VMX: Difference between revisions

2,776 bytes added, 4 years ago
 
The structure of the VMCS is covered in detail in Chapter 20 of the Intel SDM volume 3B (see link below). Field encodings for VMWRITE and VMREAD are covered in Appendix H of the same manual.
== Peripheral Emulation ==
=== IO framework emulation ===
In x86 there are two kinds of I/O channels: port-based I/O (aka '''PIO''') and memory-mapped I/O (aka '''MMIO'''). PIO has a separate address space and dedicated I/O instructions for performing I/O. With MMIO, the device's I/O space is mapped into the memory address space, so ordinary memory-move instructions are used to perform I/O.
==== PIO emulation ====
With Intel VT-x, the hypervisor decides whether the guest's I/O instructions trap into VMX root mode by setting bit 24 of the primary processor-based VM-execution controls. If this bit is set, every I/O instruction executed by the guest causes a VM exit; otherwise, you have to set up the two I/O bitmap regions to select the ports whose accesses you want to trap.
 
An I/O instruction causes a VM exit with basic exit reason 30; from the exit qualification you can retrieve the access size, direction, port number and so on. For more details, refer to vmx_pio.c in the reference pages.
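As an added example (not code from this page or from the ZeldaOS project), the following C decodes the exit qualification delivered with exit reason 30 and looks the port up in a device table modelled on the PIO devices listed in the examples table below. The port ranges and the all-ones default for an unbacked port are assumptions of this example, not something the page states.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* VM-exit qualification for basic exit reason 30 (I/O instruction), decoded per
 * the Intel SDM vol. 3 table: bits 2:0 size, 3 direction, 4 string, 5 REP, 6 imm port, 31:16 port. */
struct pio_exit {
    uint8_t  size;      /* access width in bytes: 1, 2 or 4 */
    bool     is_in;     /* true = IN/INS (device -> guest), false = OUT/OUTS */
    bool     is_string; /* INS/OUTS rather than IN/OUT */
    bool     has_rep;   /* REP prefix present */
    bool     imm_port;  /* port taken from an imm8 rather than DX */
    uint16_t port;      /* I/O port number */
};

static struct pio_exit decode_pio_exit(uint64_t qual)
{
    struct pio_exit e;
    e.size      = (uint8_t)((qual & 0x7) + 1); /* encodings 0,1,3 -> 1,2,4 */
    e.is_in     = (qual >> 3) & 1;
    e.is_string = (qual >> 4) & 1;
    e.has_rep   = (qual >> 5) & 1;
    e.imm_port  = (qual >> 6) & 1;
    e.port      = (uint16_t)(qual >> 16);
    return e;
}

/* Emulated PIO devices named on this page at conventional PC ports (constructed table). */
struct pio_region { uint16_t base, len; const char *dev; };
static const struct pio_region regions[] = {
    { 0x20, 2, "8259 PIC (master)" }, { 0xA0, 2, "8259 PIC (slave)" },
    { 0x40, 4, "8253 PIT" }, { 0x60, 1, "8042 keyboard" },
    { 0x64, 1, "8042 keyboard" }, { 0x3F8, 8, "serial COM1" },
};

/* Device backing a port, or NULL so the caller fails closed instead of hitting real hardware. */
static const char *lookup_pio_device(uint16_t port)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (port >= regions[i].base && port < regions[i].base + regions[i].len)
            return regions[i].dev;
    return NULL;
}

/* What a guest IN reads from an unbacked port: all ones for the access width. */
static uint32_t unbacked_in_value(uint8_t size)
{
    return size == 4 ? 0xFFFFFFFFu : (1u << (size * 8)) - 1u;
}
```

A string or REP-prefixed access (INS/OUTS) must be emulated per element and the guest's RSI/RDI/RCX updated, which a handler that only honours `port` and `size` would get wrong.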
==== MMIO emulation ====
MMIO emulation on x86 is a bit different: we use EPT to capture MMIO accesses.
VMX provides two kinds of EPT-related VM exits: EPT violation and EPT misconfiguration. In general, when the guest accesses memory whose EPT mapping is not configured correctly (e.g. the memory is '''writable''' but '''not readable'''!), VMX causes a VM exit with EPT misconfiguration as the reason.
To perform an MMIO operation, the hypervisor must do the following:
# Decode the memory-move instruction to determine the instruction length, access size, direction, operation, register indices/immediates and the memory address involved.
# Search the MMIO device regions to see whether the address is backed by a device.
# Store the result in the destination register if necessary.
# Advance to the next instruction by adding the instruction length resolved in step 1 to the guest RIP.
 
=== Device emulation examples ===
{| {{wikitable}}
|-
! Device !! IO type !! Reference
|-
| Intel 8259 PIC || PIO ||https://github.com/chillancezen/ZeldaOS.x86_64/blob/master/vm_monitor/device_8259pic.c
|-
| Intel 8253 PIT || PIO ||https://github.com/chillancezen/ZeldaOS.x86_64/blob/master/vm_monitor/device_8253pit.c
|-
| Intel 8042 keyboard || PIO ||https://github.com/chillancezen/ZeldaOS.x86_64/blob/master/vm_monitor/device_keyboard.c
|-
| serial port controller || PIO ||https://github.com/chillancezen/ZeldaOS.x86_64/blob/master/vm_monitor/device_serial.c
|-
| 16-colors video controller || MMIO ||https://github.com/chillancezen/ZeldaOS.x86_64/blob/master/vm_monitor/device_video.c
|-
|}
 
== References ==
 
Bochs's vmx.cc (LGPLv2): http://bochs.cvs.sourceforge.net/viewvc/bochs/bochs/cpu/vmx.cc
 
PIO sub handler: https://github.com/chillancezen/ZeldaOS.x86_64/blob/master/vm_monitor/vmx_pio.c
 
Memory move instruction decode: https://github.com/chillancezen/ZeldaOS.x86_64/blob/master/vm_monitor/vmx_instruction_decoding.c
 
== Other examples ==
VMX implementation in a home-made OS: