2 * Copyright (c) 2012 Sandvine, Inc.
3 * Copyright (c) 2012 NetApp, Inc.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
34 #include <sys/param.h>
36 #include <sys/systm.h>
41 #include <machine/vmparam.h>
42 #include <machine/vmm.h>
44 #include <sys/types.h>
45 #include <sys/errno.h>
47 #include <machine/vmm.h>
52 /* struct vie_op.op_type */
64 /* struct vie_op.op_flags */
65 #define VIE_OP_F_IMM (1 << 0) /* immediate operand present */
66 #define VIE_OP_F_IMM8 (1 << 1) /* 8-bit immediate operand */
68 static const struct vie_op two_byte_opcodes[256] = {
71 .op_type = VIE_OP_TYPE_MOVZX,
75 .op_type = VIE_OP_TYPE_MOVSX,
79 static const struct vie_op one_byte_opcodes[256] = {
82 .op_type = VIE_OP_TYPE_TWO_BYTE
86 .op_type = VIE_OP_TYPE_MOV,
90 .op_type = VIE_OP_TYPE_MOV,
94 .op_type = VIE_OP_TYPE_MOV,
98 .op_type = VIE_OP_TYPE_MOV,
102 .op_type = VIE_OP_TYPE_MOV,
103 .op_flags = VIE_OP_F_IMM,
107 .op_type = VIE_OP_TYPE_AND,
110 /* XXX Group 1 extended opcode - not just AND */
112 .op_type = VIE_OP_TYPE_AND,
113 .op_flags = VIE_OP_F_IMM,
116 /* XXX Group 1 extended opcode - not just OR */
118 .op_type = VIE_OP_TYPE_OR,
119 .op_flags = VIE_OP_F_IMM8,
124 #define VIE_MOD_INDIRECT 0
125 #define VIE_MOD_INDIRECT_DISP8 1
126 #define VIE_MOD_INDIRECT_DISP32 2
127 #define VIE_MOD_DIRECT 3
131 #define VIE_RM_DISP32 5
133 #define GB (1024 * 1024 * 1024)
135 static enum vm_reg_name gpr_map[16] = {
154 static uint64_t size2mask[] = {
158 [8] = 0xffffffffffffffff,
162 vie_read_register(void *vm, int vcpuid, enum vm_reg_name reg, uint64_t *rval)
166 error = vm_get_register(vm, vcpuid, reg, rval);
172 vie_read_bytereg(void *vm, int vcpuid, struct vie *vie, uint8_t *rval)
176 enum vm_reg_name reg;
179 reg = gpr_map[vie->reg];
182 * 64-bit mode imposes limitations on accessing legacy byte registers.
184 * The legacy high-byte registers cannot be addressed if the REX
185 * prefix is present. In this case the values 4, 5, 6 and 7 of the
186 * 'ModRM:reg' field address %spl, %bpl, %sil and %dil respectively.
188 * If the REX prefix is not present then the values 4, 5, 6 and 7
189 * of the 'ModRM:reg' field address the legacy high-byte registers,
190 * %ah, %ch, %dh and %bh respectively.
192 if (!vie->rex_present) {
193 if (vie->reg & 0x4) {
195 * Obtain the value of %ah by reading %rax and shifting
196 * right by 8 bits (same for %bh, %ch and %dh).
199 reg = gpr_map[vie->reg & 0x3];
203 error = vm_get_register(vm, vcpuid, reg, &val);
204 *rval = val >> rshift;
209 vie_update_register(void *vm, int vcpuid, enum vm_reg_name reg,
210 uint64_t val, int size)
218 error = vie_read_register(vm, vcpuid, reg, &origval);
221 val &= size2mask[size];
222 val |= origval & ~size2mask[size];
233 error = vm_set_register(vm, vcpuid, reg, val);
238 * The following simplifying assumptions are made during emulation:
240 * - guest is in 64-bit mode
241 * - default address size is 64-bits
242 * - default operand size is 32-bits
244 * - operand size override is not supported
246 * - address size override is not supported
249 emulate_mov(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
250 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
253 enum vm_reg_name reg;
260 switch (vie->op.op_byte) {
263 * MOV byte from reg (ModRM:reg) to mem (ModRM:r/m)
265 * REX + 88/r: mov r/m8, r8 (%ah, %ch, %dh, %bh not available)
268 error = vie_read_bytereg(vm, vcpuid, vie, &byte);
270 error = memwrite(vm, vcpuid, gpa, byte, size, arg);
274 * MOV from reg (ModRM:reg) to mem (ModRM:r/m)
275 * 89/r: mov r/m32, r32
276 * REX.W + 89/r mov r/m64, r64
280 reg = gpr_map[vie->reg];
281 error = vie_read_register(vm, vcpuid, reg, &val);
283 val &= size2mask[size];
284 error = memwrite(vm, vcpuid, gpa, val, size, arg);
290 * MOV from mem (ModRM:r/m) to reg (ModRM:reg)
292 * REX + 8A/r: mov r/m8, r8
293 * 8B/r: mov r32, r/m32
294 * REX.W 8B/r: mov r64, r/m64
296 if (vie->op.op_byte == 0x8A)
300 error = memread(vm, vcpuid, gpa, &val, size, arg);
302 reg = gpr_map[vie->reg];
303 error = vie_update_register(vm, vcpuid, reg, val, size);
308 * MOV from imm32 to mem (ModRM:r/m)
309 * C7/0 mov r/m32, imm32
310 * REX.W + C7/0 mov r/m64, imm32 (sign-extended to 64-bits)
312 val = vie->immediate; /* already sign-extended */
318 val &= size2mask[size];
320 error = memwrite(vm, vcpuid, gpa, val, size, arg);
330 * The following simplifying assumptions are made during emulation:
332 * - guest is in 64-bit mode
333 * - default address size is 64-bits
334 * - default operand size is 32-bits
336 * - operand size override is not supported
338 * - address size override is not supported
341 emulate_movx(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
342 mem_region_read_t memread, mem_region_write_t memwrite,
346 enum vm_reg_name reg;
352 switch (vie->op.op_byte) {
355 * MOV and zero extend byte from mem (ModRM:r/m) to
358 * 0F B6/r movzx r/m8, r32
359 * REX.W + 0F B6/r movzx r/m8, r64
362 /* get the first operand */
363 error = memread(vm, vcpuid, gpa, &val, 1, arg);
367 /* get the second operand */
368 reg = gpr_map[vie->reg];
373 /* write the result */
374 error = vie_update_register(vm, vcpuid, reg, val, size);
378 * MOV and sign extend byte from mem (ModRM:r/m) to
381 * 0F BE/r movsx r/m8, r32
382 * REX.W + 0F BE/r movsx r/m8, r64
385 /* get the first operand */
386 error = memread(vm, vcpuid, gpa, &val, 1, arg);
390 /* get the second operand */
391 reg = gpr_map[vie->reg];
396 /* sign extend byte */
399 /* write the result */
400 error = vie_update_register(vm, vcpuid, reg, val, size);
409 emulate_and(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
410 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
413 enum vm_reg_name reg;
419 switch (vie->op.op_byte) {
422 * AND reg (ModRM:reg) and mem (ModRM:r/m) and store the
425 * 23/r and r32, r/m32
426 * REX.W + 23/r and r64, r/m64
431 /* get the first operand */
432 reg = gpr_map[vie->reg];
433 error = vie_read_register(vm, vcpuid, reg, &val1);
437 /* get the second operand */
438 error = memread(vm, vcpuid, gpa, &val2, size, arg);
442 /* perform the operation and write the result */
444 error = vie_update_register(vm, vcpuid, reg, val1, size);
448 * AND mem (ModRM:r/m) with immediate and store the
451 * 81/ and r/m32, imm32
452 * REX.W + 81/ and r/m64, imm32 sign-extended to 64
454 * Currently, only the AND operation of the 0x81 opcode
455 * is implemented (ModRM:reg = b100).
457 if ((vie->reg & 7) != 4)
463 /* get the first operand */
464 error = memread(vm, vcpuid, gpa, &val1, size, arg);
469 * perform the operation with the pre-fetched immediate
470 * operand and write the result
472 val1 &= vie->immediate;
473 error = memwrite(vm, vcpuid, gpa, val1, size, arg);
482 emulate_or(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
483 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
491 switch (vie->op.op_byte) {
494 * OR mem (ModRM:r/m) with immediate and store the
497 * 83/ OR r/m32, imm8 sign-extended to 32
498 * REX.W + 83/ OR r/m64, imm8 sign-extended to 64
500 * Currently, only the OR operation of the 0x83 opcode
501 * is implemented (ModRM:reg = b001).
503 if ((vie->reg & 7) != 1)
509 /* get the first operand */
510 error = memread(vm, vcpuid, gpa, &val1, size, arg);
515 * perform the operation with the pre-fetched immediate
516 * operand and write the result
518 val1 |= vie->immediate;
519 error = memwrite(vm, vcpuid, gpa, val1, size, arg);
528 vmm_emulate_instruction(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
529 mem_region_read_t memread, mem_region_write_t memwrite,
537 switch (vie->op.op_type) {
538 case VIE_OP_TYPE_MOV:
539 error = emulate_mov(vm, vcpuid, gpa, vie,
540 memread, memwrite, memarg);
542 case VIE_OP_TYPE_MOVSX:
543 case VIE_OP_TYPE_MOVZX:
544 error = emulate_movx(vm, vcpuid, gpa, vie,
545 memread, memwrite, memarg);
547 case VIE_OP_TYPE_AND:
548 error = emulate_and(vm, vcpuid, gpa, vie,
549 memread, memwrite, memarg);
552 error = emulate_or(vm, vcpuid, gpa, vie,
553 memread, memwrite, memarg);
565 vie_init(struct vie *vie)
568 bzero(vie, sizeof(struct vie));
570 vie->base_register = VM_REG_LAST;
571 vie->index_register = VM_REG_LAST;
575 gla2gpa(struct vm *vm, uint64_t gla, uint64_t ptpphys,
576 uint64_t *gpa, enum vie_paging_mode paging_mode)
578 int nlevels, ptpshift, ptpindex;
579 uint64_t *ptpbase, pte, pgsize;
580 uint32_t *ptpbase32, pte32;
583 if (paging_mode == PAGING_MODE_FLAT) {
588 if (paging_mode == PAGING_MODE_32) {
590 while (--nlevels >= 0) {
591 /* Zero out the lower 12 bits. */
594 ptpbase32 = vm_gpa_hold(vm, ptpphys, PAGE_SIZE,
595 VM_PROT_READ, &cookie);
597 if (ptpbase32 == NULL)
600 ptpshift = PAGE_SHIFT + nlevels * 10;
601 ptpindex = (gla >> ptpshift) & 0x3FF;
602 pgsize = 1UL << ptpshift;
604 pte32 = ptpbase32[ptpindex];
606 vm_gpa_release(cookie);
608 if ((pte32 & PG_V) == 0)
617 /* Zero out the lower 'ptpshift' bits */
618 pte32 >>= ptpshift; pte32 <<= ptpshift;
619 *gpa = pte32 | (gla & (pgsize - 1));
623 if (paging_mode == PAGING_MODE_PAE) {
624 /* Zero out the lower 5 bits and the upper 12 bits */
625 ptpphys >>= 5; ptpphys <<= 17; ptpphys >>= 12;
627 ptpbase = vm_gpa_hold(vm, ptpphys, sizeof(*ptpbase) * 4,
628 VM_PROT_READ, &cookie);
632 ptpindex = (gla >> 30) & 0x3;
634 pte = ptpbase[ptpindex];
636 vm_gpa_release(cookie);
638 if ((pte & PG_V) == 0)
646 while (--nlevels >= 0) {
647 /* Zero out the lower 12 bits and the upper 12 bits */
648 ptpphys >>= 12; ptpphys <<= 24; ptpphys >>= 12;
650 ptpbase = vm_gpa_hold(vm, ptpphys, PAGE_SIZE, VM_PROT_READ,
655 ptpshift = PAGE_SHIFT + nlevels * 9;
656 ptpindex = (gla >> ptpshift) & 0x1FF;
657 pgsize = 1UL << ptpshift;
659 pte = ptpbase[ptpindex];
661 vm_gpa_release(cookie);
663 if ((pte & PG_V) == 0)
676 /* Zero out the lower 'ptpshift' bits and the upper 12 bits */
677 pte >>= ptpshift; pte <<= (ptpshift + 12); pte >>= 12;
678 *gpa = pte | (gla & (pgsize - 1));
686 vmm_fetch_instruction(struct vm *vm, int cpuid, uint64_t rip, int inst_length,
687 uint64_t cr3, enum vie_paging_mode paging_mode,
695 * XXX cache previously fetched instructions using 'rip' as the tag
698 prot = VM_PROT_READ | VM_PROT_EXECUTE;
699 if (inst_length > VIE_INST_SIZE)
700 panic("vmm_fetch_instruction: invalid length %d", inst_length);
702 /* Copy the instruction into 'vie' */
703 while (vie->num_valid < inst_length) {
704 err = gla2gpa(vm, rip, cr3, &gpa, paging_mode);
708 off = gpa & PAGE_MASK;
709 n = min(inst_length - vie->num_valid, PAGE_SIZE - off);
711 if ((hpa = vm_gpa_hold(vm, gpa, n, prot, &cookie)) == NULL)
714 bcopy(hpa, &vie->inst[vie->num_valid], n);
716 vm_gpa_release(cookie);
722 if (vie->num_valid == inst_length)
729 vie_peek(struct vie *vie, uint8_t *x)
732 if (vie->num_processed < vie->num_valid) {
733 *x = vie->inst[vie->num_processed];
740 vie_advance(struct vie *vie)
743 vie->num_processed++;
747 decode_rex(struct vie *vie)
751 if (vie_peek(vie, &x))
754 if (x >= 0x40 && x <= 0x4F) {
755 vie->rex_present = 1;
757 vie->rex_w = x & 0x8 ? 1 : 0;
758 vie->rex_r = x & 0x4 ? 1 : 0;
759 vie->rex_x = x & 0x2 ? 1 : 0;
760 vie->rex_b = x & 0x1 ? 1 : 0;
769 decode_two_byte_opcode(struct vie *vie)
773 if (vie_peek(vie, &x))
776 vie->op = two_byte_opcodes[x];
778 if (vie->op.op_type == VIE_OP_TYPE_NONE)
786 decode_opcode(struct vie *vie)
790 if (vie_peek(vie, &x))
793 vie->op = one_byte_opcodes[x];
795 if (vie->op.op_type == VIE_OP_TYPE_NONE)
800 if (vie->op.op_type == VIE_OP_TYPE_TWO_BYTE)
801 return (decode_two_byte_opcode(vie));
807 decode_modrm(struct vie *vie, enum vie_cpu_mode cpu_mode)
811 if (vie_peek(vie, &x))
814 vie->mod = (x >> 6) & 0x3;
815 vie->rm = (x >> 0) & 0x7;
816 vie->reg = (x >> 3) & 0x7;
819 * A direct addressing mode makes no sense in the context of an EPT
820 * fault. There has to be a memory access involved to cause the
823 if (vie->mod == VIE_MOD_DIRECT)
826 if ((vie->mod == VIE_MOD_INDIRECT && vie->rm == VIE_RM_DISP32) ||
827 (vie->mod != VIE_MOD_DIRECT && vie->rm == VIE_RM_SIB)) {
829 * Table 2-5: Special Cases of REX Encodings
831 * mod=0, r/m=5 is used in the compatibility mode to
832 * indicate a disp32 without a base register.
834 * mod!=3, r/m=4 is used in the compatibility mode to
835 * indicate that the SIB byte is present.
837 * The 'b' bit in the REX prefix is don't care in
841 vie->rm |= (vie->rex_b << 3);
844 vie->reg |= (vie->rex_r << 3);
847 if (vie->mod != VIE_MOD_DIRECT && vie->rm == VIE_RM_SIB)
850 vie->base_register = gpr_map[vie->rm];
853 case VIE_MOD_INDIRECT_DISP8:
856 case VIE_MOD_INDIRECT_DISP32:
859 case VIE_MOD_INDIRECT:
860 if (vie->rm == VIE_RM_DISP32) {
863 * Table 2-7. RIP-Relative Addressing
865 * In 64-bit mode mod=00 r/m=101 implies [rip] + disp32
866 * whereas in compatibility mode it just implies disp32.
869 if (cpu_mode == CPU_MODE_64BIT)
870 vie->base_register = VM_REG_GUEST_RIP;
872 vie->base_register = VM_REG_LAST;
884 decode_sib(struct vie *vie)
888 /* Proceed only if SIB byte is present */
889 if (vie->mod == VIE_MOD_DIRECT || vie->rm != VIE_RM_SIB)
892 if (vie_peek(vie, &x))
895 /* De-construct the SIB byte */
896 vie->ss = (x >> 6) & 0x3;
897 vie->index = (x >> 3) & 0x7;
898 vie->base = (x >> 0) & 0x7;
900 /* Apply the REX prefix modifiers */
901 vie->index |= vie->rex_x << 3;
902 vie->base |= vie->rex_b << 3;
905 case VIE_MOD_INDIRECT_DISP8:
908 case VIE_MOD_INDIRECT_DISP32:
913 if (vie->mod == VIE_MOD_INDIRECT &&
914 (vie->base == 5 || vie->base == 13)) {
916 * Special case when base register is unused if mod = 0
917 * and base = %rbp or %r13.
920 * Table 2-3: 32-bit Addressing Forms with the SIB Byte
921 * Table 2-5: Special Cases of REX Encodings
925 vie->base_register = gpr_map[vie->base];
929 * All encodings of 'index' are valid except for %rsp (4).
932 * Table 2-3: 32-bit Addressing Forms with the SIB Byte
933 * Table 2-5: Special Cases of REX Encodings
936 vie->index_register = gpr_map[vie->index];
938 /* 'scale' makes sense only in the context of an index register */
939 if (vie->index_register < VM_REG_LAST)
940 vie->scale = 1 << vie->ss;
948 decode_displacement(struct vie *vie)
959 if ((n = vie->disp_bytes) == 0)
962 if (n != 1 && n != 4)
963 panic("decode_displacement: invalid disp_bytes %d", n);
965 for (i = 0; i < n; i++) {
966 if (vie_peek(vie, &x))
974 vie->displacement = u.signed8; /* sign-extended */
976 vie->displacement = u.signed32; /* sign-extended */
982 decode_immediate(struct vie *vie)
992 /* Figure out immediate operand size (if any) */
993 if (vie->op.op_flags & VIE_OP_F_IMM)
995 else if (vie->op.op_flags & VIE_OP_F_IMM8)
998 if ((n = vie->imm_bytes) == 0)
1001 if (n != 1 && n != 4)
1002 panic("decode_immediate: invalid imm_bytes %d", n);
1004 for (i = 0; i < n; i++) {
1005 if (vie_peek(vie, &x))
1013 vie->immediate = u.signed8; /* sign-extended */
1015 vie->immediate = u.signed32; /* sign-extended */
1021 * Verify that all the bytes in the instruction buffer were consumed.
1024 verify_inst_length(struct vie *vie)
1027 if (vie->num_processed == vie->num_valid)
1034 * Verify that the 'guest linear address' provided as collateral of the nested
1035 * page table fault matches with our instruction decoding.
1038 verify_gla(struct vm *vm, int cpuid, uint64_t gla, struct vie *vie)
1043 /* Skip 'gla' verification */
1044 if (gla == VIE_INVALID_GLA)
1048 if (vie->base_register != VM_REG_LAST) {
1049 error = vm_get_register(vm, cpuid, vie->base_register, &base);
1051 printf("verify_gla: error %d getting base reg %d\n",
1052 error, vie->base_register);
1057 * RIP-relative addressing starts from the following
1060 if (vie->base_register == VM_REG_GUEST_RIP)
1061 base += vie->num_valid;
1065 if (vie->index_register != VM_REG_LAST) {
1066 error = vm_get_register(vm, cpuid, vie->index_register, &idx);
1068 printf("verify_gla: error %d getting index reg %d\n",
1069 error, vie->index_register);
1074 if (base + vie->scale * idx + vie->displacement != gla) {
1075 printf("verify_gla mismatch: "
1076 "base(0x%0lx), scale(%d), index(0x%0lx), "
1077 "disp(0x%0lx), gla(0x%0lx)\n",
1078 base, vie->scale, idx, vie->displacement, gla);
1086 vmm_decode_instruction(struct vm *vm, int cpuid, uint64_t gla,
1087 enum vie_cpu_mode cpu_mode, struct vie *vie)
1090 if (cpu_mode == CPU_MODE_64BIT) {
1091 if (decode_rex(vie))
1095 if (decode_opcode(vie))
1098 if (decode_modrm(vie, cpu_mode))
1101 if (decode_sib(vie))
1104 if (decode_displacement(vie))
1107 if (decode_immediate(vie))
1110 if (verify_inst_length(vie))
1113 if (verify_gla(vm, cpuid, gla, vie))
1116 vie->decoded = 1; /* success */
1120 #endif /* _KERNEL */
projects / FreeBSD / stable / 10.git / blob