2 * Copyright (c) 2011 NetApp, Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY NETAPP, INC ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL NETAPP, INC OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
32 #include <sys/param.h>
33 #include <sys/systm.h>
35 #include <sys/kernel.h>
36 #include <sys/malloc.h>
39 #include <sys/sysctl.h>
44 #include <machine/psl.h>
45 #include <machine/cpufunc.h>
46 #include <machine/md_var.h>
47 #include <machine/segments.h>
48 #include <machine/specialreg.h>
49 #include <machine/vmparam.h>
51 #include <machine/vmm.h>
57 #include "vlapic_priv.h"
61 #include "vmx_cpufunc.h"
64 #include "vmx_controls.h"
66 #define PINBASED_CTLS_ONE_SETTING \
67 (PINBASED_EXTINT_EXITING | \
68 PINBASED_NMI_EXITING | \
70 #define PINBASED_CTLS_ZERO_SETTING 0
72 #define PROCBASED_CTLS_WINDOW_SETTING \
73 (PROCBASED_INT_WINDOW_EXITING | \
74 PROCBASED_NMI_WINDOW_EXITING)
76 #define PROCBASED_CTLS_ONE_SETTING \
77 (PROCBASED_SECONDARY_CONTROLS | \
78 PROCBASED_IO_EXITING | \
79 PROCBASED_MSR_BITMAPS | \
80 PROCBASED_CTLS_WINDOW_SETTING)
81 #define PROCBASED_CTLS_ZERO_SETTING \
82 (PROCBASED_CR3_LOAD_EXITING | \
83 PROCBASED_CR3_STORE_EXITING | \
86 #define PROCBASED_CTLS2_ONE_SETTING PROCBASED2_ENABLE_EPT
87 #define PROCBASED_CTLS2_ZERO_SETTING 0
89 #define VM_EXIT_CTLS_ONE_SETTING_NO_PAT \
94 #define VM_EXIT_CTLS_ONE_SETTING \
95 (VM_EXIT_CTLS_ONE_SETTING_NO_PAT | \
98 #define VM_EXIT_CTLS_ZERO_SETTING VM_EXIT_SAVE_DEBUG_CONTROLS
100 #define VM_ENTRY_CTLS_ONE_SETTING_NO_PAT VM_ENTRY_LOAD_EFER
102 #define VM_ENTRY_CTLS_ONE_SETTING \
103 (VM_ENTRY_CTLS_ONE_SETTING_NO_PAT | \
105 #define VM_ENTRY_CTLS_ZERO_SETTING \
106 (VM_ENTRY_LOAD_DEBUG_CONTROLS | \
107 VM_ENTRY_INTO_SMM | \
108 VM_ENTRY_DEACTIVATE_DUAL_MONITOR)
110 #define guest_msr_rw(vmx, msr) \
111 msr_bitmap_change_access((vmx)->msr_bitmap, (msr), MSR_BITMAP_ACCESS_RW)
116 static MALLOC_DEFINE(M_VMX, "vmx", "vmx");
117 static MALLOC_DEFINE(M_VLAPIC, "vlapic", "vlapic");
119 SYSCTL_DECL(_hw_vmm);
120 SYSCTL_NODE(_hw_vmm, OID_AUTO, vmx, CTLFLAG_RW, NULL, NULL);
122 int vmxon_enabled[MAXCPU];
123 static char vmxon_region[MAXCPU][PAGE_SIZE] __aligned(PAGE_SIZE);
125 static uint32_t pinbased_ctls, procbased_ctls, procbased_ctls2;
126 static uint32_t exit_ctls, entry_ctls;
128 static uint64_t cr0_ones_mask, cr0_zeros_mask;
129 SYSCTL_ULONG(_hw_vmm_vmx, OID_AUTO, cr0_ones_mask, CTLFLAG_RD,
130 &cr0_ones_mask, 0, NULL);
131 SYSCTL_ULONG(_hw_vmm_vmx, OID_AUTO, cr0_zeros_mask, CTLFLAG_RD,
132 &cr0_zeros_mask, 0, NULL);
134 static uint64_t cr4_ones_mask, cr4_zeros_mask;
135 SYSCTL_ULONG(_hw_vmm_vmx, OID_AUTO, cr4_ones_mask, CTLFLAG_RD,
136 &cr4_ones_mask, 0, NULL);
137 SYSCTL_ULONG(_hw_vmm_vmx, OID_AUTO, cr4_zeros_mask, CTLFLAG_RD,
138 &cr4_zeros_mask, 0, NULL);
140 static int vmx_no_patmsr;
142 static int vmx_initialized;
143 SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, initialized, CTLFLAG_RD,
144 &vmx_initialized, 0, "Intel VMX initialized");
147 * Virtual NMI blocking conditions.
149 * Some processor implementations also require NMI to be blocked if
150 * the STI_BLOCKING bit is set. It is possible to detect this at runtime
151 * based on the (exit_reason,exit_qual) tuple being set to
152 * (EXIT_REASON_INVAL_VMCS, EXIT_QUAL_NMI_WHILE_STI_BLOCKING).
154 * We take the easy way out and also include STI_BLOCKING as one of the
155 * gating items for vNMI injection.
157 static uint64_t nmi_blocking_bits = VMCS_INTERRUPTIBILITY_MOVSS_BLOCKING |
158 VMCS_INTERRUPTIBILITY_NMI_BLOCKING |
159 VMCS_INTERRUPTIBILITY_STI_BLOCKING;
162 * Optional capabilities
164 static int cap_halt_exit;
165 static int cap_pause_exit;
166 static int cap_unrestricted_guest;
167 static int cap_monitor_trap;
168 static int cap_invpcid;
170 static int virtual_interrupt_delivery;
171 SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, virtual_interrupt_delivery, CTLFLAG_RD,
172 &virtual_interrupt_delivery, 0, "APICv virtual interrupt delivery support");
174 static struct unrhdr *vpid_unr;
175 static u_int vpid_alloc_failed;
176 SYSCTL_UINT(_hw_vmm_vmx, OID_AUTO, vpid_alloc_failed, CTLFLAG_RD,
177 &vpid_alloc_failed, 0, NULL);
180 * Use the last page below 4GB as the APIC access address. This address is
181 * occupied by the boot firmware so it is guaranteed that it will not conflict
182 * with a page in system memory.
184 #define APIC_ACCESS_ADDRESS 0xFFFFF000
186 static void vmx_inject_pir(struct vlapic *vlapic);
190 exit_reason_to_str(int reason)
192 static char reasonbuf[32];
195 case EXIT_REASON_EXCEPTION:
197 case EXIT_REASON_EXT_INTR:
199 case EXIT_REASON_TRIPLE_FAULT:
200 return "triplefault";
201 case EXIT_REASON_INIT:
203 case EXIT_REASON_SIPI:
205 case EXIT_REASON_IO_SMI:
207 case EXIT_REASON_SMI:
209 case EXIT_REASON_INTR_WINDOW:
211 case EXIT_REASON_NMI_WINDOW:
213 case EXIT_REASON_TASK_SWITCH:
215 case EXIT_REASON_CPUID:
217 case EXIT_REASON_GETSEC:
219 case EXIT_REASON_HLT:
221 case EXIT_REASON_INVD:
223 case EXIT_REASON_INVLPG:
225 case EXIT_REASON_RDPMC:
227 case EXIT_REASON_RDTSC:
229 case EXIT_REASON_RSM:
231 case EXIT_REASON_VMCALL:
233 case EXIT_REASON_VMCLEAR:
235 case EXIT_REASON_VMLAUNCH:
237 case EXIT_REASON_VMPTRLD:
239 case EXIT_REASON_VMPTRST:
241 case EXIT_REASON_VMREAD:
243 case EXIT_REASON_VMRESUME:
245 case EXIT_REASON_VMWRITE:
247 case EXIT_REASON_VMXOFF:
249 case EXIT_REASON_VMXON:
251 case EXIT_REASON_CR_ACCESS:
253 case EXIT_REASON_DR_ACCESS:
255 case EXIT_REASON_INOUT:
257 case EXIT_REASON_RDMSR:
259 case EXIT_REASON_WRMSR:
261 case EXIT_REASON_INVAL_VMCS:
263 case EXIT_REASON_INVAL_MSR:
265 case EXIT_REASON_MWAIT:
267 case EXIT_REASON_MTF:
269 case EXIT_REASON_MONITOR:
271 case EXIT_REASON_PAUSE:
273 case EXIT_REASON_MCE:
275 case EXIT_REASON_TPR:
277 case EXIT_REASON_APIC_ACCESS:
278 return "apic-access";
279 case EXIT_REASON_GDTR_IDTR:
281 case EXIT_REASON_LDTR_TR:
283 case EXIT_REASON_EPT_FAULT:
285 case EXIT_REASON_EPT_MISCONFIG:
286 return "eptmisconfig";
287 case EXIT_REASON_INVEPT:
289 case EXIT_REASON_RDTSCP:
291 case EXIT_REASON_VMX_PREEMPT:
293 case EXIT_REASON_INVVPID:
295 case EXIT_REASON_WBINVD:
297 case EXIT_REASON_XSETBV:
299 case EXIT_REASON_APIC_WRITE:
302 snprintf(reasonbuf, sizeof(reasonbuf), "%d", reason);
309 vmx_fix_cr0(u_long cr0)
312 return ((cr0 | cr0_ones_mask) & ~cr0_zeros_mask);
316 vmx_fix_cr4(u_long cr4)
319 return ((cr4 | cr4_ones_mask) & ~cr4_zeros_mask);
325 if (vpid < 0 || vpid > 0xffff)
326 panic("vpid_free: invalid vpid %d", vpid);
329 * VPIDs [0,VM_MAXCPU] are special and are not allocated from
330 * the unit number allocator.
333 if (vpid > VM_MAXCPU)
334 free_unr(vpid_unr, vpid);
338 vpid_alloc(uint16_t *vpid, int num)
342 if (num <= 0 || num > VM_MAXCPU)
343 panic("invalid number of vpids requested: %d", num);
346 * If the "enable vpid" execution control is not enabled then the
347 * VPID is required to be 0 for all vcpus.
349 if ((procbased_ctls2 & PROCBASED2_ENABLE_VPID) == 0) {
350 for (i = 0; i < num; i++)
356 * Allocate a unique VPID for each vcpu from the unit number allocator.
358 for (i = 0; i < num; i++) {
359 x = alloc_unr(vpid_unr);
367 atomic_add_int(&vpid_alloc_failed, 1);
370 * If the unit number allocator does not have enough unique
371 * VPIDs then we need to allocate from the [1,VM_MAXCPU] range.
373 * These VPIDs are not be unique across VMs but this does not
374 * affect correctness because the combined mappings are also
375 * tagged with the EP4TA which is unique for each VM.
377 * It is still sub-optimal because the invvpid will invalidate
378 * combined mappings for a particular VPID across all EP4TAs.
383 for (i = 0; i < num; i++)
392 * VPID 0 is required when the "enable VPID" execution control is
395 * VPIDs [1,VM_MAXCPU] are used as the "overflow namespace" when the
396 * unit number allocator does not have sufficient unique VPIDs to
397 * satisfy the allocation.
399 * The remaining VPIDs are managed by the unit number allocator.
401 vpid_unr = new_unrhdr(VM_MAXCPU + 1, 0xffff, NULL);
405 msr_save_area_init(struct msr_entry *g_area, int *g_count)
409 static struct msr_entry guest_msrs[] = {
410 { MSR_KGSBASE, 0, 0 },
413 cnt = sizeof(guest_msrs) / sizeof(guest_msrs[0]);
414 if (cnt > GUEST_MSR_MAX_ENTRIES)
415 panic("guest msr save area overrun");
416 bcopy(guest_msrs, g_area, sizeof(guest_msrs));
421 vmx_disable(void *arg __unused)
423 struct invvpid_desc invvpid_desc = { 0 };
424 struct invept_desc invept_desc = { 0 };
426 if (vmxon_enabled[curcpu]) {
428 * See sections 25.3.3.3 and 25.3.3.4 in Intel Vol 3b.
430 * VMXON or VMXOFF are not required to invalidate any TLB
431 * caching structures. This prevents potential retention of
432 * cached information in the TLB between distinct VMX episodes.
434 invvpid(INVVPID_TYPE_ALL_CONTEXTS, invvpid_desc);
435 invept(INVEPT_TYPE_ALL_CONTEXTS, invept_desc);
438 load_cr4(rcr4() & ~CR4_VMXE);
445 if (vpid_unr != NULL) {
446 delete_unrhdr(vpid_unr);
450 smp_rendezvous(NULL, vmx_disable, NULL, NULL);
456 vmx_enable(void *arg __unused)
460 load_cr4(rcr4() | CR4_VMXE);
462 *(uint32_t *)vmxon_region[curcpu] = vmx_revision();
463 error = vmxon(vmxon_region[curcpu]);
465 vmxon_enabled[curcpu] = 1;
472 if (vmxon_enabled[curcpu])
473 vmxon(vmxon_region[curcpu]);
479 int error, use_tpr_shadow;
480 uint64_t fixed0, fixed1, feature_control;
481 uint32_t tmp, procbased2_vid_bits;
483 /* CPUID.1:ECX[bit 5] must be 1 for processor to support VMX */
484 if (!(cpu_feature2 & CPUID2_VMX)) {
485 printf("vmx_init: processor does not support VMX operation\n");
490 * Verify that MSR_IA32_FEATURE_CONTROL lock and VMXON enable bits
491 * are set (bits 0 and 2 respectively).
493 feature_control = rdmsr(MSR_IA32_FEATURE_CONTROL);
494 if ((feature_control & IA32_FEATURE_CONTROL_LOCK) == 0 ||
495 (feature_control & IA32_FEATURE_CONTROL_VMX_EN) == 0) {
496 printf("vmx_init: VMX operation disabled by BIOS\n");
500 /* Check support for primary processor-based VM-execution controls */
501 error = vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS,
502 MSR_VMX_TRUE_PROCBASED_CTLS,
503 PROCBASED_CTLS_ONE_SETTING,
504 PROCBASED_CTLS_ZERO_SETTING, &procbased_ctls);
506 printf("vmx_init: processor does not support desired primary "
507 "processor-based controls\n");
511 /* Clear the processor-based ctl bits that are set on demand */
512 procbased_ctls &= ~PROCBASED_CTLS_WINDOW_SETTING;
514 /* Check support for secondary processor-based VM-execution controls */
515 error = vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS2,
516 MSR_VMX_PROCBASED_CTLS2,
517 PROCBASED_CTLS2_ONE_SETTING,
518 PROCBASED_CTLS2_ZERO_SETTING, &procbased_ctls2);
520 printf("vmx_init: processor does not support desired secondary "
521 "processor-based controls\n");
525 /* Check support for VPID */
526 error = vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS2, MSR_VMX_PROCBASED_CTLS2,
527 PROCBASED2_ENABLE_VPID, 0, &tmp);
529 procbased_ctls2 |= PROCBASED2_ENABLE_VPID;
531 /* Check support for pin-based VM-execution controls */
532 error = vmx_set_ctlreg(MSR_VMX_PINBASED_CTLS,
533 MSR_VMX_TRUE_PINBASED_CTLS,
534 PINBASED_CTLS_ONE_SETTING,
535 PINBASED_CTLS_ZERO_SETTING, &pinbased_ctls);
537 printf("vmx_init: processor does not support desired "
538 "pin-based controls\n");
542 /* Check support for VM-exit controls */
543 error = vmx_set_ctlreg(MSR_VMX_EXIT_CTLS, MSR_VMX_TRUE_EXIT_CTLS,
544 VM_EXIT_CTLS_ONE_SETTING,
545 VM_EXIT_CTLS_ZERO_SETTING,
548 /* Try again without the PAT MSR bits */
549 error = vmx_set_ctlreg(MSR_VMX_EXIT_CTLS,
550 MSR_VMX_TRUE_EXIT_CTLS,
551 VM_EXIT_CTLS_ONE_SETTING_NO_PAT,
552 VM_EXIT_CTLS_ZERO_SETTING,
555 printf("vmx_init: processor does not support desired "
560 printf("vmm: PAT MSR access not supported\n");
561 guest_msr_valid(MSR_PAT);
566 /* Check support for VM-entry controls */
567 if (!vmx_no_patmsr) {
568 error = vmx_set_ctlreg(MSR_VMX_ENTRY_CTLS,
569 MSR_VMX_TRUE_ENTRY_CTLS,
570 VM_ENTRY_CTLS_ONE_SETTING,
571 VM_ENTRY_CTLS_ZERO_SETTING,
574 error = vmx_set_ctlreg(MSR_VMX_ENTRY_CTLS,
575 MSR_VMX_TRUE_ENTRY_CTLS,
576 VM_ENTRY_CTLS_ONE_SETTING_NO_PAT,
577 VM_ENTRY_CTLS_ZERO_SETTING,
582 printf("vmx_init: processor does not support desired "
588 * Check support for optional features by testing them
591 cap_halt_exit = (vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS,
592 MSR_VMX_TRUE_PROCBASED_CTLS,
593 PROCBASED_HLT_EXITING, 0,
596 cap_monitor_trap = (vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS,
597 MSR_VMX_PROCBASED_CTLS,
601 cap_pause_exit = (vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS,
602 MSR_VMX_TRUE_PROCBASED_CTLS,
603 PROCBASED_PAUSE_EXITING, 0,
606 cap_unrestricted_guest = (vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS2,
607 MSR_VMX_PROCBASED_CTLS2,
608 PROCBASED2_UNRESTRICTED_GUEST, 0,
611 cap_invpcid = (vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS2,
612 MSR_VMX_PROCBASED_CTLS2, PROCBASED2_ENABLE_INVPCID, 0,
616 * Check support for virtual interrupt delivery.
618 procbased2_vid_bits = (PROCBASED2_VIRTUALIZE_APIC_ACCESSES |
619 PROCBASED2_VIRTUALIZE_X2APIC_MODE |
620 PROCBASED2_APIC_REGISTER_VIRTUALIZATION |
621 PROCBASED2_VIRTUAL_INTERRUPT_DELIVERY);
623 use_tpr_shadow = (vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS,
624 MSR_VMX_TRUE_PROCBASED_CTLS, PROCBASED_USE_TPR_SHADOW, 0,
627 error = vmx_set_ctlreg(MSR_VMX_PROCBASED_CTLS2, MSR_VMX_PROCBASED_CTLS2,
628 procbased2_vid_bits, 0, &tmp);
629 if (error == 0 && use_tpr_shadow) {
630 virtual_interrupt_delivery = 1;
631 TUNABLE_INT_FETCH("hw.vmm.vmx.use_apic_vid",
632 &virtual_interrupt_delivery);
635 if (virtual_interrupt_delivery) {
636 procbased_ctls |= PROCBASED_USE_TPR_SHADOW;
637 procbased_ctls2 |= procbased2_vid_bits;
638 procbased_ctls2 &= ~PROCBASED2_VIRTUALIZE_X2APIC_MODE;
644 printf("vmx_init: ept initialization failed (%d)\n", error);
649 * Stash the cr0 and cr4 bits that must be fixed to 0 or 1
651 fixed0 = rdmsr(MSR_VMX_CR0_FIXED0);
652 fixed1 = rdmsr(MSR_VMX_CR0_FIXED1);
653 cr0_ones_mask = fixed0 & fixed1;
654 cr0_zeros_mask = ~fixed0 & ~fixed1;
657 * CR0_PE and CR0_PG can be set to zero in VMX non-root operation
658 * if unrestricted guest execution is allowed.
660 if (cap_unrestricted_guest)
661 cr0_ones_mask &= ~(CR0_PG | CR0_PE);
664 * Do not allow the guest to set CR0_NW or CR0_CD.
666 cr0_zeros_mask |= (CR0_NW | CR0_CD);
668 fixed0 = rdmsr(MSR_VMX_CR4_FIXED0);
669 fixed1 = rdmsr(MSR_VMX_CR4_FIXED1);
670 cr4_ones_mask = fixed0 & fixed1;
671 cr4_zeros_mask = ~fixed0 & ~fixed1;
675 /* enable VMX operation */
676 smp_rendezvous(NULL, vmx_enable, NULL, NULL);
684 vmx_setup_cr_shadow(int which, struct vmcs *vmcs, uint32_t initial)
686 int error, mask_ident, shadow_ident;
689 if (which != 0 && which != 4)
690 panic("vmx_setup_cr_shadow: unknown cr%d", which);
693 mask_ident = VMCS_CR0_MASK;
694 mask_value = cr0_ones_mask | cr0_zeros_mask;
695 shadow_ident = VMCS_CR0_SHADOW;
697 mask_ident = VMCS_CR4_MASK;
698 mask_value = cr4_ones_mask | cr4_zeros_mask;
699 shadow_ident = VMCS_CR4_SHADOW;
702 error = vmcs_setreg(vmcs, 0, VMCS_IDENT(mask_ident), mask_value);
706 error = vmcs_setreg(vmcs, 0, VMCS_IDENT(shadow_ident), initial);
712 #define vmx_setup_cr0_shadow(vmcs,init) vmx_setup_cr_shadow(0, (vmcs), (init))
713 #define vmx_setup_cr4_shadow(vmcs,init) vmx_setup_cr_shadow(4, (vmcs), (init))
716 vmx_vminit(struct vm *vm, pmap_t pmap)
718 uint16_t vpid[VM_MAXCPU];
719 int i, error, guest_msr_count;
723 vmx = malloc(sizeof(struct vmx), M_VMX, M_WAITOK | M_ZERO);
724 if ((uintptr_t)vmx & PAGE_MASK) {
725 panic("malloc of struct vmx not aligned on %d byte boundary",
730 vmx->eptp = eptp(vtophys((vm_offset_t)pmap->pm_pml4));
733 * Clean up EPTP-tagged guest physical and combined mappings
735 * VMX transitions are not required to invalidate any guest physical
736 * mappings. So, it may be possible for stale guest physical mappings
737 * to be present in the processor TLBs.
739 * Combined mappings for this EP4TA are also invalidated for all VPIDs.
741 ept_invalidate_mappings(vmx->eptp);
743 msr_bitmap_initialize(vmx->msr_bitmap);
746 * It is safe to allow direct access to MSR_GSBASE and MSR_FSBASE.
747 * The guest FSBASE and GSBASE are saved and restored during
748 * vm-exit and vm-entry respectively. The host FSBASE and GSBASE are
749 * always restored from the vmcs host state area on vm-exit.
751 * The SYSENTER_CS/ESP/EIP MSRs are identical to FS/GSBASE in
752 * how they are saved/restored so can be directly accessed by the
755 * Guest KGSBASE is saved and restored in the guest MSR save area.
756 * Host KGSBASE is restored before returning to userland from the pcb.
757 * There will be a window of time when we are executing in the host
758 * kernel context with a value of KGSBASE from the guest. This is ok
759 * because the value of KGSBASE is inconsequential in kernel context.
761 * MSR_EFER is saved and restored in the guest VMCS area on a
762 * VM exit and entry respectively. It is also restored from the
763 * host VMCS area on a VM exit.
765 if (guest_msr_rw(vmx, MSR_GSBASE) ||
766 guest_msr_rw(vmx, MSR_FSBASE) ||
767 guest_msr_rw(vmx, MSR_SYSENTER_CS_MSR) ||
768 guest_msr_rw(vmx, MSR_SYSENTER_ESP_MSR) ||
769 guest_msr_rw(vmx, MSR_SYSENTER_EIP_MSR) ||
770 guest_msr_rw(vmx, MSR_KGSBASE) ||
771 guest_msr_rw(vmx, MSR_EFER))
772 panic("vmx_vminit: error setting guest msr access");
775 * MSR_PAT is saved and restored in the guest VMCS are on a VM exit
776 * and entry respectively. It is also restored from the host VMCS
777 * area on a VM exit. However, if running on a system with no
778 * MSR_PAT save/restore support, leave access disabled so accesses
781 if (!vmx_no_patmsr && guest_msr_rw(vmx, MSR_PAT))
782 panic("vmx_vminit: error setting guest pat msr access");
784 vpid_alloc(vpid, VM_MAXCPU);
786 if (virtual_interrupt_delivery) {
787 error = vm_map_mmio(vm, DEFAULT_APIC_BASE, PAGE_SIZE,
788 APIC_ACCESS_ADDRESS);
789 /* XXX this should really return an error to the caller */
790 KASSERT(error == 0, ("vm_map_mmio(apicbase) error %d", error));
793 for (i = 0; i < VM_MAXCPU; i++) {
794 vmcs = &vmx->vmcs[i];
795 vmcs->identifier = vmx_revision();
796 error = vmclear(vmcs);
798 panic("vmx_vminit: vmclear error %d on vcpu %d\n",
802 error = vmcs_init(vmcs);
803 KASSERT(error == 0, ("vmcs_init error %d", error));
807 error += vmwrite(VMCS_HOST_RSP, (u_long)&vmx->ctx[i]);
808 error += vmwrite(VMCS_EPTP, vmx->eptp);
809 error += vmwrite(VMCS_PIN_BASED_CTLS, pinbased_ctls);
810 error += vmwrite(VMCS_PRI_PROC_BASED_CTLS, procbased_ctls);
811 error += vmwrite(VMCS_SEC_PROC_BASED_CTLS, procbased_ctls2);
812 error += vmwrite(VMCS_EXIT_CTLS, exit_ctls);
813 error += vmwrite(VMCS_ENTRY_CTLS, entry_ctls);
814 error += vmwrite(VMCS_MSR_BITMAP, vtophys(vmx->msr_bitmap));
815 error += vmwrite(VMCS_VPID, vpid[i]);
816 if (virtual_interrupt_delivery) {
817 error += vmwrite(VMCS_APIC_ACCESS, APIC_ACCESS_ADDRESS);
818 error += vmwrite(VMCS_VIRTUAL_APIC,
819 vtophys(&vmx->apic_page[i]));
820 error += vmwrite(VMCS_EOI_EXIT0, 0);
821 error += vmwrite(VMCS_EOI_EXIT1, 0);
822 error += vmwrite(VMCS_EOI_EXIT2, 0);
823 error += vmwrite(VMCS_EOI_EXIT3, 0);
826 KASSERT(error == 0, ("vmx_vminit: error customizing the vmcs"));
829 vmx->cap[i].proc_ctls = procbased_ctls;
830 vmx->cap[i].proc_ctls2 = procbased_ctls2;
832 vmx->state[i].lastcpu = -1;
833 vmx->state[i].vpid = vpid[i];
835 msr_save_area_init(vmx->guest_msrs[i], &guest_msr_count);
837 error = vmcs_set_msr_save(vmcs, vtophys(vmx->guest_msrs[i]),
840 panic("vmcs_set_msr_save error %d", error);
843 * Set up the CR0/4 shadows, and init the read shadow
844 * to the power-on register value from the Intel Sys Arch.
848 error = vmx_setup_cr0_shadow(vmcs, 0x60000010);
850 panic("vmx_setup_cr0_shadow %d", error);
852 error = vmx_setup_cr4_shadow(vmcs, 0);
854 panic("vmx_setup_cr4_shadow %d", error);
856 vmx->ctx[i].pmap = pmap;
857 vmx->ctx[i].eptp = vmx->eptp;
864 vmx_handle_cpuid(struct vm *vm, int vcpu, struct vmxctx *vmxctx)
868 func = vmxctx->guest_rax;
870 handled = x86_emulate_cpuid(vm, vcpu,
871 (uint32_t*)(&vmxctx->guest_rax),
872 (uint32_t*)(&vmxctx->guest_rbx),
873 (uint32_t*)(&vmxctx->guest_rcx),
874 (uint32_t*)(&vmxctx->guest_rdx));
879 vmx_run_trace(struct vmx *vmx, int vcpu)
882 VCPU_CTR1(vmx->vm, vcpu, "Resume execution at %#lx", vmcs_guest_rip());
887 vmx_exit_trace(struct vmx *vmx, int vcpu, uint64_t rip, uint32_t exit_reason,
891 VCPU_CTR3(vmx->vm, vcpu, "%s %s vmexit at 0x%0lx",
892 handled ? "handled" : "unhandled",
893 exit_reason_to_str(exit_reason), rip);
898 vmx_astpending_trace(struct vmx *vmx, int vcpu, uint64_t rip)
901 VCPU_CTR1(vmx->vm, vcpu, "astpending vmexit at 0x%0lx", rip);
906 vmx_set_pcpu_defaults(struct vmx *vmx, int vcpu)
909 struct vmxstate *vmxstate;
910 struct invvpid_desc invvpid_desc = { 0 };
912 vmxstate = &vmx->state[vcpu];
913 lastcpu = vmxstate->lastcpu;
914 vmxstate->lastcpu = curcpu;
916 if (lastcpu == curcpu)
919 vmm_stat_incr(vmx->vm, vcpu, VCPU_MIGRATIONS, 1);
921 vmcs_write(VMCS_HOST_TR_BASE, vmm_get_host_trbase());
922 vmcs_write(VMCS_HOST_GDTR_BASE, vmm_get_host_gdtrbase());
923 vmcs_write(VMCS_HOST_GS_BASE, vmm_get_host_gsbase());
926 * If we are using VPIDs then invalidate all mappings tagged with 'vpid'
928 * We do this because this vcpu was executing on a different host
929 * cpu when it last ran. We do not track whether it invalidated
930 * mappings associated with its 'vpid' during that run. So we must
931 * assume that the mappings associated with 'vpid' on 'curcpu' are
932 * stale and invalidate them.
934 * Note that we incur this penalty only when the scheduler chooses to
935 * move the thread associated with this vcpu between host cpus.
937 * Note also that this will invalidate mappings tagged with 'vpid'
940 if (vmxstate->vpid != 0) {
941 invvpid_desc.vpid = vmxstate->vpid;
942 invvpid(INVVPID_TYPE_SINGLE_CONTEXT, invvpid_desc);
947 * We depend on 'procbased_ctls' to have the Interrupt Window Exiting bit set.
949 CTASSERT((PROCBASED_CTLS_ONE_SETTING & PROCBASED_INT_WINDOW_EXITING) != 0);
952 vmx_set_int_window_exiting(struct vmx *vmx, int vcpu)
955 vmx->cap[vcpu].proc_ctls |= PROCBASED_INT_WINDOW_EXITING;
956 vmcs_write(VMCS_PRI_PROC_BASED_CTLS, vmx->cap[vcpu].proc_ctls);
960 vmx_clear_int_window_exiting(struct vmx *vmx, int vcpu)
963 vmx->cap[vcpu].proc_ctls &= ~PROCBASED_INT_WINDOW_EXITING;
964 vmcs_write(VMCS_PRI_PROC_BASED_CTLS, vmx->cap[vcpu].proc_ctls);
968 vmx_set_nmi_window_exiting(struct vmx *vmx, int vcpu)
971 vmx->cap[vcpu].proc_ctls |= PROCBASED_NMI_WINDOW_EXITING;
972 vmcs_write(VMCS_PRI_PROC_BASED_CTLS, vmx->cap[vcpu].proc_ctls);
976 vmx_clear_nmi_window_exiting(struct vmx *vmx, int vcpu)
979 vmx->cap[vcpu].proc_ctls &= ~PROCBASED_NMI_WINDOW_EXITING;
980 vmcs_write(VMCS_PRI_PROC_BASED_CTLS, vmx->cap[vcpu].proc_ctls);
984 vmx_inject_nmi(struct vmx *vmx, int vcpu)
986 uint64_t info, interruptibility;
988 /* Bail out if no NMI requested */
989 if (!vm_nmi_pending(vmx->vm, vcpu))
992 interruptibility = vmcs_read(VMCS_GUEST_INTERRUPTIBILITY);
993 if (interruptibility & nmi_blocking_bits)
997 * Inject the virtual NMI. The vector must be the NMI IDT entry
998 * or the VMCS entry check will fail.
1000 info = VMCS_INTERRUPTION_INFO_NMI | VMCS_INTERRUPTION_INFO_VALID;
1002 vmcs_write(VMCS_ENTRY_INTR_INFO, info);
1004 VCPU_CTR0(vmx->vm, vcpu, "Injecting vNMI");
1006 /* Clear the request */
1007 vm_nmi_clear(vmx->vm, vcpu);
1012 * Set the NMI Window Exiting execution control so we can inject
1013 * the virtual NMI as soon as blocking condition goes away.
1015 vmx_set_nmi_window_exiting(vmx, vcpu);
1017 VCPU_CTR0(vmx->vm, vcpu, "Enabling NMI window exiting");
1022 vmx_inject_interrupts(struct vmx *vmx, int vcpu, struct vlapic *vlapic)
1025 uint64_t info, rflags, interruptibility;
1027 const int HWINTR_BLOCKED = VMCS_INTERRUPTIBILITY_STI_BLOCKING |
1028 VMCS_INTERRUPTIBILITY_MOVSS_BLOCKING;
1031 * If there is already an interrupt pending then just return.
1033 * This could happen if an interrupt was injected on a prior
1034 * VM entry but the actual entry into guest mode was aborted
1035 * because of a pending AST.
1037 info = vmcs_read(VMCS_ENTRY_INTR_INFO);
1038 if (info & VMCS_INTERRUPTION_INFO_VALID)
1042 * NMI injection has priority so deal with those first
1044 if (vmx_inject_nmi(vmx, vcpu))
1047 if (virtual_interrupt_delivery) {
1048 vmx_inject_pir(vlapic);
1052 /* Ask the local apic for a vector to inject */
1053 if (!vlapic_pending_intr(vlapic, &vector))
1056 if (vector < 32 || vector > 255)
1057 panic("vmx_inject_interrupts: invalid vector %d\n", vector);
1059 /* Check RFLAGS.IF and the interruptibility state of the guest */
1060 rflags = vmcs_read(VMCS_GUEST_RFLAGS);
1061 if ((rflags & PSL_I) == 0)
1064 interruptibility = vmcs_read(VMCS_GUEST_INTERRUPTIBILITY);
1065 if (interruptibility & HWINTR_BLOCKED)
1068 /* Inject the interrupt */
1069 info = VMCS_INTERRUPTION_INFO_HW_INTR | VMCS_INTERRUPTION_INFO_VALID;
1071 vmcs_write(VMCS_ENTRY_INTR_INFO, info);
1073 /* Update the Local APIC ISR */
1074 vlapic_intr_accepted(vlapic, vector);
1076 VCPU_CTR1(vmx->vm, vcpu, "Injecting hwintr at vector %d", vector);
1082 * Set the Interrupt Window Exiting execution control so we can inject
1083 * the interrupt as soon as blocking condition goes away.
1085 vmx_set_int_window_exiting(vmx, vcpu);
1087 VCPU_CTR0(vmx->vm, vcpu, "Enabling interrupt window exiting");
1091 vmx_emulate_cr_access(struct vmx *vmx, int vcpu, uint64_t exitqual)
1093 int cr, vmcs_guest_cr, vmcs_shadow_cr;
1094 uint64_t crval, regval, ones_mask, zeros_mask;
1095 const struct vmxctx *vmxctx;
1097 /* We only handle mov to %cr0 or %cr4 at this time */
1098 if ((exitqual & 0xf0) != 0x00)
1101 cr = exitqual & 0xf;
1102 if (cr != 0 && cr != 4)
1105 regval = 0; /* silence gcc */
1106 vmxctx = &vmx->ctx[vcpu];
1109 * We must use vmcs_write() directly here because vmcs_setreg() will
1110 * call vmclear(vmcs) as a side-effect which we certainly don't want.
1112 switch ((exitqual >> 8) & 0xf) {
1114 regval = vmxctx->guest_rax;
1117 regval = vmxctx->guest_rcx;
1120 regval = vmxctx->guest_rdx;
1123 regval = vmxctx->guest_rbx;
1126 regval = vmcs_read(VMCS_GUEST_RSP);
1129 regval = vmxctx->guest_rbp;
1132 regval = vmxctx->guest_rsi;
1135 regval = vmxctx->guest_rdi;
1138 regval = vmxctx->guest_r8;
1141 regval = vmxctx->guest_r9;
1144 regval = vmxctx->guest_r10;
1147 regval = vmxctx->guest_r11;
1150 regval = vmxctx->guest_r12;
1153 regval = vmxctx->guest_r13;
1156 regval = vmxctx->guest_r14;
1159 regval = vmxctx->guest_r15;
1164 ones_mask = cr0_ones_mask;
1165 zeros_mask = cr0_zeros_mask;
1166 vmcs_guest_cr = VMCS_GUEST_CR0;
1167 vmcs_shadow_cr = VMCS_CR0_SHADOW;
1169 ones_mask = cr4_ones_mask;
1170 zeros_mask = cr4_zeros_mask;
1171 vmcs_guest_cr = VMCS_GUEST_CR4;
1172 vmcs_shadow_cr = VMCS_CR4_SHADOW;
1174 vmcs_write(vmcs_shadow_cr, regval);
1176 crval = regval | ones_mask;
1177 crval &= ~zeros_mask;
1178 vmcs_write(vmcs_guest_cr, crval);
1180 if (cr == 0 && regval & CR0_PG) {
1181 uint64_t efer, entry_ctls;
1184 * If CR0.PG is 1 and EFER.LME is 1 then EFER.LMA and
1185 * the "IA-32e mode guest" bit in VM-entry control must be
1188 efer = vmcs_read(VMCS_GUEST_IA32_EFER);
1189 if (efer & EFER_LME) {
1191 vmcs_write(VMCS_GUEST_IA32_EFER, efer);
1192 entry_ctls = vmcs_read(VMCS_ENTRY_CTLS);
1193 entry_ctls |= VM_ENTRY_GUEST_LMA;
1194 vmcs_write(VMCS_ENTRY_CTLS, entry_ctls);
1202 ept_fault_type(uint64_t ept_qual)
1206 if (ept_qual & EPT_VIOLATION_DATA_WRITE)
1207 fault_type = VM_PROT_WRITE;
1208 else if (ept_qual & EPT_VIOLATION_INST_FETCH)
1209 fault_type = VM_PROT_EXECUTE;
1211 fault_type= VM_PROT_READ;
1213 return (fault_type);
1217 ept_emulation_fault(uint64_t ept_qual)
1221 /* EPT fault on an instruction fetch doesn't make sense here */
1222 if (ept_qual & EPT_VIOLATION_INST_FETCH)
1225 /* EPT fault must be a read fault or a write fault */
1226 read = ept_qual & EPT_VIOLATION_DATA_READ ? 1 : 0;
1227 write = ept_qual & EPT_VIOLATION_DATA_WRITE ? 1 : 0;
1228 if ((read | write) == 0)
1232 * The EPT violation must have been caused by accessing a
1233 * guest-physical address that is a translation of a guest-linear
1236 if ((ept_qual & EPT_VIOLATION_GLA_VALID) == 0 ||
1237 (ept_qual & EPT_VIOLATION_XLAT_VALID) == 0) {
1245 vmx_handle_apic_write(struct vlapic *vlapic, uint64_t qual)
1247 int error, handled, offset;
1250 if (!virtual_interrupt_delivery)
1254 offset = APIC_WRITE_OFFSET(qual);
1256 case APIC_OFFSET_ID:
1257 vlapic_id_write_handler(vlapic);
1259 case APIC_OFFSET_LDR:
1260 vlapic_ldr_write_handler(vlapic);
1262 case APIC_OFFSET_DFR:
1263 vlapic_dfr_write_handler(vlapic);
1265 case APIC_OFFSET_SVR:
1266 vlapic_svr_write_handler(vlapic);
1268 case APIC_OFFSET_ESR:
1269 vlapic_esr_write_handler(vlapic);
1271 case APIC_OFFSET_ICR_LOW:
1273 error = vlapic_icrlo_write_handler(vlapic, &retu);
1274 if (error != 0 || retu)
1277 case APIC_OFFSET_CMCI_LVT:
1278 case APIC_OFFSET_TIMER_LVT ... APIC_OFFSET_ERROR_LVT:
1279 vlapic_lvt_write_handler(vlapic, offset);
1281 case APIC_OFFSET_TIMER_ICR:
1282 vlapic_icrtmr_write_handler(vlapic);
1284 case APIC_OFFSET_TIMER_DCR:
1285 vlapic_dcr_write_handler(vlapic);
1295 apic_access_fault(uint64_t gpa)
1298 if (virtual_interrupt_delivery &&
1299 (gpa >= DEFAULT_APIC_BASE && gpa < DEFAULT_APIC_BASE + PAGE_SIZE))
1306 vmx_handle_apic_access(struct vmx *vmx, int vcpuid, struct vm_exit *vmexit)
1309 int access_type, offset, allowed;
1311 if (!virtual_interrupt_delivery)
1314 qual = vmexit->u.vmx.exit_qualification;
1315 access_type = APIC_ACCESS_TYPE(qual);
1316 offset = APIC_ACCESS_OFFSET(qual);
1319 if (access_type == 0) {
1321 * Read data access to the following registers is expected.
1324 case APIC_OFFSET_APR:
1325 case APIC_OFFSET_PPR:
1326 case APIC_OFFSET_RRR:
1327 case APIC_OFFSET_CMCI_LVT:
1328 case APIC_OFFSET_TIMER_CCR:
1334 } else if (access_type == 1) {
1336 * Write data access to the following registers is expected.
1339 case APIC_OFFSET_VER:
1340 case APIC_OFFSET_APR:
1341 case APIC_OFFSET_PPR:
1342 case APIC_OFFSET_RRR:
1343 case APIC_OFFSET_ISR0 ... APIC_OFFSET_ISR7:
1344 case APIC_OFFSET_TMR0 ... APIC_OFFSET_TMR7:
1345 case APIC_OFFSET_IRR0 ... APIC_OFFSET_IRR7:
1346 case APIC_OFFSET_CMCI_LVT:
1347 case APIC_OFFSET_TIMER_CCR:
1356 vmexit->exitcode = VM_EXITCODE_INST_EMUL;
1357 vmexit->u.inst_emul.gpa = DEFAULT_APIC_BASE + offset;
1358 vmexit->u.inst_emul.gla = VIE_INVALID_GLA;
1359 vmexit->u.inst_emul.cr3 = vmcs_guest_cr3();
1363 * Regardless of whether the APIC-access is allowed this handler
1364 * always returns UNHANDLED:
1365 * - if the access is allowed then it is handled by emulating the
1366 * instruction that caused the VM-exit (outside the critical section)
1367 * - if the access is not allowed then it will be converted to an
1368 * exitcode of VM_EXITCODE_VMX and will be dealt with in userland.
1374 vmx_exit_process(struct vmx *vmx, int vcpu, struct vm_exit *vmexit)
1377 struct vmxctx *vmxctx;
1378 struct vlapic *vlapic;
1379 uint32_t eax, ecx, edx, idtvec_info, idtvec_err, reason;
1384 vmxctx = &vmx->ctx[vcpu];
1386 qual = vmexit->u.vmx.exit_qualification;
1387 reason = vmexit->u.vmx.exit_reason;
1388 vmexit->exitcode = VM_EXITCODE_BOGUS;
1390 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_COUNT, 1);
1393 * VM exits that could be triggered during event injection on the
1394 * previous VM entry need to be handled specially by re-injecting
1397 * See "Information for VM Exits During Event Delivery" in Intel SDM
1401 case EXIT_REASON_EPT_FAULT:
1402 case EXIT_REASON_EPT_MISCONFIG:
1403 case EXIT_REASON_APIC_ACCESS:
1404 case EXIT_REASON_TASK_SWITCH:
1405 case EXIT_REASON_EXCEPTION:
1406 idtvec_info = vmcs_idt_vectoring_info();
1407 if (idtvec_info & VMCS_IDT_VEC_VALID) {
1408 idtvec_info &= ~(1 << 12); /* clear undefined bit */
1409 vmcs_write(VMCS_ENTRY_INTR_INFO, idtvec_info);
1410 if (idtvec_info & VMCS_IDT_VEC_ERRCODE_VALID) {
1411 idtvec_err = vmcs_idt_vectoring_err();
1412 vmcs_write(VMCS_ENTRY_EXCEPTION_ERROR,
1415 vmcs_write(VMCS_ENTRY_INST_LENGTH, vmexit->inst_length);
1422 case EXIT_REASON_CR_ACCESS:
1423 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_CR_ACCESS, 1);
1424 handled = vmx_emulate_cr_access(vmx, vcpu, qual);
1426 case EXIT_REASON_RDMSR:
1427 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_RDMSR, 1);
1429 ecx = vmxctx->guest_rcx;
1430 error = emulate_rdmsr(vmx->vm, vcpu, ecx, &retu);
1432 vmexit->exitcode = VM_EXITCODE_RDMSR;
1433 vmexit->u.msr.code = ecx;
1437 /* Return to userspace with a valid exitcode */
1438 KASSERT(vmexit->exitcode != VM_EXITCODE_BOGUS,
1439 ("emulate_wrmsr retu with bogus exitcode"));
1442 case EXIT_REASON_WRMSR:
1443 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_WRMSR, 1);
1445 eax = vmxctx->guest_rax;
1446 ecx = vmxctx->guest_rcx;
1447 edx = vmxctx->guest_rdx;
1448 error = emulate_wrmsr(vmx->vm, vcpu, ecx,
1449 (uint64_t)edx << 32 | eax, &retu);
1451 vmexit->exitcode = VM_EXITCODE_WRMSR;
1452 vmexit->u.msr.code = ecx;
1453 vmexit->u.msr.wval = (uint64_t)edx << 32 | eax;
1457 /* Return to userspace with a valid exitcode */
1458 KASSERT(vmexit->exitcode != VM_EXITCODE_BOGUS,
1459 ("emulate_wrmsr retu with bogus exitcode"));
1462 case EXIT_REASON_HLT:
1463 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_HLT, 1);
1464 vmexit->exitcode = VM_EXITCODE_HLT;
1465 vmexit->u.hlt.rflags = vmcs_read(VMCS_GUEST_RFLAGS);
1467 case EXIT_REASON_MTF:
1468 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_MTRAP, 1);
1469 vmexit->exitcode = VM_EXITCODE_MTRAP;
1471 case EXIT_REASON_PAUSE:
1472 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_PAUSE, 1);
1473 vmexit->exitcode = VM_EXITCODE_PAUSE;
1475 case EXIT_REASON_INTR_WINDOW:
1476 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_INTR_WINDOW, 1);
1477 vmx_clear_int_window_exiting(vmx, vcpu);
1478 VCPU_CTR0(vmx->vm, vcpu, "Disabling interrupt window exiting");
1480 case EXIT_REASON_EXT_INTR:
1482 * External interrupts serve only to cause VM exits and allow
1483 * the host interrupt handler to run.
1485 * If this external interrupt triggers a virtual interrupt
1486 * to a VM, then that state will be recorded by the
1487 * host interrupt handler in the VM's softc. We will inject
1488 * this virtual interrupt during the subsequent VM enter.
1492 * This is special. We want to treat this as an 'handled'
1493 * VM-exit but not increment the instruction pointer.
1495 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_EXTINT, 1);
1497 case EXIT_REASON_NMI_WINDOW:
1498 /* Exit to allow the pending virtual NMI to be injected */
1499 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_NMI_WINDOW, 1);
1500 vmx_clear_nmi_window_exiting(vmx, vcpu);
1501 VCPU_CTR0(vmx->vm, vcpu, "Disabling NMI window exiting");
1503 case EXIT_REASON_INOUT:
1504 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_INOUT, 1);
1505 vmexit->exitcode = VM_EXITCODE_INOUT;
1506 vmexit->u.inout.bytes = (qual & 0x7) + 1;
1507 vmexit->u.inout.in = (qual & 0x8) ? 1 : 0;
1508 vmexit->u.inout.string = (qual & 0x10) ? 1 : 0;
1509 vmexit->u.inout.rep = (qual & 0x20) ? 1 : 0;
1510 vmexit->u.inout.port = (uint16_t)(qual >> 16);
1511 vmexit->u.inout.eax = (uint32_t)(vmxctx->guest_rax);
1513 case EXIT_REASON_CPUID:
1514 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_CPUID, 1);
1515 handled = vmx_handle_cpuid(vmx->vm, vcpu, vmxctx);
1517 case EXIT_REASON_EPT_FAULT:
1518 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_EPT_FAULT, 1);
1520 * If 'gpa' lies within the address space allocated to
1521 * memory then this must be a nested page fault otherwise
1522 * this must be an instruction that accesses MMIO space.
1525 if (vm_mem_allocated(vmx->vm, gpa) || apic_access_fault(gpa)) {
1526 vmexit->exitcode = VM_EXITCODE_PAGING;
1527 vmexit->u.paging.gpa = gpa;
1528 vmexit->u.paging.fault_type = ept_fault_type(qual);
1529 } else if (ept_emulation_fault(qual)) {
1530 vmexit->exitcode = VM_EXITCODE_INST_EMUL;
1531 vmexit->u.inst_emul.gpa = gpa;
1532 vmexit->u.inst_emul.gla = vmcs_gla();
1533 vmexit->u.inst_emul.cr3 = vmcs_guest_cr3();
1536 case EXIT_REASON_APIC_ACCESS:
1537 handled = vmx_handle_apic_access(vmx, vcpu, vmexit);
1539 case EXIT_REASON_APIC_WRITE:
1541 * APIC-write VM exit is trap-like so the %rip is already
1542 * pointing to the next instruction.
1544 vmexit->inst_length = 0;
1545 vlapic = vm_lapic(vmx->vm, vcpu);
1546 handled = vmx_handle_apic_write(vlapic, qual);
1549 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_UNKNOWN, 1);
1555 * It is possible that control is returned to userland
1556 * even though we were able to handle the VM exit in the
1559 * In such a case we want to make sure that the userland
1560 * restarts guest execution at the instruction *after*
1561 * the one we just processed. Therefore we update the
1562 * guest rip in the VMCS and in 'vmexit'.
1564 vmexit->rip += vmexit->inst_length;
1565 vmexit->inst_length = 0;
1566 vmcs_write(VMCS_GUEST_RIP, vmexit->rip);
1568 if (vmexit->exitcode == VM_EXITCODE_BOGUS) {
1570 * If this VM exit was not claimed by anybody then
1571 * treat it as a generic VMX exit.
1573 vmexit->exitcode = VM_EXITCODE_VMX;
1574 vmexit->u.vmx.status = VM_SUCCESS;
1577 * The exitcode and collateral have been populated.
1578 * The VM exit will be processed further in userland.
1586 vmx_exit_astpending(struct vmx *vmx, int vcpu, struct vm_exit *vmexit)
1589 vmexit->rip = vmcs_guest_rip();
1590 vmexit->inst_length = 0;
1591 vmexit->exitcode = VM_EXITCODE_BOGUS;
1592 vmx_astpending_trace(vmx, vcpu, vmexit->rip);
1593 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_ASTPENDING, 1);
1599 vmx_exit_inst_error(struct vmxctx *vmxctx, int rc, struct vm_exit *vmexit)
1602 KASSERT(vmxctx->inst_fail_status != VM_SUCCESS,
1603 ("vmx_exit_inst_error: invalid inst_fail_status %d",
1604 vmxctx->inst_fail_status));
1606 vmexit->inst_length = 0;
1607 vmexit->exitcode = VM_EXITCODE_VMX;
1608 vmexit->u.vmx.status = vmxctx->inst_fail_status;
1609 vmexit->u.vmx.inst_error = vmcs_instruction_error();
1610 vmexit->u.vmx.exit_reason = ~0;
1611 vmexit->u.vmx.exit_qualification = ~0;
1614 case VMX_VMRESUME_ERROR:
1615 case VMX_VMLAUNCH_ERROR:
1616 case VMX_INVEPT_ERROR:
1617 vmexit->u.vmx.inst_type = rc;
1620 panic("vm_exit_inst_error: vmx_enter_guest returned %d", rc);
1627 vmx_run(void *arg, int vcpu, register_t startrip, pmap_t pmap)
1629 int rc, handled, launched;
1631 struct vmxctx *vmxctx;
1633 struct vm_exit *vmexit;
1634 struct vlapic *vlapic;
1636 uint32_t exit_reason;
1639 vmcs = &vmx->vmcs[vcpu];
1640 vmxctx = &vmx->ctx[vcpu];
1641 vlapic = vm_lapic(vmx->vm, vcpu);
1642 vmexit = vm_exitinfo(vmx->vm, vcpu);
1645 KASSERT(vmxctx->pmap == pmap,
1646 ("pmap %p different than ctx pmap %p", pmap, vmxctx->pmap));
1647 KASSERT(vmxctx->eptp == vmx->eptp,
1648 ("eptp %p different than ctx eptp %#lx", eptp, vmxctx->eptp));
1654 * We do this every time because we may setup the virtual machine
1655 * from a different process than the one that actually runs it.
1657 * If the life of a virtual machine was spent entirely in the context
1658 * of a single process we could do this once in vmx_vminit().
1660 vmcs_write(VMCS_HOST_CR3, rcr3());
1662 vmcs_write(VMCS_GUEST_RIP, startrip);
1663 vmx_set_pcpu_defaults(vmx, vcpu);
1666 * Interrupts are disabled from this point on until the
1667 * guest starts executing. This is done for the following
1670 * If an AST is asserted on this thread after the check below,
1671 * then the IPI_AST notification will not be lost, because it
1672 * will cause a VM exit due to external interrupt as soon as
1673 * the guest state is loaded.
1675 * A posted interrupt after 'vmx_inject_interrupts()' will
1676 * not be "lost" because it will be held pending in the host
1677 * APIC because interrupts are disabled. The pending interrupt
1678 * will be recognized as soon as the guest state is loaded.
1680 * The same reasoning applies to the IPI generated by
1681 * pmap_invalidate_ept().
1684 if (curthread->td_flags & (TDF_ASTPENDING | TDF_NEEDRESCHED)) {
1686 handled = vmx_exit_astpending(vmx, vcpu, vmexit);
1690 vmx_inject_interrupts(vmx, vcpu, vlapic);
1691 vmx_run_trace(vmx, vcpu);
1692 rc = vmx_enter_guest(vmxctx, launched);
1696 /* Collect some information for VM exit processing */
1697 vmexit->rip = rip = vmcs_guest_rip();
1698 vmexit->inst_length = vmexit_instruction_length();
1699 vmexit->u.vmx.exit_reason = exit_reason = vmcs_exit_reason();
1700 vmexit->u.vmx.exit_qualification = vmcs_exit_qualification();
1702 if (rc == VMX_GUEST_VMEXIT) {
1704 handled = vmx_exit_process(vmx, vcpu, vmexit);
1706 handled = vmx_exit_inst_error(vmxctx, rc, vmexit);
1709 vmx_exit_trace(vmx, vcpu, rip, exit_reason, handled);
1713 * If a VM exit has been handled then the exitcode must be BOGUS
1714 * If a VM exit is not handled then the exitcode must not be BOGUS
1716 if ((handled && vmexit->exitcode != VM_EXITCODE_BOGUS) ||
1717 (!handled && vmexit->exitcode == VM_EXITCODE_BOGUS)) {
1718 panic("Mismatch between handled (%d) and exitcode (%d)",
1719 handled, vmexit->exitcode);
1723 vmm_stat_incr(vmx->vm, vcpu, VMEXIT_USERSPACE, 1);
1725 VCPU_CTR1(vmx->vm, vcpu, "returning from vmx_run: exitcode %d",
1733 vmx_vmcleanup(void *arg)
1736 struct vmx *vmx = arg;
1738 if (virtual_interrupt_delivery)
1739 vm_unmap_mmio(vmx->vm, DEFAULT_APIC_BASE, PAGE_SIZE);
1741 for (i = 0; i < VM_MAXCPU; i++)
1742 vpid_free(vmx->state[i].vpid);
1745 * XXXSMP we also need to clear the VMCS active on the other vcpus.
1747 error = vmclear(&vmx->vmcs[0]);
1749 panic("vmx_vmcleanup: vmclear error %d on vcpu 0", error);
1757 vmxctx_regptr(struct vmxctx *vmxctx, int reg)
1761 case VM_REG_GUEST_RAX:
1762 return (&vmxctx->guest_rax);
1763 case VM_REG_GUEST_RBX:
1764 return (&vmxctx->guest_rbx);
1765 case VM_REG_GUEST_RCX:
1766 return (&vmxctx->guest_rcx);
1767 case VM_REG_GUEST_RDX:
1768 return (&vmxctx->guest_rdx);
1769 case VM_REG_GUEST_RSI:
1770 return (&vmxctx->guest_rsi);
1771 case VM_REG_GUEST_RDI:
1772 return (&vmxctx->guest_rdi);
1773 case VM_REG_GUEST_RBP:
1774 return (&vmxctx->guest_rbp);
1775 case VM_REG_GUEST_R8:
1776 return (&vmxctx->guest_r8);
1777 case VM_REG_GUEST_R9:
1778 return (&vmxctx->guest_r9);
1779 case VM_REG_GUEST_R10:
1780 return (&vmxctx->guest_r10);
1781 case VM_REG_GUEST_R11:
1782 return (&vmxctx->guest_r11);
1783 case VM_REG_GUEST_R12:
1784 return (&vmxctx->guest_r12);
1785 case VM_REG_GUEST_R13:
1786 return (&vmxctx->guest_r13);
1787 case VM_REG_GUEST_R14:
1788 return (&vmxctx->guest_r14);
1789 case VM_REG_GUEST_R15:
1790 return (&vmxctx->guest_r15);
1798 vmxctx_getreg(struct vmxctx *vmxctx, int reg, uint64_t *retval)
1802 if ((regp = vmxctx_regptr(vmxctx, reg)) != NULL) {
1810 vmxctx_setreg(struct vmxctx *vmxctx, int reg, uint64_t val)
1814 if ((regp = vmxctx_regptr(vmxctx, reg)) != NULL) {
1822 vmx_shadow_reg(int reg)
1829 case VM_REG_GUEST_CR0:
1830 shreg = VMCS_CR0_SHADOW;
1832 case VM_REG_GUEST_CR4:
1833 shreg = VMCS_CR4_SHADOW;
1843 vmx_getreg(void *arg, int vcpu, int reg, uint64_t *retval)
1845 int running, hostcpu;
1846 struct vmx *vmx = arg;
1848 running = vcpu_is_running(vmx->vm, vcpu, &hostcpu);
1849 if (running && hostcpu != curcpu)
1850 panic("vmx_getreg: %s%d is running", vm_name(vmx->vm), vcpu);
1852 if (vmxctx_getreg(&vmx->ctx[vcpu], reg, retval) == 0)
1855 return (vmcs_getreg(&vmx->vmcs[vcpu], running, reg, retval));
1859 vmx_setreg(void *arg, int vcpu, int reg, uint64_t val)
1861 int error, hostcpu, running, shadow;
1863 struct vmx *vmx = arg;
1865 running = vcpu_is_running(vmx->vm, vcpu, &hostcpu);
1866 if (running && hostcpu != curcpu)
1867 panic("vmx_setreg: %s%d is running", vm_name(vmx->vm), vcpu);
1869 if (vmxctx_setreg(&vmx->ctx[vcpu], reg, val) == 0)
1872 error = vmcs_setreg(&vmx->vmcs[vcpu], running, reg, val);
1876 * If the "load EFER" VM-entry control is 1 then the
1877 * value of EFER.LMA must be identical to "IA-32e mode guest"
1878 * bit in the VM-entry control.
1880 if ((entry_ctls & VM_ENTRY_LOAD_EFER) != 0 &&
1881 (reg == VM_REG_GUEST_EFER)) {
1882 vmcs_getreg(&vmx->vmcs[vcpu], running,
1883 VMCS_IDENT(VMCS_ENTRY_CTLS), &ctls);
1885 ctls |= VM_ENTRY_GUEST_LMA;
1887 ctls &= ~VM_ENTRY_GUEST_LMA;
1888 vmcs_setreg(&vmx->vmcs[vcpu], running,
1889 VMCS_IDENT(VMCS_ENTRY_CTLS), ctls);
1892 shadow = vmx_shadow_reg(reg);
1895 * Store the unmodified value in the shadow
1897 error = vmcs_setreg(&vmx->vmcs[vcpu], running,
1898 VMCS_IDENT(shadow), val);
1906 vmx_getdesc(void *arg, int vcpu, int reg, struct seg_desc *desc)
1908 struct vmx *vmx = arg;
1910 return (vmcs_getdesc(&vmx->vmcs[vcpu], reg, desc));
1914 vmx_setdesc(void *arg, int vcpu, int reg, struct seg_desc *desc)
1916 struct vmx *vmx = arg;
1918 return (vmcs_setdesc(&vmx->vmcs[vcpu], reg, desc));
1922 vmx_inject(void *arg, int vcpu, int type, int vector, uint32_t code,
1927 struct vmx *vmx = arg;
1928 struct vmcs *vmcs = &vmx->vmcs[vcpu];
1930 static uint32_t type_map[VM_EVENT_MAX] = {
1931 0x1, /* VM_EVENT_NONE */
1932 0x0, /* VM_HW_INTR */
1934 0x3, /* VM_HW_EXCEPTION */
1935 0x4, /* VM_SW_INTR */
1936 0x5, /* VM_PRIV_SW_EXCEPTION */
1937 0x6, /* VM_SW_EXCEPTION */
1941 * If there is already an exception pending to be delivered to the
1942 * vcpu then just return.
1944 error = vmcs_getreg(vmcs, 0, VMCS_IDENT(VMCS_ENTRY_INTR_INFO), &info);
1948 if (info & VMCS_INTERRUPTION_INFO_VALID)
1951 info = vector | (type_map[type] << 8) | (code_valid ? 1 << 11 : 0);
1952 info |= VMCS_INTERRUPTION_INFO_VALID;
1953 error = vmcs_setreg(vmcs, 0, VMCS_IDENT(VMCS_ENTRY_INTR_INFO), info);
1958 error = vmcs_setreg(vmcs, 0,
1959 VMCS_IDENT(VMCS_ENTRY_EXCEPTION_ERROR),
1966 vmx_getcap(void *arg, int vcpu, int type, int *retval)
1968 struct vmx *vmx = arg;
1974 vcap = vmx->cap[vcpu].set;
1977 case VM_CAP_HALT_EXIT:
1981 case VM_CAP_PAUSE_EXIT:
1985 case VM_CAP_MTRAP_EXIT:
1986 if (cap_monitor_trap)
1989 case VM_CAP_UNRESTRICTED_GUEST:
1990 if (cap_unrestricted_guest)
1993 case VM_CAP_ENABLE_INVPCID:
2002 *retval = (vcap & (1 << type)) ? 1 : 0;
2008 vmx_setcap(void *arg, int vcpu, int type, int val)
2010 struct vmx *vmx = arg;
2011 struct vmcs *vmcs = &vmx->vmcs[vcpu];
2023 case VM_CAP_HALT_EXIT:
2024 if (cap_halt_exit) {
2026 pptr = &vmx->cap[vcpu].proc_ctls;
2028 flag = PROCBASED_HLT_EXITING;
2029 reg = VMCS_PRI_PROC_BASED_CTLS;
2032 case VM_CAP_MTRAP_EXIT:
2033 if (cap_monitor_trap) {
2035 pptr = &vmx->cap[vcpu].proc_ctls;
2037 flag = PROCBASED_MTF;
2038 reg = VMCS_PRI_PROC_BASED_CTLS;
2041 case VM_CAP_PAUSE_EXIT:
2042 if (cap_pause_exit) {
2044 pptr = &vmx->cap[vcpu].proc_ctls;
2046 flag = PROCBASED_PAUSE_EXITING;
2047 reg = VMCS_PRI_PROC_BASED_CTLS;
2050 case VM_CAP_UNRESTRICTED_GUEST:
2051 if (cap_unrestricted_guest) {
2053 pptr = &vmx->cap[vcpu].proc_ctls2;
2055 flag = PROCBASED2_UNRESTRICTED_GUEST;
2056 reg = VMCS_SEC_PROC_BASED_CTLS;
2059 case VM_CAP_ENABLE_INVPCID:
2062 pptr = &vmx->cap[vcpu].proc_ctls2;
2064 flag = PROCBASED2_ENABLE_INVPCID;
2065 reg = VMCS_SEC_PROC_BASED_CTLS;
2079 error = vmwrite(reg, baseval);
2086 * Update optional stored flags, and record
2094 vmx->cap[vcpu].set |= (1 << type);
2096 vmx->cap[vcpu].set &= ~(1 << type);
2105 * Posted Interrupt Descriptor (described in section 29.6 of the Intel SDM).
2112 CTASSERT(sizeof(struct pir_desc) == 64);
2115 struct vlapic vlapic;
2116 struct pir_desc pir_desc;
2119 #define VMX_CTR_PIR(vm, vcpuid, pir_desc, notify, vector, level, msg) \
2121 VCPU_CTR2(vm, vcpuid, msg " assert %s-triggered vector %d", \
2122 level ? "level" : "edge", vector); \
2123 VCPU_CTR1(vm, vcpuid, msg " pir0 0x%016lx", pir_desc->pir[0]); \
2124 VCPU_CTR1(vm, vcpuid, msg " pir1 0x%016lx", pir_desc->pir[1]); \
2125 VCPU_CTR1(vm, vcpuid, msg " pir2 0x%016lx", pir_desc->pir[2]); \
2126 VCPU_CTR1(vm, vcpuid, msg " pir3 0x%016lx", pir_desc->pir[3]); \
2127 VCPU_CTR1(vm, vcpuid, msg " notify: %s", notify ? "yes" : "no");\
2131 * vlapic->ops handlers that utilize the APICv hardware assist described in
2132 * Chapter 29 of the Intel SDM.
2135 vmx_set_intr_ready(struct vlapic *vlapic, int vector, bool level)
2137 struct vlapic_vtx *vlapic_vtx;
2138 struct pir_desc *pir_desc;
2143 * XXX need to deal with level triggered interrupts
2145 vlapic_vtx = (struct vlapic_vtx *)vlapic;
2146 pir_desc = &vlapic_vtx->pir_desc;
2149 * Keep track of interrupt requests in the PIR descriptor. This is
2150 * because the virtual APIC page pointed to by the VMCS cannot be
2151 * modified if the vcpu is running.
2154 mask = 1UL << (vector % 64);
2155 atomic_set_long(&pir_desc->pir[idx], mask);
2156 notify = atomic_cmpset_long(&pir_desc->pending, 0, 1);
2158 VMX_CTR_PIR(vlapic->vm, vlapic->vcpuid, pir_desc, notify, vector,
2159 level, "vmx_set_intr_ready");
2164 vmx_pending_intr(struct vlapic *vlapic, int *vecptr)
2166 struct vlapic_vtx *vlapic_vtx;
2167 struct pir_desc *pir_desc;
2168 struct LAPIC *lapic;
2169 uint64_t pending, pirval;
2174 * This function is only expected to be called from the 'HLT' exit
2175 * handler which does not care about the vector that is pending.
2177 KASSERT(vecptr == NULL, ("vmx_pending_intr: vecptr must be NULL"));
2179 vlapic_vtx = (struct vlapic_vtx *)vlapic;
2180 pir_desc = &vlapic_vtx->pir_desc;
2182 pending = atomic_load_acq_long(&pir_desc->pending);
2184 return (0); /* common case */
2187 * If there is an interrupt pending then it will be recognized only
2188 * if its priority is greater than the processor priority.
2190 * Special case: if the processor priority is zero then any pending
2191 * interrupt will be recognized.
2193 lapic = vlapic->apic_page;
2194 ppr = lapic->ppr & 0xf0;
2198 VCPU_CTR1(vlapic->vm, vlapic->vcpuid, "HLT with non-zero PPR %d",
2201 for (i = 3; i >= 0; i--) {
2202 pirval = pir_desc->pir[i];
2204 vpr = (i * 64 + flsl(pirval) - 1) & 0xf0;
2212 vmx_intr_accepted(struct vlapic *vlapic, int vector)
2215 panic("vmx_intr_accepted: not expected to be called");
2219 * Transfer the pending interrupts in the PIR descriptor to the IRR
2220 * in the virtual APIC page.
2223 vmx_inject_pir(struct vlapic *vlapic)
2225 struct vlapic_vtx *vlapic_vtx;
2226 struct pir_desc *pir_desc;
2227 struct LAPIC *lapic;
2228 uint64_t val, pirval;
2230 uint16_t intr_status_old, intr_status_new;
2232 vlapic_vtx = (struct vlapic_vtx *)vlapic;
2233 pir_desc = &vlapic_vtx->pir_desc;
2234 if (atomic_cmpset_long(&pir_desc->pending, 1, 0) == 0) {
2235 VCPU_CTR0(vlapic->vm, vlapic->vcpuid, "vmx_inject_pir: "
2236 "no posted interrupt pending");
2241 lapic = vlapic->apic_page;
2243 val = atomic_readandclear_long(&pir_desc->pir[0]);
2246 lapic->irr1 |= val >> 32;
2251 val = atomic_readandclear_long(&pir_desc->pir[1]);
2254 lapic->irr3 |= val >> 32;
2259 val = atomic_readandclear_long(&pir_desc->pir[2]);
2262 lapic->irr5 |= val >> 32;
2267 val = atomic_readandclear_long(&pir_desc->pir[3]);
2270 lapic->irr7 |= val >> 32;
2274 VLAPIC_CTR_IRR(vlapic, "vmx_inject_pir");
2277 * Update RVI so the processor can evaluate pending virtual
2278 * interrupts on VM-entry.
2281 rvi = pirbase + flsl(pirval) - 1;
2282 intr_status_old = vmcs_read(VMCS_GUEST_INTR_STATUS);
2283 intr_status_new = (intr_status_old & 0xFF00) | rvi;
2284 if (intr_status_new > intr_status_old) {
2285 vmcs_write(VMCS_GUEST_INTR_STATUS, intr_status_new);
2286 VCPU_CTR2(vlapic->vm, vlapic->vcpuid, "vmx_inject_pir: "
2287 "guest_intr_status changed from 0x%04x to 0x%04x",
2288 intr_status_old, intr_status_new);
2293 static struct vlapic *
2294 vmx_vlapic_init(void *arg, int vcpuid)
2297 struct vlapic *vlapic;
2301 vlapic = malloc(sizeof(struct vlapic_vtx), M_VLAPIC, M_WAITOK | M_ZERO);
2302 vlapic->vm = vmx->vm;
2303 vlapic->vcpuid = vcpuid;
2304 vlapic->apic_page = (struct LAPIC *)&vmx->apic_page[vcpuid];
2306 if (virtual_interrupt_delivery) {
2307 vlapic->ops.set_intr_ready = vmx_set_intr_ready;
2308 vlapic->ops.pending_intr = vmx_pending_intr;
2309 vlapic->ops.intr_accepted = vmx_intr_accepted;
2312 vlapic_init(vlapic);
2318 vmx_vlapic_cleanup(void *arg, struct vlapic *vlapic)
2321 vlapic_cleanup(vlapic);
2322 free(vlapic, M_VLAPIC);
2325 struct vmm_ops vmm_ops_intel = {
projects / FreeBSD / FreeBSD.git / blob