Trap and Emulate RDTSC Instructions

Trap and Emulate RDTSC Instructions

[Musa Ünal]

Hello all,
For an academic project we need to trap and emulate each RDTSC
instruction executed in a virtual machine. (Our main aim is to
calculate how many rdtsc instructions are executed in a virtual
machine.) Currently we can intercept each of them. But we have a
problem to give the correct tsc values (values are not stable). So we
don't want to mess up the rdtsc reads. We just need to count rdtscs.
Our current approach looks like this.

static int handle_rdtsc(struct kvm_vcpu *vcpu)
{
counter += 1;
vcpu->arch.regs[VCPU_REGS_RAX] = (rdtsc() - VM_EXIT_COS) & -1u;
vcpu->arch.regs[VCPU_REGS_RDX] = ((rdtsc() -  VM_EXIT_COST) >> 32) & -1u;
return skip_emulated_instruction(vcpu);

}

VM_EXIT_COST calculated by how many clock cycles are executed during
host to guest transition (for RDTSC exits only). Can KVM handle these
operations built-in or do you have any idea how we can achieve this?

Thanks a lot.

Re: Trap and Emulate RDTSC Instructions

[Jim Mattson]

On Sat, Dec 4, 2021 at 6:09 AM Musa Ünal <umusasadik@gmail.com> wrote:
>
> Hello all,
> For an academic project we need to trap and emulate each RDTSC
> instruction executed in a virtual machine. (Our main aim is to
> calculate how many rdtsc instructions are executed in a virtual
> machine.) Currently we can intercept each of them. But we have a
> problem to give the correct tsc values (values are not stable). So we
> don't want to mess up the rdtsc reads. We just need to count rdtscs.
> Our current approach looks like this.
>
> static int handle_rdtsc(struct kvm_vcpu *vcpu)
> {
> counter += 1;

Where is this counter? Shouldn't it be per-VCPU (or per-VM and
incremented atomically)?

> vcpu->arch.regs[VCPU_REGS_RAX] = (rdtsc() - VM_EXIT_COS) & -1u;
> vcpu->arch.regs[VCPU_REGS_RDX] = ((rdtsc() -  VM_EXIT_COST) >> 32) & -1u;

It looks like you want guest time to stop while the logical processor
is in kvm handling a RDTSC exit. Stopping guest time is not as easy as
just stopping the TSC. The guest has multiple clocks, and if you want
to stop guest time, you need to stop them all. Otherwise, some agent
in the guest is likely to conclude that your TSC is broken. Moreover,
even just stopping the TSC isn't this easy. If, for example, the guest
has set the IA32_TSC_DEADLINE MSR to trigger an interrupt at some
point in the future, then kvm has no doubt armed an hrtimer in the
host kernel to go off at the specified time. If you stop the guest
TSC, you need to change that hrtimer, or it will fire too early.
Furthermore, if your guest has network access, good luck! At the very
least, ntp or other network time services are going to be very
unhappy.

All of these issues aside, you don't even have the right adjustment
here to make this RDTSC-handling time disappear. Even if VM-entry and
VM-exit costs were deterministic and fixed--which they aren't--you
need to accumulate adjustments over multiple RDTSC VM-exits. Something
like:

adjustment = counter * VM_EXIT_COST + (counter - 1) * VM_ENTRY_COST;

> return skip_emulated_instruction(vcpu);
>
> }
>
> VM_EXIT_COST calculated by how many clock cycles are executed during
> host to guest transition (for RDTSC exits only). Can KVM handle these

I assume you mean guest to host transition for VM_EXIT_COST. Host to
guest transition would be VM_ENTRY_COST.

> operations built-in or do you have any idea how we can achieve this?

I'd suggest running the guest under qemu with tcg emulation rather
than kvm acceleration, and just adding your counter to qemu's
helper_rdtsc().