report_prefix_pushf("Enable-EPT enabled; EPT accessed and dirty flag %s",
4488 (eptp & EPTP_AD_FLAG) ? "1": "0");
4489 test_vmx_controls(ctrl, false);
4490 report_prefix_pop();
4491
4492 }
4493 /*
4494 * If the "enable EPT" VM-execution control is 1, the EPTP VM-execution
4495 * control field must satisfy the following checks:
4496 *
4497 * - The EPT memory type (bits 2:0) must be a value supported by the
4498 * processor as indicated in the IA32_VMX_EPT_VPID_CAP MSR.
4499 * - Bits 5:3 (1 less than the EPT page-walk length) must be 3,
4500 * indicating an EPT page-walk length of 4.
4501 * - Bit 6 (enable bit for accessed and dirty flags for EPT) must be
4502 * 0 if bit 21 of the IA32_VMX_EPT_VPID_CAP MSR is read as 0,
4503 * indicating that the processor does not support accessed and
4504 * dirty flags for EPT.
4505 * - Reserved bits 11:7 and 63:N (where N is the processor's
4506 * physical-address width) must all be 0.
4507 *
4508 * [Intel SDM]
4509 */
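/*
 * Illustrative sketch only (not used by the tests below): one way a
 * conforming EPTP could be assembled from the rules above, reusing the
 * EPT_MEM_TYPE_MASK, EPTP_PG_WALK_LEN_SHIFT and EPTP_AD_FLAG macros this
 * file already relies on. Memory type 6 is write-back, and an EPT
 * page-walk length of 4 is encoded as 3 in bits 5:3.
 */
static inline __attribute__((unused)) u64 build_eptp_sketch(u64 pml4_pa, bool enable_ad)
{
	/* Bits 11:0 of the EPTP carry attributes, not address bits. */
	u64 eptp = pml4_pa & ~0xfffull;

	eptp = (eptp & ~EPT_MEM_TYPE_MASK) | 6ul;	/* write-back memory type */
	eptp |= 3ul << EPTP_PG_WALK_LEN_SHIFT;		/* page-walk length of 4 */
	if (enable_ad)
		eptp |= EPTP_AD_FLAG;			/* A/D flags, if supported */
	return eptp;
}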
4510 static void test_eptp(void)
4511 {
4512 u32 primary_saved = vmcs_read(CPU_EXEC_CTRL0);
4513 u32 secondary_saved = vmcs_read(CPU_EXEC_CTRL1);
4514 u64 eptp_saved = vmcs_read(EPTP);
4515 u32 primary = primary_saved;
4516 u32 secondary = secondary_saved;
4517 u64 msr, eptp = eptp_saved;
4518 bool un_cache = false;
4519 bool wr_bk = false;
4520 bool ctrl;
4521 u32 i, maxphysaddr;
4522 u64 j, resv_bits_mask = 0;
4523
4524 if (!((ctrl_cpu_rev[0].clr & CPU_SECONDARY) &&
4525 (ctrl_cpu_rev[1].clr & CPU_EPT))) {
4526 test_skip("\"CPU secondary\" and/or \"enable EPT\" execution controls are not supported!");
4527 return;
4528 }
4529
4530 /*
4531 * Memory type (bits 2:0)
4532 */
4533 msr = rdmsr(MSR_IA32_VMX_EPT_VPID_CAP);
4534 if (msr & EPT_CAP_UC)
4535 un_cache = true;
4536 if (msr & EPT_CAP_WB)
4537 wr_bk = true;
4538
4539 primary |= CPU_SECONDARY;
4540 vmcs_write(CPU_EXEC_CTRL0, primary);
4541 secondary |= CPU_EPT;
4542 vmcs_write(CPU_EXEC_CTRL1, secondary);
4543 eptp = (eptp & ~EPTP_PG_WALK_LEN_MASK) |
4544 (3ul << EPTP_PG_WALK_LEN_SHIFT);
4545 vmcs_write(EPTP, eptp);
4546
4547 for (i = 0; i < 8; i++) {
4548 if (i == 0) {
4549 if (un_cache) {
4550 report_info("EPT paging structure memory-type is Un-cacheable\n");
4551 ctrl = true;
4552 } else {
4553 ctrl = false;
4554 }
4555 } else if (i == 6) {
4556 if (wr_bk) {
4557 report_info("EPT paging structure memory-type is Write-back\n");
4558 ctrl = true;
4559 } else {
4560 ctrl = false;
4561 }
4562 } else {
4563 ctrl = false;
4564 }
4565
4566 eptp = (eptp & ~EPT_MEM_TYPE_MASK) | i;
4567 vmcs_write(EPTP, eptp);
4568 report_prefix_pushf("Enable-EPT enabled; EPT memory type %lu",
4569 eptp & EPT_MEM_TYPE_MASK);
4570 test_vmx_controls(ctrl, false);
4571 report_prefix_pop();
4572 }
4573
4574 eptp = (eptp & ~EPT_MEM_TYPE_MASK) | 6ul;
4575
4576 /*
4577 * Page walk length (bits 5:3)
4578 */
4579 for (i = 0; i < 8; i++) {
4580 eptp = (eptp & ~EPTP_PG_WALK_LEN_MASK) |
4581 (i << EPTP_PG_WALK_LEN_SHIFT);
4582 if (i == 3)
4583 ctrl = true;
4584 else
4585 ctrl = false;
4586
4587 vmcs_write(EPTP, eptp);
4588 report_prefix_pushf("Enable-EPT enabled; EPT page walk length %lu",
4589 eptp & EPTP_PG_WALK_LEN_MASK);
4590 test_vmx_controls(ctrl, false);
4591 report_prefix_pop();
4592 }
4593
4594 eptp = (eptp & ~EPTP_PG_WALK_LEN_MASK) |
4595 3ul << EPTP_PG_WALK_LEN_SHIFT;
4596
4597 /*
4598 * Accessed and dirty flag (bit 6)
4599 */
4600 if (msr & EPT_CAP_AD_FLAG) {
4601 report_info("Processor supports accessed and dirty flag");
4602 eptp &= ~EPTP_AD_FLAG;
4603 test_eptp_ad_bit(eptp, true);
4604
4605 eptp |= EPTP_AD_FLAG;
4606 test_eptp_ad_bit(eptp, true);
4607 } else {
4608 report_info("Processor does not support accessed and dirty flag");
4609 eptp &= ~EPTP_AD_FLAG;
4610 test_eptp_ad_bit(eptp, true);
4611
4612 eptp |= EPTP_AD_FLAG;
4613 test_eptp_ad_bit(eptp, false);
4614 }
4615
4616 /*
4617 * Reserved bits [11:7] and [63:N]
4618 */
4619 for (i = 0; i < 32; i++) {
4620 if (i == 0)
4621 ctrl = true;
4622 else
4623 ctrl = false;
4624
4625 eptp = (eptp &
4626 ~(EPTP_RESERV_BITS_MASK << EPTP_RESERV_BITS_SHIFT)) |
4627 (i << EPTP_RESERV_BITS_SHIFT);
4628 vmcs_write(EPTP, eptp);
4629 report_prefix_pushf("Enable-EPT enabled; reserved bits [11:7] %lu",
4630 (eptp >> EPTP_RESERV_BITS_SHIFT) &
4631 EPTP_RESERV_BITS_MASK);
4632 test_vmx_controls(ctrl, false);
4633 report_prefix_pop();
4634 }
4635
4636 eptp = (eptp & ~(EPTP_RESERV_BITS_MASK << EPTP_RESERV_BITS_SHIFT));
4637
4638 maxphysaddr = cpuid_maxphyaddr();
4639 for (i = 0; i < (63 - maxphysaddr + 1); i++) {
4640 resv_bits_mask |= 1ul << i;
4641 }
4642
4643 for (j = 0; j < (63 - maxphysaddr + 1); j++) {
4644 if (j == 0)
4645 ctrl = true;
4646 else
4647 ctrl = false;
4648
4649 eptp = (eptp & ~(resv_bits_mask << maxphysaddr)) |
4650 (j << maxphysaddr);
4651 vmcs_write(EPTP, eptp);
4652 report_prefix_pushf("Enable-EPT enabled; reserved bits [63:N] %lu",
4653 (eptp >> maxphysaddr) & resv_bits_mask);
4654 test_vmx_controls(ctrl, false);
4655 report_prefix_pop();
4656 }
4657
4658 vmcs_write(CPU_EXEC_CTRL0, primary_saved);
4659 vmcs_write(CPU_EXEC_CTRL1, secondary_saved);
4660 vmcs_write(EPTP, eptp_saved);
4661 }
4662
4663 /*
4664 * Check that the virtual CPU checks all of the VMX controls as
4665 * documented in the Intel SDM.
4666 */
4667 static void vmx_controls_test(void)
4668 {
4669 /*
4670 * Bit 1 of the guest's RFLAGS must be 1, or VM-entry will
4671 * fail due to invalid guest state, should we make it that
4672 * far.
4673 */
4674 vmcs_write(GUEST_RFLAGS, 0);
4675
4676 test_pin_based_ctls();
4677 test_primary_processor_based_ctls();
4678 test_secondary_processor_based_ctls();
4679 test_cr3_targets();
4680 test_io_bitmaps();
4681 test_msr_bitmap();
4682 test_apic_ctls();
4683 test_tpr_threshold();
4684 test_nmi_ctrls();
4685 test_invalid_event_injection();
4686 test_vpid();
4687 test_eptp();
4688 }
4689
4690 static bool valid_vmcs_for_vmentry(void)
4691 {
4692 struct vmcs *current_vmcs = NULL;
4693
4694 if (vmcs_save(&current_vmcs))
4695 return false;
4696
4697 return current_vmcs && !current_vmcs->hdr.shadow_vmcs;
4698 }
4699
4700 static void try_vmentry_in_movss_shadow(void)
4701 {
4702 u32 vm_inst_err;
4703 u32 flags;
4704 bool early_failure = false;
4705 u32 expected_flags = X86_EFLAGS_FIXED;
4706 bool valid_vmcs = valid_vmcs_for_vmentry();
4707
4708 expected_flags |= valid_vmcs ? X86_EFLAGS_ZF : X86_EFLAGS_CF;
4709
4710 /*
4711 * Indirectly set VM_INST_ERR to 12 ("VMREAD/VMWRITE from/to
4712 * unsupported VMCS component").
4713 */ 4714 vmcs_write(~0u, 0); 4715 4716 __asm__ __volatile__ ("mov %[host_rsp], %%edx;" 4717 "vmwrite %%rsp, %%rdx;" 4718 "mov 0f, %%rax;" 4719 "mov %[host_rip], %%edx;" 4720 "vmwrite %%rax, %%rdx;" 4721 "mov $-1, %%ah;" 4722 "sahf;" 4723 "mov %%ss, %%ax;" 4724 "mov %%ax, %%ss;" 4725 "vmlaunch;" 4726 "mov $1, %[early_failure];" 4727 "0: lahf;" 4728 "movzbl %%ah, %[flags]" 4729 : [early_failure] "+r" (early_failure), 4730 [flags] "=&a" (flags) 4731 : [host_rsp] "i" (HOST_RSP), 4732 [host_rip] "i" (HOST_RIP) 4733 : "rdx", "cc", "memory"); 4734 vm_inst_err = vmcs_read(VMX_INST_ERROR); 4735 4736 report("Early VM-entry failure", early_failure); 4737 report("RFLAGS[8:0] is %x (actual %x)", flags == expected_flags, 4738 expected_flags, flags); 4739 if (valid_vmcs) 4740 report("VM-instruction error is %d (actual %d)", 4741 vm_inst_err == VMXERR_ENTRY_EVENTS_BLOCKED_BY_MOV_SS, 4742 VMXERR_ENTRY_EVENTS_BLOCKED_BY_MOV_SS, vm_inst_err); 4743 } 4744 4745 static void vmentry_movss_shadow_test(void) 4746 { 4747 struct vmcs *orig_vmcs; 4748 4749 TEST_ASSERT(!vmcs_save(&orig_vmcs)); 4750 4751 /* 4752 * Set the launched flag on the current VMCS to verify the correct 4753 * error priority, below. 4754 */ 4755 test_set_guest(v2_null_test_guest); 4756 enter_guest(); 4757 4758 /* 4759 * With bit 1 of the guest's RFLAGS clear, VM-entry should 4760 * fail due to invalid guest state (if we make it that far). 4761 */ 4762 vmcs_write(GUEST_RFLAGS, 0); 4763 4764 /* 4765 * "VM entry with events blocked by MOV SS" takes precedence over 4766 * "VMLAUNCH with non-clear VMCS." 4767 */ 4768 report_prefix_push("valid current-VMCS"); 4769 try_vmentry_in_movss_shadow(); 4770 report_prefix_pop(); 4771 4772 /* 4773 * VMfailInvalid takes precedence over "VM entry with events 4774 * blocked by MOV SS." 4775 */ 4776 TEST_ASSERT(!vmcs_clear(orig_vmcs)); 4777 report_prefix_push("no current-VMCS"); 4778 try_vmentry_in_movss_shadow(); 4779 report_prefix_pop(); 4780 4781 TEST_ASSERT(!make_vmcs_current(orig_vmcs)); 4782 vmcs_write(GUEST_RFLAGS, X86_EFLAGS_FIXED); 4783 } 4784 4785 #define X86_FEATURE_PCID (1 << 17) 4786 #define X86_FEATURE_MCE (1 << 7) 4787 4788 static int write_cr4_checking(unsigned long val) 4789 { 4790 asm volatile(ASM_TRY("1f") 4791 "mov %0, %%cr4\n\t" 4792 "1:": : "r" (val)); 4793 return exception_vector(); 4794 } 4795 4796 static void vmx_cr_load_test(void) 4797 { 4798 struct cpuid _cpuid = cpuid(1); 4799 unsigned long cr4 = read_cr4(), cr3 = read_cr3(); 4800 4801 if (!(_cpuid.c & X86_FEATURE_PCID)) { 4802 report_skip("PCID not detected"); 4803 return; 4804 } 4805 if (!(_cpuid.d & X86_FEATURE_MCE)) { 4806 report_skip("MCE not detected"); 4807 return; 4808 } 4809 4810 TEST_ASSERT(!(cr4 & (X86_CR4_PCIDE | X86_CR4_MCE))); 4811 TEST_ASSERT(!(cr3 & X86_CR3_PCID_MASK)); 4812 4813 /* Enable PCID for L1. */ 4814 cr4 |= X86_CR4_PCIDE; 4815 cr3 |= 0x1; 4816 TEST_ASSERT(!write_cr4_checking(cr4)); 4817 write_cr3(cr3); 4818 4819 test_set_guest(v2_null_test_guest); 4820 vmcs_write(HOST_CR4, cr4); 4821 vmcs_write(HOST_CR3, cr3); 4822 enter_guest(); 4823 4824 /* 4825 * No exception is expected. 4826 * 4827 * NB. KVM loads the last guest write to CR4 into CR4 read 4828 * shadow. In order to trigger an exit to KVM, we can set a 4829 * bit that was zero in the above CR4 write and is owned by 4830 * KVM. We choose to set CR4.MCE, which shall have no side 4831 * effect because normally no guest MCE (e.g., as the result 4832 * of bad memory) would happen during this test. 
4833 */ 4834 TEST_ASSERT(!write_cr4_checking(cr4 | X86_CR4_MCE)); 4835 4836 /* Cleanup L1 state: disable PCID. */ 4837 write_cr3(cr3 & ~X86_CR3_PCID_MASK); 4838 TEST_ASSERT(!write_cr4_checking(cr4 & ~X86_CR4_PCIDE)); 4839 } 4840 4841 bool vmx_pending_event_ipi_fired; 4842 static void vmx_pending_event_ipi_isr(isr_regs_t *regs) 4843 { 4844 vmx_pending_event_ipi_fired = true; 4845 eoi(); 4846 } 4847 4848 bool vmx_pending_event_guest_run; 4849 static void vmx_pending_event_guest(void) 4850 { 4851 vmcall(); 4852 vmx_pending_event_guest_run = true; 4853 } 4854 4855 static void vmx_pending_event_test_core(bool guest_hlt) 4856 { 4857 int ipi_vector = 0xf1; 4858 4859 vmx_pending_event_ipi_fired = false; 4860 handle_irq(ipi_vector, vmx_pending_event_ipi_isr); 4861 4862 vmx_pending_event_guest_run = false; 4863 test_set_guest(vmx_pending_event_guest); 4864 4865 vmcs_set_bits(PIN_CONTROLS, PIN_EXTINT); 4866 4867 enter_guest(); 4868 skip_exit_vmcall(); 4869 4870 if (guest_hlt) 4871 vmcs_write(GUEST_ACTV_STATE, ACTV_HLT); 4872 4873 irq_disable(); 4874 apic_icr_write(APIC_DEST_SELF | APIC_DEST_PHYSICAL | 4875 APIC_DM_FIXED | ipi_vector, 4876 0); 4877 4878 enter_guest(); 4879 4880 assert_exit_reason(VMX_EXTINT); 4881 report("Guest did not run before host received IPI", 4882 !vmx_pending_event_guest_run); 4883 4884 irq_enable(); 4885 asm volatile ("nop"); 4886 irq_disable(); 4887 report("Got pending interrupt after IRQ enabled", 4888 vmx_pending_event_ipi_fired); 4889 4890 if (guest_hlt) 4891 vmcs_write(GUEST_ACTV_STATE, ACTV_ACTIVE); 4892 4893 enter_guest(); 4894 report("Guest finished running when no interrupt", 4895 vmx_pending_event_guest_run); 4896 } 4897 4898 static void vmx_pending_event_test(void) 4899 { 4900 vmx_pending_event_test_core(false); 4901 } 4902 4903 static void vmx_pending_event_hlt_test(void) 4904 { 4905 vmx_pending_event_test_core(true); 4906 } 4907 4908 static bool cpu_has_apicv(void) 4909 { 4910 return ((ctrl_cpu_rev[1].clr & CPU_APIC_REG_VIRT) && 4911 (ctrl_cpu_rev[1].clr & CPU_VINTD) && 4912 (ctrl_pin_rev.clr & PIN_POST_INTR)); 4913 } 4914 4915 static void enable_vid(void) 4916 { 4917 void *virtual_apic_page; 4918 4919 assert(cpu_has_apicv()); 4920 4921 disable_intercept_for_x2apic_msrs(); 4922 4923 virtual_apic_page = alloc_page(); 4924 vmcs_write(APIC_VIRT_ADDR, (u64)virtual_apic_page); 4925 4926 vmcs_set_bits(PIN_CONTROLS, PIN_EXTINT); 4927 4928 vmcs_write(EOI_EXIT_BITMAP0, 0x0); 4929 vmcs_write(EOI_EXIT_BITMAP1, 0x0); 4930 vmcs_write(EOI_EXIT_BITMAP2, 0x0); 4931 vmcs_write(EOI_EXIT_BITMAP3, 0x0); 4932 4933 vmcs_set_bits(CPU_EXEC_CTRL0, CPU_SECONDARY | CPU_TPR_SHADOW); 4934 vmcs_set_bits(CPU_EXEC_CTRL1, CPU_VINTD | CPU_VIRT_X2APIC); 4935 } 4936 4937 static void trigger_ioapic_scan_thread(void *data) 4938 { 4939 /* Wait until other CPU entered L2 */ 4940 while (vmx_get_test_stage() != 1) 4941 ; 4942 4943 /* Trigger ioapic scan */ 4944 ioapic_set_redir(0xf, 0x79, TRIGGER_LEVEL); 4945 vmx_set_test_stage(2); 4946 } 4947 4948 static void irq_79_handler_guest(isr_regs_t *regs) 4949 { 4950 eoi(); 4951 4952 /* L1 expects vmexit on VMX_VMCALL and not VMX_EOI_INDUCED */ 4953 vmcall(); 4954 } 4955 4956 /* 4957 * Constant for num of busy-loop iterations after which 4958 * a timer interrupt should have happened in host 4959 */ 4960 #define TIMER_INTERRUPT_DELAY 100000000 4961 4962 static void vmx_eoi_bitmap_ioapic_scan_test_guest(void) 4963 { 4964 handle_irq(0x79, irq_79_handler_guest); 4965 irq_enable(); 4966 4967 /* Signal to L1 CPU to trigger ioapic scan */ 4968 vmx_set_test_stage(1); 
4969 /* Wait until L1 CPU to trigger ioapic scan */ 4970 while (vmx_get_test_stage() != 2) 4971 ; 4972 4973 /* 4974 * Wait for L0 timer interrupt to be raised while we run in L2 4975 * such that L0 will process the IOAPIC scan request before 4976 * resuming L2 4977 */ 4978 delay(TIMER_INTERRUPT_DELAY); 4979 4980 asm volatile ("int $0x79"); 4981 } 4982 4983 static void vmx_eoi_bitmap_ioapic_scan_test(void) 4984 { 4985 if (!cpu_has_apicv() || (cpu_count() < 2)) { 4986 report_skip(__func__); 4987 return; 4988 } 4989 4990 enable_vid(); 4991 4992 on_cpu_async(1, trigger_ioapic_scan_thread, NULL); 4993 test_set_guest(vmx_eoi_bitmap_ioapic_scan_test_guest); 4994 4995 /* 4996 * Launch L2. 4997 * We expect the exit reason to be VMX_VMCALL (and not EOI INDUCED). 4998 * In case the reason isn't VMX_VMCALL, the asserion inside 4999 * skip_exit_vmcall() will fail. 5000 */ 5001 enter_guest(); 5002 skip_exit_vmcall(); 5003 5004 /* Let L2 finish */ 5005 enter_guest(); 5006 report(__func__, 1); 5007 } 5008 5009 static void set_irq_line_thread(void *data) 5010 { 5011 /* Wait until other CPU entered L2 */ 5012 while (vmx_get_test_stage() != 1) 5013 ; 5014 5015 /* Set irq-line 0xf to raise vector 0x78 for vCPU 0 */ 5016 ioapic_set_redir(0xf, 0x78, TRIGGER_LEVEL); 5017 vmx_set_test_stage(2); 5018 } 5019 5020 static bool irq_78_handler_vmcall_before_eoi; 5021 static void irq_78_handler_guest(isr_regs_t *regs) 5022 { 5023 set_irq_line(0xf, 0); 5024 if (irq_78_handler_vmcall_before_eoi) 5025 vmcall(); 5026 eoi(); 5027 vmcall(); 5028 } 5029 5030 static void vmx_apic_passthrough_guest(void) 5031 { 5032 handle_irq(0x78, irq_78_handler_guest); 5033 irq_enable(); 5034 5035 /* If requested, wait for other CPU to trigger ioapic scan */ 5036 if (vmx_get_test_stage() < 1) { 5037 vmx_set_test_stage(1); 5038 while (vmx_get_test_stage() != 2) 5039 ; 5040 } 5041 5042 set_irq_line(0xf, 1); 5043 } 5044 5045 static void vmx_apic_passthrough(bool set_irq_line_from_thread) 5046 { 5047 if (set_irq_line_from_thread && (cpu_count() < 2)) { 5048 report_skip(__func__); 5049 return; 5050 } 5051 5052 u64 cpu_ctrl_0 = CPU_SECONDARY; 5053 u64 cpu_ctrl_1 = 0; 5054 5055 disable_intercept_for_x2apic_msrs(); 5056 5057 vmcs_write(PIN_CONTROLS, vmcs_read(PIN_CONTROLS) & ~PIN_EXTINT); 5058 5059 vmcs_write(CPU_EXEC_CTRL0, vmcs_read(CPU_EXEC_CTRL0) | cpu_ctrl_0); 5060 vmcs_write(CPU_EXEC_CTRL1, vmcs_read(CPU_EXEC_CTRL1) | cpu_ctrl_1); 5061 5062 if (set_irq_line_from_thread) { 5063 irq_78_handler_vmcall_before_eoi = false; 5064 on_cpu_async(1, set_irq_line_thread, NULL); 5065 } else { 5066 irq_78_handler_vmcall_before_eoi = true; 5067 ioapic_set_redir(0xf, 0x78, TRIGGER_LEVEL); 5068 vmx_set_test_stage(2); 5069 } 5070 test_set_guest(vmx_apic_passthrough_guest); 5071 5072 if (irq_78_handler_vmcall_before_eoi) { 5073 /* Before EOI remote_irr should still be set */ 5074 enter_guest(); 5075 skip_exit_vmcall(); 5076 TEST_ASSERT_EQ_MSG(1, (int)ioapic_read_redir(0xf).remote_irr, 5077 "IOAPIC pass-through: remote_irr=1 before EOI"); 5078 } 5079 5080 /* After EOI remote_irr should be cleared */ 5081 enter_guest(); 5082 skip_exit_vmcall(); 5083 TEST_ASSERT_EQ_MSG(0, (int)ioapic_read_redir(0xf).remote_irr, 5084 "IOAPIC pass-through: remote_irr=0 after EOI"); 5085 5086 /* Let L2 finish */ 5087 enter_guest(); 5088 report(__func__, 1); 5089 } 5090 5091 static void vmx_apic_passthrough_test(void) 5092 { 5093 vmx_apic_passthrough(false); 5094 } 5095 5096 static void vmx_apic_passthrough_thread_test(void) 5097 { 5098 vmx_apic_passthrough(true); 5099 } 5100 5101 enum 
vmcs_access { 5102 ACCESS_VMREAD, 5103 ACCESS_VMWRITE, 5104 ACCESS_NONE, 5105 }; 5106 5107 struct vmcs_shadow_test_common { 5108 enum vmcs_access op; 5109 enum Reason reason; 5110 u64 field; 5111 u64 value; 5112 u64 flags; 5113 u64 time; 5114 } l1_l2_common; 5115 5116 static inline u64 vmread_flags(u64 field, u64 *val) 5117 { 5118 u64 flags; 5119 5120 asm volatile ("vmread %2, %1; pushf; pop %0" 5121 : "=r" (flags), "=rm" (*val) : "r" (field) : "cc"); 5122 return flags & X86_EFLAGS_ALU; 5123 } 5124 5125 static inline u64 vmwrite_flags(u64 field, u64 val) 5126 { 5127 u64 flags; 5128 5129 asm volatile ("vmwrite %1, %2; pushf; pop %0" 5130 : "=r"(flags) : "rm" (val), "r" (field) : "cc"); 5131 return flags & X86_EFLAGS_ALU; 5132 } 5133 5134 static void vmx_vmcs_shadow_test_guest(void) 5135 { 5136 struct vmcs_shadow_test_common *c = &l1_l2_common; 5137 u64 start; 5138 5139 while (c->op != ACCESS_NONE) { 5140 start = rdtsc(); 5141 switch (c->op) { 5142 default: 5143 c->flags = -1ull; 5144 break; 5145 case ACCESS_VMREAD: 5146 c->flags = vmread_flags(c->field, &c->value); 5147 break; 5148 case ACCESS_VMWRITE: 5149 c->flags = vmwrite_flags(c->field, 0); 5150 break; 5151 } 5152 c->time = rdtsc() - start; 5153 vmcall(); 5154 } 5155 } 5156 5157 static u64 vmread_from_shadow(u64 field) 5158 { 5159 struct vmcs *primary; 5160 struct vmcs *shadow; 5161 u64 value; 5162 5163 TEST_ASSERT(!vmcs_save(&primary)); 5164 shadow = (struct vmcs *)vmcs_read(VMCS_LINK_PTR); 5165 TEST_ASSERT(!make_vmcs_current(shadow)); 5166 value = vmcs_read(field); 5167 TEST_ASSERT(!make_vmcs_current(primary)); 5168 return value; 5169 } 5170 5171 static u64 vmwrite_to_shadow(u64 field, u64 value) 5172 { 5173 struct vmcs *primary; 5174 struct vmcs *shadow; 5175 5176 TEST_ASSERT(!vmcs_save(&primary)); 5177 shadow = (struct vmcs *)vmcs_read(VMCS_LINK_PTR); 5178 TEST_ASSERT(!make_vmcs_current(shadow)); 5179 vmcs_write(field, value); 5180 value = vmcs_read(field); 5181 TEST_ASSERT(!make_vmcs_current(primary)); 5182 return value; 5183 } 5184 5185 static void vmcs_shadow_test_access(u8 *bitmap[2], enum vmcs_access access) 5186 { 5187 struct vmcs_shadow_test_common *c = &l1_l2_common; 5188 5189 c->op = access; 5190 vmcs_write(VMX_INST_ERROR, 0); 5191 enter_guest(); 5192 c->reason = vmcs_read(EXI_REASON) & 0xffff; 5193 if (c->reason != VMX_VMCALL) { 5194 skip_exit_insn(); 5195 enter_guest(); 5196 } 5197 skip_exit_vmcall(); 5198 } 5199 5200 static void vmcs_shadow_test_field(u8 *bitmap[2], u64 field) 5201 { 5202 struct vmcs_shadow_test_common *c = &l1_l2_common; 5203 struct vmcs *shadow; 5204 u64 value; 5205 uintptr_t flags[2]; 5206 bool good_shadow; 5207 u32 vmx_inst_error; 5208 5209 report_prefix_pushf("field %lx", field); 5210 c->field = field; 5211 5212 shadow = (struct vmcs *)vmcs_read(VMCS_LINK_PTR); 5213 if (shadow != (struct vmcs *)-1ull) { 5214 flags[ACCESS_VMREAD] = vmread_flags(field, &value); 5215 flags[ACCESS_VMWRITE] = vmwrite_flags(field, value); 5216 good_shadow = !flags[ACCESS_VMREAD] && !flags[ACCESS_VMWRITE]; 5217 } else { 5218 /* 5219 * When VMCS link pointer is -1ull, VMWRITE/VMREAD on 5220 * shadowed-fields should fail with setting RFLAGS.CF. 5221 */ 5222 flags[ACCESS_VMREAD] = X86_EFLAGS_CF; 5223 flags[ACCESS_VMWRITE] = X86_EFLAGS_CF; 5224 good_shadow = false; 5225 } 5226 5227 /* Intercept both VMREAD and VMWRITE. 
*/ 5228 report_prefix_push("no VMREAD/VMWRITE permission"); 5229 /* VMWRITE/VMREAD done on reserved-bit should always intercept */ 5230 if (!(field >> VMCS_FIELD_RESERVED_SHIFT)) { 5231 set_bit(field, bitmap[ACCESS_VMREAD]); 5232 set_bit(field, bitmap[ACCESS_VMWRITE]); 5233 } 5234 vmcs_shadow_test_access(bitmap, ACCESS_VMWRITE); 5235 report("not shadowed for VMWRITE", c->reason == VMX_VMWRITE); 5236 vmcs_shadow_test_access(bitmap, ACCESS_VMREAD); 5237 report("not shadowed for VMREAD", c->reason == VMX_VMREAD); 5238 report_prefix_pop(); 5239 5240 if (field >> VMCS_FIELD_RESERVED_SHIFT) 5241 goto out; 5242 5243 /* Permit shadowed VMREAD. */ 5244 report_prefix_push("VMREAD permission only"); 5245 clear_bit(field, bitmap[ACCESS_VMREAD]); 5246 set_bit(field, bitmap[ACCESS_VMWRITE]); 5247 if (good_shadow) 5248 value = vmwrite_to_shadow(field, MAGIC_VAL_1 + field); 5249 vmcs_shadow_test_access(bitmap, ACCESS_VMWRITE); 5250 report("not shadowed for VMWRITE", c->reason == VMX_VMWRITE); 5251 vmcs_shadow_test_access(bitmap, ACCESS_VMREAD); 5252 vmx_inst_error = vmcs_read(VMX_INST_ERROR); 5253 report("shadowed for VMREAD (in %ld cycles)", c->reason == VMX_VMCALL, 5254 c->time); 5255 report("ALU flags after VMREAD (%lx) are as expected (%lx)", 5256 c->flags == flags[ACCESS_VMREAD], 5257 c->flags, flags[ACCESS_VMREAD]); 5258 if (good_shadow) 5259 report("value read from shadow (%lx) is as expected (%lx)", 5260 c->value == value, c->value, value); 5261 else if (shadow != (struct vmcs *)-1ull && flags[ACCESS_VMREAD]) 5262 report("VMX_INST_ERROR (%d) is as expected (%d)", 5263 vmx_inst_error == VMXERR_UNSUPPORTED_VMCS_COMPONENT, 5264 vmx_inst_error, VMXERR_UNSUPPORTED_VMCS_COMPONENT); 5265 report_prefix_pop(); 5266 5267 /* Permit shadowed VMWRITE. */ 5268 report_prefix_push("VMWRITE permission only"); 5269 set_bit(field, bitmap[ACCESS_VMREAD]); 5270 clear_bit(field, bitmap[ACCESS_VMWRITE]); 5271 if (good_shadow) 5272 vmwrite_to_shadow(field, MAGIC_VAL_1 + field); 5273 vmcs_shadow_test_access(bitmap, ACCESS_VMWRITE); 5274 vmx_inst_error = vmcs_read(VMX_INST_ERROR); 5275 report("shadowed for VMWRITE (in %ld cycles)", c->reason == VMX_VMCALL, 5276 c->time); 5277 report("ALU flags after VMWRITE (%lx) are as expected (%lx)", 5278 c->flags == flags[ACCESS_VMREAD], 5279 c->flags, flags[ACCESS_VMREAD]); 5280 if (good_shadow) { 5281 value = vmread_from_shadow(field); 5282 report("shadow VMCS value (%lx) is as expected (%lx)", 5283 value == 0, value, 0ul); 5284 } else if (shadow != (struct vmcs *)-1ull && flags[ACCESS_VMWRITE]) { 5285 report("VMX_INST_ERROR (%d) is as expected (%d)", 5286 vmx_inst_error == VMXERR_UNSUPPORTED_VMCS_COMPONENT, 5287 vmx_inst_error, VMXERR_UNSUPPORTED_VMCS_COMPONENT); 5288 } 5289 vmcs_shadow_test_access(bitmap, ACCESS_VMREAD); 5290 report("not shadowed for VMREAD", c->reason == VMX_VMREAD); 5291 report_prefix_pop(); 5292 5293 /* Permit shadowed VMREAD and VMWRITE. 
*/ 5294 report_prefix_push("VMREAD and VMWRITE permission"); 5295 clear_bit(field, bitmap[ACCESS_VMREAD]); 5296 clear_bit(field, bitmap[ACCESS_VMWRITE]); 5297 if (good_shadow) 5298 vmwrite_to_shadow(field, MAGIC_VAL_1 + field); 5299 vmcs_shadow_test_access(bitmap, ACCESS_VMWRITE); 5300 vmx_inst_error = vmcs_read(VMX_INST_ERROR); 5301 report("shadowed for VMWRITE (in %ld cycles)", c->reason == VMX_VMCALL, 5302 c->time); 5303 report("ALU flags after VMWRITE (%lx) are as expected (%lx)", 5304 c->flags == flags[ACCESS_VMREAD], 5305 c->flags, flags[ACCESS_VMREAD]); 5306 if (good_shadow) { 5307 value = vmread_from_shadow(field); 5308 report("shadow VMCS value (%lx) is as expected (%lx)", 5309 value == 0, value, 0ul); 5310 } else if (shadow != (struct vmcs *)-1ull && flags[ACCESS_VMWRITE]) { 5311 report("VMX_INST_ERROR (%d) is as expected (%d)", 5312 vmx_inst_error == VMXERR_UNSUPPORTED_VMCS_COMPONENT, 5313 vmx_inst_error, VMXERR_UNSUPPORTED_VMCS_COMPONENT); 5314 } 5315 vmcs_shadow_test_access(bitmap, ACCESS_VMREAD); 5316 vmx_inst_error = vmcs_read(VMX_INST_ERROR); 5317 report("shadowed for VMREAD (in %ld cycles)", c->reason == VMX_VMCALL, 5318 c->time); 5319 report("ALU flags after VMREAD (%lx) are as expected (%lx)", 5320 c->flags == flags[ACCESS_VMREAD], 5321 c->flags, flags[ACCESS_VMREAD]); 5322 if (good_shadow) 5323 report("value read from shadow (%lx) is as expected (%lx)", 5324 c->value == 0, c->value, 0ul); 5325 else if (shadow != (struct vmcs *)-1ull && flags[ACCESS_VMREAD]) 5326 report("VMX_INST_ERROR (%d) is as expected (%d)", 5327 vmx_inst_error == VMXERR_UNSUPPORTED_VMCS_COMPONENT, 5328 vmx_inst_error, VMXERR_UNSUPPORTED_VMCS_COMPONENT); 5329 report_prefix_pop(); 5330 5331 out: 5332 report_prefix_pop(); 5333 } 5334 5335 static void vmx_vmcs_shadow_test_body(u8 *bitmap[2]) 5336 { 5337 unsigned base; 5338 unsigned index; 5339 unsigned bit; 5340 unsigned highest_index = rdmsr(MSR_IA32_VMX_VMCS_ENUM); 5341 5342 /* Run test on all possible valid VMCS fields */ 5343 for (base = 0; 5344 base < (1 << VMCS_FIELD_RESERVED_SHIFT); 5345 base += (1 << VMCS_FIELD_TYPE_SHIFT)) 5346 for (index = 0; index <= highest_index; index++) 5347 vmcs_shadow_test_field(bitmap, base + index); 5348 5349 /* 5350 * Run tests on some invalid VMCS fields 5351 * (Have reserved bit set). 
5352 */ 5353 for (bit = VMCS_FIELD_RESERVED_SHIFT; bit < VMCS_FIELD_BIT_SIZE; bit++) 5354 vmcs_shadow_test_field(bitmap, (1ull << bit)); 5355 } 5356 5357 static void vmx_vmcs_shadow_test(void) 5358 { 5359 u8 *bitmap[2]; 5360 struct vmcs *shadow; 5361 5362 if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY)) { 5363 printf("\t'Activate secondary controls' not supported.\n"); 5364 return; 5365 } 5366 5367 if (!(ctrl_cpu_rev[1].clr & CPU_SHADOW_VMCS)) { 5368 printf("\t'VMCS shadowing' not supported.\n"); 5369 return; 5370 } 5371 5372 if (!(rdmsr(MSR_IA32_VMX_MISC) & 5373 MSR_IA32_VMX_MISC_VMWRITE_SHADOW_RO_FIELDS)) { 5374 printf("\tVMWRITE can't modify VM-exit information fields.\n"); 5375 return; 5376 } 5377 5378 test_set_guest(vmx_vmcs_shadow_test_guest); 5379 5380 bitmap[ACCESS_VMREAD] = alloc_page(); 5381 bitmap[ACCESS_VMWRITE] = alloc_page(); 5382 5383 vmcs_write(VMREAD_BITMAP, virt_to_phys(bitmap[ACCESS_VMREAD])); 5384 vmcs_write(VMWRITE_BITMAP, virt_to_phys(bitmap[ACCESS_VMWRITE])); 5385 5386 shadow = alloc_page(); 5387 shadow->hdr.revision_id = basic.revision; 5388 shadow->hdr.shadow_vmcs = 1; 5389 TEST_ASSERT(!vmcs_clear(shadow)); 5390 5391 vmcs_clear_bits(CPU_EXEC_CTRL0, CPU_RDTSC); 5392 vmcs_set_bits(CPU_EXEC_CTRL0, CPU_SECONDARY); 5393 vmcs_set_bits(CPU_EXEC_CTRL1, CPU_SHADOW_VMCS); 5394 5395 vmcs_write(VMCS_LINK_PTR, virt_to_phys(shadow)); 5396 report_prefix_push("valid link pointer"); 5397 vmx_vmcs_shadow_test_body(bitmap); 5398 report_prefix_pop(); 5399 5400 vmcs_write(VMCS_LINK_PTR, -1ull); 5401 report_prefix_push("invalid link pointer"); 5402 vmx_vmcs_shadow_test_body(bitmap); 5403 report_prefix_pop(); 5404 5405 l1_l2_common.op = ACCESS_NONE; 5406 enter_guest(); 5407 } 5408 5409 #define TEST(name) { #name, .v2 = name } 5410 5411 /* name/init/guest_main/exit_handler/syscall_handler/guest_regs */ 5412 struct vmx_test vmx_tests[] = { 5413 { "null", NULL, basic_guest_main, basic_exit_handler, NULL, {0} }, 5414 { "vmenter", NULL, vmenter_main, vmenter_exit_handler, NULL, {0} }, 5415 { "preemption timer", preemption_timer_init, preemption_timer_main, 5416 preemption_timer_exit_handler, NULL, {0} }, 5417 { "control field PAT", test_ctrl_pat_init, test_ctrl_pat_main, 5418 test_ctrl_pat_exit_handler, NULL, {0} }, 5419 { "control field EFER", test_ctrl_efer_init, test_ctrl_efer_main, 5420 test_ctrl_efer_exit_handler, NULL, {0} }, 5421 { "CR shadowing", NULL, cr_shadowing_main, 5422 cr_shadowing_exit_handler, NULL, {0} }, 5423 { "I/O bitmap", iobmp_init, iobmp_main, iobmp_exit_handler, 5424 NULL, {0} }, 5425 { "instruction intercept", insn_intercept_init, insn_intercept_main, 5426 insn_intercept_exit_handler, NULL, {0} }, 5427 { "EPT A/D disabled", ept_init, ept_main, ept_exit_handler, NULL, {0} }, 5428 { "EPT A/D enabled", eptad_init, eptad_main, eptad_exit_handler, NULL, {0} }, 5429 { "PML", pml_init, pml_main, pml_exit_handler, NULL, {0} }, 5430 { "VPID", vpid_init, vpid_main, vpid_exit_handler, NULL, {0} }, 5431 { "interrupt", interrupt_init, interrupt_main, 5432 interrupt_exit_handler, NULL, {0} }, 5433 { "debug controls", dbgctls_init, dbgctls_main, dbgctls_exit_handler, 5434 NULL, {0} }, 5435 { "MSR switch", msr_switch_init, msr_switch_main, 5436 msr_switch_exit_handler, NULL, {0}, msr_switch_entry_failure }, 5437 { "vmmcall", vmmcall_init, vmmcall_main, vmmcall_exit_handler, NULL, {0} }, 5438 { "disable RDTSCP", disable_rdtscp_init, disable_rdtscp_main, 5439 disable_rdtscp_exit_handler, NULL, {0} }, 5440 { "int3", int3_init, int3_guest_main, int3_exit_handler, NULL, {0} }, 5441 { "into", 
into_init, into_guest_main, into_exit_handler, NULL, {0} }, 5442 { "exit_monitor_from_l2_test", NULL, exit_monitor_from_l2_main, 5443 exit_monitor_from_l2_handler, NULL, {0} }, 5444 /* Basic V2 tests. */ 5445 TEST(v2_null_test), 5446 TEST(v2_multiple_entries_test), 5447 TEST(fixture_test_case1), 5448 TEST(fixture_test_case2), 5449 /* Opcode tests. */ 5450 TEST(invvpid_test_v2), 5451 /* VM-entry tests */ 5452 TEST(vmx_controls_test), 5453 TEST(vmentry_movss_shadow_test), 5454 /* APICv tests */ 5455 TEST(vmx_eoi_bitmap_ioapic_scan_test), 5456 /* APIC pass-through tests */ 5457 TEST(vmx_apic_passthrough_test), 5458 TEST(vmx_apic_passthrough_thread_test), 5459 /* VMCS Shadowing tests */ 5460 TEST(vmx_vmcs_shadow_test), 5461 /* Regression tests */ 5462 TEST(vmx_cr_load_test), 5463 TEST(vmx_pending_event_test), 5464 TEST(vmx_pending_event_hlt_test), 5465 /* EPT access tests. */ 5466 TEST(ept_access_test_not_present), 5467 TEST(ept_access_test_read_only), 5468 TEST(ept_access_test_write_only), 5469 TEST(ept_access_test_read_write), 5470 TEST(ept_access_test_execute_only), 5471 TEST(ept_access_test_read_execute), 5472 TEST(ept_access_test_write_execute), 5473 TEST(ept_access_test_read_write_execute), 5474 TEST(ept_access_test_reserved_bits), 5475 TEST(ept_access_test_ignored_bits), 5476 TEST(ept_access_test_paddr_not_present_ad_disabled), 5477 TEST(ept_access_test_paddr_not_present_ad_enabled), 5478 TEST(ept_access_test_paddr_read_only_ad_disabled), 5479 TEST(ept_access_test_paddr_read_only_ad_enabled), 5480 TEST(ept_access_test_paddr_read_write), 5481 TEST(ept_access_test_paddr_read_write_execute), 5482 TEST(ept_access_test_paddr_read_execute_ad_disabled), 5483 TEST(ept_access_test_paddr_read_execute_ad_enabled), 5484 TEST(ept_access_test_paddr_not_present_page_fault), 5485 TEST(ept_access_test_force_2m_page), 5486 { NULL, NULL, NULL, NULL, NULL, {0} }, 5487 }; 5488
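/*
 * For reference, a minimal sketch (hypothetical, not part of the suite) of
 * what adding another v2-style test involves: a void(void) function plus a
 * TEST() entry, which expands to { "name", .v2 = name } and leaves the
 * legacy init/guest_main/exit_handler hooks NULL. The entry itself would
 * have to be placed above the terminating NULL record of vmx_tests[]:
 *
 *	static void vmx_example_test(void)
 *	{
 *		test_set_guest(v2_null_test_guest);
 *		enter_guest();
 *		report(__func__, 1);
 *	}
 *
 *	TEST(vmx_example_test),
 */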