From patchwork Fri Jun 22 23:59:40 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Liran Alon X-Patchwork-Id: 10483347 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2D2B86023A for ; Sat, 23 Jun 2018 00:00:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1ABB728E24 for ; Sat, 23 Jun 2018 00:00:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0F21929004; Sat, 23 Jun 2018 00:00:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2A59928E24 for ; Sat, 23 Jun 2018 00:00:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934451AbeFWAAf (ORCPT ); Fri, 22 Jun 2018 20:00:35 -0400 Received: from userp2120.oracle.com ([156.151.31.85]:46306 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934442AbeFWAA2 (ORCPT ); Fri, 22 Jun 2018 20:00:28 -0400 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w5MNx4pp130508; Sat, 23 Jun 2018 00:00:14 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references; s=corp-2017-10-26; bh=zzKLejGRKddWKZ+Ry+Dd/L75r4AZ7/1F+hAiHpOkwDQ=; b=VFWM1xfwYyEcGHh1OLDYSWtOrXN8hPg81QteFet/aYvWl2QYA10K0OsrNMAm7r+MUFoU pJfbcKEA+9oOP+2+Ul/MmVxyvMzVXpsoqga5vvw/KZIswwOyCTgDeqnIAbf0zHl41nMn WgIqQAun/D0oId4VEoPoSUbeRi/aKI+Jecr1deh34j9jByykQejtosqbC/4rZ8MrQcEa SZ5DLaNL9VC8BEUj5aU9WefrTYKCFkho91EBWuxBAcxlb3mLECHdyqXYMpFwonCfIcdj WrUYn4aRYR/ddG5uKcZN6hM69BWeVDVRiTs/7JnArDoZaG3BZO684o3FkGjKT9w85OyA Ow== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2jrp8hure2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 23 Jun 2018 00:00:13 +0000 Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w5N00DIi025933 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 23 Jun 2018 00:00:13 GMT Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w5N00CIq026315; Sat, 23 Jun 2018 00:00:12 GMT Received: from liran-pc.mynet (/79.183.72.72) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 22 Jun 2018 17:00:12 -0700 From: Liran Alon To: pbonzini@redhat.com, rkrcmar@redhat.com, kvm@vger.kernel.org Cc: jmattson@google.com, idan.brown@oracle.com, Liran Alon Subject: [PATCH kvm-unit-tests 9/9] x86: nVMX: Add tests for VMCS Shadowing Date: Sat, 23 Jun 2018 02:59:40 +0300 Message-Id: <1529711980-32764-10-git-send-email-liran.alon@oracle.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1529711980-32764-1-git-send-email-liran.alon@oracle.com> References: <1529711980-32764-1-git-send-email-liran.alon@oracle.com> X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8932 signatures=668703 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1806220265 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The test iterates over every possible valid VMCS field and verifies that: - If VMWRITE/VMREAD bitmaps intercept both VMREAD & VMWRITE, then VMREAD & VMWRITE to this field is intercepted. - If VMWRITE/VMREAD bitmaps intercept only VMREAD, then VMREAD of this field is intercepted and VMWRITE is pass-throughed and written value written correctly to shadow VMCS. - If VMWRITE/VMREAD bitmaps intercept only VMWRITE, then VMWRITE of this field is intercepted and VMREAD is pass-throughed and value is read correctly from shadow VMCS. - If VMWRITE/VMREAD bitmaps neither intercept VMWRITE nor VMREAD of this field, then both VMREAD & VMWRITE of this field is pass-through and value is written and read correctly from shadow VMCS. - If field is pass-through for VMREAD/VMWRITE and field is not supported by physical CPU, then VMREAD/VMWRITE to it from guest should be intercepted with VMX_INST_ERROR equal to VMXERR_UNSUPPORTED_VMCS_COMPONENT. Above tests also verify that RFLAGS is updated correctly after VMREAD/VMWRITE simulation/pass-through. In addition, these tests are run again with shadow_vmcs==-1ull because this is a special valid case in which VMREAD/VMWRITE to shadowed-fields should fail with RFLAGS.CF being set. In addition, these tests are also run against non-valid VMCS fields (Fields having one bit set in bit-range 15-64. Each iteration with a single bit set on a different position) and verify that all VMREAD/VMWRITE to these fields are intercepted. Signed-off-by: Liran Alon Signed-off-by: Jim Mattson --- x86/unittests.cfg | 7 ++ x86/vmx_tests.c | 310 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 317 insertions(+) diff --git a/x86/unittests.cfg b/x86/unittests.cfg index a61df879990e..46f3a34e5e2e 100644 --- a/x86/unittests.cfg +++ b/x86/unittests.cfg @@ -571,6 +571,13 @@ extra_params = -cpu host,+vmx -m 2048 -append vmx_apic_passthrough_thread_test arch = x86_64 groups = vmx +[vmx_vmcs_shadow_test] +file = vmx.flat +smp = 2 +extra_params = -cpu host,+vmx -m 2048 -append vmx_vmcs_shadow_test +arch = x86_64 +groups = vmx + [debug] file = debug.flat arch = x86_64 diff --git a/x86/vmx_tests.c b/x86/vmx_tests.c index 932759701314..53140dbf0b92 100644 --- a/x86/vmx_tests.c +++ b/x86/vmx_tests.c @@ -4206,6 +4206,314 @@ static void vmx_apic_passthrough_thread_test(void) vmx_apic_passthrough(true); } +enum vmcs_access { + ACCESS_VMREAD, + ACCESS_VMWRITE, + ACCESS_NONE, +}; + +struct vmcs_shadow_test_common { + enum vmcs_access op; + enum Reason reason; + u64 field; + u64 value; + u64 flags; + u64 time; +} l1_l2_common; + +static inline u64 vmread_flags(u64 field, u64 *val) +{ + u64 flags; + + asm volatile ("vmread %2, %1; pushf; pop %0" + : "=r" (flags), "=rm" (*val) : "r" (field) : "cc"); + return flags & X86_EFLAGS_ALU; +} + +static inline u64 vmwrite_flags(u64 field, u64 val) +{ + u64 flags; + + asm volatile ("vmwrite %1, %2; pushf; pop %0" + : "=r"(flags) : "rm" (val), "r" (field) : "cc"); + return flags & X86_EFLAGS_ALU; +} + +static void vmx_vmcs_shadow_test_guest(void) +{ + struct vmcs_shadow_test_common *c = &l1_l2_common; + u64 start; + + while (c->op != ACCESS_NONE) { + start = rdtsc(); + switch (c->op) { + default: + c->flags = -1ull; + break; + case ACCESS_VMREAD: + c->flags = vmread_flags(c->field, &c->value); + break; + case ACCESS_VMWRITE: + c->flags = vmwrite_flags(c->field, 0); + break; + } + c->time = rdtsc() - start; + vmcall(); + } +} + +static u64 vmread_from_shadow(u64 field) +{ + struct vmcs *primary; + struct vmcs *shadow; + u64 value; + + TEST_ASSERT(!vmcs_save(&primary)); + shadow = (struct vmcs *)vmcs_read(VMCS_LINK_PTR); + TEST_ASSERT(!make_vmcs_current(shadow)); + value = vmcs_read(field); + TEST_ASSERT(!make_vmcs_current(primary)); + return value; +} + +static u64 vmwrite_to_shadow(u64 field, u64 value) +{ + struct vmcs *primary; + struct vmcs *shadow; + + TEST_ASSERT(!vmcs_save(&primary)); + shadow = (struct vmcs *)vmcs_read(VMCS_LINK_PTR); + TEST_ASSERT(!make_vmcs_current(shadow)); + vmcs_write(field, value); + value = vmcs_read(field); + TEST_ASSERT(!make_vmcs_current(primary)); + return value; +} + +static void vmcs_shadow_test_access(u8 *bitmap[2], enum vmcs_access access) +{ + struct vmcs_shadow_test_common *c = &l1_l2_common; + + c->op = access; + vmcs_write(VMX_INST_ERROR, 0); + enter_guest(); + c->reason = vmcs_read(EXI_REASON) & 0xffff; + if (c->reason != VMX_VMCALL) { + skip_exit_insn(); + enter_guest(); + } + skip_exit_vmcall(); +} + +static void vmcs_shadow_test_field(u8 *bitmap[2], u64 field) +{ + struct vmcs_shadow_test_common *c = &l1_l2_common; + struct vmcs *shadow; + u64 value; + uintptr_t flags[2]; + bool good_shadow; + u32 vmx_inst_error; + + report_prefix_pushf("field %lx", field); + c->field = field; + + shadow = (struct vmcs *)vmcs_read(VMCS_LINK_PTR); + if (shadow != (struct vmcs *)-1ull) { + flags[ACCESS_VMREAD] = vmread_flags(field, &value); + flags[ACCESS_VMWRITE] = vmwrite_flags(field, value); + good_shadow = !flags[ACCESS_VMREAD] && !flags[ACCESS_VMWRITE]; + } else { + /* + * When VMCS link pointer is -1ull, VMWRITE/VMREAD on + * shadowed-fields should fail with setting RFLAGS.CF. + */ + flags[ACCESS_VMREAD] = X86_EFLAGS_CF; + flags[ACCESS_VMWRITE] = X86_EFLAGS_CF; + good_shadow = false; + } + + /* Intercept both VMREAD and VMWRITE. */ + report_prefix_push("no VMREAD/VMWRITE permission"); + /* VMWRITE/VMREAD done on reserved-bit should always intercept */ + if (!(field >> VMCS_FIELD_RESERVED_SHIFT)) { + set_bit(field, bitmap[ACCESS_VMREAD]); + set_bit(field, bitmap[ACCESS_VMWRITE]); + } + vmcs_shadow_test_access(bitmap, ACCESS_VMWRITE); + report("not shadowed for VMWRITE", c->reason == VMX_VMWRITE); + vmcs_shadow_test_access(bitmap, ACCESS_VMREAD); + report("not shadowed for VMREAD", c->reason == VMX_VMREAD); + report_prefix_pop(); + + if (field >> VMCS_FIELD_RESERVED_SHIFT) + goto out; + + /* Permit shadowed VMREAD. */ + report_prefix_push("VMREAD permission only"); + clear_bit(field, bitmap[ACCESS_VMREAD]); + set_bit(field, bitmap[ACCESS_VMWRITE]); + if (good_shadow) + value = vmwrite_to_shadow(field, MAGIC_VAL_1 + field); + vmcs_shadow_test_access(bitmap, ACCESS_VMWRITE); + report("not shadowed for VMWRITE", c->reason == VMX_VMWRITE); + vmcs_shadow_test_access(bitmap, ACCESS_VMREAD); + vmx_inst_error = vmcs_read(VMX_INST_ERROR); + report("shadowed for VMREAD (in %ld cycles)", c->reason == VMX_VMCALL, + c->time); + report("ALU flags after VMREAD (%lx) are as expected (%lx)", + c->flags == flags[ACCESS_VMREAD], + c->flags, flags[ACCESS_VMREAD]); + if (good_shadow) + report("value read from shadow (%lx) is as expected (%lx)", + c->value == value, c->value, value); + else if (shadow != (struct vmcs *)-1ull && flags[ACCESS_VMREAD]) + report("VMX_INST_ERROR (%d) is as expected (%d)", + vmx_inst_error == VMXERR_UNSUPPORTED_VMCS_COMPONENT, + vmx_inst_error, VMXERR_UNSUPPORTED_VMCS_COMPONENT); + report_prefix_pop(); + + /* Permit shadowed VMWRITE. */ + report_prefix_push("VMWRITE permission only"); + set_bit(field, bitmap[ACCESS_VMREAD]); + clear_bit(field, bitmap[ACCESS_VMWRITE]); + if (good_shadow) + vmwrite_to_shadow(field, MAGIC_VAL_1 + field); + vmcs_shadow_test_access(bitmap, ACCESS_VMWRITE); + vmx_inst_error = vmcs_read(VMX_INST_ERROR); + report("shadowed for VMWRITE (in %ld cycles)", c->reason == VMX_VMCALL, + c->time); + report("ALU flags after VMWRITE (%lx) are as expected (%lx)", + c->flags == flags[ACCESS_VMREAD], + c->flags, flags[ACCESS_VMREAD]); + if (good_shadow) { + value = vmread_from_shadow(field); + report("shadow VMCS value (%lx) is as expected (%lx)", + value == 0, value, 0ul); + } else if (shadow != (struct vmcs *)-1ull && flags[ACCESS_VMWRITE]) { + report("VMX_INST_ERROR (%d) is as expected (%d)", + vmx_inst_error == VMXERR_UNSUPPORTED_VMCS_COMPONENT, + vmx_inst_error, VMXERR_UNSUPPORTED_VMCS_COMPONENT); + } + vmcs_shadow_test_access(bitmap, ACCESS_VMREAD); + report("not shadowed for VMREAD", c->reason == VMX_VMREAD); + report_prefix_pop(); + + /* Permit shadowed VMREAD and VMWRITE. */ + report_prefix_push("VMREAD and VMWRITE permission"); + clear_bit(field, bitmap[ACCESS_VMREAD]); + clear_bit(field, bitmap[ACCESS_VMWRITE]); + if (good_shadow) + vmwrite_to_shadow(field, MAGIC_VAL_1 + field); + vmcs_shadow_test_access(bitmap, ACCESS_VMWRITE); + vmx_inst_error = vmcs_read(VMX_INST_ERROR); + report("shadowed for VMWRITE (in %ld cycles)", c->reason == VMX_VMCALL, + c->time); + report("ALU flags after VMWRITE (%lx) are as expected (%lx)", + c->flags == flags[ACCESS_VMREAD], + c->flags, flags[ACCESS_VMREAD]); + if (good_shadow) { + value = vmread_from_shadow(field); + report("shadow VMCS value (%lx) is as expected (%lx)", + value == 0, value, 0ul); + } else if (shadow != (struct vmcs *)-1ull && flags[ACCESS_VMWRITE]) { + report("VMX_INST_ERROR (%d) is as expected (%d)", + vmx_inst_error == VMXERR_UNSUPPORTED_VMCS_COMPONENT, + vmx_inst_error, VMXERR_UNSUPPORTED_VMCS_COMPONENT); + } + vmcs_shadow_test_access(bitmap, ACCESS_VMREAD); + vmx_inst_error = vmcs_read(VMX_INST_ERROR); + report("shadowed for VMREAD (in %ld cycles)", c->reason == VMX_VMCALL, + c->time); + report("ALU flags after VMREAD (%lx) are as expected (%lx)", + c->flags == flags[ACCESS_VMREAD], + c->flags, flags[ACCESS_VMREAD]); + if (good_shadow) + report("value read from shadow (%lx) is as expected (%lx)", + c->value == 0, c->value, 0ul); + else if (shadow != (struct vmcs *)-1ull && flags[ACCESS_VMREAD]) + report("VMX_INST_ERROR (%d) is as expected (%d)", + vmx_inst_error == VMXERR_UNSUPPORTED_VMCS_COMPONENT, + vmx_inst_error, VMXERR_UNSUPPORTED_VMCS_COMPONENT); + report_prefix_pop(); + +out: + report_prefix_pop(); +} + +static void vmx_vmcs_shadow_test_body(u8 *bitmap[2]) +{ + unsigned base; + unsigned index; + unsigned bit; + unsigned highest_index = rdmsr(MSR_IA32_VMX_VMCS_ENUM); + + /* Run test on all possible valid VMCS fields */ + for (base = 0; + base < (1 << VMCS_FIELD_RESERVED_SHIFT); + base += (1 << VMCS_FIELD_TYPE_SHIFT)) + for (index = 0; index <= highest_index; index++) + vmcs_shadow_test_field(bitmap, base + index); + + /* + * Run tests on some invalid VMCS fields + * (Have reserved bit set). + */ + for (bit = VMCS_FIELD_RESERVED_SHIFT; bit < VMCS_FIELD_BIT_SIZE; bit++) + vmcs_shadow_test_field(bitmap, (1ull << bit)); +} + +static void vmx_vmcs_shadow_test(void) +{ + u8 *bitmap[2]; + struct vmcs *shadow; + + if (!(ctrl_cpu_rev[0].clr & CPU_SECONDARY)) { + printf("\t'Activate secondary controls' not supported.\n"); + return; + } + + if (!(ctrl_cpu_rev[1].clr & CPU_SHADOW_VMCS)) { + printf("\t'VMCS shadowing' not supported.\n"); + return; + } + + if (!(rdmsr(MSR_IA32_VMX_MISC) & + MSR_IA32_VMX_MISC_VMWRITE_SHADOW_RO_FIELDS)) { + printf("\tVMWRITE can't modify VM-exit information fields.\n"); + return; + } + + test_set_guest(vmx_vmcs_shadow_test_guest); + + bitmap[ACCESS_VMREAD] = alloc_page(); + bitmap[ACCESS_VMWRITE] = alloc_page(); + + vmcs_write(VMREAD_BITMAP, virt_to_phys(bitmap[ACCESS_VMREAD])); + vmcs_write(VMWRITE_BITMAP, virt_to_phys(bitmap[ACCESS_VMWRITE])); + + shadow = alloc_page(); + shadow->hdr.revision_id = basic.revision; + shadow->hdr.shadow_vmcs = 1; + TEST_ASSERT(!vmcs_clear(shadow)); + + vmcs_clear_bits(CPU_EXEC_CTRL0, CPU_RDTSC); + vmcs_set_bits(CPU_EXEC_CTRL0, CPU_SECONDARY); + vmcs_set_bits(CPU_EXEC_CTRL1, CPU_SHADOW_VMCS); + + vmcs_write(VMCS_LINK_PTR, virt_to_phys(shadow)); + report_prefix_push("valid link pointer"); + vmx_vmcs_shadow_test_body(bitmap); + report_prefix_pop(); + + vmcs_write(VMCS_LINK_PTR, -1ull); + report_prefix_push("invalid link pointer"); + vmx_vmcs_shadow_test_body(bitmap); + report_prefix_pop(); + + l1_l2_common.op = ACCESS_NONE; + enter_guest(); +} + #define TEST(name) { #name, .v2 = name } /* name/init/guest_main/exit_handler/syscall_handler/guest_regs */ @@ -4256,6 +4564,8 @@ struct vmx_test vmx_tests[] = { /* APIC pass-through tests */ TEST(vmx_apic_passthrough_test), TEST(vmx_apic_passthrough_thread_test), + /* VMCS Shadowing tests */ + TEST(vmx_vmcs_shadow_test), /* Regression tests */ TEST(vmx_cr_load_test), /* EPT access tests. */