2 * TPR optimization for 32-bit Windows guests (XP and Server 2003)
4 * Copyright (C) 2007-2008 Qumranet Technologies
5 * Copyright (C) 2012 Jan Kiszka, Siemens AG
7 * This work is licensed under the terms of the GNU GPL version 2, or
8 * (at your option) any later version. See the COPYING file in the
11 #include "sysemu/sysemu.h"
12 #include "sysemu/cpus.h"
13 #include "sysemu/kvm.h"
14 #include "hw/i386/apic_internal.h"
16 #define VAPIC_IO_PORT 0x7e
18 #define VAPIC_CPU_SHIFT 7
20 #define ROM_BLOCK_SIZE 512
21 #define ROM_BLOCK_MASK (~(ROM_BLOCK_SIZE - 1))
23 typedef enum VAPICMode {
29 typedef struct VAPICHandlers {
33 uint32_t get_tpr_stack;
34 } QEMU_PACKED VAPICHandlers;
36 typedef struct GuestROMState {
44 uint32_t real_tpr_addr;
47 } QEMU_PACKED GuestROMState;
49 typedef struct VAPICROMState {
54 uint32_t rom_state_paddr;
55 uint32_t rom_state_vaddr;
57 uint32_t real_tpr_addr;
58 GuestROMState rom_state;
60 bool rom_mapped_writable;
63 #define TPR_INSTR_ABS_MODRM 0x1
64 #define TPR_INSTR_MATCH_MODRM_REG 0x2
66 typedef struct TPRInstruction {
75 /* must be sorted by length, shortest first */
76 static const TPRInstruction tpr_instr[] = {
77 { /* mov abs to eax */
79 .access = TPR_ACCESS_READ,
83 { /* mov eax to abs */
85 .access = TPR_ACCESS_WRITE,
89 { /* mov r32 to r/m32 */
91 .flags = TPR_INSTR_ABS_MODRM,
92 .access = TPR_ACCESS_WRITE,
96 { /* mov r/m32 to r32 */
98 .flags = TPR_INSTR_ABS_MODRM,
99 .access = TPR_ACCESS_READ,
106 .flags = TPR_INSTR_ABS_MODRM | TPR_INSTR_MATCH_MODRM_REG,
107 .access = TPR_ACCESS_READ,
111 { /* mov imm32, r/m32 (c7/0) */
114 .flags = TPR_INSTR_ABS_MODRM | TPR_INSTR_MATCH_MODRM_REG,
115 .access = TPR_ACCESS_WRITE,
121 static void read_guest_rom_state(VAPICROMState *s)
123 cpu_physical_memory_rw(s->rom_state_paddr, (void *)&s->rom_state,
124 sizeof(GuestROMState), 0);
127 static void write_guest_rom_state(VAPICROMState *s)
129 cpu_physical_memory_rw(s->rom_state_paddr, (void *)&s->rom_state,
130 sizeof(GuestROMState), 1);
133 static void update_guest_rom_state(VAPICROMState *s)
135 read_guest_rom_state(s);
137 s->rom_state.real_tpr_addr = cpu_to_le32(s->real_tpr_addr);
138 s->rom_state.vcpu_shift = cpu_to_le32(VAPIC_CPU_SHIFT);
140 write_guest_rom_state(s);
143 static int find_real_tpr_addr(VAPICROMState *s, CPUX86State *env)
148 if (s->state == VAPIC_ACTIVE) {
152 * If there is no prior TPR access instruction we could analyze (which is
153 * the case after resume from hibernation), we need to scan the possible
154 * virtual address space for the APIC mapping.
156 for (addr = 0xfffff000; addr >= 0x80000000; addr -= TARGET_PAGE_SIZE) {
157 paddr = cpu_get_phys_page_debug(env, addr);
158 if (paddr != APIC_DEFAULT_ADDRESS) {
161 s->real_tpr_addr = addr + 0x80;
162 update_guest_rom_state(s);
168 static uint8_t modrm_reg(uint8_t modrm)
170 return (modrm >> 3) & 7;
173 static bool is_abs_modrm(uint8_t modrm)
175 return (modrm & 0xc7) == 0x05;
178 static bool opcode_matches(uint8_t *opcode, const TPRInstruction *instr)
180 return opcode[0] == instr->opcode &&
181 (!(instr->flags & TPR_INSTR_ABS_MODRM) || is_abs_modrm(opcode[1])) &&
182 (!(instr->flags & TPR_INSTR_MATCH_MODRM_REG) ||
183 modrm_reg(opcode[1]) == instr->modrm_reg);
186 static int evaluate_tpr_instruction(VAPICROMState *s, CPUX86State *env,
187 target_ulong *pip, TPRAccess access)
189 const TPRInstruction *instr;
190 target_ulong ip = *pip;
192 uint32_t real_tpr_addr;
195 if ((ip & 0xf0000000ULL) != 0x80000000ULL &&
196 (ip & 0xf0000000ULL) != 0xe0000000ULL) {
201 * Early Windows 2003 SMP initialization contains a
205 * instruction that is patched by TPR optimization. The problem is that
206 * RSP, used by the patched instruction, is zero, so the guest gets a
207 * double fault and dies.
209 if (env->regs[R_ESP] == 0) {
213 if (kvm_enabled() && !kvm_irqchip_in_kernel()) {
215 * KVM without kernel-based TPR access reporting will pass an IP that
216 * points after the accessing instruction. So we need to look backward
217 * to find the reason.
219 for (i = 0; i < ARRAY_SIZE(tpr_instr); i++) {
220 instr = &tpr_instr[i];
221 if (instr->access != access) {
224 if (cpu_memory_rw_debug(env, ip - instr->length, opcode,
225 sizeof(opcode), 0) < 0) {
228 if (opcode_matches(opcode, instr)) {
235 if (cpu_memory_rw_debug(env, ip, opcode, sizeof(opcode), 0) < 0) {
238 for (i = 0; i < ARRAY_SIZE(tpr_instr); i++) {
239 instr = &tpr_instr[i];
240 if (opcode_matches(opcode, instr)) {
249 * Grab the virtual TPR address from the instruction
250 * and update the cached values.
252 if (cpu_memory_rw_debug(env, ip + instr->addr_offset,
253 (void *)&real_tpr_addr,
254 sizeof(real_tpr_addr), 0) < 0) {
257 real_tpr_addr = le32_to_cpu(real_tpr_addr);
258 if ((real_tpr_addr & 0xfff) != 0x80) {
261 s->real_tpr_addr = real_tpr_addr;
262 update_guest_rom_state(s);
268 static int update_rom_mapping(VAPICROMState *s, CPUX86State *env, target_ulong ip)
271 uint32_t rom_state_vaddr;
272 uint32_t pos, patch, offset;
274 /* nothing to do if already activated */
275 if (s->state == VAPIC_ACTIVE) {
279 /* bail out if ROM init code was not executed (missing ROM?) */
280 if (s->state == VAPIC_INACTIVE) {
284 /* find out virtual address of the ROM */
285 rom_state_vaddr = s->rom_state_paddr + (ip & 0xf0000000);
286 paddr = cpu_get_phys_page_debug(env, rom_state_vaddr);
290 paddr += rom_state_vaddr & ~TARGET_PAGE_MASK;
291 if (paddr != s->rom_state_paddr) {
294 read_guest_rom_state(s);
295 if (memcmp(s->rom_state.signature, "kvm aPiC", 8) != 0) {
298 s->rom_state_vaddr = rom_state_vaddr;
300 /* fixup addresses in ROM if needed */
301 if (rom_state_vaddr == le32_to_cpu(s->rom_state.vaddr)) {
304 for (pos = le32_to_cpu(s->rom_state.fixup_start);
305 pos < le32_to_cpu(s->rom_state.fixup_end);
307 cpu_physical_memory_rw(paddr + pos - s->rom_state.vaddr,
308 (void *)&offset, sizeof(offset), 0);
309 offset = le32_to_cpu(offset);
310 cpu_physical_memory_rw(paddr + offset, (void *)&patch,
312 patch = le32_to_cpu(patch);
313 patch += rom_state_vaddr - le32_to_cpu(s->rom_state.vaddr);
314 patch = cpu_to_le32(patch);
315 cpu_physical_memory_rw(paddr + offset, (void *)&patch,
318 read_guest_rom_state(s);
319 s->vapic_paddr = paddr + le32_to_cpu(s->rom_state.vapic_vaddr) -
320 le32_to_cpu(s->rom_state.vaddr);
326 * Tries to read the unique processor number from the Kernel Processor Control
327 * Region (KPCR) of 32-bit Windows XP and Server 2003. Returns -1 if the KPCR
328 * cannot be accessed or is considered invalid. This also ensures that we are
329 * not patching the wrong guest.
331 static int get_kpcr_number(CPUX86State *env)
340 if (cpu_memory_rw_debug(env, env->segs[R_FS].base,
341 (void *)&kpcr, sizeof(kpcr), 0) < 0 ||
342 kpcr.self != env->segs[R_FS].base) {
348 static int vapic_enable(VAPICROMState *s, CPUX86State *env)
350 int cpu_number = get_kpcr_number(env);
352 static const uint8_t enabled = 1;
354 if (cpu_number < 0) {
357 vapic_paddr = s->vapic_paddr +
358 (((hwaddr)cpu_number) << VAPIC_CPU_SHIFT);
359 cpu_physical_memory_rw(vapic_paddr + offsetof(VAPICState, enabled),
360 (void *)&enabled, sizeof(enabled), 1);
361 apic_enable_vapic(env->apic_state, vapic_paddr);
363 s->state = VAPIC_ACTIVE;
368 static void patch_byte(CPUX86State *env, target_ulong addr, uint8_t byte)
370 cpu_memory_rw_debug(env, addr, &byte, 1, 1);
373 static void patch_call(VAPICROMState *s, CPUX86State *env, target_ulong ip,
378 offset = cpu_to_le32(target - ip - 5);
379 patch_byte(env, ip, 0xe8); /* call near */
380 cpu_memory_rw_debug(env, ip + 1, (void *)&offset, sizeof(offset), 1);
383 static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
385 CPUState *cs = CPU(cpu);
386 CPUX86State *env = &cpu->env;
387 VAPICHandlers *handlers;
390 target_ulong current_pc = 0;
391 target_ulong current_cs_base = 0;
392 int current_flags = 0;
395 handlers = &s->rom_state.up;
397 handlers = &s->rom_state.mp;
400 if (!kvm_enabled()) {
401 cpu_restore_state(env, env->mem_io_pc);
402 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
408 cpu_memory_rw_debug(env, ip, opcode, sizeof(opcode), 0);
411 case 0x89: /* mov r32 to r/m32 */
412 patch_byte(env, ip, 0x50 + modrm_reg(opcode[1])); /* push reg */
413 patch_call(s, env, ip + 1, handlers->set_tpr);
415 case 0x8b: /* mov r/m32 to r32 */
416 patch_byte(env, ip, 0x90);
417 patch_call(s, env, ip + 1, handlers->get_tpr[modrm_reg(opcode[1])]);
419 case 0xa1: /* mov abs to eax */
420 patch_call(s, env, ip, handlers->get_tpr[0]);
422 case 0xa3: /* mov eax to abs */
423 patch_call(s, env, ip, handlers->set_tpr_eax);
425 case 0xc7: /* mov imm32, r/m32 (c7/0) */
426 patch_byte(env, ip, 0x68); /* push imm32 */
427 cpu_memory_rw_debug(env, ip + 6, (void *)&imm32, sizeof(imm32), 0);
428 cpu_memory_rw_debug(env, ip + 1, (void *)&imm32, sizeof(imm32), 1);
429 patch_call(s, env, ip + 5, handlers->set_tpr);
431 case 0xff: /* push r/m32 */
432 patch_byte(env, ip, 0x50); /* push eax */
433 patch_call(s, env, ip + 1, handlers->get_tpr_stack);
441 if (!kvm_enabled()) {
442 cs->current_tb = NULL;
443 tb_gen_code(env, current_pc, current_cs_base, current_flags, 1);
444 cpu_resume_from_signal(env, NULL);
448 void vapic_report_tpr_access(DeviceState *dev, CPUState *cs, target_ulong ip,
451 VAPICROMState *s = DO_UPCAST(VAPICROMState, busdev.qdev, dev);
452 X86CPU *cpu = X86_CPU(cs);
453 CPUX86State *env = &cpu->env;
455 cpu_synchronize_state(env);
457 if (evaluate_tpr_instruction(s, env, &ip, access) < 0) {
458 if (s->state == VAPIC_ACTIVE) {
459 vapic_enable(s, env);
463 if (update_rom_mapping(s, env, ip) < 0) {
466 if (vapic_enable(s, env) < 0) {
469 patch_instruction(s, cpu, ip);
472 typedef struct VAPICEnableTPRReporting {
475 } VAPICEnableTPRReporting;
477 static void vapic_do_enable_tpr_reporting(void *data)
479 VAPICEnableTPRReporting *info = data;
481 apic_enable_tpr_access_reporting(info->apic, info->enable);
484 static void vapic_enable_tpr_reporting(bool enable)
486 VAPICEnableTPRReporting info = {
492 for (env = first_cpu; env != NULL; env = env->next_cpu) {
493 cpu = x86_env_get_cpu(env);
494 info.apic = env->apic_state;
495 run_on_cpu(CPU(cpu), vapic_do_enable_tpr_reporting, &info);
499 static void vapic_reset(DeviceState *dev)
501 VAPICROMState *s = DO_UPCAST(VAPICROMState, busdev.qdev, dev);
503 if (s->state == VAPIC_ACTIVE) {
504 s->state = VAPIC_STANDBY;
506 vapic_enable_tpr_reporting(false);
510 * Set the IRQ polling hypercalls to the supported variant:
511 * - vmcall if using KVM in-kernel irqchip
512 * - 32-bit VAPIC port write otherwise
514 static int patch_hypercalls(VAPICROMState *s)
516 hwaddr rom_paddr = s->rom_state_paddr & ROM_BLOCK_MASK;
517 static const uint8_t vmcall_pattern[] = { /* vmcall */
518 0xb8, 0x1, 0, 0, 0, 0xf, 0x1, 0xc1
520 static const uint8_t outl_pattern[] = { /* nop; outl %eax,0x7e */
521 0xb8, 0x1, 0, 0, 0, 0x90, 0xe7, 0x7e
523 uint8_t alternates[2];
524 const uint8_t *pattern;
525 const uint8_t *patch;
530 rom = g_malloc(s->rom_size);
531 cpu_physical_memory_rw(rom_paddr, rom, s->rom_size, 0);
533 for (pos = 0; pos < s->rom_size - sizeof(vmcall_pattern); pos++) {
534 if (kvm_irqchip_in_kernel()) {
535 pattern = outl_pattern;
536 alternates[0] = outl_pattern[7];
537 alternates[1] = outl_pattern[7];
538 patch = &vmcall_pattern[5];
540 pattern = vmcall_pattern;
541 alternates[0] = vmcall_pattern[7];
542 alternates[1] = 0xd9; /* AMD's VMMCALL */
543 patch = &outl_pattern[5];
545 if (memcmp(rom + pos, pattern, 7) == 0 &&
546 (rom[pos + 7] == alternates[0] || rom[pos + 7] == alternates[1])) {
547 cpu_physical_memory_rw(rom_paddr + pos + 5, (uint8_t *)patch,
550 * Don't flush the tb here. Under ordinary conditions, the patched
551 * calls are miles away from the current IP. Under malicious
552 * conditions, the guest could trick us to crash.
559 if (patches != 0 && patches != 2) {
567 * For TCG mode or the time KVM honors read-only memory regions, we need to
568 * enable write access to the option ROM so that variables can be updated by
571 static void vapic_map_rom_writable(VAPICROMState *s)
573 hwaddr rom_paddr = s->rom_state_paddr & ROM_BLOCK_MASK;
574 MemoryRegionSection section;
579 as = sysbus_address_space(&s->busdev);
581 if (s->rom_mapped_writable) {
582 memory_region_del_subregion(as, &s->rom);
583 memory_region_destroy(&s->rom);
586 /* grab RAM memory region (region @rom_paddr may still be pc.rom) */
587 section = memory_region_find(as, 0, 1);
589 /* read ROM size from RAM region */
590 ram = memory_region_get_ram_ptr(section.mr);
591 rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
592 s->rom_size = rom_size;
594 /* We need to round to avoid creating subpages
595 * from which we cannot run code. */
596 rom_size += rom_paddr & ~TARGET_PAGE_MASK;
597 rom_paddr &= TARGET_PAGE_MASK;
598 rom_size = TARGET_PAGE_ALIGN(rom_size);
600 memory_region_init_alias(&s->rom, "kvmvapic-rom", section.mr, rom_paddr,
602 memory_region_add_subregion_overlap(as, rom_paddr, &s->rom, 1000);
603 s->rom_mapped_writable = true;
606 static int vapic_prepare(VAPICROMState *s)
608 vapic_map_rom_writable(s);
610 if (patch_hypercalls(s) < 0) {
614 vapic_enable_tpr_reporting(true);
619 static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
622 CPUX86State *env = cpu_single_env;
624 VAPICROMState *s = opaque;
626 cpu_synchronize_state(env);
629 * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
630 * o 16-bit write access:
631 * Reports the option ROM initialization to the hypervisor. Written
632 * value is the offset of the state structure in the ROM.
633 * o 8-bit write access:
634 * Reactivates the VAPIC after a guest hibernation, i.e. after the
635 * option ROM content has been re-initialized by a guest power cycle.
636 * o 32-bit write access:
637 * Poll for pending IRQs, considering the current VAPIC state.
641 if (s->state == VAPIC_INACTIVE) {
642 rom_paddr = (env->segs[R_CS].base + env->eip) & ROM_BLOCK_MASK;
643 s->rom_state_paddr = rom_paddr + data;
645 s->state = VAPIC_STANDBY;
647 if (vapic_prepare(s) < 0) {
648 s->state = VAPIC_INACTIVE;
655 * Disable triggering instruction in ROM by writing a NOP.
657 * We cannot do this in TCG mode as the reported IP is not
661 patch_byte(env, env->eip - 2, 0x66);
662 patch_byte(env, env->eip - 1, 0x90);
666 if (s->state == VAPIC_ACTIVE) {
669 if (update_rom_mapping(s, env, env->eip) < 0) {
672 if (find_real_tpr_addr(s, env) < 0) {
675 vapic_enable(s, env);
679 if (!kvm_irqchip_in_kernel()) {
680 apic_poll_irq(env->apic_state);
686 static const MemoryRegionOps vapic_ops = {
687 .write = vapic_write,
688 .endianness = DEVICE_NATIVE_ENDIAN,
691 static int vapic_init(SysBusDevice *dev)
693 VAPICROMState *s = FROM_SYSBUS(VAPICROMState, dev);
695 memory_region_init_io(&s->io, &vapic_ops, s, "kvmvapic", 2);
696 sysbus_add_io(dev, VAPIC_IO_PORT, &s->io);
697 sysbus_init_ioports(dev, VAPIC_IO_PORT, 2);
699 option_rom[nb_option_roms].name = "kvmvapic.bin";
700 option_rom[nb_option_roms].bootindex = -1;
706 static void do_vapic_enable(void *data)
708 VAPICROMState *s = data;
710 vapic_enable(s, first_cpu);
713 static int vapic_post_load(void *opaque, int version_id)
715 VAPICROMState *s = opaque;
719 * The old implementation of qemu-kvm did not provide the state
720 * VAPIC_STANDBY. Reconstruct it.
722 if (s->state == VAPIC_INACTIVE && s->rom_state_paddr != 0) {
723 s->state = VAPIC_STANDBY;
726 if (s->state != VAPIC_INACTIVE) {
727 if (vapic_prepare(s) < 0) {
731 if (s->state == VAPIC_ACTIVE) {
733 run_on_cpu(ENV_GET_CPU(first_cpu), do_vapic_enable, s);
735 zero = g_malloc0(s->rom_state.vapic_size);
736 cpu_physical_memory_rw(s->vapic_paddr, zero,
737 s->rom_state.vapic_size, 1);
745 static const VMStateDescription vmstate_handlers = {
746 .name = "kvmvapic-handlers",
748 .minimum_version_id = 1,
749 .minimum_version_id_old = 1,
750 .fields = (VMStateField[]) {
751 VMSTATE_UINT32(set_tpr, VAPICHandlers),
752 VMSTATE_UINT32(set_tpr_eax, VAPICHandlers),
753 VMSTATE_UINT32_ARRAY(get_tpr, VAPICHandlers, 8),
754 VMSTATE_UINT32(get_tpr_stack, VAPICHandlers),
755 VMSTATE_END_OF_LIST()
759 static const VMStateDescription vmstate_guest_rom = {
760 .name = "kvmvapic-guest-rom",
762 .minimum_version_id = 1,
763 .minimum_version_id_old = 1,
764 .fields = (VMStateField[]) {
765 VMSTATE_UNUSED(8), /* signature */
766 VMSTATE_UINT32(vaddr, GuestROMState),
767 VMSTATE_UINT32(fixup_start, GuestROMState),
768 VMSTATE_UINT32(fixup_end, GuestROMState),
769 VMSTATE_UINT32(vapic_vaddr, GuestROMState),
770 VMSTATE_UINT32(vapic_size, GuestROMState),
771 VMSTATE_UINT32(vcpu_shift, GuestROMState),
772 VMSTATE_UINT32(real_tpr_addr, GuestROMState),
773 VMSTATE_STRUCT(up, GuestROMState, 0, vmstate_handlers, VAPICHandlers),
774 VMSTATE_STRUCT(mp, GuestROMState, 0, vmstate_handlers, VAPICHandlers),
775 VMSTATE_END_OF_LIST()
779 static const VMStateDescription vmstate_vapic = {
780 .name = "kvm-tpr-opt", /* compatible with qemu-kvm VAPIC */
782 .minimum_version_id = 1,
783 .minimum_version_id_old = 1,
784 .post_load = vapic_post_load,
785 .fields = (VMStateField[]) {
786 VMSTATE_STRUCT(rom_state, VAPICROMState, 0, vmstate_guest_rom,
788 VMSTATE_UINT32(state, VAPICROMState),
789 VMSTATE_UINT32(real_tpr_addr, VAPICROMState),
790 VMSTATE_UINT32(rom_state_vaddr, VAPICROMState),
791 VMSTATE_UINT32(vapic_paddr, VAPICROMState),
792 VMSTATE_UINT32(rom_state_paddr, VAPICROMState),
793 VMSTATE_END_OF_LIST()
797 static void vapic_class_init(ObjectClass *klass, void *data)
799 SysBusDeviceClass *sc = SYS_BUS_DEVICE_CLASS(klass);
800 DeviceClass *dc = DEVICE_CLASS(klass);
803 dc->reset = vapic_reset;
804 dc->vmsd = &vmstate_vapic;
805 sc->init = vapic_init;
808 static const TypeInfo vapic_type = {
810 .parent = TYPE_SYS_BUS_DEVICE,
811 .instance_size = sizeof(VAPICROMState),
812 .class_init = vapic_class_init,
815 static void vapic_register(void)
817 type_register_static(&vapic_type);
820 type_init(vapic_register);
projects / qemu.git / blob