Setup for VM launch Using ‘vmxwrite’ and ‘vmxread’ for access to state-information in a Virtual Machine Control Structure.

Slides:



Advertisements
Similar presentations
Processor Privilege-Levels
Advertisements

ITCS 3181 Logic and Computer Systems 2015 B. Wilkinson slides3.ppt Modification date: March 16, Addressing Modes The methods used in machine instructions.
Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
Virtualization Technology A first look at some aspects of Intel’s ‘Vanderpool’ initiative.
Intel MP.
Ring-transitions for EM64T How the CPU can accomplish transitions among its differing privilege-levels in 64-bit mode.
CSC 221 Computer Organization and Assembly Language
IA32 Paging Scheme Introduction to the Pentium’s support for “virtual” memory.
Task-Switching How the x86 processor assists with context-switching among multiple program-threads.
Interrupts in Protected-Mode Writing a protected-mode interrupt-service routine for the timer-tick interrupt.
Processor Exceptions A survey of the x86 exceptions and mechanism for handling faults, traps, and aborts.
EM64T ‘fast’ system-calls A look at the requirements for using Intel’s ‘syscall’ and ‘sysret’ instructions in 64-bit mode.
Page-Faults in Linux How can we study the handling of page-fault exceptions?
Interrupts in Protected-Mode Writing a protected-mode interrupt-service routine for the timer-tick interrupt.
The various x86 ‘modes’ On understanding key differences among the processor’s several execution-architectures.
Defining protected-mode segment-descriptors An example of a protected-mode bootsector application that draws a message to the video display.
Processor Privilege-Levels How the x86 processor accomplishes transitions among its four distinct privilege-levels.
Venturing into protected-mode A first look at the CPU registers and instructions which provide the essential supporting infrastructure.
X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT
Processor Exceptions A survey of the x86 exceptions and mechanism for handling faults, traps, and aborts.
Task-Switching How the x86 processor assists with context-switching among multiple program-threads.
Segment-registers’ hidden bits A look at how segmentation attributes are cached within the CPU’s segment-registers.
Venturing into protected-mode
Model-Specific Registers A look at Intel’s scheme for introducing new CPU features.
Special segment-registers
A ‘protected-mode’ exploration A look at the steps needed to build segment-descriptors for displaying a message while in protected-mode.
ICS312 Set 3 Pentium Registers. Intel 8086 Family of Microprocessors All of the Intel chips from the 8086 to the latest pentium, have similar architectures.
Microprocessor Systems Design I Instructor: Dr. Michael Geiger Spring 2012 Lecture 2: 80386DX Internal Architecture & Data Organization.
Microprocessor Systems Design I Instructor: Dr. Michael Geiger Spring 2014 Lecture 4: x86 memory.
Our planned VMX demo Implementation-code for our ‘Guest’ VM and ‘Host’ VMM.
8086 emulation Using Virtual-8086 mode to execute real-mode procedures in a protected-mode environment.
Venturing into protected-mode A first look at the CPU registers and instructions which provide the essential supporting infrastructure.
Interrupts in Protected-Mode Writing a protected-mode interrupt-service routine for the timer-tick interrupt.
ADDRESSING MODES OF Addressing Modes of  To perform any operation, we have to give the corresponding instructions to the microprocessor.
UNIT 2 Memory Management Unit and Segment Description and Paging
Advanced x86: Virtualization with VT-x Part 2 David Weinstein
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦
Microprocessor system architectures – IA32 segmentation Jakub Yaghob.
Private & Confidential Property of COSEINC. Who am I? Senior Security Researcher at COSEINC One of the developers of BluePill, a hardware- based virtualization.
Multitasking Mr. Mahendra B. Salunke Asst. Prof. Dept. of Computer Engg., STES SITS, Narhe, Pune-41 STES Sinhgad Institute of Tech. & Science Dept. of.
INSTRUCTION SET AND ASSEMBLY LANGUAGE PROGRAMMING
CSC321 Making a Computer Binary number system → Boolean functions Boolean functions → Combinational circuits Combinational circuits → Sequential circuits.
Interrupts in the guest VM A look at the steps needed to “reflect” hardware interrupts back into the ROM-BIOS for servicing.
System Address Registers/Memory Management Registers Four memory management registers are used to specify the locations of data structures which control.
Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009.
1 i386 Memory Management Professor Ching-Chi Hsu 1998 年 4 月.
Virtual 8086 Mode  The supports execution of one or more 8086, 8088, 80186, or programs in an protected-mode environment.  An 8086.
Microprocessor system architectures – IA32 tasks Jakub Yaghob.
80386DX. Programming Model The basic programming model consists of the following aspects: – Registers – Instruction Set – Addressing Modes – Data Types.
Chapter 2 Parts of a Computer System. 2.1 PC Hardware: Memory.
1 Microprocessors CSE Protected Mode Memory Addressing Remember using real mode addressing we were previously able to address 1M Byte of memory.
Chapter 2 The Microprocessor Architecture Microprocessors prepared by Dr. Mohamed A. Shohla.
Paravirtual/HVM linux examples Argentina Software Development Center Software and Solutions Group 31 July 2008.
Introduction to Intel IA-32 and IA-64 Instruction Set Architectures.
Information Security - 2. Descriptor Tables Descriptors are stored in three tables: – Global descriptor table (GDT) Maintains a list of most segments.
Information Security - 2. CISC Vs RISC X86 is CISC while ARM is RISC CISC is Compiler’s heaven while RISC is Architecture’s heaven Orthogonal ISA in RISC.
Microprocessors CSE- 341 Dr. Jia Uddin Assistant Professor, CSE, BRAC University Dr. Jia Uddin, CSE, BRAC University.
The Microprocessor & Its Architecture A Course in Microprocessor Electrical Engineering Department Universitas 17 Agustus 1945 Jakarta.
Computer Science 516 Intel x86 Overview. Intel x86 Family Eight-bit 8080, 8085 – 1970s 16-bit 8086 – was internally 16 bits, externally 8 bits.
EEL 4709C Prof. Watson Herman Group 4 Ali Alshamma, Derek Montgomery, David Ortiz 11/11/2008.
Microprocessor Architecture
16.317: Microprocessor System Design I
Microprocessor Systems Design I
x86 segmentation, page tables, and interrupts
Chapter 2: The Microprocessor and its Architecture
Operating Modes UQ: State and explain the operating modes of X86 family of processors. Show the mode transition diagram highlighting important features.(10.
Chapter 2: The Microprocessor and its Architecture
Information Security - 2
REGISTER ORGANIZATION OF 80386
CS444/544 Operating Systems II Virtual Memory
Presentation transcript:

Setup for VM launch Using ‘vmxwrite’ and ‘vmxread’ for access to state-information in a Virtual Machine Control Structure

VM and VMM A virtual machine, and its Virtual Machine Manager, each need a supporting VMCS Guest VMCS (4K-aligned) VM VM exit Host VMCS (4K-aligned) VM entry VMM VMXon VMXoff

Access to VMCS Software must initialize the first longword with the CPU’s VMX revision-identifier in advance of any use by VMX instructions Get ‘revision-identifier’ from MSR (0x480) Any further access to the VMCS is indirect (because layout varies among processors) The ‘vmwrite’ and ‘vmread’ instructions are used to access the VMCS fields indirectly

Over one hundred fields! Each field within the VMCS is specified by its unique 32-bit field-encoding 31 15 14 13 12 11 10 9 1 0 reserved (=0) W T INDEX A Legend: W (width of field): 00=16-bit, 01=64-bit, 10=32-bit, 11=natural-width T (Type of field): 00=control, 01=read-only, 10=guest-state, 11=host-state A (Access-type): 0= full, 1=high (NOTE: Access-type must be ‘full’ for 16-bit, 32-bit, and ‘natural’ widths)

‘vmwrite’ Source operand is in register or memory Destination operand is the ‘field-encoding’ for a VMCS component and is in a register # Example: the CR3 target-count control has field-encoding 0x0000400A # Here we setup that VMCS-component’s value so it will be equal to 2 .code64 mov $0x0000400A, %rax # field-encoding into RAX mov $2, %rbx # component-value in RBX vmwrite %rbx, %rax # write value to VMCS field

‘vmread’ Source operand is the ‘field encoding’ for a VMCS component and is in a register; the destination operand is register or memory # Example: the Exit Reason component has field-encoding 0x00004402 # Here we read that VMCS-component’s 32-bit value into a memory-variable .code64 mov $0x00004402, %rax # field-encoding into RAX lea Exit_Reason, %rbx # memory-address into RBX vmread %rax, (%rbx) # read value from VMCS field #------------------------------------------------------------------------------------------------------ Exit_Reason: .space 4 # storage for the Exit Reason

Our ‘machine’ array In our ‘vmxstep3.s’ source-file we create a complete set of memory-variables for all the VMCS components, together with an array of (field-encoding, variable-address) pairs; our array is named ‘machine[]’ This allows us to create a program-loop which initializes all the VMCS components in a uniform way, despite varying widths

Categories of variables The components of the VMCS fall into six categories: Guest-state components Host-state components VM-execution Control fieldss VM-entry Control fields VM-exit Control fields VM-exit Information fields

Main Guest-State fields Program memory-segment registers ES, CS, SS, DS, FS, GS System memory-segment registers LDTR, TR, GDTR, IDTR Processor Control Registers CR0, CR3, CR4, DR7 Processor General Registers RSP, RIP, RFLAGS

For a Virtual-8086 guest-task All program memory-segment registers have 64K segment-limits (0xFFFF) with their ‘access-rights’ equal to 0x00F3 (i.e., present, readable, writable, executable, and requested privilege-level equal to 3) Segment base-addresses must be equal to segment-selectors times sixteen (for real-mode style memory-addressing)

Guest System Segments The base-address and segment-limit for LDTR, TR, GDTR, and IDTR registers can be setup using the symbolic addresses and equates defined in our ‘vmxdemo1.s’ Likewise for selector-values for LDTR/TR The ‘access-rights’ for LDTR must be 0x82 and for TR must be 0x8B (‘busy’ 386TSS)

Guest Control Registers Control Register CR0 is required to have its PG, PE, and NE bits all set to 1 (based on the VMX Capability Registers MSRs) Control Register CR4 is required to have its VMXE bit set to 1 (for same reason) Control Register CR3 must get loaded with the physical address of the page-directory that will be in effect in for the guest task

Guest general registers Most of the guest’s general registers will contain values inherited from the VMM at the time of its launch, but three registers need to specified for simultaneous loading RIP = offset to program’s entry-point RSP = offset to the ring3 top-of-stack RFLAGS = must have VM-bit set to 1

Miscellaneous Most other guest-state fields can be left with zero-values for our demo’s purposes But the guest’s VMCS link-pointer field is an exception: it needs to be ‘null’ (i.e., -1) according to Intel VMX documentation (on ‘Checks on Guest Non-Register State’)

Host-State Our ‘Host’ will execute in 64-bit mode, so its control registers CR0 and CR4 must have certain bits set to 1 (PE, NE, PG in CR0; and VMXE, PAE in CR4) and CR3 must get loaded with the physical address of a level4 page-mapping table Host register RIP must get loaded with the address-offset for the VMM entry-point

Controls Most of these can be setup with defaults, derived from the VMX Capability MSRs plus explicit advice from Intel’s manuals Reserved bits must be set properly (but can be checked by software at runtime using values from VMX Capability MSRs)

Example IA32_VMX_PROCBASED_CTLS_MSR (register-index 0x482) 0x67B9FFFE 0401E172 Your proposed value for the corresponding VMCS component must satisfy this condition on a bitwise-comparison basis: 0x67B9FFFE >= your_value >= 0x0401E172 mov $0x482, %rcx rdmsr and your_value, %edx or your_value, %eax cmp %eax, %edx jne invalid_value

‘vmxdemo.s’ You can download, assemble, link, and then execute our ‘vmxdemo.s’ example There are four source-files altogether: vmxstep1.s (our guest component) vmxstep2.s (our host component) vmxstep3.s (our control component) vmxdemo.s (our runtime initializations)

‘mask’ and ‘shadow’ Some special VMCS control-components allow your software to manipulate values read from control registers CR0 and CR4 actual: mask: shadow: apparent: 1 1 1 1 1 1 1 1 Where a bit is masked, the ‘shadow’ bit appears Where a bit is not masked, the ‘actual’ bit appears 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

In-class exercise Try changing the ‘control_CR0_mask’ and ‘control_CR0_shadow’ variables, to see what effects are produced when the guest task executes the ‘smsw’ instruction and outputs its value via the serial-UART

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.