2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2012 Sandvine, Inc.
5 * Copyright (c) 2012 NetApp, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
36 #include <sys/param.h>
38 #include <sys/systm.h>
44 #include <machine/vmparam.h>
45 #include <machine/vmm.h>
47 #include <sys/types.h>
48 #include <sys/errno.h>
49 #include <sys/_iovec.h>
51 #include <machine/vmm.h>
55 #define KASSERT(exp,msg) assert((exp))
58 #include <machine/vmm_instruction_emul.h>
60 #include <x86/specialreg.h>
62 /* struct vie_op.op_type */
79 VIE_OP_TYPE_TWOB_GRP15,
85 /* struct vie_op.op_flags */
86 #define VIE_OP_F_IMM (1 << 0) /* 16/32-bit immediate operand */
87 #define VIE_OP_F_IMM8 (1 << 1) /* 8-bit immediate operand */
88 #define VIE_OP_F_MOFFSET (1 << 2) /* 16/32/64-bit immediate moffset */
89 #define VIE_OP_F_NO_MODRM (1 << 3)
90 #define VIE_OP_F_NO_GLA_VERIFICATION (1 << 4)
92 static const struct vie_op two_byte_opcodes[256] = {
95 .op_type = VIE_OP_TYPE_TWOB_GRP15,
99 .op_type = VIE_OP_TYPE_MOVZX,
103 .op_type = VIE_OP_TYPE_MOVZX,
107 .op_type = VIE_OP_TYPE_BITTEST,
108 .op_flags = VIE_OP_F_IMM8,
112 .op_type = VIE_OP_TYPE_MOVSX,
116 static const struct vie_op one_byte_opcodes[256] = {
119 .op_type = VIE_OP_TYPE_ADD,
123 .op_type = VIE_OP_TYPE_TWO_BYTE
127 .op_type = VIE_OP_TYPE_OR,
131 .op_type = VIE_OP_TYPE_SUB,
135 .op_type = VIE_OP_TYPE_CMP,
139 .op_type = VIE_OP_TYPE_CMP,
143 .op_type = VIE_OP_TYPE_MOV,
147 .op_type = VIE_OP_TYPE_MOV,
151 .op_type = VIE_OP_TYPE_MOV,
155 .op_type = VIE_OP_TYPE_MOV,
159 .op_type = VIE_OP_TYPE_MOV,
160 .op_flags = VIE_OP_F_MOFFSET | VIE_OP_F_NO_MODRM,
164 .op_type = VIE_OP_TYPE_MOV,
165 .op_flags = VIE_OP_F_MOFFSET | VIE_OP_F_NO_MODRM,
169 .op_type = VIE_OP_TYPE_MOVS,
170 .op_flags = VIE_OP_F_NO_MODRM | VIE_OP_F_NO_GLA_VERIFICATION
174 .op_type = VIE_OP_TYPE_MOVS,
175 .op_flags = VIE_OP_F_NO_MODRM | VIE_OP_F_NO_GLA_VERIFICATION
179 .op_type = VIE_OP_TYPE_STOS,
180 .op_flags = VIE_OP_F_NO_MODRM | VIE_OP_F_NO_GLA_VERIFICATION
184 .op_type = VIE_OP_TYPE_STOS,
185 .op_flags = VIE_OP_F_NO_MODRM | VIE_OP_F_NO_GLA_VERIFICATION
188 /* XXX Group 11 extended opcode - not just MOV */
190 .op_type = VIE_OP_TYPE_MOV,
191 .op_flags = VIE_OP_F_IMM8,
195 .op_type = VIE_OP_TYPE_MOV,
196 .op_flags = VIE_OP_F_IMM,
200 .op_type = VIE_OP_TYPE_AND,
203 /* Group 1 extended opcode */
205 .op_type = VIE_OP_TYPE_GROUP1,
206 .op_flags = VIE_OP_F_IMM8,
209 /* Group 1 extended opcode */
211 .op_type = VIE_OP_TYPE_GROUP1,
212 .op_flags = VIE_OP_F_IMM,
215 /* Group 1 extended opcode */
217 .op_type = VIE_OP_TYPE_GROUP1,
218 .op_flags = VIE_OP_F_IMM8,
221 /* XXX Group 1A extended opcode - not just POP */
223 .op_type = VIE_OP_TYPE_POP,
226 /* XXX Group 3 extended opcode - not just TEST */
228 .op_type = VIE_OP_TYPE_TEST,
229 .op_flags = VIE_OP_F_IMM,
232 /* XXX Group 5 extended opcode - not just PUSH */
234 .op_type = VIE_OP_TYPE_PUSH,
239 #define VIE_MOD_INDIRECT 0
240 #define VIE_MOD_INDIRECT_DISP8 1
241 #define VIE_MOD_INDIRECT_DISP32 2
242 #define VIE_MOD_DIRECT 3
246 #define VIE_RM_DISP32 5
248 #define GB (1024 * 1024 * 1024)
250 static enum vm_reg_name gpr_map[16] = {
269 static uint64_t size2mask[] = {
273 [8] = 0xffffffffffffffff,
277 vie_read_register(void *vm, int vcpuid, enum vm_reg_name reg, uint64_t *rval)
281 error = vm_get_register(vm, vcpuid, reg, rval);
287 vie_calc_bytereg(struct vie *vie, enum vm_reg_name *reg, int *lhbr)
290 *reg = gpr_map[vie->reg];
293 * 64-bit mode imposes limitations on accessing legacy high byte
296 * The legacy high-byte registers cannot be addressed if the REX
297 * prefix is present. In this case the values 4, 5, 6 and 7 of the
298 * 'ModRM:reg' field address %spl, %bpl, %sil and %dil respectively.
300 * If the REX prefix is not present then the values 4, 5, 6 and 7
301 * of the 'ModRM:reg' field address the legacy high-byte registers,
302 * %ah, %ch, %dh and %bh respectively.
304 if (!vie->rex_present) {
305 if (vie->reg & 0x4) {
307 *reg = gpr_map[vie->reg & 0x3];
313 vie_read_bytereg(void *vm, int vcpuid, struct vie *vie, uint8_t *rval)
317 enum vm_reg_name reg;
319 vie_calc_bytereg(vie, ®, &lhbr);
320 error = vm_get_register(vm, vcpuid, reg, &val);
323 * To obtain the value of a legacy high byte register shift the
324 * base register right by 8 bits (%ah = %rax >> 8).
334 vie_write_bytereg(void *vm, int vcpuid, struct vie *vie, uint8_t byte)
336 uint64_t origval, val, mask;
338 enum vm_reg_name reg;
340 vie_calc_bytereg(vie, ®, &lhbr);
341 error = vm_get_register(vm, vcpuid, reg, &origval);
347 * Shift left by 8 to store 'byte' in a legacy high
353 val |= origval & ~mask;
354 error = vm_set_register(vm, vcpuid, reg, val);
360 vie_update_register(void *vm, int vcpuid, enum vm_reg_name reg,
361 uint64_t val, int size)
369 error = vie_read_register(vm, vcpuid, reg, &origval);
372 val &= size2mask[size];
373 val |= origval & ~size2mask[size];
384 error = vm_set_register(vm, vcpuid, reg, val);
388 #define RFLAGS_STATUS_BITS (PSL_C | PSL_PF | PSL_AF | PSL_Z | PSL_N | PSL_V)
391 * Return the status flags that would result from doing (x - y).
395 getcc##sz(uint##sz##_t x, uint##sz##_t y) \
399 __asm __volatile("sub %2,%1; pushfq; popq %0" : \
400 "=r" (rflags), "+r" (x) : "m" (y)); \
410 getcc(int opsize, uint64_t x, uint64_t y)
412 KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
413 ("getcc: invalid operand size %d", opsize));
416 return (getcc8(x, y));
417 else if (opsize == 2)
418 return (getcc16(x, y));
419 else if (opsize == 4)
420 return (getcc32(x, y));
422 return (getcc64(x, y));
426 * Macro creation of functions getaddflags{8,16,32,64}
428 #define GETADDFLAGS(sz) \
430 getaddflags##sz(uint##sz##_t x, uint##sz##_t y) \
434 __asm __volatile("add %2,%1; pushfq; popq %0" : \
435 "=r" (rflags), "+r" (x) : "m" (y)); \
445 getaddflags(int opsize, uint64_t x, uint64_t y)
447 KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
448 ("getaddflags: invalid operand size %d", opsize));
451 return (getaddflags8(x, y));
452 else if (opsize == 2)
453 return (getaddflags16(x, y));
454 else if (opsize == 4)
455 return (getaddflags32(x, y));
457 return (getaddflags64(x, y));
461 * Return the status flags that would result from doing (x & y).
463 #define GETANDFLAGS(sz) \
465 getandflags##sz(uint##sz##_t x, uint##sz##_t y) \
469 __asm __volatile("and %2,%1; pushfq; popq %0" : \
470 "=r" (rflags), "+r" (x) : "m" (y)); \
480 getandflags(int opsize, uint64_t x, uint64_t y)
482 KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
483 ("getandflags: invalid operand size %d", opsize));
486 return (getandflags8(x, y));
487 else if (opsize == 2)
488 return (getandflags16(x, y));
489 else if (opsize == 4)
490 return (getandflags32(x, y));
492 return (getandflags64(x, y));
496 emulate_mov(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
497 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
500 enum vm_reg_name reg;
507 switch (vie->op.op_byte) {
510 * MOV byte from reg (ModRM:reg) to mem (ModRM:r/m)
512 * REX + 88/r: mov r/m8, r8 (%ah, %ch, %dh, %bh not available)
514 size = 1; /* override for byte operation */
515 error = vie_read_bytereg(vm, vcpuid, vie, &byte);
517 error = memwrite(vm, vcpuid, gpa, byte, size, arg);
521 * MOV from reg (ModRM:reg) to mem (ModRM:r/m)
522 * 89/r: mov r/m16, r16
523 * 89/r: mov r/m32, r32
524 * REX.W + 89/r mov r/m64, r64
526 reg = gpr_map[vie->reg];
527 error = vie_read_register(vm, vcpuid, reg, &val);
529 val &= size2mask[size];
530 error = memwrite(vm, vcpuid, gpa, val, size, arg);
535 * MOV byte from mem (ModRM:r/m) to reg (ModRM:reg)
537 * REX + 8A/r: mov r8, r/m8
539 size = 1; /* override for byte operation */
540 error = memread(vm, vcpuid, gpa, &val, size, arg);
542 error = vie_write_bytereg(vm, vcpuid, vie, val);
546 * MOV from mem (ModRM:r/m) to reg (ModRM:reg)
547 * 8B/r: mov r16, r/m16
548 * 8B/r: mov r32, r/m32
549 * REX.W 8B/r: mov r64, r/m64
551 error = memread(vm, vcpuid, gpa, &val, size, arg);
553 reg = gpr_map[vie->reg];
554 error = vie_update_register(vm, vcpuid, reg, val, size);
559 * MOV from seg:moffset to AX/EAX/RAX
560 * A1: mov AX, moffs16
561 * A1: mov EAX, moffs32
562 * REX.W + A1: mov RAX, moffs64
564 error = memread(vm, vcpuid, gpa, &val, size, arg);
566 reg = VM_REG_GUEST_RAX;
567 error = vie_update_register(vm, vcpuid, reg, val, size);
572 * MOV from AX/EAX/RAX to seg:moffset
573 * A3: mov moffs16, AX
574 * A3: mov moffs32, EAX
575 * REX.W + A3: mov moffs64, RAX
577 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RAX, &val);
579 val &= size2mask[size];
580 error = memwrite(vm, vcpuid, gpa, val, size, arg);
585 * MOV from imm8 to mem (ModRM:r/m)
586 * C6/0 mov r/m8, imm8
587 * REX + C6/0 mov r/m8, imm8
589 size = 1; /* override for byte operation */
590 error = memwrite(vm, vcpuid, gpa, vie->immediate, size, arg);
594 * MOV from imm16/imm32 to mem (ModRM:r/m)
595 * C7/0 mov r/m16, imm16
596 * C7/0 mov r/m32, imm32
597 * REX.W + C7/0 mov r/m64, imm32 (sign-extended to 64-bits)
599 val = vie->immediate & size2mask[size];
600 error = memwrite(vm, vcpuid, gpa, val, size, arg);
610 emulate_movx(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
611 mem_region_read_t memread, mem_region_write_t memwrite,
615 enum vm_reg_name reg;
621 switch (vie->op.op_byte) {
624 * MOV and zero extend byte from mem (ModRM:r/m) to
627 * 0F B6/r movzx r16, r/m8
628 * 0F B6/r movzx r32, r/m8
629 * REX.W + 0F B6/r movzx r64, r/m8
632 /* get the first operand */
633 error = memread(vm, vcpuid, gpa, &val, 1, arg);
637 /* get the second operand */
638 reg = gpr_map[vie->reg];
640 /* zero-extend byte */
643 /* write the result */
644 error = vie_update_register(vm, vcpuid, reg, val, size);
648 * MOV and zero extend word from mem (ModRM:r/m) to
651 * 0F B7/r movzx r32, r/m16
652 * REX.W + 0F B7/r movzx r64, r/m16
654 error = memread(vm, vcpuid, gpa, &val, 2, arg);
658 reg = gpr_map[vie->reg];
660 /* zero-extend word */
663 error = vie_update_register(vm, vcpuid, reg, val, size);
667 * MOV and sign extend byte from mem (ModRM:r/m) to
670 * 0F BE/r movsx r16, r/m8
671 * 0F BE/r movsx r32, r/m8
672 * REX.W + 0F BE/r movsx r64, r/m8
675 /* get the first operand */
676 error = memread(vm, vcpuid, gpa, &val, 1, arg);
680 /* get the second operand */
681 reg = gpr_map[vie->reg];
683 /* sign extend byte */
686 /* write the result */
687 error = vie_update_register(vm, vcpuid, reg, val, size);
696 * Helper function to calculate and validate a linear address.
699 get_gla(void *vm, int vcpuid, struct vie *vie, struct vm_guest_paging *paging,
700 int opsize, int addrsize, int prot, enum vm_reg_name seg,
701 enum vm_reg_name gpr, uint64_t *gla, int *fault)
703 struct seg_desc desc;
704 uint64_t cr0, val, rflags;
707 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_CR0, &cr0);
708 KASSERT(error == 0, ("%s: error %d getting cr0", __func__, error));
710 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
711 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
713 error = vm_get_seg_desc(vm, vcpuid, seg, &desc);
714 KASSERT(error == 0, ("%s: error %d getting segment descriptor %d",
715 __func__, error, seg));
717 error = vie_read_register(vm, vcpuid, gpr, &val);
718 KASSERT(error == 0, ("%s: error %d getting register %d", __func__,
721 if (vie_calculate_gla(paging->cpu_mode, seg, &desc, val, opsize,
722 addrsize, prot, gla)) {
723 if (seg == VM_REG_GUEST_SS)
724 vm_inject_ss(vm, vcpuid, 0);
726 vm_inject_gp(vm, vcpuid);
730 if (vie_canonical_check(paging->cpu_mode, *gla)) {
731 if (seg == VM_REG_GUEST_SS)
732 vm_inject_ss(vm, vcpuid, 0);
734 vm_inject_gp(vm, vcpuid);
738 if (vie_alignment_check(paging->cpl, opsize, cr0, rflags, *gla)) {
739 vm_inject_ac(vm, vcpuid, 0);
752 emulate_movs(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
753 struct vm_guest_paging *paging, mem_region_read_t memread,
754 mem_region_write_t memwrite, void *arg)
757 struct vm_copyinfo copyinfo[2];
759 struct iovec copyinfo[2];
761 uint64_t dstaddr, srcaddr, dstgpa, srcgpa, val;
762 uint64_t rcx, rdi, rsi, rflags;
763 int error, fault, opsize, seg, repeat;
765 opsize = (vie->op.op_byte == 0xA4) ? 1 : vie->opsize;
770 * XXX although the MOVS instruction is only supposed to be used with
771 * the "rep" prefix some guests like FreeBSD will use "repnz" instead.
773 * Empirically the "repnz" prefix has identical behavior to "rep"
774 * and the zero flag does not make a difference.
776 repeat = vie->repz_present | vie->repnz_present;
779 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RCX, &rcx);
780 KASSERT(!error, ("%s: error %d getting rcx", __func__, error));
783 * The count register is %rcx, %ecx or %cx depending on the
784 * address size of the instruction.
786 if ((rcx & vie_size2mask(vie->addrsize)) == 0) {
793 * Source Destination Comments
794 * --------------------------------------------
795 * (1) memory memory n/a
796 * (2) memory mmio emulated
797 * (3) mmio memory emulated
798 * (4) mmio mmio emulated
800 * At this point we don't have sufficient information to distinguish
801 * between (2), (3) and (4). We use 'vm_copy_setup()' to tease this
802 * out because it will succeed only when operating on regular memory.
804 * XXX the emulation doesn't properly handle the case where 'gpa'
805 * is straddling the boundary between the normal memory and MMIO.
808 seg = vie->segment_override ? vie->segment_register : VM_REG_GUEST_DS;
809 error = get_gla(vm, vcpuid, vie, paging, opsize, vie->addrsize,
810 PROT_READ, seg, VM_REG_GUEST_RSI, &srcaddr, &fault);
814 error = vm_copy_setup(vm, vcpuid, paging, srcaddr, opsize, PROT_READ,
815 copyinfo, nitems(copyinfo), &fault);
818 goto done; /* Resume guest to handle fault */
821 * case (2): read from system memory and write to mmio.
823 vm_copyin(vm, vcpuid, copyinfo, &val, opsize);
824 vm_copy_teardown(vm, vcpuid, copyinfo, nitems(copyinfo));
825 error = memwrite(vm, vcpuid, gpa, val, opsize, arg);
830 * 'vm_copy_setup()' is expected to fail for cases (3) and (4)
831 * if 'srcaddr' is in the mmio space.
834 error = get_gla(vm, vcpuid, vie, paging, opsize, vie->addrsize,
835 PROT_WRITE, VM_REG_GUEST_ES, VM_REG_GUEST_RDI, &dstaddr,
840 error = vm_copy_setup(vm, vcpuid, paging, dstaddr, opsize,
841 PROT_WRITE, copyinfo, nitems(copyinfo), &fault);
844 goto done; /* Resume guest to handle fault */
847 * case (3): read from MMIO and write to system memory.
849 * A MMIO read can have side-effects so we
850 * commit to it only after vm_copy_setup() is
851 * successful. If a page-fault needs to be
852 * injected into the guest then it will happen
853 * before the MMIO read is attempted.
855 error = memread(vm, vcpuid, gpa, &val, opsize, arg);
859 vm_copyout(vm, vcpuid, &val, copyinfo, opsize);
860 vm_copy_teardown(vm, vcpuid, copyinfo, nitems(copyinfo));
863 * Case (4): read from and write to mmio.
865 * Commit to the MMIO read/write (with potential
866 * side-effects) only after we are sure that the
867 * instruction is not going to be restarted due
868 * to address translation faults.
870 error = vm_gla2gpa(vm, vcpuid, paging, srcaddr,
871 PROT_READ, &srcgpa, &fault);
875 error = vm_gla2gpa(vm, vcpuid, paging, dstaddr,
876 PROT_WRITE, &dstgpa, &fault);
880 error = memread(vm, vcpuid, srcgpa, &val, opsize, arg);
884 error = memwrite(vm, vcpuid, dstgpa, val, opsize, arg);
890 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RSI, &rsi);
891 KASSERT(error == 0, ("%s: error %d getting rsi", __func__, error));
893 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RDI, &rdi);
894 KASSERT(error == 0, ("%s: error %d getting rdi", __func__, error));
896 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
897 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
899 if (rflags & PSL_D) {
907 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RSI, rsi,
909 KASSERT(error == 0, ("%s: error %d updating rsi", __func__, error));
911 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RDI, rdi,
913 KASSERT(error == 0, ("%s: error %d updating rdi", __func__, error));
917 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RCX,
919 KASSERT(!error, ("%s: error %d updating rcx", __func__, error));
922 * Repeat the instruction if the count register is not zero.
924 if ((rcx & vie_size2mask(vie->addrsize)) != 0)
925 vm_restart_instruction(vm, vcpuid);
928 KASSERT(error == 0 || error == EFAULT, ("%s: unexpected error %d",
934 emulate_stos(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
935 struct vm_guest_paging *paging, mem_region_read_t memread,
936 mem_region_write_t memwrite, void *arg)
938 int error, opsize, repeat;
940 uint64_t rcx, rdi, rflags;
942 opsize = (vie->op.op_byte == 0xAA) ? 1 : vie->opsize;
943 repeat = vie->repz_present | vie->repnz_present;
946 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RCX, &rcx);
947 KASSERT(!error, ("%s: error %d getting rcx", __func__, error));
950 * The count register is %rcx, %ecx or %cx depending on the
951 * address size of the instruction.
953 if ((rcx & vie_size2mask(vie->addrsize)) == 0)
957 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RAX, &val);
958 KASSERT(!error, ("%s: error %d getting rax", __func__, error));
960 error = memwrite(vm, vcpuid, gpa, val, opsize, arg);
964 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RDI, &rdi);
965 KASSERT(error == 0, ("%s: error %d getting rdi", __func__, error));
967 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
968 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
975 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RDI, rdi,
977 KASSERT(error == 0, ("%s: error %d updating rdi", __func__, error));
981 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RCX,
983 KASSERT(!error, ("%s: error %d updating rcx", __func__, error));
986 * Repeat the instruction if the count register is not zero.
988 if ((rcx & vie_size2mask(vie->addrsize)) != 0)
989 vm_restart_instruction(vm, vcpuid);
996 emulate_and(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
997 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1000 enum vm_reg_name reg;
1001 uint64_t result, rflags, rflags2, val1, val2;
1006 switch (vie->op.op_byte) {
1009 * AND reg (ModRM:reg) and mem (ModRM:r/m) and store the
1012 * 23/r and r16, r/m16
1013 * 23/r and r32, r/m32
1014 * REX.W + 23/r and r64, r/m64
1017 /* get the first operand */
1018 reg = gpr_map[vie->reg];
1019 error = vie_read_register(vm, vcpuid, reg, &val1);
1023 /* get the second operand */
1024 error = memread(vm, vcpuid, gpa, &val2, size, arg);
1028 /* perform the operation and write the result */
1029 result = val1 & val2;
1030 error = vie_update_register(vm, vcpuid, reg, result, size);
1035 * AND mem (ModRM:r/m) with immediate and store the
1038 * 81 /4 and r/m16, imm16
1039 * 81 /4 and r/m32, imm32
1040 * REX.W + 81 /4 and r/m64, imm32 sign-extended to 64
1042 * 83 /4 and r/m16, imm8 sign-extended to 16
1043 * 83 /4 and r/m32, imm8 sign-extended to 32
1044 * REX.W + 83/4 and r/m64, imm8 sign-extended to 64
1047 /* get the first operand */
1048 error = memread(vm, vcpuid, gpa, &val1, size, arg);
1053 * perform the operation with the pre-fetched immediate
1054 * operand and write the result
1056 result = val1 & vie->immediate;
1057 error = memwrite(vm, vcpuid, gpa, result, size, arg);
1065 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1070 * OF and CF are cleared; the SF, ZF and PF flags are set according
1071 * to the result; AF is undefined.
1073 * The updated status flags are obtained by subtracting 0 from 'result'.
1075 rflags2 = getcc(size, result, 0);
1076 rflags &= ~RFLAGS_STATUS_BITS;
1077 rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N);
1079 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1084 emulate_or(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1085 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1088 enum vm_reg_name reg;
1089 uint64_t result, rflags, rflags2, val1, val2;
1094 switch (vie->op.op_byte) {
1097 * OR reg (ModRM:reg) and mem (ModRM:r/m) and store the
1100 * 0b/r or r16, r/m16
1101 * 0b/r or r32, r/m32
1102 * REX.W + 0b/r or r64, r/m64
1105 /* get the first operand */
1106 reg = gpr_map[vie->reg];
1107 error = vie_read_register(vm, vcpuid, reg, &val1);
1111 /* get the second operand */
1112 error = memread(vm, vcpuid, gpa, &val2, size, arg);
1116 /* perform the operation and write the result */
1117 result = val1 | val2;
1118 error = vie_update_register(vm, vcpuid, reg, result, size);
1123 * OR mem (ModRM:r/m) with immediate and store the
1126 * 81 /1 or r/m16, imm16
1127 * 81 /1 or r/m32, imm32
1128 * REX.W + 81 /1 or r/m64, imm32 sign-extended to 64
1130 * 83 /1 or r/m16, imm8 sign-extended to 16
1131 * 83 /1 or r/m32, imm8 sign-extended to 32
1132 * REX.W + 83/1 or r/m64, imm8 sign-extended to 64
1135 /* get the first operand */
1136 error = memread(vm, vcpuid, gpa, &val1, size, arg);
1141 * perform the operation with the pre-fetched immediate
1142 * operand and write the result
1144 result = val1 | vie->immediate;
1145 error = memwrite(vm, vcpuid, gpa, result, size, arg);
1153 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1158 * OF and CF are cleared; the SF, ZF and PF flags are set according
1159 * to the result; AF is undefined.
1161 * The updated status flags are obtained by subtracting 0 from 'result'.
1163 rflags2 = getcc(size, result, 0);
1164 rflags &= ~RFLAGS_STATUS_BITS;
1165 rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N);
1167 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1172 emulate_cmp(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1173 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1176 uint64_t regop, memop, op1, op2, rflags, rflags2;
1177 enum vm_reg_name reg;
1180 switch (vie->op.op_byte) {
1184 * 39/r CMP r/m16, r16
1185 * 39/r CMP r/m32, r32
1186 * REX.W 39/r CMP r/m64, r64
1188 * 3B/r CMP r16, r/m16
1189 * 3B/r CMP r32, r/m32
1190 * REX.W + 3B/r CMP r64, r/m64
1192 * Compare the first operand with the second operand and
1193 * set status flags in EFLAGS register. The comparison is
1194 * performed by subtracting the second operand from the first
1195 * operand and then setting the status flags.
1198 /* Get the register operand */
1199 reg = gpr_map[vie->reg];
1200 error = vie_read_register(vm, vcpuid, reg, ®op);
1204 /* Get the memory operand */
1205 error = memread(vm, vcpuid, gpa, &memop, size, arg);
1209 if (vie->op.op_byte == 0x3B) {
1216 rflags2 = getcc(size, op1, op2);
1222 * 80 /7 cmp r/m8, imm8
1223 * REX + 80 /7 cmp r/m8, imm8
1225 * 81 /7 cmp r/m16, imm16
1226 * 81 /7 cmp r/m32, imm32
1227 * REX.W + 81 /7 cmp r/m64, imm32 sign-extended to 64
1229 * 83 /7 cmp r/m16, imm8 sign-extended to 16
1230 * 83 /7 cmp r/m32, imm8 sign-extended to 32
1231 * REX.W + 83 /7 cmp r/m64, imm8 sign-extended to 64
1233 * Compare mem (ModRM:r/m) with immediate and set
1234 * status flags according to the results. The
1235 * comparison is performed by subtracting the
1236 * immediate from the first operand and then setting
1240 if (vie->op.op_byte == 0x80)
1243 /* get the first operand */
1244 error = memread(vm, vcpuid, gpa, &op1, size, arg);
1248 rflags2 = getcc(size, op1, vie->immediate);
1253 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1256 rflags &= ~RFLAGS_STATUS_BITS;
1257 rflags |= rflags2 & RFLAGS_STATUS_BITS;
1259 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1264 emulate_test(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1265 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1268 uint64_t op1, rflags, rflags2;
1273 switch (vie->op.op_byte) {
1276 * F7 /0 test r/m16, imm16
1277 * F7 /0 test r/m32, imm32
1278 * REX.W + F7 /0 test r/m64, imm32 sign-extended to 64
1280 * Test mem (ModRM:r/m) with immediate and set status
1281 * flags according to the results. The comparison is
1282 * performed by anding the immediate from the first
1283 * operand and then setting the status flags.
1285 if ((vie->reg & 7) != 0)
1288 error = memread(vm, vcpuid, gpa, &op1, size, arg);
1292 rflags2 = getandflags(size, op1, vie->immediate);
1297 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1302 * OF and CF are cleared; the SF, ZF and PF flags are set according
1303 * to the result; AF is undefined.
1305 rflags &= ~RFLAGS_STATUS_BITS;
1306 rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N);
1308 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1313 emulate_add(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1314 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1317 uint64_t nval, rflags, rflags2, val1, val2;
1318 enum vm_reg_name reg;
1323 switch (vie->op.op_byte) {
1326 * ADD r/m to r and store the result in r
1328 * 03/r ADD r16, r/m16
1329 * 03/r ADD r32, r/m32
1330 * REX.W + 03/r ADD r64, r/m64
1333 /* get the first operand */
1334 reg = gpr_map[vie->reg];
1335 error = vie_read_register(vm, vcpuid, reg, &val1);
1339 /* get the second operand */
1340 error = memread(vm, vcpuid, gpa, &val2, size, arg);
1344 /* perform the operation and write the result */
1346 error = vie_update_register(vm, vcpuid, reg, nval, size);
1353 rflags2 = getaddflags(size, val1, val2);
1354 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
1359 rflags &= ~RFLAGS_STATUS_BITS;
1360 rflags |= rflags2 & RFLAGS_STATUS_BITS;
1361 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
1369 emulate_sub(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1370 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1373 uint64_t nval, rflags, rflags2, val1, val2;
1374 enum vm_reg_name reg;
1379 switch (vie->op.op_byte) {
1382 * SUB r/m from r and store the result in r
1384 * 2B/r SUB r16, r/m16
1385 * 2B/r SUB r32, r/m32
1386 * REX.W + 2B/r SUB r64, r/m64
1389 /* get the first operand */
1390 reg = gpr_map[vie->reg];
1391 error = vie_read_register(vm, vcpuid, reg, &val1);
1395 /* get the second operand */
1396 error = memread(vm, vcpuid, gpa, &val2, size, arg);
1400 /* perform the operation and write the result */
1402 error = vie_update_register(vm, vcpuid, reg, nval, size);
1409 rflags2 = getcc(size, val1, val2);
1410 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
1415 rflags &= ~RFLAGS_STATUS_BITS;
1416 rflags |= rflags2 & RFLAGS_STATUS_BITS;
1417 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
1425 emulate_stack_op(void *vm, int vcpuid, uint64_t mmio_gpa, struct vie *vie,
1426 struct vm_guest_paging *paging, mem_region_read_t memread,
1427 mem_region_write_t memwrite, void *arg)
1430 struct vm_copyinfo copyinfo[2];
1432 struct iovec copyinfo[2];
1434 struct seg_desc ss_desc;
1435 uint64_t cr0, rflags, rsp, stack_gla, val;
1436 int error, fault, size, stackaddrsize, pushop;
1440 pushop = (vie->op.op_type == VIE_OP_TYPE_PUSH) ? 1 : 0;
1443 * From "Address-Size Attributes for Stack Accesses", Intel SDL, Vol 1
1445 if (paging->cpu_mode == CPU_MODE_REAL) {
1447 } else if (paging->cpu_mode == CPU_MODE_64BIT) {
1449 * "Stack Manipulation Instructions in 64-bit Mode", SDM, Vol 3
1450 * - Stack pointer size is always 64-bits.
1451 * - PUSH/POP of 32-bit values is not possible in 64-bit mode.
1452 * - 16-bit PUSH/POP is supported by using the operand size
1453 * override prefix (66H).
1456 size = vie->opsize_override ? 2 : 8;
1459 * In protected or compatibility mode the 'B' flag in the
1460 * stack-segment descriptor determines the size of the
1463 error = vm_get_seg_desc(vm, vcpuid, VM_REG_GUEST_SS, &ss_desc);
1464 KASSERT(error == 0, ("%s: error %d getting SS descriptor",
1466 if (SEG_DESC_DEF32(ss_desc.access))
1472 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_CR0, &cr0);
1473 KASSERT(error == 0, ("%s: error %d getting cr0", __func__, error));
1475 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1476 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
1478 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RSP, &rsp);
1479 KASSERT(error == 0, ("%s: error %d getting rsp", __func__, error));
1484 if (vie_calculate_gla(paging->cpu_mode, VM_REG_GUEST_SS, &ss_desc,
1485 rsp, size, stackaddrsize, pushop ? PROT_WRITE : PROT_READ,
1487 vm_inject_ss(vm, vcpuid, 0);
1491 if (vie_canonical_check(paging->cpu_mode, stack_gla)) {
1492 vm_inject_ss(vm, vcpuid, 0);
1496 if (vie_alignment_check(paging->cpl, size, cr0, rflags, stack_gla)) {
1497 vm_inject_ac(vm, vcpuid, 0);
1501 error = vm_copy_setup(vm, vcpuid, paging, stack_gla, size,
1502 pushop ? PROT_WRITE : PROT_READ, copyinfo, nitems(copyinfo),
1508 error = memread(vm, vcpuid, mmio_gpa, &val, size, arg);
1510 vm_copyout(vm, vcpuid, &val, copyinfo, size);
1512 vm_copyin(vm, vcpuid, copyinfo, &val, size);
1513 error = memwrite(vm, vcpuid, mmio_gpa, val, size, arg);
1516 vm_copy_teardown(vm, vcpuid, copyinfo, nitems(copyinfo));
1519 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RSP, rsp,
1521 KASSERT(error == 0, ("error %d updating rsp", error));
1527 emulate_push(void *vm, int vcpuid, uint64_t mmio_gpa, struct vie *vie,
1528 struct vm_guest_paging *paging, mem_region_read_t memread,
1529 mem_region_write_t memwrite, void *arg)
1534 * Table A-6, "Opcode Extensions", Intel SDM, Vol 2.
1536 * PUSH is part of the group 5 extended opcodes and is identified
1537 * by ModRM:reg = b110.
1539 if ((vie->reg & 7) != 6)
1542 error = emulate_stack_op(vm, vcpuid, mmio_gpa, vie, paging, memread,
1548 emulate_pop(void *vm, int vcpuid, uint64_t mmio_gpa, struct vie *vie,
1549 struct vm_guest_paging *paging, mem_region_read_t memread,
1550 mem_region_write_t memwrite, void *arg)
1555 * Table A-6, "Opcode Extensions", Intel SDM, Vol 2.
1557 * POP is part of the group 1A extended opcodes and is identified
1558 * by ModRM:reg = b000.
1560 if ((vie->reg & 7) != 0)
1563 error = emulate_stack_op(vm, vcpuid, mmio_gpa, vie, paging, memread,
1569 emulate_group1(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1570 struct vm_guest_paging *paging, mem_region_read_t memread,
1571 mem_region_write_t memwrite, void *memarg)
1575 switch (vie->reg & 7) {
1577 error = emulate_or(vm, vcpuid, gpa, vie,
1578 memread, memwrite, memarg);
1581 error = emulate_and(vm, vcpuid, gpa, vie,
1582 memread, memwrite, memarg);
1585 error = emulate_cmp(vm, vcpuid, gpa, vie,
1586 memread, memwrite, memarg);
1597 emulate_bittest(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1598 mem_region_read_t memread, mem_region_write_t memwrite, void *memarg)
1600 uint64_t val, rflags;
1601 int error, bitmask, bitoff;
1604 * 0F BA is a Group 8 extended opcode.
1606 * Currently we only emulate the 'Bit Test' instruction which is
1607 * identified by a ModR/M:reg encoding of 100b.
1609 if ((vie->reg & 7) != 4)
1612 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1613 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
1615 error = memread(vm, vcpuid, gpa, &val, vie->opsize, memarg);
1620 * Intel SDM, Vol 2, Table 3-2:
1621 * "Range of Bit Positions Specified by Bit Offset Operands"
1623 bitmask = vie->opsize * 8 - 1;
1624 bitoff = vie->immediate & bitmask;
1626 /* Copy the bit into the Carry flag in %rflags */
1627 if (val & (1UL << bitoff))
1632 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1633 KASSERT(error == 0, ("%s: error %d updating rflags", __func__, error));
1639 emulate_twob_group15(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1640 mem_region_read_t memread, mem_region_write_t memwrite, void *memarg)
1645 switch (vie->reg & 7) {
1646 case 0x7: /* CLFLUSH, CLFLUSHOPT, and SFENCE */
1647 if (vie->mod == 0x3) {
1649 * SFENCE. Ignore it, VM exit provides enough
1650 * barriers on its own.
1655 * CLFLUSH, CLFLUSHOPT. Only check for access
1658 error = memread(vm, vcpuid, gpa, &buf, 1, memarg);
1670 vmm_emulate_instruction(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1671 struct vm_guest_paging *paging, mem_region_read_t memread,
1672 mem_region_write_t memwrite, void *memarg)
1679 switch (vie->op.op_type) {
1680 case VIE_OP_TYPE_GROUP1:
1681 error = emulate_group1(vm, vcpuid, gpa, vie, paging, memread,
1684 case VIE_OP_TYPE_POP:
1685 error = emulate_pop(vm, vcpuid, gpa, vie, paging, memread,
1688 case VIE_OP_TYPE_PUSH:
1689 error = emulate_push(vm, vcpuid, gpa, vie, paging, memread,
1692 case VIE_OP_TYPE_CMP:
1693 error = emulate_cmp(vm, vcpuid, gpa, vie,
1694 memread, memwrite, memarg);
1696 case VIE_OP_TYPE_MOV:
1697 error = emulate_mov(vm, vcpuid, gpa, vie,
1698 memread, memwrite, memarg);
1700 case VIE_OP_TYPE_MOVSX:
1701 case VIE_OP_TYPE_MOVZX:
1702 error = emulate_movx(vm, vcpuid, gpa, vie,
1703 memread, memwrite, memarg);
1705 case VIE_OP_TYPE_MOVS:
1706 error = emulate_movs(vm, vcpuid, gpa, vie, paging, memread,
1709 case VIE_OP_TYPE_STOS:
1710 error = emulate_stos(vm, vcpuid, gpa, vie, paging, memread,
1713 case VIE_OP_TYPE_AND:
1714 error = emulate_and(vm, vcpuid, gpa, vie,
1715 memread, memwrite, memarg);
1717 case VIE_OP_TYPE_OR:
1718 error = emulate_or(vm, vcpuid, gpa, vie,
1719 memread, memwrite, memarg);
1721 case VIE_OP_TYPE_SUB:
1722 error = emulate_sub(vm, vcpuid, gpa, vie,
1723 memread, memwrite, memarg);
1725 case VIE_OP_TYPE_BITTEST:
1726 error = emulate_bittest(vm, vcpuid, gpa, vie,
1727 memread, memwrite, memarg);
1729 case VIE_OP_TYPE_TWOB_GRP15:
1730 error = emulate_twob_group15(vm, vcpuid, gpa, vie,
1731 memread, memwrite, memarg);
1733 case VIE_OP_TYPE_ADD:
1734 error = emulate_add(vm, vcpuid, gpa, vie, memread,
1737 case VIE_OP_TYPE_TEST:
1738 error = emulate_test(vm, vcpuid, gpa, vie,
1739 memread, memwrite, memarg);
1750 vie_alignment_check(int cpl, int size, uint64_t cr0, uint64_t rf, uint64_t gla)
1752 KASSERT(size == 1 || size == 2 || size == 4 || size == 8,
1753 ("%s: invalid size %d", __func__, size));
1754 KASSERT(cpl >= 0 && cpl <= 3, ("%s: invalid cpl %d", __func__, cpl));
1756 if (cpl != 3 || (cr0 & CR0_AM) == 0 || (rf & PSL_AC) == 0)
1759 return ((gla & (size - 1)) ? 1 : 0);
1763 vie_canonical_check(enum vm_cpu_mode cpu_mode, uint64_t gla)
1767 if (cpu_mode != CPU_MODE_64BIT)
1771 * The value of the bit 47 in the 'gla' should be replicated in the
1772 * most significant 16 bits.
1774 mask = ~((1UL << 48) - 1);
1775 if (gla & (1UL << 47))
1776 return ((gla & mask) != mask);
1778 return ((gla & mask) != 0);
1782 vie_size2mask(int size)
1784 KASSERT(size == 1 || size == 2 || size == 4 || size == 8,
1785 ("vie_size2mask: invalid size %d", size));
1786 return (size2mask[size]);
1790 vie_calculate_gla(enum vm_cpu_mode cpu_mode, enum vm_reg_name seg,
1791 struct seg_desc *desc, uint64_t offset, int length, int addrsize,
1792 int prot, uint64_t *gla)
1794 uint64_t firstoff, low_limit, high_limit, segbase;
1797 KASSERT(seg >= VM_REG_GUEST_ES && seg <= VM_REG_GUEST_GS,
1798 ("%s: invalid segment %d", __func__, seg));
1799 KASSERT(length == 1 || length == 2 || length == 4 || length == 8,
1800 ("%s: invalid operand size %d", __func__, length));
1801 KASSERT((prot & ~(PROT_READ | PROT_WRITE)) == 0,
1802 ("%s: invalid prot %#x", __func__, prot));
1805 if (cpu_mode == CPU_MODE_64BIT) {
1806 KASSERT(addrsize == 4 || addrsize == 8, ("%s: invalid address "
1807 "size %d for cpu_mode %d", __func__, addrsize, cpu_mode));
1810 KASSERT(addrsize == 2 || addrsize == 4, ("%s: invalid address "
1811 "size %d for cpu mode %d", __func__, addrsize, cpu_mode));
1814 * If the segment selector is loaded with a NULL selector
1815 * then the descriptor is unusable and attempting to use
1816 * it results in a #GP(0).
1818 if (SEG_DESC_UNUSABLE(desc->access))
1822 * The processor generates a #NP exception when a segment
1823 * register is loaded with a selector that points to a
1824 * descriptor that is not present. If this was the case then
1825 * it would have been checked before the VM-exit.
1827 KASSERT(SEG_DESC_PRESENT(desc->access),
1828 ("segment %d not present: %#x", seg, desc->access));
1831 * The descriptor type must indicate a code/data segment.
1833 type = SEG_DESC_TYPE(desc->access);
1834 KASSERT(type >= 16 && type <= 31, ("segment %d has invalid "
1835 "descriptor type %#x", seg, type));
1837 if (prot & PROT_READ) {
1838 /* #GP on a read access to a exec-only code segment */
1839 if ((type & 0xA) == 0x8)
1843 if (prot & PROT_WRITE) {
1845 * #GP on a write access to a code segment or a
1846 * read-only data segment.
1848 if (type & 0x8) /* code segment */
1851 if ((type & 0xA) == 0) /* read-only data seg */
1856 * 'desc->limit' is fully expanded taking granularity into
1859 if ((type & 0xC) == 0x4) {
1860 /* expand-down data segment */
1861 low_limit = desc->limit + 1;
1862 high_limit = SEG_DESC_DEF32(desc->access) ?
1863 0xffffffff : 0xffff;
1865 /* code segment or expand-up data segment */
1867 high_limit = desc->limit;
1870 while (length > 0) {
1871 offset &= vie_size2mask(addrsize);
1872 if (offset < low_limit || offset > high_limit)
1880 * In 64-bit mode all segments except %fs and %gs have a segment
1881 * base address of 0.
1883 if (cpu_mode == CPU_MODE_64BIT && seg != VM_REG_GUEST_FS &&
1884 seg != VM_REG_GUEST_GS) {
1887 segbase = desc->base;
1891 * Truncate 'firstoff' to the effective address size before adding
1892 * it to the segment base.
1894 firstoff &= vie_size2mask(addrsize);
1895 *gla = (segbase + firstoff) & vie_size2mask(glasize);
1901 vie_init(struct vie *vie, const char *inst_bytes, int inst_length)
1903 KASSERT(inst_length >= 0 && inst_length <= VIE_INST_SIZE,
1904 ("%s: invalid instruction length (%d)", __func__, inst_length));
1906 bzero(vie, sizeof(struct vie));
1908 vie->base_register = VM_REG_LAST;
1909 vie->index_register = VM_REG_LAST;
1910 vie->segment_register = VM_REG_LAST;
1913 bcopy(inst_bytes, vie->inst, inst_length);
1914 vie->num_valid = inst_length;
1919 pf_error_code(int usermode, int prot, int rsvd, uint64_t pte)
1924 error_code |= PGEX_P;
1925 if (prot & VM_PROT_WRITE)
1926 error_code |= PGEX_W;
1928 error_code |= PGEX_U;
1930 error_code |= PGEX_RSV;
1931 if (prot & VM_PROT_EXECUTE)
1932 error_code |= PGEX_I;
1934 return (error_code);
1938 ptp_release(void **cookie)
1940 if (*cookie != NULL) {
1941 vm_gpa_release(*cookie);
1947 ptp_hold(struct vm *vm, int vcpu, vm_paddr_t ptpphys, size_t len, void **cookie)
1951 ptp_release(cookie);
1952 ptr = vm_gpa_hold(vm, vcpu, ptpphys, len, VM_PROT_RW, cookie);
1957 _vm_gla2gpa(struct vm *vm, int vcpuid, struct vm_guest_paging *paging,
1958 uint64_t gla, int prot, uint64_t *gpa, int *guest_fault, bool check_only)
1960 int nlevels, pfcode, ptpshift, ptpindex, retval, usermode, writable;
1962 uint64_t *ptpbase, ptpphys, pte, pgsize;
1963 uint32_t *ptpbase32, pte32;
1968 usermode = (paging->cpl == 3 ? 1 : 0);
1969 writable = prot & VM_PROT_WRITE;
1974 ptpphys = paging->cr3; /* root of the page tables */
1975 ptp_release(&cookie);
1979 if (vie_canonical_check(paging->cpu_mode, gla)) {
1981 * XXX assuming a non-stack reference otherwise a stack fault
1982 * should be generated.
1985 vm_inject_gp(vm, vcpuid);
1989 if (paging->paging_mode == PAGING_MODE_FLAT) {
1994 if (paging->paging_mode == PAGING_MODE_32) {
1996 while (--nlevels >= 0) {
1997 /* Zero out the lower 12 bits. */
2000 ptpbase32 = ptp_hold(vm, vcpuid, ptpphys, PAGE_SIZE,
2003 if (ptpbase32 == NULL)
2006 ptpshift = PAGE_SHIFT + nlevels * 10;
2007 ptpindex = (gla >> ptpshift) & 0x3FF;
2008 pgsize = 1UL << ptpshift;
2010 pte32 = ptpbase32[ptpindex];
2012 if ((pte32 & PG_V) == 0 ||
2013 (usermode && (pte32 & PG_U) == 0) ||
2014 (writable && (pte32 & PG_RW) == 0)) {
2016 pfcode = pf_error_code(usermode, prot, 0,
2018 vm_inject_pf(vm, vcpuid, pfcode, gla);
2024 * Emulate the x86 MMU's management of the accessed
2025 * and dirty flags. While the accessed flag is set
2026 * at every level of the page table, the dirty flag
2027 * is only set at the last level providing the guest
2030 if (!check_only && (pte32 & PG_A) == 0) {
2031 if (atomic_cmpset_32(&ptpbase32[ptpindex],
2032 pte32, pte32 | PG_A) == 0) {
2037 /* XXX must be ignored if CR4.PSE=0 */
2038 if (nlevels > 0 && (pte32 & PG_PS) != 0)
2044 /* Set the dirty bit in the page table entry if necessary */
2045 if (!check_only && writable && (pte32 & PG_M) == 0) {
2046 if (atomic_cmpset_32(&ptpbase32[ptpindex],
2047 pte32, pte32 | PG_M) == 0) {
2052 /* Zero out the lower 'ptpshift' bits */
2053 pte32 >>= ptpshift; pte32 <<= ptpshift;
2054 *gpa = pte32 | (gla & (pgsize - 1));
2058 if (paging->paging_mode == PAGING_MODE_PAE) {
2059 /* Zero out the lower 5 bits and the upper 32 bits */
2060 ptpphys &= 0xffffffe0UL;
2062 ptpbase = ptp_hold(vm, vcpuid, ptpphys, sizeof(*ptpbase) * 4,
2064 if (ptpbase == NULL)
2067 ptpindex = (gla >> 30) & 0x3;
2069 pte = ptpbase[ptpindex];
2071 if ((pte & PG_V) == 0) {
2073 pfcode = pf_error_code(usermode, prot, 0, pte);
2074 vm_inject_pf(vm, vcpuid, pfcode, gla);
2084 while (--nlevels >= 0) {
2085 /* Zero out the lower 12 bits and the upper 12 bits */
2086 ptpphys >>= 12; ptpphys <<= 24; ptpphys >>= 12;
2088 ptpbase = ptp_hold(vm, vcpuid, ptpphys, PAGE_SIZE, &cookie);
2089 if (ptpbase == NULL)
2092 ptpshift = PAGE_SHIFT + nlevels * 9;
2093 ptpindex = (gla >> ptpshift) & 0x1FF;
2094 pgsize = 1UL << ptpshift;
2096 pte = ptpbase[ptpindex];
2098 if ((pte & PG_V) == 0 ||
2099 (usermode && (pte & PG_U) == 0) ||
2100 (writable && (pte & PG_RW) == 0)) {
2102 pfcode = pf_error_code(usermode, prot, 0, pte);
2103 vm_inject_pf(vm, vcpuid, pfcode, gla);
2108 /* Set the accessed bit in the page table entry */
2109 if (!check_only && (pte & PG_A) == 0) {
2110 if (atomic_cmpset_64(&ptpbase[ptpindex],
2111 pte, pte | PG_A) == 0) {
2116 if (nlevels > 0 && (pte & PG_PS) != 0) {
2117 if (pgsize > 1 * GB) {
2119 pfcode = pf_error_code(usermode, prot, 1,
2121 vm_inject_pf(vm, vcpuid, pfcode, gla);
2131 /* Set the dirty bit in the page table entry if necessary */
2132 if (!check_only && writable && (pte & PG_M) == 0) {
2133 if (atomic_cmpset_64(&ptpbase[ptpindex], pte, pte | PG_M) == 0)
2137 /* Zero out the lower 'ptpshift' bits and the upper 12 bits */
2138 pte >>= ptpshift; pte <<= (ptpshift + 12); pte >>= 12;
2139 *gpa = pte | (gla & (pgsize - 1));
2141 ptp_release(&cookie);
2142 KASSERT(retval == 0 || retval == EFAULT, ("%s: unexpected retval %d",
2154 vm_gla2gpa(struct vm *vm, int vcpuid, struct vm_guest_paging *paging,
2155 uint64_t gla, int prot, uint64_t *gpa, int *guest_fault)
2158 return (_vm_gla2gpa(vm, vcpuid, paging, gla, prot, gpa, guest_fault,
2163 vm_gla2gpa_nofault(struct vm *vm, int vcpuid, struct vm_guest_paging *paging,
2164 uint64_t gla, int prot, uint64_t *gpa, int *guest_fault)
2167 return (_vm_gla2gpa(vm, vcpuid, paging, gla, prot, gpa, guest_fault,
2172 vmm_fetch_instruction(struct vm *vm, int vcpuid, struct vm_guest_paging *paging,
2173 uint64_t rip, int inst_length, struct vie *vie, int *faultptr)
2175 struct vm_copyinfo copyinfo[2];
2178 if (inst_length > VIE_INST_SIZE)
2179 panic("vmm_fetch_instruction: invalid length %d", inst_length);
2181 prot = PROT_READ | PROT_EXEC;
2182 error = vm_copy_setup(vm, vcpuid, paging, rip, inst_length, prot,
2183 copyinfo, nitems(copyinfo), faultptr);
2184 if (error || *faultptr)
2187 vm_copyin(vm, vcpuid, copyinfo, vie->inst, inst_length);
2188 vm_copy_teardown(vm, vcpuid, copyinfo, nitems(copyinfo));
2189 vie->num_valid = inst_length;
2194 vie_peek(struct vie *vie, uint8_t *x)
2197 if (vie->num_processed < vie->num_valid) {
2198 *x = vie->inst[vie->num_processed];
2205 vie_advance(struct vie *vie)
2208 vie->num_processed++;
2212 segment_override(uint8_t x, int *seg)
2217 *seg = VM_REG_GUEST_CS;
2220 *seg = VM_REG_GUEST_SS;
2223 *seg = VM_REG_GUEST_DS;
2226 *seg = VM_REG_GUEST_ES;
2229 *seg = VM_REG_GUEST_FS;
2232 *seg = VM_REG_GUEST_GS;
2241 decode_prefixes(struct vie *vie, enum vm_cpu_mode cpu_mode, int cs_d)
2246 if (vie_peek(vie, &x))
2250 vie->opsize_override = 1;
2252 vie->addrsize_override = 1;
2254 vie->repz_present = 1;
2256 vie->repnz_present = 1;
2257 else if (segment_override(x, &vie->segment_register))
2258 vie->segment_override = 1;
2266 * From section 2.2.1, "REX Prefixes", Intel SDM Vol 2:
2267 * - Only one REX prefix is allowed per instruction.
2268 * - The REX prefix must immediately precede the opcode byte or the
2269 * escape opcode byte.
2270 * - If an instruction has a mandatory prefix (0x66, 0xF2 or 0xF3)
2271 * the mandatory prefix must come before the REX prefix.
2273 if (cpu_mode == CPU_MODE_64BIT && x >= 0x40 && x <= 0x4F) {
2274 vie->rex_present = 1;
2275 vie->rex_w = x & 0x8 ? 1 : 0;
2276 vie->rex_r = x & 0x4 ? 1 : 0;
2277 vie->rex_x = x & 0x2 ? 1 : 0;
2278 vie->rex_b = x & 0x1 ? 1 : 0;
2283 * Section "Operand-Size And Address-Size Attributes", Intel SDM, Vol 1
2285 if (cpu_mode == CPU_MODE_64BIT) {
2287 * Default address size is 64-bits and default operand size
2290 vie->addrsize = vie->addrsize_override ? 4 : 8;
2293 else if (vie->opsize_override)
2298 /* Default address and operand sizes are 32-bits */
2299 vie->addrsize = vie->addrsize_override ? 2 : 4;
2300 vie->opsize = vie->opsize_override ? 2 : 4;
2302 /* Default address and operand sizes are 16-bits */
2303 vie->addrsize = vie->addrsize_override ? 4 : 2;
2304 vie->opsize = vie->opsize_override ? 4 : 2;
2310 decode_two_byte_opcode(struct vie *vie)
2314 if (vie_peek(vie, &x))
2317 vie->op = two_byte_opcodes[x];
2319 if (vie->op.op_type == VIE_OP_TYPE_NONE)
2327 decode_opcode(struct vie *vie)
2331 if (vie_peek(vie, &x))
2334 vie->op = one_byte_opcodes[x];
2336 if (vie->op.op_type == VIE_OP_TYPE_NONE)
2341 if (vie->op.op_type == VIE_OP_TYPE_TWO_BYTE)
2342 return (decode_two_byte_opcode(vie));
2348 decode_modrm(struct vie *vie, enum vm_cpu_mode cpu_mode)
2352 if (vie->op.op_flags & VIE_OP_F_NO_MODRM)
2355 if (cpu_mode == CPU_MODE_REAL)
2358 if (vie_peek(vie, &x))
2361 vie->mod = (x >> 6) & 0x3;
2362 vie->rm = (x >> 0) & 0x7;
2363 vie->reg = (x >> 3) & 0x7;
2366 * A direct addressing mode makes no sense in the context of an EPT
2367 * fault. There has to be a memory access involved to cause the
2370 if (vie->mod == VIE_MOD_DIRECT)
2373 if ((vie->mod == VIE_MOD_INDIRECT && vie->rm == VIE_RM_DISP32) ||
2374 (vie->mod != VIE_MOD_DIRECT && vie->rm == VIE_RM_SIB)) {
2376 * Table 2-5: Special Cases of REX Encodings
2378 * mod=0, r/m=5 is used in the compatibility mode to
2379 * indicate a disp32 without a base register.
2381 * mod!=3, r/m=4 is used in the compatibility mode to
2382 * indicate that the SIB byte is present.
2384 * The 'b' bit in the REX prefix is don't care in
2388 vie->rm |= (vie->rex_b << 3);
2391 vie->reg |= (vie->rex_r << 3);
2394 if (vie->mod != VIE_MOD_DIRECT && vie->rm == VIE_RM_SIB)
2397 vie->base_register = gpr_map[vie->rm];
2400 case VIE_MOD_INDIRECT_DISP8:
2401 vie->disp_bytes = 1;
2403 case VIE_MOD_INDIRECT_DISP32:
2404 vie->disp_bytes = 4;
2406 case VIE_MOD_INDIRECT:
2407 if (vie->rm == VIE_RM_DISP32) {
2408 vie->disp_bytes = 4;
2410 * Table 2-7. RIP-Relative Addressing
2412 * In 64-bit mode mod=00 r/m=101 implies [rip] + disp32
2413 * whereas in compatibility mode it just implies disp32.
2416 if (cpu_mode == CPU_MODE_64BIT)
2417 vie->base_register = VM_REG_GUEST_RIP;
2419 vie->base_register = VM_REG_LAST;
2431 decode_sib(struct vie *vie)
2435 /* Proceed only if SIB byte is present */
2436 if (vie->mod == VIE_MOD_DIRECT || vie->rm != VIE_RM_SIB)
2439 if (vie_peek(vie, &x))
2442 /* De-construct the SIB byte */
2443 vie->ss = (x >> 6) & 0x3;
2444 vie->index = (x >> 3) & 0x7;
2445 vie->base = (x >> 0) & 0x7;
2447 /* Apply the REX prefix modifiers */
2448 vie->index |= vie->rex_x << 3;
2449 vie->base |= vie->rex_b << 3;
2452 case VIE_MOD_INDIRECT_DISP8:
2453 vie->disp_bytes = 1;
2455 case VIE_MOD_INDIRECT_DISP32:
2456 vie->disp_bytes = 4;
2460 if (vie->mod == VIE_MOD_INDIRECT &&
2461 (vie->base == 5 || vie->base == 13)) {
2463 * Special case when base register is unused if mod = 0
2464 * and base = %rbp or %r13.
2467 * Table 2-3: 32-bit Addressing Forms with the SIB Byte
2468 * Table 2-5: Special Cases of REX Encodings
2470 vie->disp_bytes = 4;
2472 vie->base_register = gpr_map[vie->base];
2476 * All encodings of 'index' are valid except for %rsp (4).
2479 * Table 2-3: 32-bit Addressing Forms with the SIB Byte
2480 * Table 2-5: Special Cases of REX Encodings
2482 if (vie->index != 4)
2483 vie->index_register = gpr_map[vie->index];
2485 /* 'scale' makes sense only in the context of an index register */
2486 if (vie->index_register < VM_REG_LAST)
2487 vie->scale = 1 << vie->ss;
2495 decode_displacement(struct vie *vie)
2506 if ((n = vie->disp_bytes) == 0)
2509 if (n != 1 && n != 4)
2510 panic("decode_displacement: invalid disp_bytes %d", n);
2512 for (i = 0; i < n; i++) {
2513 if (vie_peek(vie, &x))
2521 vie->displacement = u.signed8; /* sign-extended */
2523 vie->displacement = u.signed32; /* sign-extended */
2529 decode_immediate(struct vie *vie)
2540 /* Figure out immediate operand size (if any) */
2541 if (vie->op.op_flags & VIE_OP_F_IMM) {
2543 * Section 2.2.1.5 "Immediates", Intel SDM:
2544 * In 64-bit mode the typical size of immediate operands
2545 * remains 32-bits. When the operand size if 64-bits, the
2546 * processor sign-extends all immediates to 64-bits prior
2549 if (vie->opsize == 4 || vie->opsize == 8)
2553 } else if (vie->op.op_flags & VIE_OP_F_IMM8) {
2557 if ((n = vie->imm_bytes) == 0)
2560 KASSERT(n == 1 || n == 2 || n == 4,
2561 ("%s: invalid number of immediate bytes: %d", __func__, n));
2563 for (i = 0; i < n; i++) {
2564 if (vie_peek(vie, &x))
2571 /* sign-extend the immediate value before use */
2573 vie->immediate = u.signed8;
2575 vie->immediate = u.signed16;
2577 vie->immediate = u.signed32;
2583 decode_moffset(struct vie *vie)
2592 if ((vie->op.op_flags & VIE_OP_F_MOFFSET) == 0)
2596 * Section 2.2.1.4, "Direct Memory-Offset MOVs", Intel SDM:
2597 * The memory offset size follows the address-size of the instruction.
2600 KASSERT(n == 2 || n == 4 || n == 8, ("invalid moffset bytes: %d", n));
2603 for (i = 0; i < n; i++) {
2604 if (vie_peek(vie, &x))
2610 vie->displacement = u.u64;
2615 * Verify that the 'guest linear address' provided as collateral of the nested
2616 * page table fault matches with our instruction decoding.
2619 verify_gla(struct vm *vm, int cpuid, uint64_t gla, struct vie *vie,
2620 enum vm_cpu_mode cpu_mode)
2623 uint64_t base, segbase, idx, gla2;
2624 enum vm_reg_name seg;
2625 struct seg_desc desc;
2627 /* Skip 'gla' verification */
2628 if (gla == VIE_INVALID_GLA)
2632 if (vie->base_register != VM_REG_LAST) {
2633 error = vm_get_register(vm, cpuid, vie->base_register, &base);
2635 printf("verify_gla: error %d getting base reg %d\n",
2636 error, vie->base_register);
2641 * RIP-relative addressing starts from the following
2644 if (vie->base_register == VM_REG_GUEST_RIP)
2645 base += vie->num_processed;
2649 if (vie->index_register != VM_REG_LAST) {
2650 error = vm_get_register(vm, cpuid, vie->index_register, &idx);
2652 printf("verify_gla: error %d getting index reg %d\n",
2653 error, vie->index_register);
2659 * From "Specifying a Segment Selector", Intel SDM, Vol 1
2661 * In 64-bit mode, segmentation is generally (but not
2662 * completely) disabled. The exceptions are the FS and GS
2665 * In legacy IA-32 mode, when the ESP or EBP register is used
2666 * as the base, the SS segment is the default segment. For
2667 * other data references, except when relative to stack or
2668 * string destination the DS segment is the default. These
2669 * can be overridden to allow other segments to be accessed.
2671 if (vie->segment_override)
2672 seg = vie->segment_register;
2673 else if (vie->base_register == VM_REG_GUEST_RSP ||
2674 vie->base_register == VM_REG_GUEST_RBP)
2675 seg = VM_REG_GUEST_SS;
2677 seg = VM_REG_GUEST_DS;
2678 if (cpu_mode == CPU_MODE_64BIT && seg != VM_REG_GUEST_FS &&
2679 seg != VM_REG_GUEST_GS) {
2682 error = vm_get_seg_desc(vm, cpuid, seg, &desc);
2684 printf("verify_gla: error %d getting segment"
2685 " descriptor %d", error,
2686 vie->segment_register);
2689 segbase = desc.base;
2692 gla2 = segbase + base + vie->scale * idx + vie->displacement;
2693 gla2 &= size2mask[vie->addrsize];
2695 printf("verify_gla mismatch: segbase(0x%0lx)"
2696 "base(0x%0lx), scale(%d), index(0x%0lx), "
2697 "disp(0x%0lx), gla(0x%0lx), gla2(0x%0lx)\n",
2698 segbase, base, vie->scale, idx, vie->displacement,
2707 vmm_decode_instruction(struct vm *vm, int cpuid, uint64_t gla,
2708 enum vm_cpu_mode cpu_mode, int cs_d, struct vie *vie)
2711 if (decode_prefixes(vie, cpu_mode, cs_d))
2714 if (decode_opcode(vie))
2717 if (decode_modrm(vie, cpu_mode))
2720 if (decode_sib(vie))
2723 if (decode_displacement(vie))
2726 if (decode_immediate(vie))
2729 if (decode_moffset(vie))
2732 if ((vie->op.op_flags & VIE_OP_F_NO_GLA_VERIFICATION) == 0) {
2733 if (verify_gla(vm, cpuid, gla, vie, cpu_mode))
2737 vie->decoded = 1; /* success */
2741 #endif /* _KERNEL */
projects / FreeBSD / FreeBSD.git / blob