* [PATCH v3 0/2] execlog TCG plugin to log instructions
@ 2021-07-02 8:13 Alexandre Iooss
2021-07-02 8:13 ` [PATCH v3 1/2] contrib/plugins: add execlog to log instruction execution and memory access Alexandre Iooss
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Alexandre Iooss @ 2021-07-02 8:13 UTC (permalink / raw)
To: open list : All patches CC here
Cc: Alexandre Iooss, Mahmoud Mandour, Alex Bennée
execlog is a plugin that logs executed instructions with some useful
metadata including memory access.
The output of the plugin is designed to be usable with other tools. For
example it could be used with a side-channel leakage model to create
side-channel traces from QEMU for security evaluation.
Changes since v2:
- Fix typo "tvg-plugins" to "tcg-plugins" in commit title.
- Add warning about plugin output size in documentation.
- Fix user mode tracing by using a dynamic list.
- Fix last instructions not being logged.
- Remove empty first line in plugin output.
Changes since v1:
- The output is now easier to parse.
- Use QEMU logging API rather than FILE* to write output.
- Don't reject memory information in user mode.
- Merge memory information with instruction execution. Now one line
means one instruction.
- Add documentation.
Alexandre Iooss (2):
contrib/plugins: add execlog to log instruction execution and memory
access
docs/devel: tcg-plugins: add execlog plugin description
MAINTAINERS | 1 +
contrib/plugins/Makefile | 1 +
contrib/plugins/execlog.c | 153 +++++++++++++++++++++++++++++++++++++
docs/devel/tcg-plugins.rst | 24 ++++++
4 files changed, 179 insertions(+)
create mode 100644 contrib/plugins/execlog.c
--
2.31.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v3 1/2] contrib/plugins: add execlog to log instruction execution and memory access
2021-07-02 8:13 [PATCH v3 0/2] execlog TCG plugin to log instructions Alexandre Iooss
@ 2021-07-02 8:13 ` Alexandre Iooss
2021-07-02 8:13 ` [PATCH v3 2/2] docs/devel: tcg-plugins: add execlog plugin description Alexandre Iooss
2021-07-05 15:29 ` [PATCH v3 0/2] execlog TCG plugin to log instructions Alex Bennée
2 siblings, 0 replies; 4+ messages in thread
From: Alexandre Iooss @ 2021-07-02 8:13 UTC (permalink / raw)
To: open list : All patches CC here
Cc: Alexandre Iooss, Mahmoud Mandour, Alex Bennée
Log instruction execution and memory access to a file.
This plugin can be used for reverse engineering or for side-channel analysis
using QEMU.
Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
---
MAINTAINERS | 1 +
contrib/plugins/Makefile | 1 +
contrib/plugins/execlog.c | 153 ++++++++++++++++++++++++++++++++++++++
3 files changed, 155 insertions(+)
create mode 100644 contrib/plugins/execlog.c
diff --git a/MAINTAINERS b/MAINTAINERS
index cfbf7ef79b..709ae43864 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2978,6 +2978,7 @@ F: include/tcg/
TCG Plugins
M: Alex Bennée <alex.bennee@linaro.org>
+R: Alexandre Iooss <erdnaxe@crans.org>
S: Maintained
F: docs/devel/tcg-plugins.rst
F: plugins/
diff --git a/contrib/plugins/Makefile b/contrib/plugins/Makefile
index b9d7935e5e..51093acd17 100644
--- a/contrib/plugins/Makefile
+++ b/contrib/plugins/Makefile
@@ -13,6 +13,7 @@ include $(BUILD_DIR)/config-host.mak
VPATH += $(SRC_PATH)/contrib/plugins
NAMES :=
+NAMES += execlog
NAMES += hotblocks
NAMES += hotpages
NAMES += howvec
diff --git a/contrib/plugins/execlog.c b/contrib/plugins/execlog.c
new file mode 100644
index 0000000000..2de9f0d7d4
--- /dev/null
+++ b/contrib/plugins/execlog.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2021, Alexandre Iooss <erdnaxe@crans.org>
+ *
+ * Log instruction execution with memory access.
+ *
+ * License: GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+#include <glib.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <qemu-plugin.h>
+
+QEMU_PLUGIN_EXPORT int qemu_plugin_version = QEMU_PLUGIN_VERSION;
+
+/* Store last executed instruction on each vCPU as a GString */
+GArray *last_exec;
+
+/**
+ * Add memory read or write information to current instruction log
+ */
+static void vcpu_mem(unsigned int cpu_index, qemu_plugin_meminfo_t info,
+ uint64_t vaddr, void *udata)
+{
+ GString *s;
+
+ /* Find vCPU in array */
+ g_assert(cpu_index < last_exec->len);
+ s = g_array_index(last_exec, GString *, cpu_index);
+
+ /* Indicate type of memory access */
+ if (qemu_plugin_mem_is_store(info)) {
+ g_string_append(s, ", store");
+ } else {
+ g_string_append(s, ", load");
+ }
+
+ /* If full system emulation log physical address and device name */
+ struct qemu_plugin_hwaddr *hwaddr = qemu_plugin_get_hwaddr(info, vaddr);
+ if (hwaddr) {
+ uint64_t addr = qemu_plugin_hwaddr_phys_addr(hwaddr);
+ const char *name = qemu_plugin_hwaddr_device_name(hwaddr);
+ g_string_append_printf(s, ", 0x%08"PRIx64", %s", addr, name);
+ } else {
+ g_string_append_printf(s, ", 0x%08"PRIx64, vaddr);
+ }
+}
+
+/**
+ * Log instruction execution
+ */
+static void vcpu_insn_exec(unsigned int cpu_index, void *udata)
+{
+ GString *s;
+
+ /* Find or create vCPU in array */
+ while (cpu_index >= last_exec->len) {
+ s = g_string_new(NULL);
+ g_array_append_val(last_exec, s);
+ }
+ s = g_array_index(last_exec, GString *, cpu_index);
+
+ /* Print previous instruction in cache */
+ if (s->len) {
+ qemu_plugin_outs(s->str);
+ qemu_plugin_outs("s\n");
+ }
+
+ /* Store new instruction in cache */
+ /* vcpu_mem will add memory access information to last_exec */
+ g_string_printf(s, "%u, ", cpu_index);
+ g_string_append(s, (char *)udata);
+}
+
+/**
+ * On translation block new translation
+ *
+ * QEMU convert code by translation block (TB). By hooking here we can then hook
+ * a callback on each instruction and memory access.
+ */
+static void vcpu_tb_trans(qemu_plugin_id_t id, struct qemu_plugin_tb *tb)
+{
+ struct qemu_plugin_insn *insn;
+ uint64_t insn_vaddr;
+ uint32_t insn_opcode;
+ char *insn_disas;
+
+ size_t n = qemu_plugin_tb_n_insns(tb);
+ for (size_t i = 0; i < n; i++) {
+ /*
+ * `insn` is shared between translations in QEMU, copy needed data here.
+ * `output` is never freed as it might be used multiple times during
+ * the emulation lifetime.
+ * We only consider the first 32 bits of the instruction, this may be
+ * a limitation for CISC architectures.
+ */
+ insn = qemu_plugin_tb_get_insn(tb, i);
+ insn_vaddr = qemu_plugin_insn_vaddr(insn);
+ insn_opcode = *((uint32_t *)qemu_plugin_insn_data(insn));
+ insn_disas = qemu_plugin_insn_disas(insn);
+ char *output = g_strdup_printf("0x%"PRIx64", 0x%"PRIx32", \"%s\"",
+ insn_vaddr, insn_opcode, insn_disas);
+
+ /* Register callback on memory read or write */
+ qemu_plugin_register_vcpu_mem_cb(insn, vcpu_mem,
+ QEMU_PLUGIN_CB_NO_REGS,
+ QEMU_PLUGIN_MEM_RW, NULL);
+
+ /* Register callback on instruction */
+ qemu_plugin_register_vcpu_insn_exec_cb(insn, vcpu_insn_exec,
+ QEMU_PLUGIN_CB_NO_REGS, output);
+ }
+}
+
+/**
+ * On plugin exit, print last instruction in cache
+ */
+static void plugin_exit(qemu_plugin_id_t id, void *p)
+{
+ guint i;
+ GString *s;
+ for (i = 0; i < last_exec->len; i++) {
+ s = g_array_index(last_exec, GString *, i);
+ if (s->str) {
+ qemu_plugin_outs(s->str);
+ qemu_plugin_outs("\n");
+ }
+ }
+}
+
+/**
+ * Install the plugin
+ */
+QEMU_PLUGIN_EXPORT int qemu_plugin_install(qemu_plugin_id_t id,
+ const qemu_info_t *info, int argc,
+ char **argv)
+{
+ /*
+ * Initialize dynamic array to cache vCPU instruction. In user mode
+ * we don't know the size before emulation.
+ */
+ last_exec = g_array_new(FALSE, FALSE, sizeof(GString *));
+
+ /* Register translation block and exit callbacks */
+ qemu_plugin_register_vcpu_tb_trans_cb(id, vcpu_tb_trans);
+ qemu_plugin_register_atexit_cb(id, plugin_exit, NULL);
+
+ return 0;
+}
--
2.31.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v3 2/2] docs/devel: tcg-plugins: add execlog plugin description
2021-07-02 8:13 [PATCH v3 0/2] execlog TCG plugin to log instructions Alexandre Iooss
2021-07-02 8:13 ` [PATCH v3 1/2] contrib/plugins: add execlog to log instruction execution and memory access Alexandre Iooss
@ 2021-07-02 8:13 ` Alexandre Iooss
2021-07-05 15:29 ` [PATCH v3 0/2] execlog TCG plugin to log instructions Alex Bennée
2 siblings, 0 replies; 4+ messages in thread
From: Alexandre Iooss @ 2021-07-02 8:13 UTC (permalink / raw)
To: open list : All patches CC here
Cc: Alexandre Iooss, Mahmoud Mandour, Alex Bennée
This adds description of the execlog TCG plugin with an example.
Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
---
docs/devel/tcg-plugins.rst | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/docs/devel/tcg-plugins.rst b/docs/devel/tcg-plugins.rst
index 18c6581d85..c1e589693c 100644
--- a/docs/devel/tcg-plugins.rst
+++ b/docs/devel/tcg-plugins.rst
@@ -319,3 +319,27 @@ the user to see what hardware is accessed how often. It has a number of options:
off:0000001c, 1, 2
off:00000020, 1, 2
...
+
+- contrib/plugins/execlog.c
+
+The execlog tool traces executed instructions with memory access. It can be used
+for debugging and security analysis purposes.
+Please be aware that this will generate a lot of output.
+
+The plugin takes no argument::
+
+ qemu-system-arm $(QEMU_ARGS) \
+ -plugin ./contrib/plugins/libexeclog.so -d plugin
+
+which will output an execution trace following this structure::
+
+ # vCPU, vAddr, opcode, disassembly[, load/store, memory addr, device]...
+ 0, 0xa12, 0xf8012400, "movs r4, #0"
+ 0, 0xa14, 0xf87f42b4, "cmp r4, r6"
+ 0, 0xa16, 0xd206, "bhs #0xa26"
+ 0, 0xa18, 0xfff94803, "ldr r0, [pc, #0xc]", load, 0x00010a28, RAM
+ 0, 0xa1a, 0xf989f000, "bl #0xd30"
+ 0, 0xd30, 0xfff9b510, "push {r4, lr}", store, 0x20003ee0, RAM, store, 0x20003ee4, RAM
+ 0, 0xd32, 0xf9893014, "adds r0, #0x14"
+ 0, 0xd34, 0xf9c8f000, "bl #0x10c8"
+ 0, 0x10c8, 0xfff96c43, "ldr r3, [r0, #0x44]", load, 0x200000e4, RAM
--
2.31.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v3 0/2] execlog TCG plugin to log instructions
2021-07-02 8:13 [PATCH v3 0/2] execlog TCG plugin to log instructions Alexandre Iooss
2021-07-02 8:13 ` [PATCH v3 1/2] contrib/plugins: add execlog to log instruction execution and memory access Alexandre Iooss
2021-07-02 8:13 ` [PATCH v3 2/2] docs/devel: tcg-plugins: add execlog plugin description Alexandre Iooss
@ 2021-07-05 15:29 ` Alex Bennée
2 siblings, 0 replies; 4+ messages in thread
From: Alex Bennée @ 2021-07-05 15:29 UTC (permalink / raw)
To: Alexandre Iooss; +Cc: Mahmoud Mandour, open list : All patches CC here
Alexandre Iooss <erdnaxe@crans.org> writes:
> execlog is a plugin that logs executed instructions with some useful
> metadata including memory access.
>
> The output of the plugin is designed to be usable with other tools. For
> example it could be used with a side-channel leakage model to create
> side-channel traces from QEMU for security evaluation.
Queued to plugins/next, thanks.
>
> Changes since v2:
> - Fix typo "tvg-plugins" to "tcg-plugins" in commit title.
> - Add warning about plugin output size in documentation.
> - Fix user mode tracing by using a dynamic list.
> - Fix last instructions not being logged.
> - Remove empty first line in plugin output.
>
> Changes since v1:
> - The output is now easier to parse.
> - Use QEMU logging API rather than FILE* to write output.
> - Don't reject memory information in user mode.
> - Merge memory information with instruction execution. Now one line
> means one instruction.
> - Add documentation.
>
> Alexandre Iooss (2):
> contrib/plugins: add execlog to log instruction execution and memory
> access
> docs/devel: tcg-plugins: add execlog plugin description
>
> MAINTAINERS | 1 +
> contrib/plugins/Makefile | 1 +
> contrib/plugins/execlog.c | 153 +++++++++++++++++++++++++++++++++++++
> docs/devel/tcg-plugins.rst | 24 ++++++
> 4 files changed, 179 insertions(+)
> create mode 100644 contrib/plugins/execlog.c
--
Alex Bennée
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-07-05 15:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-02 8:13 [PATCH v3 0/2] execlog TCG plugin to log instructions Alexandre Iooss
2021-07-02 8:13 ` [PATCH v3 1/2] contrib/plugins: add execlog to log instruction execution and memory access Alexandre Iooss
2021-07-02 8:13 ` [PATCH v3 2/2] docs/devel: tcg-plugins: add execlog plugin description Alexandre Iooss
2021-07-05 15:29 ` [PATCH v3 0/2] execlog TCG plugin to log instructions Alex Bennée
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).