[PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

I've decided to include a cover-letter for this patch to ask for some feedback
on a few matters (and also to detail the changes that were done here instead
of writing that in the commit message).

First,
DETAILS OF CHANGES:

== Moved to common-side:
  1) monitor_ctrlreg_bitmask macro

  2) hvm_event_cr->vm_event_monitor_cr

  3) XEN_DOMCTL_MONITOR_EVENT_WRITE_CTRLREG handling (moved from X86
      arch_monitor_domctl_event to common monitor_domctl)

== ARM implementations:

  1) add VM_EVENT_ARM_{SCTLR,TTBR{0,1},TTBCR} as possible
    vm_event_write_ctrlreg indexes

  2) add write_ctrlreg_* bits in arch_domain

  3) vm_event_monitor_get_capabilities updated to reflect support
    for XEN_DOMCTL_MONITOR_EVENT_WRITE_CTRLREG

  4) on the scheduling tail, p2m_restore_state sets the HCR_TVM bit if
    write_ctrlreg_enabled <> 0 for the domain

  5) traps.c, traps.h:
        do_cp15_32, do_cp15_64 and do_sysreg now handle HCR_TVM traps,
        emulating writes as needed and also calling vm_event_monitor_cr in
        the process for the targeted monitored registers

The patch was currently tested on an ARMv8 (CONFIG_ARM_64) machine (after
applying a fix I'll send soon). With CONFIG_ARM_32 I only checked that Xen
clean-builds ok.

Then,
QUESTIONS (FOR VM-EVENTS & ARM MAINTAINERS ESPECIALLY):

Q1) Getting rid of the "#ifdef CONFIG_X86" @
    monitor_domctl->XEN_DOMCTL_MONITOR_EVENT_WRITE_CTRLREG case.
    To trap targeted control-registers writes, on ARM we check if
    write_ctrlreg_enabled is non-zero on the scheduling tail and set/unset the
    HCR_TVM bit accordingly (see the p2m_restore_state function).

    I see that on X86 for CR3 that's done @ vmx_update_guest_cr by this code:
   
        /* Trap CR3 updates if CR3 memory events are enabled. */
        if ( v->domain->arch.monitor.write_ctrlreg_enabled &
             monitor_ctrlreg_bitmask(VM_EVENT_X86_CR3) )
            v->arch.hvm_vmx.exec_control |= CPU_BASED_CR3_LOAD_EXITING;

    Couldn't we move this part on the X86 scheduling tail as it is done for ARM
    in this changeset?

Q2) About VM_EVENT_FLAG_DENY

  Q2.1)
    Doesn't it require sync = 1 (i.e. the vcpu to be paused) to work?
    If so, shouldn't we call vm_event_register_write_resume only after checking
    that VM_EVENT_FLAG_VCPU_PAUSED flag is set (vm_event_resume). Moreover, if
    we do that, wouldn't it be 'cleaner' to rename
    vm_event_register_write_resume->vm_event_deny, check for the
    VM_EVENT_FLAG_DENY flag in vm_event_resume instead and call vm_event_deny
    from there after this check?

  Q2.2)
    VM_EVENT_FLAG_DENY functionality is not implemented w/ this change-set.
    What is done instead is that the control-register write is done *before*
    sending the vm-event (vm_event_put_request). This way, the user can
    override the written register value after receiving the vm-event, which
    in effect provides the same flexibility as VM_EVENT_FLAG_DENY does.
    Using this strategy instead would simplify both Xen's code and the libxc
    user's code.
    Thoughts?

Q3) About security: i.e. making sure I don't crash Xen :)

    When a system-register write is trapped in Xen due to the HCR_TVM bit,
    besides triggering the vm-event where it's the case, we also need to emulate
    this write operation. This is done with the WRITE_SYSREG* macros (see
    TVM_EMUL/TVM_EMUL_VMEVT macros and their usage).

    A potential security issue I see here is a case where WRITE_SYSREG* would
    cause some kind of hardware fault/exception from EL2 that I did not take
    into account. Since the value that must be written is determined by the
    domain, that would mean that a 'bad' domain could willingly cause Xen to
    crash.

    I've read the ARM manuals and of course I've kept this in mind while doing
    the emulation, but I still need some clarifications.
    Concretely, this is the information I haven't found while reading the docs:
        Q3.1)
            If an AArch64 domain does:

                MSR SCTLR_EL1, <Xt>

            and given that SCTLR_EL1 is a 32-bit system register and that Xt is
            a 64-bit register, what happens if the *high* 32-bits of Xt are not
            set to zero? Are they simply ignored or would that cause a fault? If
            so, would that fault happen before trapping to EL2?

        Q3.2)
            What would happen if a domain writes an invalid value to these regs.
            By invalid I mean writing 1 to RES0/UNK/SBZP/RAZ/SBZP bits or
            vice-versa (0 to RES1,etc). Again, could such behavior cause faults
            when doing WRITE_SYSREG*? Note that this also concerns functions
            like xc_vcpu_setcontext.

Q4) The ARMv7 manual doesn't include AMAIR0/AMAIR1 in the list of registers that
    cause HYP traps on write when the HCR.TVM bit is set. Is that correct?
    If so, should I surround parts relevant to them in this changeset w/ CONFIG_ARM_64?

Corneliu ZUZU (1):
  arm/monitor vm-events: implement write-ctrlreg support

 xen/arch/arm/p2m.c              |   5 +
 xen/arch/arm/traps.c            | 128 +++++++++++++++++++++-
 xen/arch/x86/hvm/event.c        |  27 -----
 xen/arch/x86/hvm/hvm.c          |   2 +-
 xen/arch/x86/hvm/vmx/vmx.c      |   2 +-
 xen/arch/x86/monitor.c          |  45 --------
 xen/common/monitor.c            |  48 +++++++++
 xen/common/vm_event.c           |  29 +++++
 xen/include/asm-arm/domain.h    |   8 ++
 xen/include/asm-arm/traps.h     | 227 ++++++++++++++++++++++++++++++++++++++++
 xen/include/asm-arm/vm_event.h  |   4 +-
 xen/include/asm-x86/hvm/event.h |  13 +--
 xen/include/asm-x86/monitor.h   |   2 -
 xen/include/public/vm_event.h   |   8 +-
 xen/include/xen/monitor.h       |   2 +
 xen/include/xen/vm_event.h      |   8 ++
 16 files changed, 467 insertions(+), 91 deletions(-)
 create mode 100644 xen/include/asm-arm/traps.h

-- 
2.5.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

[PATCH 1/1] arm/monitor vm-events: implement write-ctrlreg support

[Corneliu ZUZU]

This patch adds ARM support for write-ctrlreg monitor vm-events.
The ARM control-registers that can be monitored are:
 - VM_EVENT_ARM_SCTLR:      AArch32 SCTLR, AArch64 SCTLR_EL1
 - VM_EVENT_ARM_TTBR{0,1}:  AArch32 TTBR{0,1}, AArch64 TTBR{0,1}_EL1
 - VM_EVENT_ARM_TTBCR:      AArch32 TTBCR, AArch64 TCR_EL1

Trapping of write operations for these registers was attained
by setting the HCR_EL2.TVM / HCR.TVM bit.

Signed-off-by: Corneliu ZUZU <czuzu@bitdefender.com>
---
 xen/arch/arm/p2m.c              |   5 +
 xen/arch/arm/traps.c            | 128 +++++++++++++++++++++-
 xen/arch/x86/hvm/event.c        |  27 -----
 xen/arch/x86/hvm/hvm.c          |   2 +-
 xen/arch/x86/hvm/vmx/vmx.c      |   2 +-
 xen/arch/x86/monitor.c          |  45 --------
 xen/common/monitor.c            |  48 +++++++++
 xen/common/vm_event.c           |  29 +++++
 xen/include/asm-arm/domain.h    |   8 ++
 xen/include/asm-arm/traps.h     | 227 ++++++++++++++++++++++++++++++++++++++++
 xen/include/asm-arm/vm_event.h  |   4 +-
 xen/include/asm-x86/hvm/event.h |  13 +--
 xen/include/asm-x86/monitor.h   |   2 -
 xen/include/public/vm_event.h   |   8 +-
 xen/include/xen/monitor.h       |   2 +
 xen/include/xen/vm_event.h      |   8 ++
 16 files changed, 467 insertions(+), 91 deletions(-)
 create mode 100644 xen/include/asm-arm/traps.h

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index a2a9c4b..a32dfdd 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -108,6 +108,11 @@ void p2m_restore_state(struct vcpu *n)
     else
         hcr |= HCR_RW;
 
+    if ( likely(0 == n->domain->arch.monitor.write_ctrlreg_enabled) )
+        hcr &= ~HCR_TVM;
+    else
+        hcr |= HCR_TVM;
+
     WRITE_SYSREG(n->arch.sctlr, SCTLR_EL1);
     isb();
 
diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index 83744e8..3e1c8ee 100644
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -31,8 +31,10 @@
 #include <xen/softirq.h>
 #include <xen/domain_page.h>
 #include <xen/perfc.h>
+#include <xen/vm_event.h>
 #include <public/sched.h>
 #include <public/xen.h>
+#include <public/vm_event.h>
 #include <asm/debugger.h>
 #include <asm/event.h>
 #include <asm/regs.h>
@@ -41,6 +43,7 @@
 #include <asm/mmio.h>
 #include <asm/cpufeature.h>
 #include <asm/flushtlb.h>
+#include <asm/traps.h>
 
 #include "decode.h"
 #include "vtimer.h"
@@ -122,7 +125,12 @@ void init_traps(void)
     WRITE_SYSREG((HCPTR_CP_MASK & ~(HCPTR_CP(10) | HCPTR_CP(11))) | HCPTR_TTA,
                  CPTR_EL2);
 
-    /* Setup hypervisor traps */
+    /* Setup hypervisor traps
+     *
+     * Note: HCR_TVM bit is also set for system-register write monitoring
+     * purposes (see vm_event_monitor_cr), but (for performance reasons) that's
+     * done selectively (i.e. on the scheduling tail, see p2m_restore_state).
+     */
     WRITE_SYSREG(HCR_PTW|HCR_BSU_INNER|HCR_AMO|HCR_IMO|HCR_FMO|HCR_VM|
                  HCR_TWE|HCR_TWI|HCR_TSC|HCR_TAC|HCR_SWIO|HCR_TIDCP, HCR_EL2);
     isb();
@@ -398,7 +406,6 @@ static void inject_abt32_exception(struct cpu_user_regs *regs,
         far |= addr << 32;
         WRITE_SYSREG(far, FAR_EL1);
         WRITE_SYSREG(fsr, IFSR32_EL2);
-
 #endif
     }
     else
@@ -1686,6 +1693,61 @@ static void do_cp15_32(struct cpu_user_regs *regs,
     switch ( hsr.bits & HSR_CP32_REGS_MASK )
     {
     /*
+     * HCR_EL2.TVM / HCR.TVM
+     *
+     * ARMv7 (DDI 0406C.b): B1.14.13
+     * ARMv8 (DDI 0487A.e): D1-1569 Table D1-34
+     */
+    case HSR_CPREG32(SCTLR):
+        TVM_EMUL_VMEVT(regs, hsr, *r, VM_EVENT_ARM_SCTLR, SCTLR);
+        break;
+    case HSR_CPREG32(TTBR0_32):
+        TVM_EMUL_VMEVT(regs, hsr, *r, VM_EVENT_ARM_TTBR0, TTBR0_32);
+        break;
+    case HSR_CPREG32(TTBR1_32):
+        TVM_EMUL_VMEVT(regs, hsr, *r, VM_EVENT_ARM_TTBR1, TTBR1_32);
+        break;
+    case HSR_CPREG32(TTBCR):
+        TVM_EMUL_VMEVT(regs, hsr, *r, VM_EVENT_ARM_TTBCR, TTBCR);
+        break;
+    case HSR_CPREG32(DACR):
+        TVM_EMUL(regs, hsr, *r, DACR);
+        break;
+    case HSR_CPREG32(DFSR):
+        TVM_EMUL(regs, hsr, *r, DFSR);
+        break;
+    case HSR_CPREG32(IFSR):
+        TVM_EMUL(regs, hsr, *r, IFSR);
+        break;
+    case HSR_CPREG32(DFAR):
+        TVM_EMUL(regs, hsr, *r, DFAR);
+        break;
+    case HSR_CPREG32(IFAR):
+        TVM_EMUL(regs, hsr, *r, IFAR);
+        break;
+    case HSR_CPREG32(ADFSR):
+        TVM_EMUL(regs, hsr, *r, ADFSR);
+        break;
+    case HSR_CPREG32(AIFSR):
+        TVM_EMUL(regs, hsr, *r, AIFSR);
+        break;
+    case HSR_CPREG32(MAIR0):
+        TVM_EMUL(regs, hsr, *r, MAIR0);
+        break;
+    case HSR_CPREG32(MAIR1):
+        TVM_EMUL(regs, hsr, *r, MAIR1);
+        break;
+    case HSR_CPREG32(AMAIR0):
+        TVM_EMUL(regs, hsr, *r, AMAIR0);
+        break;
+    case HSR_CPREG32(AMAIR1):
+        TVM_EMUL(regs, hsr, *r, AMAIR1);
+        break;
+    case HSR_CPREG32(CONTEXTIDR):
+        TVM_EMUL(regs, hsr, *r, CONTEXTIDR);
+        break;
+
+    /*
      * !CNTHCTL_EL2.EL1PCEN / !CNTHCTL.PL1PCEN
      *
      * ARMv7 (DDI 0406C.b): B4.1.22
@@ -1809,6 +1871,14 @@ static void do_cp15_32(struct cpu_user_regs *regs,
 static void do_cp15_64(struct cpu_user_regs *regs,
                        const union hsr hsr)
 {
+    const struct hsr_cp64 cp64 = hsr.cp64;
+    register_t *r1 = select_user_reg(regs, cp64.reg1);
+    register_t *r2 = select_user_reg(regs, cp64.reg2);
+    sysreg64_t sr64 = {
+        .l = (uint32_t) *r1,
+        .h = (uint32_t) *r2
+    };
+
     if ( !check_conditional_instr(regs, hsr) )
     {
         advance_pc(regs, hsr);
@@ -1818,6 +1888,19 @@ static void do_cp15_64(struct cpu_user_regs *regs,
     switch ( hsr.bits & HSR_CP64_REGS_MASK )
     {
     /*
+     * HCR_EL2.TVM / HCR.TVM
+     *
+     * ARMv7 (DDI 0406C.b): B1.14.13
+     * ARMv8 (DDI 0487A.e): D1-1569 Table D1-34
+     */
+    case HSR_CPREG64(TTBR0):
+        TVM_EMUL_VMEVT(regs, hsr, sr64.v, VM_EVENT_ARM_TTBR0, TTBR0_64);
+        break;
+    case HSR_CPREG64(TTBR1):
+        TVM_EMUL_VMEVT(regs, hsr, sr64.v, VM_EVENT_ARM_TTBR1, TTBR1_64);
+        break;
+
+    /*
      * !CNTHCTL_EL2.EL1PCEN / !CNTHCTL.PL1PCEN
      *
      * ARMv7 (DDI 0406C.b): B4.1.22
@@ -1847,8 +1930,6 @@ static void do_cp15_64(struct cpu_user_regs *regs,
      */
     default:
         {
-            const struct hsr_cp64 cp64 = hsr.cp64;
-
             gdprintk(XENLOG_ERR,
                      "%s p15, %d, r%d, r%d, cr%d @ 0x%"PRIregister"\n",
                      cp64.read ? "mrrc" : "mcrr",
@@ -2082,6 +2163,45 @@ static void do_sysreg(struct cpu_user_regs *regs,
     switch ( hsr.bits & HSR_SYSREG_REGS_MASK )
     {
     /*
+     * HCR_EL2.TVM
+     *
+     * ARMv8 (DDI 0487A.e): D1-1569 Table D1-34
+     */
+    case HSR_SYSREG_SCTLR_EL1:
+        TVM_EMUL_VMEVT(regs, hsr, *x, VM_EVENT_ARM_SCTLR, SCTLR_EL1);
+        break;
+    case HSR_SYSREG_TTBR0_EL1:
+        TVM_EMUL_VMEVT(regs, hsr, *x, VM_EVENT_ARM_TTBR0, TTBR0_EL1);
+        break;
+    case HSR_SYSREG_TTBR1_EL1:
+        TVM_EMUL_VMEVT(regs, hsr, *x, VM_EVENT_ARM_TTBR1, TTBR1_EL1);
+        break;
+    case HSR_SYSREG_TCR_EL1:
+        TVM_EMUL_VMEVT(regs, hsr, *x, VM_EVENT_ARM_TTBCR, TCR_EL1);
+        break;
+    case HSR_SYSREG_ESR_EL1:
+        TVM_EMUL(regs, hsr, *x, ESR_EL1);
+        break;
+    case HSR_SYSREG_FAR_EL1:
+        TVM_EMUL(regs, hsr, *x, FAR_EL1);
+        break;
+    case HSR_SYSREG_AFSR0_EL1:
+        TVM_EMUL(regs, hsr, *x, AFSR0_EL1);
+        break;
+    case HSR_SYSREG_AFSR1_EL1:
+        TVM_EMUL(regs, hsr, *x, AFSR1_EL1);
+        break;
+    case HSR_SYSREG_MAIR_EL1:
+        TVM_EMUL(regs, hsr, *x, MAIR_EL1);
+        break;
+    case HSR_SYSREG_AMAIR_EL1:
+        TVM_EMUL(regs, hsr, *x, AMAIR_EL1);
+        break;
+    case HSR_SYSREG_CONTEXTIDR_EL1:
+        TVM_EMUL(regs, hsr, *x, CONTEXTIDR_EL1);
+        break;
+
+    /*
      * HCR_EL2.TACR
      *
      * ARMv8 (DDI 0487A.d): D7.2.1
diff --git a/xen/arch/x86/hvm/event.c b/xen/arch/x86/hvm/event.c
index 56c5514..f6be80f 100644
--- a/xen/arch/x86/hvm/event.c
+++ b/xen/arch/x86/hvm/event.c
@@ -27,33 +27,6 @@
 #include <asm/vm_event.h>
 #include <public/vm_event.h>
 
-bool_t hvm_event_cr(unsigned int index, unsigned long value, unsigned long old)
-{
-    struct vcpu *curr = current;
-    struct arch_domain *ad = &curr->domain->arch;
-    unsigned int ctrlreg_bitmask = monitor_ctrlreg_bitmask(index);
-
-    if ( (ad->monitor.write_ctrlreg_enabled & ctrlreg_bitmask) &&
-         (!(ad->monitor.write_ctrlreg_onchangeonly & ctrlreg_bitmask) ||
-          value != old) )
-    {
-        bool_t sync = !!(ad->monitor.write_ctrlreg_sync & ctrlreg_bitmask);
-
-        vm_event_request_t req = {
-            .reason = VM_EVENT_REASON_WRITE_CTRLREG,
-            .vcpu_id = curr->vcpu_id,
-            .u.write_ctrlreg.index = index,
-            .u.write_ctrlreg.new_value = value,
-            .u.write_ctrlreg.old_value = old
-        };
-
-        vm_event_monitor_traps(curr, sync, &req);
-        return 1;
-    }
-
-    return 0;
-}
-
 void hvm_event_msr(unsigned int msr, uint64_t value)
 {
     struct vcpu *curr = current;
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 5bc2812..fc8cf12 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -37,6 +37,7 @@
 #include <xen/mem_access.h>
 #include <xen/rangeset.h>
 #include <xen/vm_event.h>
+#include <xen/monitor.h>
 #include <asm/shadow.h>
 #include <asm/hap.h>
 #include <asm/current.h>
@@ -52,7 +53,6 @@
 #include <asm/traps.h>
 #include <asm/mc146818rtc.h>
 #include <asm/mce.h>
-#include <asm/monitor.h>
 #include <asm/hvm/hvm.h>
 #include <asm/hvm/vpt.h>
 #include <asm/hvm/support.h>
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 9c5a388..b5cba00 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -25,6 +25,7 @@
 #include <xen/domain_page.h>
 #include <xen/hypercall.h>
 #include <xen/perfc.h>
+#include <xen/monitor.h>
 #include <asm/current.h>
 #include <asm/io.h>
 #include <asm/iocap.h>
@@ -57,7 +58,6 @@
 #include <asm/hvm/nestedhvm.h>
 #include <asm/altp2m.h>
 #include <asm/event.h>
-#include <asm/monitor.h>
 #include <public/arch-x86/cpuid.h>
 
 static bool_t __initdata opt_force_ept;
diff --git a/xen/arch/x86/monitor.c b/xen/arch/x86/monitor.c
index 1fec412..2f66f27 100644
--- a/xen/arch/x86/monitor.c
+++ b/xen/arch/x86/monitor.c
@@ -30,51 +30,6 @@ int arch_monitor_domctl_event(struct domain *d,
 
     switch ( mop->event )
     {
-    case XEN_DOMCTL_MONITOR_EVENT_WRITE_CTRLREG:
-    {
-        unsigned int ctrlreg_bitmask;
-        bool_t old_status;
-
-        /* sanity check: avoid left-shift undefined behavior */
-        if ( unlikely(mop->u.mov_to_cr.index > 31) )
-            return -EINVAL;
-
-        ctrlreg_bitmask = monitor_ctrlreg_bitmask(mop->u.mov_to_cr.index);
-        old_status = !!(ad->monitor.write_ctrlreg_enabled & ctrlreg_bitmask);
-
-        if ( unlikely(old_status == requested_status) )
-            return -EEXIST;
-
-        domain_pause(d);
-
-        if ( mop->u.mov_to_cr.sync )
-            ad->monitor.write_ctrlreg_sync |= ctrlreg_bitmask;
-        else
-            ad->monitor.write_ctrlreg_sync &= ~ctrlreg_bitmask;
-
-        if ( mop->u.mov_to_cr.onchangeonly )
-            ad->monitor.write_ctrlreg_onchangeonly |= ctrlreg_bitmask;
-        else
-            ad->monitor.write_ctrlreg_onchangeonly &= ~ctrlreg_bitmask;
-
-        if ( requested_status )
-            ad->monitor.write_ctrlreg_enabled |= ctrlreg_bitmask;
-        else
-            ad->monitor.write_ctrlreg_enabled &= ~ctrlreg_bitmask;
-
-        if ( VM_EVENT_X86_CR3 == mop->u.mov_to_cr.index )
-        {
-            struct vcpu *v;
-            /* Latches new CR3 mask through CR0 code. */
-            for_each_vcpu ( d, v )
-                hvm_update_guest_cr(v, 0);
-        }
-
-        domain_unpause(d);
-
-        break;
-    }
-
     case XEN_DOMCTL_MONITOR_EVENT_MOV_TO_MSR:
     {
         bool_t old_status = ad->monitor.mov_to_msr_enabled;
diff --git a/xen/common/monitor.c b/xen/common/monitor.c
index d950a7c..e1e51a1 100644
--- a/xen/common/monitor.c
+++ b/xen/common/monitor.c
@@ -77,6 +77,54 @@ int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *mop)
         break;
     }
 
+    case XEN_DOMCTL_MONITOR_EVENT_WRITE_CTRLREG:
+    {
+        struct arch_domain *ad = &d->arch;
+        unsigned int ctrlreg_bitmask;
+        bool_t old_status;
+
+        /* sanity check: avoid left-shift undefined behavior */
+        if ( unlikely(mop->u.mov_to_cr.index > 31) )
+            return -EINVAL;
+
+        ctrlreg_bitmask = monitor_ctrlreg_bitmask(mop->u.mov_to_cr.index);
+        old_status = !!(ad->monitor.write_ctrlreg_enabled & ctrlreg_bitmask);
+
+        if ( unlikely(old_status == requested_status) )
+            return -EEXIST;
+
+        domain_pause(d);
+
+        if ( mop->u.mov_to_cr.sync )
+            ad->monitor.write_ctrlreg_sync |= ctrlreg_bitmask;
+        else
+            ad->monitor.write_ctrlreg_sync &= ~ctrlreg_bitmask;
+
+        if ( mop->u.mov_to_cr.onchangeonly )
+            ad->monitor.write_ctrlreg_onchangeonly |= ctrlreg_bitmask;
+        else
+            ad->monitor.write_ctrlreg_onchangeonly &= ~ctrlreg_bitmask;
+
+        if ( requested_status )
+            ad->monitor.write_ctrlreg_enabled |= ctrlreg_bitmask;
+        else
+            ad->monitor.write_ctrlreg_enabled &= ~ctrlreg_bitmask;
+
+#if CONFIG_X86
+        if ( VM_EVENT_X86_CR3 == mop->u.mov_to_cr.index )
+        {
+            struct vcpu *v;
+            /* Latches new CR3 mask through CR0 code. */
+            for_each_vcpu ( d, v )
+                hvm_update_guest_cr(v, 0);
+        }
+#endif
+
+        domain_unpause(d);
+
+        break;
+    }
+
     default:
         /* Give arch-side the chance to handle this event */
         return arch_monitor_domctl_event(d, mop);
diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c
index 2906407..63c87e5 100644
--- a/xen/common/vm_event.c
+++ b/xen/common/vm_event.c
@@ -25,6 +25,7 @@
 #include <xen/wait.h>
 #include <xen/vm_event.h>
 #include <xen/mem_access.h>
+#include <xen/monitor.h>
 #include <asm/p2m.h>
 #include <asm/altp2m.h>
 #include <asm/vm_event.h>
@@ -824,6 +825,34 @@ int vm_event_monitor_traps(struct vcpu *v, uint8_t sync,
     return 1;
 }
 
+bool_t vm_event_monitor_cr(unsigned int index, unsigned long value,
+                           unsigned long old)
+{
+    struct vcpu *curr = current;
+    struct arch_domain *ad = &curr->domain->arch;
+    unsigned int ctrlreg_bitmask = monitor_ctrlreg_bitmask(index);
+
+    if ( (ad->monitor.write_ctrlreg_enabled & ctrlreg_bitmask) &&
+         (!(ad->monitor.write_ctrlreg_onchangeonly & ctrlreg_bitmask) ||
+          value != old) )
+    {
+        bool_t sync = !!(ad->monitor.write_ctrlreg_sync & ctrlreg_bitmask);
+
+        vm_event_request_t req = {
+            .reason = VM_EVENT_REASON_WRITE_CTRLREG,
+            .vcpu_id = curr->vcpu_id,
+            .u.write_ctrlreg.index = index,
+            .u.write_ctrlreg.new_value = value,
+            .u.write_ctrlreg.old_value = old
+        };
+
+        vm_event_monitor_traps(curr, sync, &req);
+        return 1;
+    }
+
+    return 0;
+}
+
 void vm_event_monitor_guest_request(void)
 {
     struct vcpu *curr = current;
diff --git a/xen/include/asm-arm/domain.h b/xen/include/asm-arm/domain.h
index c35ed40..53c1d5b 100644
--- a/xen/include/asm-arm/domain.h
+++ b/xen/include/asm-arm/domain.h
@@ -129,6 +129,14 @@ struct arch_domain
     paddr_t efi_acpi_gpa;
     paddr_t efi_acpi_len;
 #endif
+
+    /* Arch-specific monitor options */
+    struct {
+        unsigned int write_ctrlreg_enabled       : 4;
+        unsigned int write_ctrlreg_sync          : 4;
+        unsigned int write_ctrlreg_onchangeonly  : 4;
+    } monitor;
+
 }  __cacheline_aligned;
 
 struct arch_vcpu
diff --git a/xen/include/asm-arm/traps.h b/xen/include/asm-arm/traps.h
new file mode 100644
index 0000000..8f2b06b
--- /dev/null
+++ b/xen/include/asm-arm/traps.h
@@ -0,0 +1,227 @@
+/*
+ * include/asm-arm/traps.h
+ *
+ * ARM Trap handlers
+ *
+ * Copyright (c) 2016 BitDefender S.R.L.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __ASM_ARM_TRAPS_H__
+#define __ASM_ARM_TRAPS_H__
+
+#include <xen/vm_event.h>
+#include <asm/regs.h>
+
+/* used to force expansion of args before calling macro */
+#define CALL_MACRO(macro, args...)     macro(args)
+
+/* used for easy manipulation of low/high 32-bits of 64-bit system registers */
+typedef union {
+    uint64_t v;
+    struct {
+        uint32_t l;
+        uint32_t h;
+    };
+} sysreg64_t;
+
+#if CONFIG_ARM_64
+
+/*
+ * Emulation of system-register trapped writes that do not cause
+ * VM_EVENT_REASON_WRITE_CTRLREG monitor vm-events.
+ * Such writes are collaterally trapped due to setting the HCR_EL2.TVM bit.
+ *
+ * Regarding AArch32 domains, note that from Xen's perspective system-registers
+ * of such domains are architecturally-mapped to AArch64 registers in one of
+ * three ways:
+ *  - low 32-bits mapping   (e.g. AArch32 DFAR -> AArch64 FAR_EL1[31:0])
+ *  - high 32-bits mapping  (e.g. AArch32 IFAR -> AArch64 FAR_EL1[63:32])
+ *  - full mapping          (e.g. AArch32 SCTLR -> AArch64 SCTLR_EL1)
+ *
+ * Hence we define 2 macro variants:
+ *  - TVM_EMUL_SZ variant, for full mappings
+ *  - TVM_EMUL_LH variant, for low/high 32-bits mappings
+ */
+#define TVM_EMUL_SZ(regs, hsr, val, sz, r)                      \
+{                                                               \
+    if ( psr_mode_is_user(regs) )                               \
+        return inject_undef_exception(regs, hsr);               \
+    WRITE_SYSREG##sz((uint##sz##_t) (val), r);                  \
+}
+#define TVM_EMUL_LH(regs, hsr, val, l_or_h, r)                  \
+{                                                               \
+    sysreg64_t _new;                                            \
+    if ( psr_mode_is_user(regs) )                               \
+        return inject_undef_exception(regs, hsr);               \
+    _new.v = READ_SYSREG64(r);                                  \
+    _new.l_or_h = (uint32_t) (val);                             \
+    WRITE_SYSREG64(_new.v, r);                                  \
+}
+
+/*
+ * Emulation of system-register writes that might cause
+ * VM_EVENT_REASON_WRITE_CTRLREG monitor vm-events.
+ * SZ/LH variants, reasoning is the same as above.
+ */
+#define TVM_EMUL_SZ_VMEVT(regs, hsr, val, vmevt_r, sz, r)       \
+{                                                               \
+    unsigned long _old;                                         \
+    if ( psr_mode_is_user(regs) )                               \
+        return inject_undef_exception(regs, hsr);               \
+    _old = (unsigned long) READ_SYSREG##sz(r);                  \
+    WRITE_SYSREG##sz((uint##sz##_t) (val), r);                  \
+    vm_event_monitor_cr(vmevt_r,                                \
+                        (unsigned long) (uint##sz##_t) (val),   \
+                        _old);                                  \
+}
+#define TVM_EMUL_LH_VMEVT(regs, hsr, val, vmevt_r, l_or_h, r)   \
+{                                                               \
+    sysreg64_t _old, _new;                                      \
+    if ( psr_mode_is_user(regs) )                               \
+        return inject_undef_exception(regs, hsr);               \
+    _new.v = (_old.v = READ_SYSREG64(r));                       \
+    _new.l_or_h = (uint32_t) (val);                             \
+    WRITE_SYSREG64(_new.v, r);                                  \
+    vm_event_monitor_cr(vmevt_r,                                \
+                        (unsigned long) _new.v,                 \
+                        (unsigned long) _old.v);                \
+}
+
+#define PART_FULL32     SZ,32   /* SZ variant, equivalent 32-bit counterpart */
+#define PART_FULL64     SZ,64   /* SZ variant, equivalent 64-bit counterpart */
+#define PART_LOW        LH,l    /* LH variant, low 32-bits (sysreg64.l) */
+#define PART_HIGH       LH,h    /* LH variant, high 32-bits (sysreg64.h) */
+
+/*
+ * HCR_EL2.TVM trapped registers info (size in bits) for an AArch64 domain.
+ *
+ * ARMv8 (DDI 0487A.e): D1-1569 Table D1-34 (traps from AArch64 state)
+ */
+#define TVMINF_SCTLR_EL1        PART_FULL32,    SCTLR_EL1
+#define TVMINF_TTBR0_EL1        PART_FULL64,    TTBR0_EL1
+#define TVMINF_TTBR1_EL1        PART_FULL64,    TTBR1_EL1
+#define TVMINF_TCR_EL1          PART_FULL64,    TCR_EL1
+#define TVMINF_ESR_EL1          PART_FULL32,    ESR_EL1
+#define TVMINF_FAR_EL1          PART_FULL64,    FAR_EL1
+#define TVMINF_AFSR0_EL1        PART_FULL32,    AFSR0_EL1
+#define TVMINF_AFSR1_EL1        PART_FULL32,    AFSR1_EL1
+#define TVMINF_MAIR_EL1         PART_FULL64,    MAIR_EL1
+#define TVMINF_AMAIR_EL1        PART_FULL64,    AMAIR_EL1
+#define TVMINF_CONTEXTIDR_EL1   PART_FULL32,    CONTEXTIDR_EL1
+
+/*
+ * HCR_EL2.TVM trapped registers info for an AArch32 domain.
+ * Specifies the architecturally-mapped AArch64 counterpart register
+ * as well as the actual part of it the AArch32 register is mapped-to.
+ *
+ * ARMv8 (DDI 0487A.e): D1-1569 Table D1-34 (traps from AArch32 state)
+ */
+#define TVMINF_SCTLR            PART_FULL32,    SCTLR_EL1
+#define TVMINF_TTBR0_64         PART_FULL64,    TTBR0_EL1
+#define TVMINF_TTBR1_64         PART_FULL64,    TTBR1_EL1
+#define TVMINF_TTBR0_32         PART_LOW,       TTBR0_EL1
+#define TVMINF_TTBR1_32         PART_LOW,       TTBR1_EL1
+#define TVMINF_TTBCR            PART_LOW,       TCR_EL1
+#define TVMINF_DACR             PART_FULL32,    DACR32_EL2
+#define TVMINF_DFSR             PART_FULL32,    ESR_EL1
+#define TVMINF_IFSR             PART_FULL32,    IFSR32_EL2
+#define TVMINF_DFAR             PART_LOW,       FAR_EL1
+#define TVMINF_IFAR             PART_HIGH,      FAR_EL1
+#define TVMINF_ADFSR            PART_FULL32,    AFSR0_EL1
+#define TVMINF_AIFSR            PART_FULL32,    AFSR1_EL1
+#define TVMINF_MAIR0            PART_LOW,       MAIR_EL1        /* AKA PRRR */
+#define TVMINF_MAIR1            PART_HIGH,      MAIR_EL1        /* AKA NMRR */
+#define TVMINF_AMAIR0           PART_LOW,       AMAIR_EL1
+#define TVMINF_AMAIR1           PART_HIGH,      AMAIR_EL1
+#define TVMINF_CONTEXTIDR       PART_FULL32,    CONTEXTIDR_EL1
+
+#define TVM_EMUL_VARIANT(regs, hsr, val, variant, sz_or_lh, r) \
+        TVM_EMUL_##variant(regs, hsr, val, sz_or_lh, r)
+#define TVM_EMUL_VARIANT_VMEVT(regs, hsr, val, vmevt_r, variant, sz_or_lh, r) \
+        TVM_EMUL_##variant##_VMEVT(regs, hsr, val, vmevt_r, sz_or_lh, r)
+
+/*
+ * Wrappers over TVM_EMUL_{SZ,LH}/TVM_EMUL_{SZ,LH}_VMEVT variants which use
+ * the TVMINF_* defs.
+ */
+#define TVM_EMUL(regs, hsr, val, r) \
+        CALL_MACRO(TVM_EMUL_VARIANT, regs, hsr, val, TVMINF_##r)
+#define TVM_EMUL_VMEVT(regs, hsr, val, vmevt_r, r) \
+        CALL_MACRO(TVM_EMUL_VARIANT_VMEVT, regs, hsr, val, vmevt_r, TVMINF_##r)
+
+#elif CONFIG_ARM_32
+
+/*
+ * Emulation of system-register trapped writes that do not cause
+ * VM_EVENT_REASON_WRITE_CTRLREG monitor vm-events.
+ * Such writes are collaterally trapped due to setting HCR.TVM bit.
+ */
+#define TVM_EMUL_SZ(regs, hsr, val, sz, r...)                   \
+{                                                               \
+    if ( psr_mode_is_user(regs) )                               \
+        return inject_undef_exception(regs, hsr);               \
+    WRITE_SYSREG##sz((uint##sz##_t) (val), r);                  \
+}
+
+/*
+ * Emulation of system-register writes that might cause
+ * VM_EVENT_REASON_WRITE_CTRLREG monitor vm-events.
+ */
+#define TVM_EMUL_SZ_VMEVT(regs, hsr, val, vmevt_r, sz, r...)    \
+{                                                               \
+    unsigned long _old;                                         \
+    if ( psr_mode_is_user(regs) )                               \
+        return inject_undef_exception(regs, hsr);               \
+    _old = (unsigned long) READ_SYSREG##sz(r);                  \
+    WRITE_SYSREG##sz((uint##sz##_t) (val), r);                  \
+    vm_event_monitor_cr(vmevt_r,                                \
+                        (unsigned long) (uint##sz##_t) (val),   \
+                        _old);                                  \
+}
+
+/*
+ * HCR.TVM trapped registers info (size in bits and register to access)
+ *
+ * ARMv7 (DDI 0406C.b): B1.14.13
+ */
+#define TVMINF_SCTLR        32,SCTLR
+#define TVMINF_TTBR0_64     64,TTBR0
+#define TVMINF_TTBR1_64     64,TTBR1
+#define TVMINF_TTBR0_32     32,TTBR0_32
+#define TVMINF_TTBR1_32     32,TTBR1_32
+#define TVMINF_TTBCR        32,TTBCR
+#define TVMINF_DACR         32,DACR
+#define TVMINF_DFSR         32,DFSR
+#define TVMINF_IFSR         32,IFSR
+#define TVMINF_DFAR         32,DFAR
+#define TVMINF_IFAR         32,IFAR
+#define TVMINF_ADFSR        32,ADFSR
+#define TVMINF_AIFSR        32,AIFSR
+#define TVMINF_MAIR0        32,MAIR0        /* AKA PRRR */
+#define TVMINF_MAIR1        32,MAIR1        /* AKA NMRR */
+#define TVMINF_AMAIR0       32,AMAIR0
+#define TVMINF_AMAIR1       32,AMAIR1
+#define TVMINF_CONTEXTIDR   32,CONTEXTIDR
+
+/* Wrappers over TVM_EMUL_SZ/TVM_EMUL_SZ_VMEVT which use the TVMINF_* defs. */
+#define TVM_EMUL(regs, hsr, val, r...) \
+        CALL_MACRO(TVM_EMUL_SZ, regs, hsr, val, TVMINF_##r)
+#define TVM_EMUL_VMEVT(regs, hsr, val, vmevt_r, r...) \
+        CALL_MACRO(TVM_EMUL_SZ_VMEVT, regs, hsr, val, vmevt_r, TVMINF_##r)
+
+#endif
+
+#endif /* __ASM_ARM_TRAPS_H__ */
diff --git a/xen/include/asm-arm/vm_event.h b/xen/include/asm-arm/vm_event.h
index 014d9ba..a1b9f5b 100644
--- a/xen/include/asm-arm/vm_event.h
+++ b/xen/include/asm-arm/vm_event.h
@@ -33,6 +33,7 @@ int vm_event_init_domain(struct domain *d)
 static inline
 void vm_event_cleanup_domain(struct domain *d)
 {
+    memset(&d->arch.monitor, 0, sizeof(d->arch.monitor));
     memset(&d->monitor, 0, sizeof(d->monitor));
 }
 
@@ -63,7 +64,8 @@ static inline uint32_t vm_event_monitor_get_capabilities(struct domain *d)
 {
     uint32_t capabilities = 0;
 
-    capabilities = (1U << XEN_DOMCTL_MONITOR_EVENT_GUEST_REQUEST);
+    capabilities = (1U << XEN_DOMCTL_MONITOR_EVENT_WRITE_CTRLREG) |
+                   (1U << XEN_DOMCTL_MONITOR_EVENT_GUEST_REQUEST);
 
     return capabilities;
 }
diff --git a/xen/include/asm-x86/hvm/event.h b/xen/include/asm-x86/hvm/event.h
index 03f7fee..923d970 100644
--- a/xen/include/asm-x86/hvm/event.h
+++ b/xen/include/asm-x86/hvm/event.h
@@ -21,6 +21,7 @@
 
 #include <xen/sched.h>
 #include <xen/paging.h>
+#include <xen/vm_event.h>
 #include <public/vm_event.h>
 
 enum hvm_event_breakpoint_type
@@ -29,19 +30,13 @@ enum hvm_event_breakpoint_type
     HVM_EVENT_SINGLESTEP_BREAKPOINT,
 };
 
-/*
- * Called for current VCPU on crX/MSR changes by guest.
- * The event might not fire if the client has subscribed to it in onchangeonly
- * mode, hence the bool_t return type for control register write events.
- */
-bool_t hvm_event_cr(unsigned int index, unsigned long value,
-                    unsigned long old);
-#define hvm_event_crX(cr, new, old) \
-    hvm_event_cr(VM_EVENT_X86_##cr, new, old)
 void hvm_event_msr(unsigned int msr, uint64_t value);
 int hvm_event_breakpoint(unsigned long rip,
                          enum hvm_event_breakpoint_type type);
 
+#define hvm_event_crX(cr, new, old) \
+    vm_event_monitor_cr(VM_EVENT_X86_##cr, new, old)
+
 #endif /* __ASM_X86_HVM_EVENT_H__ */
 
 /*
diff --git a/xen/include/asm-x86/monitor.h b/xen/include/asm-x86/monitor.h
index 0954b59..4c0dc2e 100644
--- a/xen/include/asm-x86/monitor.h
+++ b/xen/include/asm-x86/monitor.h
@@ -27,8 +27,6 @@
 #include <asm/cpufeature.h>
 #include <asm/hvm/hvm.h>
 
-#define monitor_ctrlreg_bitmask(ctrlreg_index) (1U << (ctrlreg_index))
-
 static inline
 int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop)
 {
diff --git a/xen/include/public/vm_event.h b/xen/include/public/vm_event.h
index 9270d52..864d72d 100644
--- a/xen/include/public/vm_event.h
+++ b/xen/include/public/vm_event.h
@@ -120,12 +120,18 @@
 /* An event has been requested via HVMOP_guest_request_vm_event. */
 #define VM_EVENT_REASON_GUEST_REQUEST           8
 
-/* Supported values for the vm_event_write_ctrlreg index. */
+/* Supported values for the vm_event_write_ctrlreg index (x86). */
 #define VM_EVENT_X86_CR0    0
 #define VM_EVENT_X86_CR3    1
 #define VM_EVENT_X86_CR4    2
 #define VM_EVENT_X86_XCR0   3
 
+/* Supported values for the vm_event_write_ctrlreg index (arm). */
+#define VM_EVENT_ARM_SCTLR  0       /* SCTLR_EL1 (aarch64), SCTLR (aarch32) */
+#define VM_EVENT_ARM_TTBR0  1       /* TTBR0_EL1 (aarch64), TTBR0 (aarch32) */
+#define VM_EVENT_ARM_TTBR1  2       /* TTBR1_EL1 (aarch64), TTBR1 (aarch32) */
+#define VM_EVENT_ARM_TTBCR  3       /* TCR_EL1   (aarch64), TTBCR (aarch32) */
+
 /*
  * Using a custom struct (not hvm_hw_cpu) so as to not fill
  * the vm_event ring buffer too quickly.
diff --git a/xen/include/xen/monitor.h b/xen/include/xen/monitor.h
index 7015e6d..dc5b9d7 100644
--- a/xen/include/xen/monitor.h
+++ b/xen/include/xen/monitor.h
@@ -25,6 +25,8 @@
 struct domain;
 struct xen_domctl_monitor_op;
 
+#define monitor_ctrlreg_bitmask(ctrlreg_index) (1U << (ctrlreg_index))
+
 int monitor_domctl(struct domain *d, struct xen_domctl_monitor_op *op);
 
 #endif /* __XEN_MONITOR_H__ */
diff --git a/xen/include/xen/vm_event.h b/xen/include/xen/vm_event.h
index beda9fe..3eb7e9a 100644
--- a/xen/include/xen/vm_event.h
+++ b/xen/include/xen/vm_event.h
@@ -81,6 +81,14 @@ void vm_event_vcpu_unpause(struct vcpu *v);
 int vm_event_monitor_traps(struct vcpu *v, uint8_t sync,
                            vm_event_request_t *req);
 
+/*
+ * Called for current VCPU on control-register changes by guest.
+ * The event might not fire if the client has subscribed to it in onchangeonly
+ * mode, hence the bool_t return type for control register write events.
+ */
+bool_t vm_event_monitor_cr(unsigned int index, unsigned long value,
+                           unsigned long old);
+
 void vm_event_monitor_guest_request(void);
 
 #endif /* __VM_EVENT_H__ */
-- 
2.5.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

On 3/3/2016 4:10 PM, Corneliu ZUZU wrote:
> The patch was currently tested on an ARMv8 (CONFIG_ARM_64) machine (after
> applying a fix I'll send soon).

Shannon beat me to it with the fix ;) See "[PATCH] arm/timer: fix panic 
when booting with DT".

Corneliu.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Razvan Cojocaru]

On 03/03/2016 04:10 PM, Corneliu ZUZU wrote:
> Q2) About VM_EVENT_FLAG_DENY
> 
>   Q2.1)
>     Doesn't it require sync = 1 (i.e. the vcpu to be paused) to work?
>     If so, shouldn't we call vm_event_register_write_resume only after checking
>     that VM_EVENT_FLAG_VCPU_PAUSED flag is set (vm_event_resume). Moreover, if
>     we do that, wouldn't it be 'cleaner' to rename
>     vm_event_register_write_resume->vm_event_deny, check for the
>     VM_EVENT_FLAG_DENY flag in vm_event_resume instead and call vm_event_deny
>     from there after this check?

Yes, it does require the VCPU to be paused to work, and yes, it's a good
idea to check that that flag is set in the response.

Beyond that, I'd prefer we keep vm_event_register_write_resume()
because, while today all we do there is check that VM_EVENT_FLAG_DENY is
set, we might want do to other things as well there as well (for
example, maybe validate the content of some register). That was really
the point of the "bigger-named" function.

But that's just my opinion, if Tamas prefers your rename suggestion I'll
consider myself outnumbered.

>   Q2.2)
>     VM_EVENT_FLAG_DENY functionality is not implemented w/ this change-set.
>     What is done instead is that the control-register write is done *before*
>     sending the vm-event (vm_event_put_request). This way, the user can
>     override the written register value after receiving the vm-event, which
>     in effect provides the same flexibility as VM_EVENT_FLAG_DENY does.
>     Using this strategy instead would simplify both Xen's code and the libxc
>     user's code.
>     Thoughts?

That's how I initially did it with CR events, but with an application
dealing with huge numbers of events, an extra hypercall (to re-set the
register) can be quite expensive, so I had to rework it to the present
state. On these grounds I'm opposed to it - and for consistency I would
prefer that all register write events are pre-write events, and deniable
with a single vm_event reply.


HTH,
Razvan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

On 3/3/2016 6:15 PM, Razvan Cojocaru wrote:
> On 03/03/2016 04:10 PM, Corneliu ZUZU wrote:
>> Q2) About VM_EVENT_FLAG_DENY
>>
>>    Q2.1)
>>      Doesn't it require sync = 1 (i.e. the vcpu to be paused) to work?
>>      If so, shouldn't we call vm_event_register_write_resume only after checking
>>      that VM_EVENT_FLAG_VCPU_PAUSED flag is set (vm_event_resume). Moreover, if
>>      we do that, wouldn't it be 'cleaner' to rename
>>      vm_event_register_write_resume->vm_event_deny, check for the
>>      VM_EVENT_FLAG_DENY flag in vm_event_resume instead and call vm_event_deny
>>      from there after this check?
> Yes, it does require the VCPU to be paused to work, and yes, it's a good
> idea to check that that flag is set in the response.
>
> Beyond that, I'd prefer we keep vm_event_register_write_resume()
> because, while today all we do there is check that VM_EVENT_FLAG_DENY is
> set, we might want do to other things as well there as well (for
> example, maybe validate the content of some register). That was really
> the point of the "bigger-named" function.
>
> But that's just my opinion, if Tamas prefers your rename suggestion I'll
> consider myself outnumbered.

Oh, ok, then the check for VM_EVENT_FLAG_VCPU_PAUSED would be done in 
vm_event_register_write_resume instead of vm_event_resume,
since I suppose vm_event_register_write_resume shouldn't be called only 
when the vcpu is paused, we only apply that to the DENY flag, correct?

>>    Q2.2)
>>      VM_EVENT_FLAG_DENY functionality is not implemented w/ this change-set.
>>      What is done instead is that the control-register write is done *before*
>>      sending the vm-event (vm_event_put_request). This way, the user can
>>      override the written register value after receiving the vm-event, which
>>      in effect provides the same flexibility as VM_EVENT_FLAG_DENY does.
>>      Using this strategy instead would simplify both Xen's code and the libxc
>>      user's code.
>>      Thoughts?
> That's how I initially did it with CR events, but with an application
> dealing with huge numbers of events, an extra hypercall (to re-set the
> register) can be quite expensive, so I had to rework it to the present
> state. On these grounds I'm opposed to it - and for consistency I would
> prefer that all register write events are pre-write events, and deniable
> with a single vm_event reply.
>

Ah, I understand. I figured the utility of the DENY flag was only for 
cases where you'd want to actively
override the value written to the register (set register to overridden 
value + resume w/ DENY), instead
of just forbidding the write and leaving the register untouched (i.e. 
set on the old value).
If the latter is a  desirable functionality then it indeed makes sense 
to have a DENY flag.

With that said, another thing crossed my mind. Since the DENY flag will 
be implemented for ARM w/ the next
revision and the actual write will be done on the scheduler tail, 
similarly to X86 ((hvm_do_resume), wouldn't
it be good if we separated the code that checks monitor_write_data from 
there into an arch-dependent function,
e.g. vm_event_monitor_write_data? That way the scheduler tail function 
won't be 'polluted' w/ that code and IMHO
it will make the vm-events design more clear (since that functionality 
will also be in vm_event.c along w/ the other
vm_event_* functions).

> HTH,
> Razvan
>

Thanks,
Corneliu.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Razvan Cojocaru]

On 03/03/2016 08:04 PM, Corneliu ZUZU wrote:
> On 3/3/2016 6:15 PM, Razvan Cojocaru wrote:
>> On 03/03/2016 04:10 PM, Corneliu ZUZU wrote:
>>> Q2) About VM_EVENT_FLAG_DENY
>>>
>>>    Q2.1)
>>>      Doesn't it require sync = 1 (i.e. the vcpu to be paused) to work?
>>>      If so, shouldn't we call vm_event_register_write_resume only
>>> after checking
>>>      that VM_EVENT_FLAG_VCPU_PAUSED flag is set (vm_event_resume).
>>> Moreover, if
>>>      we do that, wouldn't it be 'cleaner' to rename
>>>      vm_event_register_write_resume->vm_event_deny, check for the
>>>      VM_EVENT_FLAG_DENY flag in vm_event_resume instead and call
>>> vm_event_deny
>>>      from there after this check?
>> Yes, it does require the VCPU to be paused to work, and yes, it's a good
>> idea to check that that flag is set in the response.
>>
>> Beyond that, I'd prefer we keep vm_event_register_write_resume()
>> because, while today all we do there is check that VM_EVENT_FLAG_DENY is
>> set, we might want do to other things as well there as well (for
>> example, maybe validate the content of some register). That was really
>> the point of the "bigger-named" function.
>>
>> But that's just my opinion, if Tamas prefers your rename suggestion I'll
>> consider myself outnumbered.
> 
> Oh, ok, then the check for VM_EVENT_FLAG_VCPU_PAUSED would be done in
> vm_event_register_write_resume instead of vm_event_resume,
> since I suppose vm_event_register_write_resume shouldn't be called only
> when the vcpu is paused, we only apply that to the DENY flag, correct?

Yes, I think that's the path of least resistance.

>>>    Q2.2)
>>>      VM_EVENT_FLAG_DENY functionality is not implemented w/ this
>>> change-set.
>>>      What is done instead is that the control-register write is done
>>> *before*
>>>      sending the vm-event (vm_event_put_request). This way, the user can
>>>      override the written register value after receiving the
>>> vm-event, which
>>>      in effect provides the same flexibility as VM_EVENT_FLAG_DENY does.
>>>      Using this strategy instead would simplify both Xen's code and
>>> the libxc
>>>      user's code.
>>>      Thoughts?
>> That's how I initially did it with CR events, but with an application
>> dealing with huge numbers of events, an extra hypercall (to re-set the
>> register) can be quite expensive, so I had to rework it to the present
>> state. On these grounds I'm opposed to it - and for consistency I would
>> prefer that all register write events are pre-write events, and deniable
>> with a single vm_event reply.
>>
> 
> Ah, I understand. I figured the utility of the DENY flag was only for
> cases where you'd want to actively
> override the value written to the register (set register to overridden
> value + resume w/ DENY), instead
> of just forbidding the write and leaving the register untouched (i.e.
> set on the old value).
> If the latter is a  desirable functionality then it indeed makes sense
> to have a DENY flag.

Yes, that's the goal.

> With that said, another thing crossed my mind. Since the DENY flag will
> be implemented for ARM w/ the next
> revision and the actual write will be done on the scheduler tail,
> similarly to X86 ((hvm_do_resume), wouldn't
> it be good if we separated the code that checks monitor_write_data from
> there into an arch-dependent function,
> e.g. vm_event_monitor_write_data? That way the scheduler tail function
> won't be 'polluted' w/ that code and IMHO
> it will make the vm-events design more clear (since that functionality
> will also be in vm_event.c along w/ the other
> vm_event_* functions).

Sounds good, except perhaps for the function name but I'm not sure what
a better one might be unfortunately, maybe someone else with chime in
with a suggestion.


Thanks,
Razvan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

On 3/3/2016 8:51 PM, Razvan Cojocaru wrote:
> On 03/03/2016 08:04 PM, Corneliu ZUZU wrote:
>> On 3/3/2016 6:15 PM, Razvan Cojocaru wrote:
>>> On 03/03/2016 04:10 PM, Corneliu ZUZU wrote:
>>>> Q2) About VM_EVENT_FLAG_DENY
>>>>
>>>>     Q2.1)
>>>>       Doesn't it require sync = 1 (i.e. the vcpu to be paused) to work?
>>>>       If so, shouldn't we call vm_event_register_write_resume only
>>>> after checking
>>>>       that VM_EVENT_FLAG_VCPU_PAUSED flag is set (vm_event_resume).
>>>> Moreover, if
>>>>       we do that, wouldn't it be 'cleaner' to rename
>>>>       vm_event_register_write_resume->vm_event_deny, check for the
>>>>       VM_EVENT_FLAG_DENY flag in vm_event_resume instead and call
>>>> vm_event_deny
>>>>       from there after this check?
>>> Yes, it does require the VCPU to be paused to work, and yes, it's a good
>>> idea to check that that flag is set in the response.
>>>
>>> Beyond that, I'd prefer we keep vm_event_register_write_resume()
>>> because, while today all we do there is check that VM_EVENT_FLAG_DENY is
>>> set, we might want do to other things as well there as well (for
>>> example, maybe validate the content of some register). That was really
>>> the point of the "bigger-named" function.
>>>
>>> But that's just my opinion, if Tamas prefers your rename suggestion I'll
>>> consider myself outnumbered.
>> Oh, ok, then the check for VM_EVENT_FLAG_VCPU_PAUSED would be done in
>> vm_event_register_write_resume instead of vm_event_resume,
>> since I suppose vm_event_register_write_resume shouldn't be called only
>> when the vcpu is paused, we only apply that to the DENY flag, correct?
> Yes, I think that's the path of least resistance.
>
>>>>     Q2.2)
>>>>       VM_EVENT_FLAG_DENY functionality is not implemented w/ this
>>>> change-set.
>>>>       What is done instead is that the control-register write is done
>>>> *before*
>>>>       sending the vm-event (vm_event_put_request). This way, the user can
>>>>       override the written register value after receiving the
>>>> vm-event, which
>>>>       in effect provides the same flexibility as VM_EVENT_FLAG_DENY does.
>>>>       Using this strategy instead would simplify both Xen's code and
>>>> the libxc
>>>>       user's code.
>>>>       Thoughts?
>>> That's how I initially did it with CR events, but with an application
>>> dealing with huge numbers of events, an extra hypercall (to re-set the
>>> register) can be quite expensive, so I had to rework it to the present
>>> state. On these grounds I'm opposed to it - and for consistency I would
>>> prefer that all register write events are pre-write events, and deniable
>>> with a single vm_event reply.
>>>
>> Ah, I understand. I figured the utility of the DENY flag was only for
>> cases where you'd want to actively
>> override the value written to the register (set register to overridden
>> value + resume w/ DENY), instead
>> of just forbidding the write and leaving the register untouched (i.e.
>> set on the old value).
>> If the latter is a  desirable functionality then it indeed makes sense
>> to have a DENY flag.
> Yes, that's the goal.
>
>> With that said, another thing crossed my mind. Since the DENY flag will
>> be implemented for ARM w/ the next
>> revision and the actual write will be done on the scheduler tail,
>> similarly to X86 ((hvm_do_resume), wouldn't
>> it be good if we separated the code that checks monitor_write_data from
>> there into an arch-dependent function,
>> e.g. vm_event_monitor_write_data? That way the scheduler tail function
>> won't be 'polluted' w/ that code and IMHO
>> it will make the vm-events design more clear (since that functionality
>> will also be in vm_event.c along w/ the other
>> vm_event_* functions).
> Sounds good, except perhaps for the function name but I'm not sure what
> a better one might be unfortunately, maybe someone else with chime in
> with a suggestion.
>
>
> Thanks,
> Razvan
>
>

I was thinking of the option of giving this function the significance of 
it being called by the
scheduler tail, i.e. just before "entering" a vcpu, in which case we 
could use a name
like vm_event_schedtail.
To me this sounds pretty good since it generalizes the function and it 
makes sense to have
a vm_event_* function that is called just before a vcpu is scheduled, 
i.e. a vm-events function
that would add-in a "final touch" before the "final stage" of actually 
entering the vcpu.

Let me know what you think.

Thanks,
Corneliu.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Razvan Cojocaru]

>>> With that said, another thing crossed my mind. Since the DENY flag will
>>> be implemented for ARM w/ the next
>>> revision and the actual write will be done on the scheduler tail,
>>> similarly to X86 ((hvm_do_resume), wouldn't
>>> it be good if we separated the code that checks monitor_write_data from
>>> there into an arch-dependent function,
>>> e.g. vm_event_monitor_write_data? That way the scheduler tail function
>>> won't be 'polluted' w/ that code and IMHO
>>> it will make the vm-events design more clear (since that functionality
>>> will also be in vm_event.c along w/ the other
>>> vm_event_* functions).
>> Sounds good, except perhaps for the function name but I'm not sure what
>> a better one might be unfortunately, maybe someone else with chime in
>> with a suggestion.
> 
> I was thinking of the option of giving this function the significance of
> it being called by the
> scheduler tail, i.e. just before "entering" a vcpu, in which case we
> could use a name
> like vm_event_schedtail.
> To me this sounds pretty good since it generalizes the function and it
> makes sense to have
> a vm_event_* function that is called just before a vcpu is scheduled,
> i.e. a vm-events function
> that would add-in a "final touch" before the "final stage" of actually
> entering the vcpu.
> 
> Let me know what you think.

Sounds good to me. Let's see if somebody else objects.


Thanks,
Razvan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

On 3/3/2016 4:10 PM, Corneliu ZUZU wrote:
> Then,
> QUESTIONS (FOR VM-EVENTS & ARM MAINTAINERS ESPECIALLY):
>
> Q1) [...]
>
> Q2) [...]
>
> Q3) [...]
>
> Q4) [...]


JSYK, I've realized I can find the answer for these easily (besides Q2, 
for which
Razvan already gave feedback) with some tests (as soon as I get access to my
ARMv8 machine). So, no need to think of that anymore ;)

Thanks,
Corneliu.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

On 3/3/2016 4:10 PM, Corneliu ZUZU wrote:
> Then,
> QUESTIONS (FOR VM-EVENTS & ARM MAINTAINERS ESPECIALLY):
>
> Q1) [...]
>
> Q2) [...]
>
> Q3) [...]
>
> Q4) [...]

Hey all,

I have a question relating to this part of code @ vmx_update_guest_cr:

         if ( paging_mode_hap(v->domain) )
         {
             /* Manage GUEST_CR3 when CR0.PE=0. */
             uint32_t cr3_ctls = (CPU_BASED_CR3_LOAD_EXITING |
                                  CPU_BASED_CR3_STORE_EXITING);
             v->arch.hvm_vmx.exec_control &= ~cr3_ctls;
             if ( !hvm_paging_enabled(v) && !vmx_unrestricted_guest(v) )
                 v->arch.hvm_vmx.exec_control |= cr3_ctls;

             /* Trap CR3 updates if CR3 memory events are enabled. */
             if ( v->domain->arch.monitor.write_ctrlreg_enabled &
                  monitor_ctrlreg_bitmask(VM_EVENT_X86_CR3) )
                 v->arch.hvm_vmx.exec_control |= CPU_BASED_CR3_LOAD_EXITING;

             vmx_update_cpu_exec_control(v);
         }

While trying to move the check for VM_EVENT_X86_CR3 to the scheduling 
tail, a few questions came to my mind.

1). Tamas, Razvan, maybe you guys could clarify this. I noticed this 
part of code is only executed if paging_mode_hap(v->domain). Is EPT 
mandatory to monitor CR3 writes or is it just that when shadow paging is 
enabled, CR3 r/w are unconditionally trapped? If the former is true, 
shouldn't we do a check like this in vm_event_monitor_get_capabilities 
instead?

2). I was also wondering why CR3 load/stores are trapped if paging is 
disabled for a domain.

Thanks,
Corneliu.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Tamas K Lengyel]

[-- Attachment #1.1: Type: text/plain, Size: 2281 bytes --]

On Mon, Mar 7, 2016 at 9:22 AM, Corneliu ZUZU <czuzu@bitdefender.com> wrote:

> On 3/3/2016 4:10 PM, Corneliu ZUZU wrote:
>
>> Then,
>> QUESTIONS (FOR VM-EVENTS & ARM MAINTAINERS ESPECIALLY):
>>
>> Q1) [...]
>>
>> Q2) [...]
>>
>> Q3) [...]
>>
>> Q4) [...]
>>
>
> Hey all,
>
> I have a question relating to this part of code @ vmx_update_guest_cr:
>
>         if ( paging_mode_hap(v->domain) )
>         {
>             /* Manage GUEST_CR3 when CR0.PE=0. */
>             uint32_t cr3_ctls = (CPU_BASED_CR3_LOAD_EXITING |
>                                  CPU_BASED_CR3_STORE_EXITING);
>             v->arch.hvm_vmx.exec_control &= ~cr3_ctls;
>             if ( !hvm_paging_enabled(v) && !vmx_unrestricted_guest(v) )
>                 v->arch.hvm_vmx.exec_control |= cr3_ctls;
>
>             /* Trap CR3 updates if CR3 memory events are enabled. */
>             if ( v->domain->arch.monitor.write_ctrlreg_enabled &
>                  monitor_ctrlreg_bitmask(VM_EVENT_X86_CR3) )
>                 v->arch.hvm_vmx.exec_control |= CPU_BASED_CR3_LOAD_EXITING;
>
>             vmx_update_cpu_exec_control(v);
>         }
>
> While trying to move the check for VM_EVENT_X86_CR3 to the scheduling
> tail, a few questions came to my mind.
>
> 1). Tamas, Razvan, maybe you guys could clarify this. I noticed this part
> of code is only executed if paging_mode_hap(v->domain). Is EPT mandatory to
> monitor CR3 writes or is it just that when shadow paging is enabled, CR3
> r/w are unconditionally trapped?


EPT is not really required for CR3 monitoring, it just has been the case
that vm_events have been only implemented for hap-enabled domains. AFAIK
for non-hap case CR3 needs to be trapped unconditionally, yes.


> If the former is true, shouldn't we do a check like this in
> vm_event_monitor_get_capabilities instead?
>

Yes, it should now, this code was just written before
vm_event_monitor_get_capabilities was introduced and we haven't gotten
around converting this check to it.


>
> 2). I was also wondering why CR3 load/stores are trapped if paging is
> disabled for a domain.
>

Good question, I was wondering about that myself at some point but I
haven't found an answer to it. Maybe some git archaeology can help
determining when that was added and why ;)

Cheers,
Tamas

[-- Attachment #1.2: Type: text/html, Size: 3452 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

[-- Attachment #1.1: Type: text/plain, Size: 1295 bytes --]

On 3/7/2016 11:12 AM, Tamas K Lengyel wrote:
> EPT is not really required for CR3 monitoring, it just has been the 
> case that vm_events have been only implemented for hap-enabled domains.

I suppose this is not valid for vm-events in their entirety, right? I 
mean it seems to me that @ least for monitor vm-events VMX is enough.

> AFAIK for non-hap case CR3 needs to be trapped unconditionally, yes.
>
>     If the former is true, shouldn't we do a check like this in
>     vm_event_monitor_get_capabilities instead?
>
>
> Yes, it should now, this code was just written before 
> vm_event_monitor_get_capabilities was introduced and we haven't gotten 
> around converting this check to it.

Is there any reason why monitor vm-events in their current state 
wouldn't work on non-hap domains?
If they would work, shouldn't we instead simply move the 
monitor.write_ctrlreg_enabled part out of the if ( paging_mode_hap(...) ) ?

>
>     2). I was also wondering why CR3 load/stores are trapped if paging
>     is disabled for a domain.
>
>
> Good question, I was wondering about that myself at some point but I 
> haven't found an answer to it. Maybe some git archaeology can help 
> determining when that was added and why ;)
>
> Cheers,
> Tamas

Yep, will "blame into it".

Thanks,
Corneliu.

[-- Attachment #1.2: Type: text/html, Size: 3126 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Tamas K Lengyel]

[-- Attachment #1.1: Type: text/plain, Size: 1312 bytes --]

On Mon, Mar 7, 2016 at 10:31 AM, Corneliu ZUZU <czuzu@bitdefender.com>
wrote:

> On 3/7/2016 11:12 AM, Tamas K Lengyel wrote:
>
> EPT is not really required for CR3 monitoring, it just has been the case
> that vm_events have been only implemented for hap-enabled domains.
>
>
> I suppose this is not valid for vm-events in their entirety, right? I mean
> it seems to me that @ least for monitor vm-events VMX is enough.
>

Yes. OTOH I don't think you can find any CPUs on the market today that
support VMX but have no EPT so this hasn't really caused any issues for
anyone using vm_events, but technically yes VMX is enough for these events.

> AFAIK for non-hap case CR3 needs to be trapped unconditionally, yes.
>
>
>> If the former is true, shouldn't we do a check like this in
>> vm_event_monitor_get_capabilities instead?
>>
>
> Yes, it should now, this code was just written before
> vm_event_monitor_get_capabilities was introduced and we haven't gotten
> around converting this check to it.
>
>
> Is there any reason why monitor vm-events in their current state wouldn't
> work on non-hap domains?
> If they would work, shouldn't we instead simply move the
> monitor.write_ctrlreg_enabled part out of the if ( paging_mode_hap(...) ) ?
>

Yeap, that sounds like the right place to have that check.

Tamas

[-- Attachment #1.2: Type: text/html, Size: 2774 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

[-- Attachment #1.1: Type: text/plain, Size: 2053 bytes --]

On 3/7/2016 11:45 AM, Tamas K Lengyel wrote:
>
>
> On Mon, Mar 7, 2016 at 10:31 AM, Corneliu ZUZU <czuzu@bitdefender.com 
> <mailto:czuzu@bitdefender.com>> wrote:
>
>     On 3/7/2016 11:12 AM, Tamas K Lengyel wrote:
>>     EPT is not really required for CR3 monitoring, it just has been
>>     the case that vm_events have been only implemented for
>>     hap-enabled domains.
>
>     I suppose this is not valid for vm-events in their entirety,
>     right? I mean it seems to me that @ least for monitor vm-events
>     VMX is enough.
>
>
> Yes. OTOH I don't think you can find any CPUs on the market today that 
> support VMX but have no EPT so this hasn't really caused any issues 
> for anyone using vm_events, but technically yes VMX is enough for 
> these events.
>
>>     AFAIK for non-hap case CR3 needs to be trapped unconditionally, yes.
>>
>>         If the former is true, shouldn't we do a check like this in
>>         vm_event_monitor_get_capabilities instead?
>>
>>
>>     Yes, it should now, this code was just written before
>>     vm_event_monitor_get_capabilities was introduced and we haven't
>>     gotten around converting this check to it.
>
>     Is there any reason why monitor vm-events in their current state
>     wouldn't work on non-hap domains?
>     If they would work, shouldn't we instead simply move the
>     monitor.write_ctrlreg_enabled part out of the if (
>     paging_mode_hap(...) ) ?
>
>
> Yeap, that sounds like the right place to have that check.
>
> Tamas

Good, with that out of the way, one more issue to solve. What I'm 
actually trying to do is to move that part of the code to the scheduling 
tail - i.e. enabling/disabling CPU_BASED_CR3_LOAD_EXITING only when we 
actually enter the vcpu.
To do this I also need to know exactly in what cases 
CPU_BASED_CR3_LOAD_EXITING can/is enabled, besides the already mentioned 
case when a domain's paging is disabled.

I'm searching through the codebase right now but it's a bit dizzying, 
can someone provide some feedback on this matter?

Thanks,
Corneliu.

[-- Attachment #1.2: Type: text/html, Size: 4912 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

[-- Attachment #1.1: Type: text/plain, Size: 3581 bytes --]

On 3/7/2016 2:07 PM, Corneliu ZUZU wrote:
> On 3/7/2016 11:45 AM, Tamas K Lengyel wrote:
>>
>>
>> On Mon, Mar 7, 2016 at 10:31 AM, Corneliu ZUZU <czuzu@bitdefender.com 
>> <mailto:czuzu@bitdefender.com>> wrote:
>>
>>     On 3/7/2016 11:12 AM, Tamas K Lengyel wrote:
>>>     EPT is not really required for CR3 monitoring, it just has been
>>>     the case that vm_events have been only implemented for
>>>     hap-enabled domains.
>>
>>     I suppose this is not valid for vm-events in their entirety,
>>     right? I mean it seems to me that @ least for monitor vm-events
>>     VMX is enough.
>>
>>
>> Yes. OTOH I don't think you can find any CPUs on the market today 
>> that support VMX but have no EPT so this hasn't really caused any 
>> issues for anyone using vm_events, but technically yes VMX is enough 
>> for these events.
>>
>>>     AFAIK for non-hap case CR3 needs to be trapped unconditionally, yes.
>>>
>>>         If the former is true, shouldn't we do a check like this in
>>>         vm_event_monitor_get_capabilities instead?
>>>
>>>
>>>     Yes, it should now, this code was just written before
>>>     vm_event_monitor_get_capabilities was introduced and we haven't
>>>     gotten around converting this check to it.
>>
>>     Is there any reason why monitor vm-events in their current state
>>     wouldn't work on non-hap domains?
>>     If they would work, shouldn't we instead simply move the
>>     monitor.write_ctrlreg_enabled part out of the if (
>>     paging_mode_hap(...) ) ?
>>
>>
>> Yeap, that sounds like the right place to have that check.
>>
>> Tamas
>
> Good, with that out of the way, one more issue to solve. What I'm 
> actually trying to do is to move that part of the code to the 
> scheduling tail - i.e. enabling/disabling CPU_BASED_CR3_LOAD_EXITING 
> only when we actually enter the vcpu.
> To do this I also need to know exactly in what cases 
> CPU_BASED_CR3_LOAD_EXITING can/is enabled, besides the already 
> mentioned case when a domain's paging is disabled.
>
> I'm searching through the codebase right now but it's a bit dizzying, 
> can someone provide some feedback on this matter?
>
> Thanks,
> Corneliu.

Ok, by searching for places v->arch.hvm_vmx.exec_control is set, it 
seems that vmx_update_guest_cr is the only place where CR3 load-exiting 
is set/unset.

It also seems that in non-hap case CPU_BASED_CR3_LOAD_EXITING is indeed 
unconditionally enabled, i.e. @ vmx_vcpu_initialise -> vmx_create_vmcs 
-> construct_vmcs:

     v->arch.hvm_vmx.secondary_exec_control = vmx_secondary_exec_control;

     /* Disable VPID for now: we decide when to enable it on VMENTER. */
     v->arch.hvm_vmx.secondary_exec_control &= ~SECONDARY_EXEC_ENABLE_VPID;

     if ( paging_mode_hap(d) )
     {
         v->arch.hvm_vmx.exec_control &= ~(CPU_BASED_INVLPG_EXITING |
                                           CPU_BASED_CR3_LOAD_EXITING |
CPU_BASED_CR3_STORE_EXITING);
     }

Can somebody else confirm this, just to be sure?

Tamas, if this were true, that would mean that we can move that part to 
the scheduling tail, and we could write there smth like this pseudocode:

     /* if ! hap => CR3 writes unconditionally trap */
     if (paging_mode_hap) return;
     if  (monitor.write_ctrlreg_enabled for CR3) and 
(CPU_BASED_CR3_LOAD_EXITING currently disabled)
         enable CPU_BASED_CR3_LOAD_EXITING;
    else if (NOT monitor.write_ctrlreg_enabled for CR3) and 
(CPU_BASED_CR3_LOAD_EXITING currently enabled) and (paging is enabled)
         disable CPU_BASED_CR3_LOAD_EXITING;

Would that be suitable?

Thanks,
Corneliu.

[-- Attachment #1.2: Type: text/html, Size: 7410 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Andrew Cooper]

[-- Attachment #1.1: Type: text/plain, Size: 3037 bytes --]

On 07/03/16 09:12, Tamas K Lengyel wrote:
>
>
> On Mon, Mar 7, 2016 at 9:22 AM, Corneliu ZUZU <czuzu@bitdefender.com
> <mailto:czuzu@bitdefender.com>> wrote:
>
>     On 3/3/2016 4:10 PM, Corneliu ZUZU wrote:
>
>         Then,
>         QUESTIONS (FOR VM-EVENTS & ARM MAINTAINERS ESPECIALLY):
>
>         Q1) [...]
>
>         Q2) [...]
>
>         Q3) [...]
>
>         Q4) [...]
>
>
>     Hey all,
>
>     I have a question relating to this part of code @ vmx_update_guest_cr:
>
>             if ( paging_mode_hap(v->domain) )
>             {
>                 /* Manage GUEST_CR3 when CR0.PE <http://CR0.PE>=0. */
>                 uint32_t cr3_ctls = (CPU_BASED_CR3_LOAD_EXITING |
>                                      CPU_BASED_CR3_STORE_EXITING);
>                 v->arch.hvm_vmx.exec_control &= ~cr3_ctls;
>                 if ( !hvm_paging_enabled(v) &&
>     !vmx_unrestricted_guest(v) )
>                     v->arch.hvm_vmx.exec_control |= cr3_ctls;
>
>                 /* Trap CR3 updates if CR3 memory events are enabled. */
>                 if ( v->domain->arch.monitor.write_ctrlreg_enabled &
>                      monitor_ctrlreg_bitmask(VM_EVENT_X86_CR3) )
>                     v->arch.hvm_vmx.exec_control |=
>     CPU_BASED_CR3_LOAD_EXITING;
>
>                 vmx_update_cpu_exec_control(v);
>             }
>
>     While trying to move the check for VM_EVENT_X86_CR3 to the
>     scheduling tail, a few questions came to my mind.
>
>     1). Tamas, Razvan, maybe you guys could clarify this. I noticed
>     this part of code is only executed if paging_mode_hap(v->domain).
>     Is EPT mandatory to monitor CR3 writes or is it just that when
>     shadow paging is enabled, CR3 r/w are unconditionally trapped?
>
>
> EPT is not really required for CR3 monitoring, it just has been the
> case that vm_events have been only implemented for hap-enabled
> domains. AFAIK for non-hap case CR3 needs to be trapped
> unconditionally, yes.

Specifically, the shadow pagetable code needs to swap shadows when the
guest switches cr3.

>  
>
>     If the former is true, shouldn't we do a check like this in
>     vm_event_monitor_get_capabilities instead?
>
>
> Yes, it should now, this code was just written before
> vm_event_monitor_get_capabilities was introduced and we haven't gotten
> around converting this check to it.
>  
>
>
>     2). I was also wondering why CR3 load/stores are trapped if paging
>     is disabled for a domain.
>
>
> Good question, I was wondering about that myself at some point but I
> haven't found an answer to it. Maybe some git archaeology can help
> determining when that was added and why ;)

Gen1 VT-x didn't support running a guest in non-paged mode.  Gen2
introduced "unrestricted-guest" which works as intended, but Gen1 has to
fake non-pagad mode using identity paging.  As a result, CR3 cannot be
used as scratch space like it can in non-paged mode, and the guest must
be prevented from moving CR3 away from the gfn set up by the domain
builder in HVM_PARAM_IDENT_PT.

~Andrew

[-- Attachment #1.2: Type: text/html, Size: 6210 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events

[Corneliu ZUZU]

[-- Attachment #1.1: Type: text/plain, Size: 3171 bytes --]

On 3/7/2016 2:38 PM, Andrew Cooper wrote:
> On 07/03/16 09:12, Tamas K Lengyel wrote:
>>
>>
>> On Mon, Mar 7, 2016 at 9:22 AM, Corneliu ZUZU <czuzu@bitdefender.com 
>> <mailto:czuzu@bitdefender.com>> wrote:
>>
>>     On 3/3/2016 4:10 PM, Corneliu ZUZU wrote:
>>
>>         Then,
>>         QUESTIONS (FOR VM-EVENTS & ARM MAINTAINERS ESPECIALLY):
>>
>>         Q1) [...]
>>
>>         Q2) [...]
>>
>>         Q3) [...]
>>
>>         Q4) [...]
>>
>>
>>     Hey all,
>>
>>     I have a question relating to this part of code @
>>     vmx_update_guest_cr:
>>
>>             if ( paging_mode_hap(v->domain) )
>>             {
>>                 /* Manage GUEST_CR3 when CR0.PE <http://CR0.PE>=0. */
>>                 uint32_t cr3_ctls = (CPU_BASED_CR3_LOAD_EXITING |
>>      CPU_BASED_CR3_STORE_EXITING);
>>                 v->arch.hvm_vmx.exec_control &= ~cr3_ctls;
>>                 if ( !hvm_paging_enabled(v) &&
>>     !vmx_unrestricted_guest(v) )
>>                     v->arch.hvm_vmx.exec_control |= cr3_ctls;
>>
>>                 /* Trap CR3 updates if CR3 memory events are enabled. */
>>                 if ( v->domain->arch.monitor.write_ctrlreg_enabled &
>>      monitor_ctrlreg_bitmask(VM_EVENT_X86_CR3) )
>>                     v->arch.hvm_vmx.exec_control |=
>>     CPU_BASED_CR3_LOAD_EXITING;
>>
>>                 vmx_update_cpu_exec_control(v);
>>             }
>>
>>     While trying to move the check for VM_EVENT_X86_CR3 to the
>>     scheduling tail, a few questions came to my mind.
>>
>>     1). Tamas, Razvan, maybe you guys could clarify this. I noticed
>>     this part of code is only executed if paging_mode_hap(v->domain).
>>     Is EPT mandatory to monitor CR3 writes or is it just that when
>>     shadow paging is enabled, CR3 r/w are unconditionally trapped?
>>
>>
>> EPT is not really required for CR3 monitoring, it just has been the 
>> case that vm_events have been only implemented for hap-enabled 
>> domains. AFAIK for non-hap case CR3 needs to be trapped 
>> unconditionally, yes.
>
> Specifically, the shadow pagetable code needs to swap shadows when the 
> guest switches cr3.
>
>>     If the former is true, shouldn't we do a check like this in
>>     vm_event_monitor_get_capabilities instead?
>>
>>
>> Yes, it should now, this code was just written before 
>> vm_event_monitor_get_capabilities was introduced and we haven't 
>> gotten around converting this check to it.
>>
>>
>>     2). I was also wondering why CR3 load/stores are trapped if
>>     paging is disabled for a domain.
>>
>>
>> Good question, I was wondering about that myself at some point but I 
>> haven't found an answer to it. Maybe some git archaeology can help 
>> determining when that was added and why ;)
>
> Gen1 VT-x didn't support running a guest in non-paged mode.  Gen2 
> introduced "unrestricted-guest" which works as intended, but Gen1 has 
> to fake non-pagad mode using identity paging.  As a result, CR3 cannot 
> be used as scratch space like it can in non-paged mode, and the guest 
> must be prevented from moving CR3 away from the gfn set up by the 
> domain builder in HVM_PARAM_IDENT_PT.
>
> ~Andrew

Nice, thanks a bunch.

Corneliu.

[-- Attachment #1.2: Type: text/html, Size: 6834 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel