1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
|
// SPDX-License-Identifier: GPL-2.0
/*
* KVM dirty page logging test
*
* Copyright (C) 2018, Red Hat, Inc.
*/
#include <stdio.h>
#include <stdlib.h>
#include <linux/bitmap.h>
#include <linux/bitops.h>
#include "test_util.h"
#include "kvm_util.h"
#include "processor.h"
#include "svm_util.h"
#include "vmx.h"
/* The memory slot index to track dirty pages */
#define TEST_MEM_SLOT_INDEX 1
/*
* Allocate four pages total. Two pages are used to verify that the KVM marks
* the accessed page/GFN as marked dirty, but not the "other" page. Times two
* so that each "normal" page can be accessed from L2 via an aliased L2 GVA+GPA
* (when TDP is enabled), to verify KVM marks _L1's_ page/GFN as dirty (to
* detect failures, L2 => L1 GPAs can't be identity mapped in the TDP page
* tables, as marking L2's GPA dirty would get a false pass if L1 == L2).
*/
#define TEST_MEM_PAGES 4
#define TEST_MEM_BASE 0xc0000000
#define TEST_MEM_ALIAS_BASE 0xc0002000
#define TEST_GUEST_ADDR(base, idx) ((base) + (idx) * PAGE_SIZE)
#define TEST_GVA(idx) TEST_GUEST_ADDR(TEST_MEM_BASE, idx)
#define TEST_GPA(idx) TEST_GUEST_ADDR(TEST_MEM_BASE, idx)
#define TEST_ALIAS_GPA(idx) TEST_GUEST_ADDR(TEST_MEM_ALIAS_BASE, idx)
#define TEST_HVA(vm, idx) addr_gpa2hva(vm, TEST_GPA(idx))
#define L2_GUEST_STACK_SIZE 64
/* Use the page offset bits to communicate the access+fault type. */
#define TEST_SYNC_READ_FAULT BIT(0)
#define TEST_SYNC_WRITE_FAULT BIT(1)
#define TEST_SYNC_NO_FAULT BIT(2)
static void l2_guest_code(vm_vaddr_t base)
{
vm_vaddr_t page0 = TEST_GUEST_ADDR(base, 0);
vm_vaddr_t page1 = TEST_GUEST_ADDR(base, 1);
READ_ONCE(*(u64 *)page0);
GUEST_SYNC(page0 | TEST_SYNC_READ_FAULT);
WRITE_ONCE(*(u64 *)page0, 1);
GUEST_SYNC(page0 | TEST_SYNC_WRITE_FAULT);
READ_ONCE(*(u64 *)page0);
GUEST_SYNC(page0 | TEST_SYNC_NO_FAULT);
WRITE_ONCE(*(u64 *)page1, 1);
GUEST_SYNC(page1 | TEST_SYNC_WRITE_FAULT);
WRITE_ONCE(*(u64 *)page1, 1);
GUEST_SYNC(page1 | TEST_SYNC_WRITE_FAULT);
READ_ONCE(*(u64 *)page1);
GUEST_SYNC(page1 | TEST_SYNC_NO_FAULT);
/* Exit to L1 and never come back. */
vmcall();
}
static void l2_guest_code_tdp_enabled(void)
{
/*
* Use the aliased virtual addresses when running with TDP to verify
* that KVM correctly handles the case where a page is dirtied via a
* different GPA than would be used by L1.
*/
l2_guest_code(TEST_MEM_ALIAS_BASE);
}
static void l2_guest_code_tdp_disabled(void)
{
/*
* Use the "normal" virtual addresses when running without TDP enabled,
* in which case L2 will use the same page tables as L1, and thus needs
* to use the same virtual addresses that are mapped into L1.
*/
l2_guest_code(TEST_MEM_BASE);
}
void l1_vmx_code(struct vmx_pages *vmx)
{
unsigned long l2_guest_stack[L2_GUEST_STACK_SIZE];
void *l2_rip;
GUEST_ASSERT(vmx->vmcs_gpa);
GUEST_ASSERT(prepare_for_vmx_operation(vmx));
GUEST_ASSERT(load_vmcs(vmx));
if (vmx->eptp_gpa)
l2_rip = l2_guest_code_tdp_enabled;
else
l2_rip = l2_guest_code_tdp_disabled;
prepare_vmcs(vmx, l2_rip, &l2_guest_stack[L2_GUEST_STACK_SIZE]);
GUEST_SYNC(TEST_SYNC_NO_FAULT);
GUEST_ASSERT(!vmlaunch());
GUEST_SYNC(TEST_SYNC_NO_FAULT);
GUEST_ASSERT_EQ(vmreadz(VM_EXIT_REASON), EXIT_REASON_VMCALL);
GUEST_DONE();
}
static void l1_svm_code(struct svm_test_data *svm)
{
unsigned long l2_guest_stack[L2_GUEST_STACK_SIZE];
void *l2_rip;
if (svm->ncr3_gpa)
l2_rip = l2_guest_code_tdp_enabled;
else
l2_rip = l2_guest_code_tdp_disabled;
generic_svm_setup(svm, l2_rip, &l2_guest_stack[L2_GUEST_STACK_SIZE]);
GUEST_SYNC(TEST_SYNC_NO_FAULT);
run_guest(svm->vmcb, svm->vmcb_gpa);
GUEST_SYNC(TEST_SYNC_NO_FAULT);
GUEST_ASSERT_EQ(svm->vmcb->control.exit_code, SVM_EXIT_VMMCALL);
GUEST_DONE();
}
static void l1_guest_code(void *data)
{
if (this_cpu_has(X86_FEATURE_VMX))
l1_vmx_code(data);
else
l1_svm_code(data);
}
static void test_handle_ucall_sync(struct kvm_vm *vm, u64 arg,
unsigned long *bmap)
{
vm_vaddr_t gva = arg & ~(PAGE_SIZE - 1);
int page_nr, i;
/*
* Extract the page number of underlying physical page, which is also
* the _L1_ page number. The dirty bitmap _must_ be updated based on
* the L1 GPA, not L2 GPA, i.e. whether or not L2 used an aliased GPA
* (i.e. if TDP enabled for L2) is irrelevant with respect to the dirty
* bitmap and which underlying physical page is accessed.
*
* Note, gva will be '0' if there was no access, i.e. if the purpose of
* the sync is to verify all pages are clean.
*/
if (!gva)
page_nr = 0;
else if (gva >= TEST_MEM_ALIAS_BASE)
page_nr = (gva - TEST_MEM_ALIAS_BASE) >> PAGE_SHIFT;
else
page_nr = (gva - TEST_MEM_BASE) >> PAGE_SHIFT;
TEST_ASSERT(page_nr == 0 || page_nr == 1,
"Test bug, unexpected frame number '%u' for arg = %lx", page_nr, arg);
TEST_ASSERT(gva || (arg & TEST_SYNC_NO_FAULT),
"Test bug, gva must be valid if a fault is expected");
kvm_vm_get_dirty_log(vm, TEST_MEM_SLOT_INDEX, bmap);
/*
* Check all pages to verify the correct physical page was modified (or
* not), and that all pages are clean/dirty as expected.
*
* If a fault of any kind is expected, the target page should be dirty
* as the Dirty bit is set in the gPTE. KVM should create a writable
* SPTE even on a read fault, *and* KVM must mark the GFN as dirty
* when doing so.
*/
for (i = 0; i < TEST_MEM_PAGES; i++) {
if (i == page_nr && (arg & TEST_SYNC_WRITE_FAULT))
TEST_ASSERT(*(u64 *)TEST_HVA(vm, i) == 1,
"Page %u incorrectly not written by guest", i);
else
TEST_ASSERT(*(u64 *)TEST_HVA(vm, i) == 0xaaaaaaaaaaaaaaaaULL,
"Page %u incorrectly written by guest", i);
if (i == page_nr && !(arg & TEST_SYNC_NO_FAULT))
TEST_ASSERT(test_bit(i, bmap),
"Page %u incorrectly reported clean on %s fault",
i, arg & TEST_SYNC_READ_FAULT ? "read" : "write");
else
TEST_ASSERT(!test_bit(i, bmap),
"Page %u incorrectly reported dirty", i);
}
}
static void test_dirty_log(bool nested_tdp)
{
vm_vaddr_t nested_gva = 0;
unsigned long *bmap;
struct kvm_vcpu *vcpu;
struct kvm_vm *vm;
struct ucall uc;
bool done = false;
pr_info("Nested TDP: %s\n", nested_tdp ? "enabled" : "disabled");
/* Create VM */
vm = vm_create_with_one_vcpu(&vcpu, l1_guest_code);
if (nested_tdp)
vm_enable_tdp(vm);
if (kvm_cpu_has(X86_FEATURE_VMX))
vcpu_alloc_vmx(vm, &nested_gva);
else
vcpu_alloc_svm(vm, &nested_gva);
vcpu_args_set(vcpu, 1, nested_gva);
/* Add an extra memory slot for testing dirty logging */
vm_userspace_mem_region_add(vm, VM_MEM_SRC_ANONYMOUS,
TEST_MEM_BASE,
TEST_MEM_SLOT_INDEX,
TEST_MEM_PAGES,
KVM_MEM_LOG_DIRTY_PAGES);
/*
* Add an identity map for GVA range [0xc0000000, 0xc0004000). This
* affects both L1 and L2. However...
*/
virt_map(vm, TEST_MEM_BASE, TEST_MEM_BASE, TEST_MEM_PAGES);
/*
* ... pages in the L2 GPA address range [0xc0002000, 0xc0004000) will
* map to [0xc0000000, 0xc0002000) when TDP is enabled (for L2).
*
* When TDP is disabled, the L2 guest code will still access the same L1
* GPAs as the TDP enabled case.
*
* Set the Dirty bit in the PTEs used by L2 so that KVM will create
* writable SPTEs when handling read faults (if the Dirty bit isn't
* set, KVM must intercept the next write to emulate the Dirty bit
* update).
*/
if (nested_tdp) {
tdp_identity_map_default_memslots(vm);
tdp_map(vm, TEST_ALIAS_GPA(0), TEST_GPA(0), PAGE_SIZE);
tdp_map(vm, TEST_ALIAS_GPA(1), TEST_GPA(1), PAGE_SIZE);
*tdp_get_pte(vm, TEST_ALIAS_GPA(0)) |= PTE_DIRTY_MASK(&vm->stage2_mmu);
*tdp_get_pte(vm, TEST_ALIAS_GPA(1)) |= PTE_DIRTY_MASK(&vm->stage2_mmu);
} else {
*vm_get_pte(vm, TEST_GVA(0)) |= PTE_DIRTY_MASK(&vm->mmu);
*vm_get_pte(vm, TEST_GVA(1)) |= PTE_DIRTY_MASK(&vm->mmu);
}
bmap = bitmap_zalloc(TEST_MEM_PAGES);
while (!done) {
memset(TEST_HVA(vm, 0), 0xaa, TEST_MEM_PAGES * PAGE_SIZE);
vcpu_run(vcpu);
TEST_ASSERT_KVM_EXIT_REASON(vcpu, KVM_EXIT_IO);
switch (get_ucall(vcpu, &uc)) {
case UCALL_ABORT:
REPORT_GUEST_ASSERT(uc);
/* NOT REACHED */
case UCALL_SYNC:
test_handle_ucall_sync(vm, uc.args[1], bmap);
break;
case UCALL_DONE:
done = true;
break;
default:
TEST_FAIL("Unknown ucall %lu", uc.cmd);
}
}
}
int main(int argc, char *argv[])
{
TEST_REQUIRE(kvm_cpu_has(X86_FEATURE_VMX) || kvm_cpu_has(X86_FEATURE_SVM));
test_dirty_log(/*nested_tdp=*/false);
if (kvm_cpu_has_tdp())
test_dirty_log(/*nested_tdp=*/true);
return 0;
}
|
