root / hw / kvmvapic.c @ 8294a64d
History | View | Annotate | Download (22.6 kB)
1 |
/*
|
---|---|
2 |
* TPR optimization for 32-bit Windows guests (XP and Server 2003)
|
3 |
*
|
4 |
* Copyright (C) 2007-2008 Qumranet Technologies
|
5 |
* Copyright (C) 2012 Jan Kiszka, Siemens AG
|
6 |
*
|
7 |
* This work is licensed under the terms of the GNU GPL version 2, or
|
8 |
* (at your option) any later version. See the COPYING file in the
|
9 |
* top-level directory.
|
10 |
*/
|
11 |
#include "sysemu.h" |
12 |
#include "cpus.h" |
13 |
#include "kvm.h" |
14 |
#include "apic_internal.h" |
15 |
|
16 |
#define APIC_DEFAULT_ADDRESS 0xfee00000 |
17 |
|
18 |
#define VAPIC_IO_PORT 0x7e |
19 |
|
20 |
#define VAPIC_CPU_SHIFT 7 |
21 |
|
22 |
#define ROM_BLOCK_SIZE 512 |
23 |
#define ROM_BLOCK_MASK (~(ROM_BLOCK_SIZE - 1)) |
24 |
|
25 |
typedef enum VAPICMode { |
26 |
VAPIC_INACTIVE = 0,
|
27 |
VAPIC_ACTIVE = 1,
|
28 |
VAPIC_STANDBY = 2,
|
29 |
} VAPICMode; |
30 |
|
31 |
typedef struct VAPICHandlers { |
32 |
uint32_t set_tpr; |
33 |
uint32_t set_tpr_eax; |
34 |
uint32_t get_tpr[8];
|
35 |
uint32_t get_tpr_stack; |
36 |
} QEMU_PACKED VAPICHandlers; |
37 |
|
38 |
typedef struct GuestROMState { |
39 |
char signature[8]; |
40 |
uint32_t vaddr; |
41 |
uint32_t fixup_start; |
42 |
uint32_t fixup_end; |
43 |
uint32_t vapic_vaddr; |
44 |
uint32_t vapic_size; |
45 |
uint32_t vcpu_shift; |
46 |
uint32_t real_tpr_addr; |
47 |
VAPICHandlers up; |
48 |
VAPICHandlers mp; |
49 |
} QEMU_PACKED GuestROMState; |
50 |
|
51 |
typedef struct VAPICROMState { |
52 |
SysBusDevice busdev; |
53 |
MemoryRegion io; |
54 |
MemoryRegion rom; |
55 |
uint32_t state; |
56 |
uint32_t rom_state_paddr; |
57 |
uint32_t rom_state_vaddr; |
58 |
uint32_t vapic_paddr; |
59 |
uint32_t real_tpr_addr; |
60 |
GuestROMState rom_state; |
61 |
size_t rom_size; |
62 |
bool rom_mapped_writable;
|
63 |
} VAPICROMState; |
64 |
|
65 |
#define TPR_INSTR_ABS_MODRM 0x1 |
66 |
#define TPR_INSTR_MATCH_MODRM_REG 0x2 |
67 |
|
68 |
typedef struct TPRInstruction { |
69 |
uint8_t opcode; |
70 |
uint8_t modrm_reg; |
71 |
unsigned int flags; |
72 |
TPRAccess access; |
73 |
size_t length; |
74 |
off_t addr_offset; |
75 |
} TPRInstruction; |
76 |
|
77 |
/* must be sorted by length, shortest first */
|
78 |
static const TPRInstruction tpr_instr[] = { |
79 |
{ /* mov abs to eax */
|
80 |
.opcode = 0xa1,
|
81 |
.access = TPR_ACCESS_READ, |
82 |
.length = 5,
|
83 |
.addr_offset = 1,
|
84 |
}, |
85 |
{ /* mov eax to abs */
|
86 |
.opcode = 0xa3,
|
87 |
.access = TPR_ACCESS_WRITE, |
88 |
.length = 5,
|
89 |
.addr_offset = 1,
|
90 |
}, |
91 |
{ /* mov r32 to r/m32 */
|
92 |
.opcode = 0x89,
|
93 |
.flags = TPR_INSTR_ABS_MODRM, |
94 |
.access = TPR_ACCESS_WRITE, |
95 |
.length = 6,
|
96 |
.addr_offset = 2,
|
97 |
}, |
98 |
{ /* mov r/m32 to r32 */
|
99 |
.opcode = 0x8b,
|
100 |
.flags = TPR_INSTR_ABS_MODRM, |
101 |
.access = TPR_ACCESS_READ, |
102 |
.length = 6,
|
103 |
.addr_offset = 2,
|
104 |
}, |
105 |
{ /* push r/m32 */
|
106 |
.opcode = 0xff,
|
107 |
.modrm_reg = 6,
|
108 |
.flags = TPR_INSTR_ABS_MODRM | TPR_INSTR_MATCH_MODRM_REG, |
109 |
.access = TPR_ACCESS_READ, |
110 |
.length = 6,
|
111 |
.addr_offset = 2,
|
112 |
}, |
113 |
{ /* mov imm32, r/m32 (c7/0) */
|
114 |
.opcode = 0xc7,
|
115 |
.modrm_reg = 0,
|
116 |
.flags = TPR_INSTR_ABS_MODRM | TPR_INSTR_MATCH_MODRM_REG, |
117 |
.access = TPR_ACCESS_WRITE, |
118 |
.length = 10,
|
119 |
.addr_offset = 2,
|
120 |
}, |
121 |
}; |
122 |
|
123 |
static void read_guest_rom_state(VAPICROMState *s) |
124 |
{ |
125 |
cpu_physical_memory_rw(s->rom_state_paddr, (void *)&s->rom_state,
|
126 |
sizeof(GuestROMState), 0); |
127 |
} |
128 |
|
129 |
static void write_guest_rom_state(VAPICROMState *s) |
130 |
{ |
131 |
cpu_physical_memory_rw(s->rom_state_paddr, (void *)&s->rom_state,
|
132 |
sizeof(GuestROMState), 1); |
133 |
} |
134 |
|
135 |
static void update_guest_rom_state(VAPICROMState *s) |
136 |
{ |
137 |
read_guest_rom_state(s); |
138 |
|
139 |
s->rom_state.real_tpr_addr = cpu_to_le32(s->real_tpr_addr); |
140 |
s->rom_state.vcpu_shift = cpu_to_le32(VAPIC_CPU_SHIFT); |
141 |
|
142 |
write_guest_rom_state(s); |
143 |
} |
144 |
|
145 |
static int find_real_tpr_addr(VAPICROMState *s, CPUX86State *env) |
146 |
{ |
147 |
target_phys_addr_t paddr; |
148 |
target_ulong addr; |
149 |
|
150 |
if (s->state == VAPIC_ACTIVE) {
|
151 |
return 0; |
152 |
} |
153 |
/*
|
154 |
* If there is no prior TPR access instruction we could analyze (which is
|
155 |
* the case after resume from hibernation), we need to scan the possible
|
156 |
* virtual address space for the APIC mapping.
|
157 |
*/
|
158 |
for (addr = 0xfffff000; addr >= 0x80000000; addr -= TARGET_PAGE_SIZE) { |
159 |
paddr = cpu_get_phys_page_debug(env, addr); |
160 |
if (paddr != APIC_DEFAULT_ADDRESS) {
|
161 |
continue;
|
162 |
} |
163 |
s->real_tpr_addr = addr + 0x80;
|
164 |
update_guest_rom_state(s); |
165 |
return 0; |
166 |
} |
167 |
return -1; |
168 |
} |
169 |
|
170 |
static uint8_t modrm_reg(uint8_t modrm)
|
171 |
{ |
172 |
return (modrm >> 3) & 7; |
173 |
} |
174 |
|
175 |
static bool is_abs_modrm(uint8_t modrm) |
176 |
{ |
177 |
return (modrm & 0xc7) == 0x05; |
178 |
} |
179 |
|
180 |
static bool opcode_matches(uint8_t *opcode, const TPRInstruction *instr) |
181 |
{ |
182 |
return opcode[0] == instr->opcode && |
183 |
(!(instr->flags & TPR_INSTR_ABS_MODRM) || is_abs_modrm(opcode[1])) &&
|
184 |
(!(instr->flags & TPR_INSTR_MATCH_MODRM_REG) || |
185 |
modrm_reg(opcode[1]) == instr->modrm_reg);
|
186 |
} |
187 |
|
188 |
static int evaluate_tpr_instruction(VAPICROMState *s, CPUX86State *env, |
189 |
target_ulong *pip, TPRAccess access) |
190 |
{ |
191 |
const TPRInstruction *instr;
|
192 |
target_ulong ip = *pip; |
193 |
uint8_t opcode[2];
|
194 |
uint32_t real_tpr_addr; |
195 |
int i;
|
196 |
|
197 |
if ((ip & 0xf0000000ULL) != 0x80000000ULL && |
198 |
(ip & 0xf0000000ULL) != 0xe0000000ULL) { |
199 |
return -1; |
200 |
} |
201 |
|
202 |
/*
|
203 |
* Early Windows 2003 SMP initialization contains a
|
204 |
*
|
205 |
* mov imm32, r/m32
|
206 |
*
|
207 |
* instruction that is patched by TPR optimization. The problem is that
|
208 |
* RSP, used by the patched instruction, is zero, so the guest gets a
|
209 |
* double fault and dies.
|
210 |
*/
|
211 |
if (env->regs[R_ESP] == 0) { |
212 |
return -1; |
213 |
} |
214 |
|
215 |
if (kvm_enabled() && !kvm_irqchip_in_kernel()) {
|
216 |
/*
|
217 |
* KVM without kernel-based TPR access reporting will pass an IP that
|
218 |
* points after the accessing instruction. So we need to look backward
|
219 |
* to find the reason.
|
220 |
*/
|
221 |
for (i = 0; i < ARRAY_SIZE(tpr_instr); i++) { |
222 |
instr = &tpr_instr[i]; |
223 |
if (instr->access != access) {
|
224 |
continue;
|
225 |
} |
226 |
if (cpu_memory_rw_debug(env, ip - instr->length, opcode,
|
227 |
sizeof(opcode), 0) < 0) { |
228 |
return -1; |
229 |
} |
230 |
if (opcode_matches(opcode, instr)) {
|
231 |
ip -= instr->length; |
232 |
goto instruction_ok;
|
233 |
} |
234 |
} |
235 |
return -1; |
236 |
} else {
|
237 |
if (cpu_memory_rw_debug(env, ip, opcode, sizeof(opcode), 0) < 0) { |
238 |
return -1; |
239 |
} |
240 |
for (i = 0; i < ARRAY_SIZE(tpr_instr); i++) { |
241 |
instr = &tpr_instr[i]; |
242 |
if (opcode_matches(opcode, instr)) {
|
243 |
goto instruction_ok;
|
244 |
} |
245 |
} |
246 |
return -1; |
247 |
} |
248 |
|
249 |
instruction_ok:
|
250 |
/*
|
251 |
* Grab the virtual TPR address from the instruction
|
252 |
* and update the cached values.
|
253 |
*/
|
254 |
if (cpu_memory_rw_debug(env, ip + instr->addr_offset,
|
255 |
(void *)&real_tpr_addr,
|
256 |
sizeof(real_tpr_addr), 0) < 0) { |
257 |
return -1; |
258 |
} |
259 |
real_tpr_addr = le32_to_cpu(real_tpr_addr); |
260 |
if ((real_tpr_addr & 0xfff) != 0x80) { |
261 |
return -1; |
262 |
} |
263 |
s->real_tpr_addr = real_tpr_addr; |
264 |
update_guest_rom_state(s); |
265 |
|
266 |
*pip = ip; |
267 |
return 0; |
268 |
} |
269 |
|
270 |
static int update_rom_mapping(VAPICROMState *s, CPUX86State *env, target_ulong ip) |
271 |
{ |
272 |
target_phys_addr_t paddr; |
273 |
uint32_t rom_state_vaddr; |
274 |
uint32_t pos, patch, offset; |
275 |
|
276 |
/* nothing to do if already activated */
|
277 |
if (s->state == VAPIC_ACTIVE) {
|
278 |
return 0; |
279 |
} |
280 |
|
281 |
/* bail out if ROM init code was not executed (missing ROM?) */
|
282 |
if (s->state == VAPIC_INACTIVE) {
|
283 |
return -1; |
284 |
} |
285 |
|
286 |
/* find out virtual address of the ROM */
|
287 |
rom_state_vaddr = s->rom_state_paddr + (ip & 0xf0000000);
|
288 |
paddr = cpu_get_phys_page_debug(env, rom_state_vaddr); |
289 |
if (paddr == -1) { |
290 |
return -1; |
291 |
} |
292 |
paddr += rom_state_vaddr & ~TARGET_PAGE_MASK; |
293 |
if (paddr != s->rom_state_paddr) {
|
294 |
return -1; |
295 |
} |
296 |
read_guest_rom_state(s); |
297 |
if (memcmp(s->rom_state.signature, "kvm aPiC", 8) != 0) { |
298 |
return -1; |
299 |
} |
300 |
s->rom_state_vaddr = rom_state_vaddr; |
301 |
|
302 |
/* fixup addresses in ROM if needed */
|
303 |
if (rom_state_vaddr == le32_to_cpu(s->rom_state.vaddr)) {
|
304 |
return 0; |
305 |
} |
306 |
for (pos = le32_to_cpu(s->rom_state.fixup_start);
|
307 |
pos < le32_to_cpu(s->rom_state.fixup_end); |
308 |
pos += 4) {
|
309 |
cpu_physical_memory_rw(paddr + pos - s->rom_state.vaddr, |
310 |
(void *)&offset, sizeof(offset), 0); |
311 |
offset = le32_to_cpu(offset); |
312 |
cpu_physical_memory_rw(paddr + offset, (void *)&patch,
|
313 |
sizeof(patch), 0); |
314 |
patch = le32_to_cpu(patch); |
315 |
patch += rom_state_vaddr - le32_to_cpu(s->rom_state.vaddr); |
316 |
patch = cpu_to_le32(patch); |
317 |
cpu_physical_memory_rw(paddr + offset, (void *)&patch,
|
318 |
sizeof(patch), 1); |
319 |
} |
320 |
read_guest_rom_state(s); |
321 |
s->vapic_paddr = paddr + le32_to_cpu(s->rom_state.vapic_vaddr) - |
322 |
le32_to_cpu(s->rom_state.vaddr); |
323 |
|
324 |
return 0; |
325 |
} |
326 |
|
327 |
/*
|
328 |
* Tries to read the unique processor number from the Kernel Processor Control
|
329 |
* Region (KPCR) of 32-bit Windows XP and Server 2003. Returns -1 if the KPCR
|
330 |
* cannot be accessed or is considered invalid. This also ensures that we are
|
331 |
* not patching the wrong guest.
|
332 |
*/
|
333 |
static int get_kpcr_number(CPUX86State *env) |
334 |
{ |
335 |
struct kpcr {
|
336 |
uint8_t fill1[0x1c];
|
337 |
uint32_t self; |
338 |
uint8_t fill2[0x31];
|
339 |
uint8_t number; |
340 |
} QEMU_PACKED kpcr; |
341 |
|
342 |
if (cpu_memory_rw_debug(env, env->segs[R_FS].base,
|
343 |
(void *)&kpcr, sizeof(kpcr), 0) < 0 || |
344 |
kpcr.self != env->segs[R_FS].base) { |
345 |
return -1; |
346 |
} |
347 |
return kpcr.number;
|
348 |
} |
349 |
|
350 |
static int vapic_enable(VAPICROMState *s, CPUX86State *env) |
351 |
{ |
352 |
int cpu_number = get_kpcr_number(env);
|
353 |
target_phys_addr_t vapic_paddr; |
354 |
static const uint8_t enabled = 1; |
355 |
|
356 |
if (cpu_number < 0) { |
357 |
return -1; |
358 |
} |
359 |
vapic_paddr = s->vapic_paddr + |
360 |
(((target_phys_addr_t)cpu_number) << VAPIC_CPU_SHIFT); |
361 |
cpu_physical_memory_rw(vapic_paddr + offsetof(VAPICState, enabled), |
362 |
(void *)&enabled, sizeof(enabled), 1); |
363 |
apic_enable_vapic(env->apic_state, vapic_paddr); |
364 |
|
365 |
s->state = VAPIC_ACTIVE; |
366 |
|
367 |
return 0; |
368 |
} |
369 |
|
370 |
static void patch_byte(CPUX86State *env, target_ulong addr, uint8_t byte) |
371 |
{ |
372 |
cpu_memory_rw_debug(env, addr, &byte, 1, 1); |
373 |
} |
374 |
|
375 |
static void patch_call(VAPICROMState *s, CPUX86State *env, target_ulong ip, |
376 |
uint32_t target) |
377 |
{ |
378 |
uint32_t offset; |
379 |
|
380 |
offset = cpu_to_le32(target - ip - 5);
|
381 |
patch_byte(env, ip, 0xe8); /* call near */ |
382 |
cpu_memory_rw_debug(env, ip + 1, (void *)&offset, sizeof(offset), 1); |
383 |
} |
384 |
|
385 |
static void patch_instruction(VAPICROMState *s, CPUX86State *env, target_ulong ip) |
386 |
{ |
387 |
target_phys_addr_t paddr; |
388 |
VAPICHandlers *handlers; |
389 |
uint8_t opcode[2];
|
390 |
uint32_t imm32; |
391 |
|
392 |
if (smp_cpus == 1) { |
393 |
handlers = &s->rom_state.up; |
394 |
} else {
|
395 |
handlers = &s->rom_state.mp; |
396 |
} |
397 |
|
398 |
pause_all_vcpus(); |
399 |
|
400 |
cpu_memory_rw_debug(env, ip, opcode, sizeof(opcode), 0); |
401 |
|
402 |
switch (opcode[0]) { |
403 |
case 0x89: /* mov r32 to r/m32 */ |
404 |
patch_byte(env, ip, 0x50 + modrm_reg(opcode[1])); /* push reg */ |
405 |
patch_call(s, env, ip + 1, handlers->set_tpr);
|
406 |
break;
|
407 |
case 0x8b: /* mov r/m32 to r32 */ |
408 |
patch_byte(env, ip, 0x90);
|
409 |
patch_call(s, env, ip + 1, handlers->get_tpr[modrm_reg(opcode[1])]); |
410 |
break;
|
411 |
case 0xa1: /* mov abs to eax */ |
412 |
patch_call(s, env, ip, handlers->get_tpr[0]);
|
413 |
break;
|
414 |
case 0xa3: /* mov eax to abs */ |
415 |
patch_call(s, env, ip, handlers->set_tpr_eax); |
416 |
break;
|
417 |
case 0xc7: /* mov imm32, r/m32 (c7/0) */ |
418 |
patch_byte(env, ip, 0x68); /* push imm32 */ |
419 |
cpu_memory_rw_debug(env, ip + 6, (void *)&imm32, sizeof(imm32), 0); |
420 |
cpu_memory_rw_debug(env, ip + 1, (void *)&imm32, sizeof(imm32), 1); |
421 |
patch_call(s, env, ip + 5, handlers->set_tpr);
|
422 |
break;
|
423 |
case 0xff: /* push r/m32 */ |
424 |
patch_byte(env, ip, 0x50); /* push eax */ |
425 |
patch_call(s, env, ip + 1, handlers->get_tpr_stack);
|
426 |
break;
|
427 |
default:
|
428 |
abort(); |
429 |
} |
430 |
|
431 |
resume_all_vcpus(); |
432 |
|
433 |
paddr = cpu_get_phys_page_debug(env, ip); |
434 |
paddr += ip & ~TARGET_PAGE_MASK; |
435 |
tb_invalidate_phys_page_range(paddr, paddr + 1, 1); |
436 |
} |
437 |
|
438 |
void vapic_report_tpr_access(DeviceState *dev, void *cpu, target_ulong ip, |
439 |
TPRAccess access) |
440 |
{ |
441 |
VAPICROMState *s = DO_UPCAST(VAPICROMState, busdev.qdev, dev); |
442 |
CPUX86State *env = cpu; |
443 |
|
444 |
cpu_synchronize_state(env); |
445 |
|
446 |
if (evaluate_tpr_instruction(s, env, &ip, access) < 0) { |
447 |
if (s->state == VAPIC_ACTIVE) {
|
448 |
vapic_enable(s, env); |
449 |
} |
450 |
return;
|
451 |
} |
452 |
if (update_rom_mapping(s, env, ip) < 0) { |
453 |
return;
|
454 |
} |
455 |
if (vapic_enable(s, env) < 0) { |
456 |
return;
|
457 |
} |
458 |
patch_instruction(s, env, ip); |
459 |
} |
460 |
|
461 |
typedef struct VAPICEnableTPRReporting { |
462 |
DeviceState *apic; |
463 |
bool enable;
|
464 |
} VAPICEnableTPRReporting; |
465 |
|
466 |
static void vapic_do_enable_tpr_reporting(void *data) |
467 |
{ |
468 |
VAPICEnableTPRReporting *info = data; |
469 |
|
470 |
apic_enable_tpr_access_reporting(info->apic, info->enable); |
471 |
} |
472 |
|
473 |
static void vapic_enable_tpr_reporting(bool enable) |
474 |
{ |
475 |
VAPICEnableTPRReporting info = { |
476 |
.enable = enable, |
477 |
}; |
478 |
CPUX86State *env; |
479 |
|
480 |
for (env = first_cpu; env != NULL; env = env->next_cpu) { |
481 |
info.apic = env->apic_state; |
482 |
run_on_cpu(env, vapic_do_enable_tpr_reporting, &info); |
483 |
} |
484 |
} |
485 |
|
486 |
static void vapic_reset(DeviceState *dev) |
487 |
{ |
488 |
VAPICROMState *s = DO_UPCAST(VAPICROMState, busdev.qdev, dev); |
489 |
|
490 |
if (s->state == VAPIC_ACTIVE) {
|
491 |
s->state = VAPIC_STANDBY; |
492 |
} |
493 |
vapic_enable_tpr_reporting(false);
|
494 |
} |
495 |
|
496 |
/*
|
497 |
* Set the IRQ polling hypercalls to the supported variant:
|
498 |
* - vmcall if using KVM in-kernel irqchip
|
499 |
* - 32-bit VAPIC port write otherwise
|
500 |
*/
|
501 |
static int patch_hypercalls(VAPICROMState *s) |
502 |
{ |
503 |
target_phys_addr_t rom_paddr = s->rom_state_paddr & ROM_BLOCK_MASK; |
504 |
static const uint8_t vmcall_pattern[] = { /* vmcall */ |
505 |
0xb8, 0x1, 0, 0, 0, 0xf, 0x1, 0xc1 |
506 |
}; |
507 |
static const uint8_t outl_pattern[] = { /* nop; outl %eax,0x7e */ |
508 |
0xb8, 0x1, 0, 0, 0, 0x90, 0xe7, 0x7e |
509 |
}; |
510 |
uint8_t alternates[2];
|
511 |
const uint8_t *pattern;
|
512 |
const uint8_t *patch;
|
513 |
int patches = 0; |
514 |
off_t pos; |
515 |
uint8_t *rom; |
516 |
|
517 |
rom = g_malloc(s->rom_size); |
518 |
cpu_physical_memory_rw(rom_paddr, rom, s->rom_size, 0);
|
519 |
|
520 |
for (pos = 0; pos < s->rom_size - sizeof(vmcall_pattern); pos++) { |
521 |
if (kvm_irqchip_in_kernel()) {
|
522 |
pattern = outl_pattern; |
523 |
alternates[0] = outl_pattern[7]; |
524 |
alternates[1] = outl_pattern[7]; |
525 |
patch = &vmcall_pattern[5];
|
526 |
} else {
|
527 |
pattern = vmcall_pattern; |
528 |
alternates[0] = vmcall_pattern[7]; |
529 |
alternates[1] = 0xd9; /* AMD's VMMCALL */ |
530 |
patch = &outl_pattern[5];
|
531 |
} |
532 |
if (memcmp(rom + pos, pattern, 7) == 0 && |
533 |
(rom[pos + 7] == alternates[0] || rom[pos + 7] == alternates[1])) { |
534 |
cpu_physical_memory_rw(rom_paddr + pos + 5, (uint8_t *)patch,
|
535 |
3, 1); |
536 |
/*
|
537 |
* Don't flush the tb here. Under ordinary conditions, the patched
|
538 |
* calls are miles away from the current IP. Under malicious
|
539 |
* conditions, the guest could trick us to crash.
|
540 |
*/
|
541 |
} |
542 |
} |
543 |
|
544 |
g_free(rom); |
545 |
|
546 |
if (patches != 0 && patches != 2) { |
547 |
return -1; |
548 |
} |
549 |
|
550 |
return 0; |
551 |
} |
552 |
|
553 |
/*
|
554 |
* For TCG mode or the time KVM honors read-only memory regions, we need to
|
555 |
* enable write access to the option ROM so that variables can be updated by
|
556 |
* the guest.
|
557 |
*/
|
558 |
static void vapic_map_rom_writable(VAPICROMState *s) |
559 |
{ |
560 |
target_phys_addr_t rom_paddr = s->rom_state_paddr & ROM_BLOCK_MASK; |
561 |
MemoryRegionSection section; |
562 |
MemoryRegion *as; |
563 |
size_t rom_size; |
564 |
uint8_t *ram; |
565 |
|
566 |
as = sysbus_address_space(&s->busdev); |
567 |
|
568 |
if (s->rom_mapped_writable) {
|
569 |
memory_region_del_subregion(as, &s->rom); |
570 |
memory_region_destroy(&s->rom); |
571 |
} |
572 |
|
573 |
/* grab RAM memory region (region @rom_paddr may still be pc.rom) */
|
574 |
section = memory_region_find(as, 0, 1); |
575 |
|
576 |
/* read ROM size from RAM region */
|
577 |
ram = memory_region_get_ram_ptr(section.mr); |
578 |
rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
|
579 |
s->rom_size = rom_size; |
580 |
|
581 |
/* We need to round to avoid creating subpages
|
582 |
* from which we cannot run code. */
|
583 |
rom_size += rom_paddr & ~TARGET_PAGE_MASK; |
584 |
rom_paddr &= TARGET_PAGE_MASK; |
585 |
rom_size = TARGET_PAGE_ALIGN(rom_size); |
586 |
|
587 |
memory_region_init_alias(&s->rom, "kvmvapic-rom", section.mr, rom_paddr,
|
588 |
rom_size); |
589 |
memory_region_add_subregion_overlap(as, rom_paddr, &s->rom, 1000);
|
590 |
s->rom_mapped_writable = true;
|
591 |
} |
592 |
|
593 |
static int vapic_prepare(VAPICROMState *s) |
594 |
{ |
595 |
vapic_map_rom_writable(s); |
596 |
|
597 |
if (patch_hypercalls(s) < 0) { |
598 |
return -1; |
599 |
} |
600 |
|
601 |
vapic_enable_tpr_reporting(true);
|
602 |
|
603 |
return 0; |
604 |
} |
605 |
|
606 |
static void vapic_write(void *opaque, target_phys_addr_t addr, uint64_t data, |
607 |
unsigned int size) |
608 |
{ |
609 |
CPUX86State *env = cpu_single_env; |
610 |
target_phys_addr_t rom_paddr; |
611 |
VAPICROMState *s = opaque; |
612 |
|
613 |
cpu_synchronize_state(env); |
614 |
|
615 |
/*
|
616 |
* The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
|
617 |
* o 16-bit write access:
|
618 |
* Reports the option ROM initialization to the hypervisor. Written
|
619 |
* value is the offset of the state structure in the ROM.
|
620 |
* o 8-bit write access:
|
621 |
* Reactivates the VAPIC after a guest hibernation, i.e. after the
|
622 |
* option ROM content has been re-initialized by a guest power cycle.
|
623 |
* o 32-bit write access:
|
624 |
* Poll for pending IRQs, considering the current VAPIC state.
|
625 |
*/
|
626 |
switch (size) {
|
627 |
case 2: |
628 |
if (s->state == VAPIC_INACTIVE) {
|
629 |
rom_paddr = (env->segs[R_CS].base + env->eip) & ROM_BLOCK_MASK; |
630 |
s->rom_state_paddr = rom_paddr + data; |
631 |
|
632 |
s->state = VAPIC_STANDBY; |
633 |
} |
634 |
if (vapic_prepare(s) < 0) { |
635 |
s->state = VAPIC_INACTIVE; |
636 |
break;
|
637 |
} |
638 |
break;
|
639 |
case 1: |
640 |
if (kvm_enabled()) {
|
641 |
/*
|
642 |
* Disable triggering instruction in ROM by writing a NOP.
|
643 |
*
|
644 |
* We cannot do this in TCG mode as the reported IP is not
|
645 |
* accurate.
|
646 |
*/
|
647 |
pause_all_vcpus(); |
648 |
patch_byte(env, env->eip - 2, 0x66); |
649 |
patch_byte(env, env->eip - 1, 0x90); |
650 |
resume_all_vcpus(); |
651 |
} |
652 |
|
653 |
if (s->state == VAPIC_ACTIVE) {
|
654 |
break;
|
655 |
} |
656 |
if (update_rom_mapping(s, env, env->eip) < 0) { |
657 |
break;
|
658 |
} |
659 |
if (find_real_tpr_addr(s, env) < 0) { |
660 |
break;
|
661 |
} |
662 |
vapic_enable(s, env); |
663 |
break;
|
664 |
default:
|
665 |
case 4: |
666 |
if (!kvm_irqchip_in_kernel()) {
|
667 |
apic_poll_irq(env->apic_state); |
668 |
} |
669 |
break;
|
670 |
} |
671 |
} |
672 |
|
673 |
static const MemoryRegionOps vapic_ops = { |
674 |
.write = vapic_write, |
675 |
.endianness = DEVICE_NATIVE_ENDIAN, |
676 |
}; |
677 |
|
678 |
static int vapic_init(SysBusDevice *dev) |
679 |
{ |
680 |
VAPICROMState *s = FROM_SYSBUS(VAPICROMState, dev); |
681 |
|
682 |
memory_region_init_io(&s->io, &vapic_ops, s, "kvmvapic", 2); |
683 |
sysbus_add_io(dev, VAPIC_IO_PORT, &s->io); |
684 |
sysbus_init_ioports(dev, VAPIC_IO_PORT, 2);
|
685 |
|
686 |
option_rom[nb_option_roms].name = "kvmvapic.bin";
|
687 |
option_rom[nb_option_roms].bootindex = -1;
|
688 |
nb_option_roms++; |
689 |
|
690 |
return 0; |
691 |
} |
692 |
|
693 |
static void do_vapic_enable(void *data) |
694 |
{ |
695 |
VAPICROMState *s = data; |
696 |
|
697 |
vapic_enable(s, first_cpu); |
698 |
} |
699 |
|
700 |
static int vapic_post_load(void *opaque, int version_id) |
701 |
{ |
702 |
VAPICROMState *s = opaque; |
703 |
uint8_t *zero; |
704 |
|
705 |
/*
|
706 |
* The old implementation of qemu-kvm did not provide the state
|
707 |
* VAPIC_STANDBY. Reconstruct it.
|
708 |
*/
|
709 |
if (s->state == VAPIC_INACTIVE && s->rom_state_paddr != 0) { |
710 |
s->state = VAPIC_STANDBY; |
711 |
} |
712 |
|
713 |
if (s->state != VAPIC_INACTIVE) {
|
714 |
if (vapic_prepare(s) < 0) { |
715 |
return -1; |
716 |
} |
717 |
} |
718 |
if (s->state == VAPIC_ACTIVE) {
|
719 |
if (smp_cpus == 1) { |
720 |
run_on_cpu(first_cpu, do_vapic_enable, s); |
721 |
} else {
|
722 |
zero = g_malloc0(s->rom_state.vapic_size); |
723 |
cpu_physical_memory_rw(s->vapic_paddr, zero, |
724 |
s->rom_state.vapic_size, 1);
|
725 |
g_free(zero); |
726 |
} |
727 |
} |
728 |
|
729 |
return 0; |
730 |
} |
731 |
|
732 |
static const VMStateDescription vmstate_handlers = { |
733 |
.name = "kvmvapic-handlers",
|
734 |
.version_id = 1,
|
735 |
.minimum_version_id = 1,
|
736 |
.minimum_version_id_old = 1,
|
737 |
.fields = (VMStateField[]) { |
738 |
VMSTATE_UINT32(set_tpr, VAPICHandlers), |
739 |
VMSTATE_UINT32(set_tpr_eax, VAPICHandlers), |
740 |
VMSTATE_UINT32_ARRAY(get_tpr, VAPICHandlers, 8),
|
741 |
VMSTATE_UINT32(get_tpr_stack, VAPICHandlers), |
742 |
VMSTATE_END_OF_LIST() |
743 |
} |
744 |
}; |
745 |
|
746 |
static const VMStateDescription vmstate_guest_rom = { |
747 |
.name = "kvmvapic-guest-rom",
|
748 |
.version_id = 1,
|
749 |
.minimum_version_id = 1,
|
750 |
.minimum_version_id_old = 1,
|
751 |
.fields = (VMStateField[]) { |
752 |
VMSTATE_UNUSED(8), /* signature */ |
753 |
VMSTATE_UINT32(vaddr, GuestROMState), |
754 |
VMSTATE_UINT32(fixup_start, GuestROMState), |
755 |
VMSTATE_UINT32(fixup_end, GuestROMState), |
756 |
VMSTATE_UINT32(vapic_vaddr, GuestROMState), |
757 |
VMSTATE_UINT32(vapic_size, GuestROMState), |
758 |
VMSTATE_UINT32(vcpu_shift, GuestROMState), |
759 |
VMSTATE_UINT32(real_tpr_addr, GuestROMState), |
760 |
VMSTATE_STRUCT(up, GuestROMState, 0, vmstate_handlers, VAPICHandlers),
|
761 |
VMSTATE_STRUCT(mp, GuestROMState, 0, vmstate_handlers, VAPICHandlers),
|
762 |
VMSTATE_END_OF_LIST() |
763 |
} |
764 |
}; |
765 |
|
766 |
static const VMStateDescription vmstate_vapic = { |
767 |
.name = "kvm-tpr-opt", /* compatible with qemu-kvm VAPIC */ |
768 |
.version_id = 1,
|
769 |
.minimum_version_id = 1,
|
770 |
.minimum_version_id_old = 1,
|
771 |
.post_load = vapic_post_load, |
772 |
.fields = (VMStateField[]) { |
773 |
VMSTATE_STRUCT(rom_state, VAPICROMState, 0, vmstate_guest_rom,
|
774 |
GuestROMState), |
775 |
VMSTATE_UINT32(state, VAPICROMState), |
776 |
VMSTATE_UINT32(real_tpr_addr, VAPICROMState), |
777 |
VMSTATE_UINT32(rom_state_vaddr, VAPICROMState), |
778 |
VMSTATE_UINT32(vapic_paddr, VAPICROMState), |
779 |
VMSTATE_UINT32(rom_state_paddr, VAPICROMState), |
780 |
VMSTATE_END_OF_LIST() |
781 |
} |
782 |
}; |
783 |
|
784 |
static void vapic_class_init(ObjectClass *klass, void *data) |
785 |
{ |
786 |
SysBusDeviceClass *sc = SYS_BUS_DEVICE_CLASS(klass); |
787 |
DeviceClass *dc = DEVICE_CLASS(klass); |
788 |
|
789 |
dc->no_user = 1;
|
790 |
dc->reset = vapic_reset; |
791 |
dc->vmsd = &vmstate_vapic; |
792 |
sc->init = vapic_init; |
793 |
} |
794 |
|
795 |
static TypeInfo vapic_type = {
|
796 |
.name = "kvmvapic",
|
797 |
.parent = TYPE_SYS_BUS_DEVICE, |
798 |
.instance_size = sizeof(VAPICROMState),
|
799 |
.class_init = vapic_class_init, |
800 |
}; |
801 |
|
802 |
static void vapic_register(void) |
803 |
{ |
804 |
type_register_static(&vapic_type); |
805 |
} |
806 |
|
807 |
type_init(vapic_register); |