ldt

vmfunc

nested-vmx: exceptions take priority over VMFail*

The way the instruction invocations are coded, it is compiler version
dependent whether things work: With old gcc, fail_{,in}valid will not
get touched and hence remain at their initial values, while with newer
gcc evaluation of the status flags occurs outside of the asm(), i.e.
also when an exception was received (in which case EFLAGS didn't change
from its value before the faulting instruction).

Since it is more logical anyway to check for a possible exception first,
do so uniformly instead of trying to fiddle with the asm() in some way.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-278 PoC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

debug-regs: Check the vcpu's initial register state

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

debug-regs: Detect the PV IO shadow handling bugs

Also fix up some poor choice of constant names.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-269 PoC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-265 PoC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

TSX intrinsics

These are implemented to the GCC API, but are compatible with older
toolchains.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-260: Work around toolchain problems with older GCC

GCC 4.4.7 of RHEL/CentOS 6 vintage can't cope with an ebp/rbp register clobber
when compiling with frame pointers enabled.  Switch to ebx/rbx instead.

Reported-by: Glenn Enright <glenn@rimuhosting.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Glenn Enright <glenn@rimuhosting.com>

XSA-261 PoC

This requires adding some basic IO APIC and HPET functionality.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Compile fixes, misc cleanup and consistency improvements, and written
documentation.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-260 PoC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/msr: Clean up MSR field declarations

 * Consistently use ULL for the benefit of 32bit builds
 * Drop leading MSR_ prefixes from bit names
 * Drop unnecessary bit-position defines

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: mov to/from sreg can be encoded with a memory operand

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-259 PoC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Properly bracket EXINFO()'s parameters before operating on them

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Rudimentary syscall handling for PV guests

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce __user_data

Fix up the missing __user_text in Doxyfile, and the missing linker assertions
that the user bss boundaries are page aligned.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/io-apic: Fix 64bit MMIO accesses

While most of the IO-APIC registers are 64 bits wide, the spec states that
they must be accessed with 32bit accesses.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce some basic IO-APIC infrastructure

Replace some opencoded IOAPIC_DEFAULT_BASE constants.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce some basic HPET infrastructure

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce __{KERN,USER}_{CS,DS}32 selector constants

These are intended to facilitate 64bit compatiblity mode segments, but are
exposed in 32bit builds as straight aliases of __{KERN,USER}_{CS,DS} for the
benefit of common code.

Fix up one opencoded use in the XSA-196 PoC.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce and use __user_page_aligned_bss

This avoids special casing user_stack[] as data, and allows the
!test_wants_user_mappings remapping logic to become entirely generic.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Use a linker ASSERT() to check that the mappings are within l1_identmap[]

This avoids needing the runtime checks in hvm's arch_init_traps()

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce and use __maybe_unused

This allows for the 32bit ifdefary of ex_pf_user to be dropped without
suffering a warning in the 64bit build, while still allowing LTO to drop the
function.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-255 PoC

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Fix latent bug in 64bit exec_user_param()

Use a full %rsp reference rather than %esp.  Only a latent bug as the upper
bits will be clear.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce a basic test for debugging infrastructure

To begin with, this just checks that the PV %dr7 latch issue is resolved.
There are many more bugs to fix.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce new debug register definitions and helpers

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Factor out debug register infrastructure into a new header

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce update_desc() for updates to live descriptor entries

GCC 4.4 from CentOS 6 is clever enough to turn the invlpg test's

  gdt[GDTE_AVAIL0] = GDTE_SYM(0, 1, COMMON, DATA, DPL0, B, W);
  write_fs(GDTE_AVAIL0 << 3);

into

  103927:       b8 48 00 00 00                  mov    $0x48,%eax
  10392c:       c7 05 48 f0 10 00 01 00 00 00   movl   $0x1,0x10f048
  103936:       8e e0                           mov    %eax,%fs
  103938:       c7 05 4c f0 10 00 00 93 c0 00   movl   $0xc09300,0x10f04c

which hardware rightfully complains about, as the descriptor isn't valid at
the point that %fs is loaded.

Introduce update_desc() which copes with PV and HVM differences, and enforces
a compiler barrier to prevent reordering of later operations.

Reported-by: Glenn Enright <glenn@rimuhosting.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Add more helpful GDTE() helpers

All tests and some setup infrastructure need explicitly typed versions of
INIT_GDTE() and INIT_GDTE_SYM().  Introduce GDTE() and GDTE_SYM() to do just
this, and update the impacted users.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vmx: Don't create strings[] on the stack of every vmx_insn_err_strerror() call

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/apic: Set SPIV.EN in apic_init() so the device is ready for use

This is more useful behaviour than forcing all tests which call apic_init() to
set up SPIV themselves to actually receive interrupts.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

selftest: test x2apic basic initialisation as well if possible

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Fix cdefs.h conflict with __section

On FreeBSD the build fails with:

/root/src/xtf/include/xtf/compiler.h:13:9: error: '__section' macro redefined
      [-Werror,-Wmacro-redefined]
        ^
/usr/include/sys/cdefs.h:229:9: note: previous definition is here
        ^
1 error generated.

Only define __section if it's undefined in order to prevent conflicts.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

Memory operand and segment emulation tests

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Support the use of GDTs in PV guests

GDT frames in PV guests need to be page aligned, and like pagetables, mapped
read-only.  Move gdt[] into __page_aligned_{data,bss} and leave it empty for
PV guests to begin with.

The PV arch_init_traps() code registers the frame with Xen, and tests wanting
to make use of it need to use hypercall_update_descriptor().

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Allow for fine tuning of the exec_user_* infrastructure

At the moment, %cs, %ss and eflags are hard coded.  Introduce
exec_user_{cs,ss,efl_{and,or}_mask} with suitable defaults.

This allows for the complete removal of exec_user_with_iopl() from the pv-iopl
test, which can now use the common infrastructure.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Move more includes into arch/xtf.h to ease writing tests

It is currently very hit and miss whether functionality is included, and some
current inclusions are already unnecessary.  Make it easier for tests by
putting all common includes in arch/xtf.h, so tests only have to include xtf.h

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

32bit: Save and restore %ds and %es when handling exceptions

For tests which play with segments (especially those which reduce %ds.limit),
failing to restore usable segments can result in cascade failures (most
obviously when trying to poke characters into the console ring).

Remove the vm86 special case in handle_exception() and load __KERN_DS into %ds
and %es unconditionally.  Forgo the unconditional loading of %fs and %gs as
they are unreferenced in exception context.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce and use xenstore_init()

This really should have been introduced along with xenstore_read(), but the
problem only becomes apparent when booting an XTF test as the initial domain.
The presence of xenstore must not be assumed.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce a nested-svm skeleton test

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Rename the vvmx test to nested-vmx

In preparation for introducing nested-svm as well.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Cope being booting as the initial domain

When booted as the initial domain (most commonly in PV-shim mode), the console
and xenbus rings aren't configured, as it is the responsibility of the initial
domain to provide xenconsole/xenstored services for other domains.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce support for booting with the PVH ABI

All XTF HVM guests are compatible with the PVH ABI.  Populate the PHYS32_ENTRY
elfnote and stash the pvh_start_info pointer provided by the domain builder.

Skip the Qemu console setup when booting PVH.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Rename start_info to pv_start_info

In preparation to introduce pvh_start_info.  Rename the type to match, fix up
the accidental double extern, and move the variable into pv/traps.c to match
with its declaration in traps.h.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

xtf-runner: Sort tests by variation as well

This removes instability in the running order of tests with multiple
variations.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86/msr: Introduce xtf_msr_consistency_test()

To help with testing the correctness of MSRs which may be passed directly
through to a guest.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

x86: Split out new msr.h header

Move the {rd,wr}msr wrappers from lib.h and bitfield unions from msr-index.h
to here, leaving msr-index.h to be purely name definitions.

Correct an XFT typo in the msr-index.h header guards, and include msr.h in
arch/xtf.h to avoid tests needing to include msr-index.h manually

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

xtf-runner: Adjust whitespace when running multiple tests

This visually distinguishes the one test run from the next.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-239 PoC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Update XSA-182 PoC to cope with linear pagetables being globally disabled

One mitigation for XSA-240 is a global disable of linear pagetables.  Cope in
such configurations by skipping the test.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

libc: Fix strcpy() assignment mistake

the strcpy function was doing a comparison instead of doing an
assignment.

Signed-off-by: Paul Semel <phentex@amazon.de>
Reviewed-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Bjoern Doebel <doebel@amazon.de>
Reviewed-by: Martin Pohlack <mpohlack@amazon.de>
Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>

Update xl.cfg files for Xen 4.10 support

From 4.10 onwards, the configuration file should use type= in preference to
builder/loader.  Leave the older options for legacy compatability.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

build: Avoid using initialisers for anonymous unions

GCC 4.4 of CentOS 6 vintage can't cope.

Reported-by: Glenn Enright <glenn@rimuhosting.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

build: Opencode vmfunc as bytes

Binutils 2.20 of CentOS 6 vintage doesn't understand the mnemonic.  The
instruction doesn't encode any operands, so we don't lose any flexibility.

Reported-by: Glenn Enright <glenn@rimuhosting.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

build: Drop unnecessary register clobbers

The code in question is executing __HYPERVISOR_multicall which is 2-parameter
hypercall, which means that args 3-6 are preserved (as opposed to the
arguments in the multicall_entry_t list, which are clobbered).

GCC 4.4 in CentOS 6 can't cope with the ebp clobber.

Reported-by: Glenn Enright <glenn@rimuhosting.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

build: Support BUILD_BUG_ON() with compilers lacking _Static_assert()

Implement enough compatibility so the code can use Clang's __has_extension()
logic when compiled with GCC.

Reported-by: Glenn Enright <glenn@rimuhosting.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-234 PoC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-232 PoC

Based on an example provided by Matthew Daley.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-231 PoC

Based on an example provided by Matthew Daley.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce VCPU_OP and vcpu_*_context hypercall ABI

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

gitignore: add local vimrc

Signed-off-by: Petre Pircalabu <ppircalabu@bitdefender.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-227 PoC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Functional: Add a UMIP test

Add a "umip" test for the User-Model Instruction Prevention. The test
simply tries to run sgdt/sidt/sldt/str/smsw in guest user-mode with
CR4_UMIP = 1.

Signed-off-by: Boqun Feng (Intel) <boqun.feng@gmail.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
[Whitespace and docs fixups]
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Replace uses of x86_decode_exinfo() with %pe

x86_exc_decode_ec() and x86_decode_exinfo() are awkward to use, as they
require a local buffer of (unknown) sufficient size.

Make the functions local to decode.c and refactor the callsites to use %pe
instead.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Implement arch_fmt_pointer() for custom %pe handling

This allows %pe to be used to print an exinfo_t.  The implementation uses
x86_decode_exinfo() under the hook.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Export some vsprintf() internals

Rename number() to fmt_number() and export it.  Carve fmt_string() out of
vsnprintf() and export it.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Fix xtf_init_grant_table() to actually work on older versions of Xen

(Now that such testing has taken place.)

On such versions of Xen, GNTTABOP_set_version will return -ENOSYS even when
trying to set a version of 1.  In such a case, v1 is the only version known to
Xen, so treat this condition non-fatally.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

XSA-224 PoC

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Basic grant table infrastructure

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Implement xtf_get_domid() for tests which need to know their own domid

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Basic xenstore read implementation

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Infrastructure for connecting the xenbus ring

Extra ABI and setup to obtain the xenstore ring location.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Provide non-PV compatability for mfn related functions

Similar to non-paged compatability.  This allows for extra #ifdef'ary removal
from setup.c

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

build: append -fno-pic to CFLAGS

It appears that Stretch's gcc has this on by default, which causes the
generating of several get_pc_thunk's, which breaks xsa-192 test.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

Further LTO cleanup

Drop __used annotations for extable handlers, and use an "X" constraint.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Implement pv_read_some

Implement reading from PV console. Making use of polling.

Signed-off-by: Felix Schmoll <eggi.innovations@gmail.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce hypercall_poll() infrastructure for the console

The current write() path stays using yield() until the xl/xenconsoled race
condition it tickles is understood.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

docs: Fix up the doxygen formatting for _ASM_TRAP_OK()

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

cleanup to nmi-taskswitch-priv

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

docs: Fix the list of changeset in the history section

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Functional test for an NMI-triggered task switch which increases privilege

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Split existing Gate Descriptor infrastructure out into x86-gate.h

Following in the style of the TSS work:

 * Rename gate_desc to env_gate
 * Rename seg_gate{32,64} to x86_gate{32,64}

In addition,

 * Expose call gate parameter counts for completeness.
 * Introduce pack_gate() which works on the appropriate type of gate, which
   allows for removal of #ifdef'ary during HVM setup.
 * Introduce pack_task_gate() which wraps pack_gate(), and allows for further
   #ifdef'ary removal in setup_doublefault().

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

hvm32: Fill in tss.cr3 for the default task

This is necessary for 32bit tests in, which end up task switching back to the
default task.  %cr3 gets reloaded as part of a task switch, which causes a
triple fault for 32bit paged environments.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Add declarations for l?_table_offset() in unpaged environments

This helps with writing code with reduced #ifdef'ary.  Remove stray externs
from other compatibility functions.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Extend APIC infrastructure with ICR helpers

Abstract away the split MMIO write.  While adding the MSR side, fix the broken
constraints for apic_msr_write().

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Introduce locked bt* operations

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon in VMX root w/ CPL = 3 and w/ current VMCS

Fault #GP(0) is expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon in VMX root w/ CPL = 0 and w/ current VMCS

VMfailvalid() is expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon in VMX root w/ CPL = 3 and w/o current VMCS

Fault #GP(0) is expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon in VMX root w/ CPL = 0 and w/o current VMCS

VMfailInvalid is expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test the correct vmxon

No error is expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon with bit 31 of VMCS revision ID set

VMfailInvalid is expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon with mismatched VMCS revision ID

VMfailInvalid is expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon with unaligned VMXON region address

VMfailInvalid is expected in this case.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon with invalidly wide VMXON region address

VMfailInvalid is expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon in CPL=3 inside and outside of VMX operation

Faults #UD and #GP(0) are expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Introduce a second test, checking both #UD and #GP(0)

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

vvmx: Test vmxon with CR4.VMXE cleared

Fault #UD is expected in this test.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Rebase and cleanup.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>