Source code + manual + development/application. It takes time to learn vt technology. Last year, I learned the protection mode and did a simple study of vt. After a long time, I still forgot the knowledge.
The source code uses the ke_github open source code, chapters 19 to 31 of the Intel manual, from 0 to 1 understanding + writing code, application development VT-EPT_API-Monitor.
Learning method: stand on the shoulders of giants
- Read and comprehend chapters 19~31 carefully, write code in modular fragments, and exercise your English reading ability by the way.
- The main thing is to understand the idea and write the code according to the manual first. Application-oriented, develop your own vt api monitoring.
Chapter 19:
- IA-32 extension supports Virtual-machine monitors (VMM)/Guest software. VMM fully controls the processor and other platform hardware, and can reserve processor resources, physical memory, interrupt management and IO. The guest here is briefly understood as a node virtual machine
- There are two types of VMX. VMM runs on VMX root, and guest software runs on non-root. The conversion to VMX non-root is called VM entry, and the conversion from VMX non-root to VMX is called VMX exit. This process is like two concepts of entering and exiting.
Understanding the VMM life cycle
-
Software enters VMX operation with VMXON instruction
-
Use VM to enter, use VMLAUNCH VMRESUME to enter Guest virtual machines, VM exit to regain control
-
VM transmission control exits to the designated entry point of VMM, and the vm entry is returned to the virtual machine according to the exit reason.
- VMXOFF realizes closing and leaving the virtual machine
VMX non-root conversion VMX is controlled by virtual-machine control structure (VMCS). The VMSC pointer is used to access the structure (64bit). Use VMPTRST/VMPTRLD to read and write the structure respectively. VMREAD/VMWRITE/VMCLEAR instruction configuration. Before the software enters VMX operation, Must support VMX.
if(CPUID.1:ECX.VMX[bit 5] == 1)
{
支持VMX
}Turn on VMX through CR4.VMXE[bit 13] == 1, and enter through VMXON. If VMXE==0, an exception will be triggered
VMXON is controlled by IA32_FEATRUE_CONTROL_MSR.
VMX limit operation, can not be in A20 mode, INIT signal will be blocked, VMX needs CR0.PE/CR0.NE/CR0.PG/CR4.VMXE flag bit to be 1, protection mode/page mode can run MVX operation, This means that guests cannot be in non-paged mode.
This chapter will introduce the concept of VMM/VMX/Guest, VMX life cycle instructions, and most importantly, VMX support conditions.
Chapter 20
VMX non-root operations, VMCLEAR/CMPTRLD/VMREAD/VMWRITE, each processor associates an area in the memory with VMCS, called VMCS regIon. Referred by a 64-bit address, this is the VMCS pointer.
The pointer must be on the 4kb boundary (bit 11:0 must be 0), VMPTRLD can make VMCS active, and some other instructions are related to VMCS.
VMCS area up to 4kb, area format
The first 32 Bit of VMCS is the revision identifier. Different formats maintain the VMCS. Before using the VMCS, you need to fill in the VMCS revision identifier. If it is different from the processor flag version, VMPTRLD will fail.
The 32-bit recorded is the abort indicator. These bits will not interfere with the processor. If a VMX abort occurs, these bits will be executed. This area records the abort related data.
The remaining area is VMCS data, used to control non-root VMX disecover VMX, etc., the specific format is implemented, and it will continue tomorrow.
VMCS
1) Guest-state area:
Each VM entry loads the processor state from these fields and is stored in the fields of the VM exit.
Register
Control register CR0, CR3, CR4 64-bit
Debug register DR7 64-bit
RSP,RIP,RFLAGS 64-bit
CS, SS, DS, ES, FS, GS, LDTR, TR, introduction to segment registers
Non-Register
Activity status (32bit):
| 0 | The processor executes normally when Active |
|---|---|
| 1 | HLT executes the HLT instruction, the processor is not active |
| 2 | Shutdown processing inactivity, serious error with triple failure |
| 3 | Wait-for-SIPI processing is not active, waiting for IPI to restart |
Interruptible state (32bit)
0 STL interrupt, EFLAGS (IF-bit) RFLAGS.IF set by STL = 0
1 MOV SS question:
2 SMI
3 NMI
31:4
Wait for exception debugging (64-bit):
3:0 B3-B0 Even without DR7 support, every bit can be identified
11:4 This flag bit is reserved, if it is not 0, VM entry fails
12 bit open breakpoint
13 reserved
14 BS single step trigger
63:15
VMCS link pointer (64bit) is set to FFFFFFFF_FFFFFFFFH to avoid failure to enter the VM
2) Host-state area:
Load status
CR0, CR3, CR4, RSP, RIP from VM exits
3) VM-execution control fields:
VM execution controls VMX non-root operations, which determines the reason for VM exit (to a certain extent),
constructs 32 vectors to handle asynchronous events (such as interrupts)
Pin-based VM execution
VMX non-root
0: The extended interrupt exits. If it is 1, the VM external interrupt exits, otherwise it will be delivered to IDT. If it is 1, RFLAGS.IF has no effect.
3: NMI extension, if it is 1, non-masked interruption causes the VM to exit.
5: Virtual NML, if it is 1, it means that NMI blocking is violated.
Processor-based VM execution
Abnormal bitmap
I/O bitmap address
Timestamp offset
Guest/Host CR0 CR4
CR3-Target Controls
If the MOV CR3 is executed under VM non-root, it will not cause the VM to exit. If the CR3 target count is 0, it will cause the VM to exit, the target count is greater than 4, the VM entry fails, MSR IA32_VMX_MISC. VMCS-pointer is used to manage interrupt SMI and system management mode SMM.
4) VM-exit control fields: VM exit
Generate a 32-bit vector, responsible for VM exit
9: Host address space size, if Inetl 64 is not supported, it must be 0
15: Confirm interrupt when exiting
5) VM-entry control fields:VM入口
9 IA-32e mode guest
10 Enter SMM
11 Disable dual monitoring
6) VM-exit information fields
7) VM execution/exit/enter collectively referred to as VMX controls
Rules to follow to access VMCS
- Whether the processor provides VM exit information MSR IA32_VMX_BASIC to determine, it cannot be active in multiple logical processors,
MVCS migrates to another processor, the first processor VMCS executes VMCLEAR to ensure that it is inactive and before VMPTRLD. - VMREAD/VMWRITE should be used to access VMCS data
- All entries should be initialized before vm entries enter VMCS
Chapter 24
System Management mode (SMM) Overvlew
SMM is a special mode, such as processing power management, system hardware control or proprietary OEM design code. It is used by system hardware. The advantage is that it provides a unique and easy-to-isolate processor environment and transparent operation.
When the SMM is called through a system interrupt (SMI), the processor context is saved, the processor switches to a separate address control, and the SMM specified code is executed transparently, such as the disk is not closed. After the SMI processing is completed, the RSM instruction makes the processor Reload the saved context, switch back to the actual mode, and resume execution of interrupted applications or tasks.
- The only way to enter SMM is SMI.
- The processor executes the SMM code in a separate address to control the SMRAM, others have no right to access.
- Entering SMM, the processor saves the interrupted program or task online text.
- When entering SMM, all interrupts are usually disabled by the operating system.
- RSM can only be executed in SMM.
- In SMM processing, the introduced physical extension PAE mechanism is not supported.
- SMM, like real mode, has no privilege level and address mapping.
System management mode and Virtual-machine extensions Operation
Default mode: The system firmware processes the SMI, the processor saves the VMX state when entering the SMM, the SMI processing is completed, and the RSM is used to restore the VMX operation.
Dual-slave monitor: Two VM monitors co-process SMIs: one VMM runs outside of SMM to provide support for the Guest, and the other runs inside SMM to support system management functions
System Management Interrupt(SMI)
When the processor is in SMM SMI disabled state:
enter SMM, when SMI is received, wait for all instructions to exit/storage completed, save the online text of the processor to SMRAM, and enter SMM to execute the SMI processing program. After entering the processor, the SMM processor sends a signal to the outside to tell that it has started to process SMM, and SMI has the highest priority
SMRAM
The size of SMRAM mapped to physical memory can reach 4GB, the default 64kb, 30000H, SMBASE+8000H find the first SMI instruction, and store the processor state in SMBASE+FE00H~SMBASE+FFFFH.
I found a translation of SMM when I was reading related documents on Baidu, and I found that my English was too bad, so I learned to translate this chapter
https://blog.csdn.net/humanof/article/details/94621498
Chapter 25
VMX system programming overview, each VM is like a complete virtual machine, running the most privileged level, and has the ownership of the underlying hardware. VMM controls the creation of VMs and manages the conversion between VMs and VMs. VMM allows VMs to share underlying hardware and isolation.
Guest mode in real mode:
- Use fast instruction set simulator through VMM
Before entering VMX, you must apply for a VMXON area. VMM reads VMCS through IA32_VMX_BASIC MSR, and uses 4KByte aligned physical memory area to create a VMCS area of this size. Software cannot read and write VMCS area.
VMM identifies the current VMCS through the VMPTRLD instruction, and can only read and write VMCS through VMREAD/VMWRITE.
a) VMX processing and conversion, from external VMX operation VMXON, enter to root VMX operation, VM entry entry means root VMX is converted to non-root VMX, VM entry exit is converted from VMX non-root to VMX.
VMM installation and uninstallation
Before VMX, you need to ensure that it runs under paging:
- Check if CPUID supports VMX
- Confirm that the processor supports VMX through MSRs
- MSR specifies the size of IA32_VMX_BASIC to create a non-paged VMXON area, to the 4kb boundary.
- The software reads the MSR and determines the physical range of the available VMXON area. VMXON must be hosted in cache related memory
- Initialize the first 32bit version number in VMXON
- Meet PE/PG=1,
- CR4.VMXE=1 enables VMX operation to ensure that the generated CR4 value belongs to the fixed value of IA32_VMX_CR4_FIXDE0 and FIXDE1
- IA32_FEATURE_CONTROL MSR sets bit(0) = 1;
- Use EFLAGS.CF = 0/VMXON to
complete the above steps, and the processor enters and exits the VMX root.
Prepare and start the virtual machine
VMM setup and start guest Vm steps
- Create a VMCS area IA32_VMX_BASIC and align to 4KBytes in the non-pageable memory of the size specified by the VMX capability MSR
- 32Bit before IA32_VMX_BASIC initialization
- The guest-VMCS address executes the VMCLEAR structure, initializes the new VMCS in the memory, and sets it to clear. Also need to check RFLAGS.CF=0/RFLAGS.ZF=0
- VMCS address executes VMPTRLD instruction initialization work
- A series of VMWRITEs are issued to initialize the host state (various types of registers).
- VM entry consistency check
Process VM exit
- VMREAD read to determine the reason for exit
- Valid qualifications provide more details
- VMCS get and exit other fields
- VMM handles exit conditions appropriately.
Multi-processor considerations:
- Symmetric VMM? ---Asymmetric VMM refers to the CPU
Chapter 26 System Resource Virtualization
When VMM hosts multiple guests, debugging facilities/address translation/physical memory/microcode update facilities, debugging facilities virtualization support, Inetl64 and IA-32 provide breakpoint instructions, exception conditions, register flags, debug registers, control registers and Storage buffer, debugging system software.
- Can handle exceptions, such as int3
- Can inject exceptions like Gust
- DR0~DR7
Memory virtualization
- VMM must control physical memory, ensure physical isolation, and remap the memory address relationship between the host and the guest.
- Need to support guest virtualization, including all modes, VMM can use the paging structure to support virtualized memory. VMM can map a flat page table between guest and linear address.
- VMX provides VMM with full VM monitoring (PAT/MSR/MTRR), and VMM provides VM with continuous memory control, starting from 0 to the maximum address supported by the VM.
- In order to solve the problem that the guest software can modify the page table (VMM) at will, so the structure of the active page table and the guest page table may be different, so the TLB can solve this problem. Guests are allowed to freely access page directories and page tables. The trap occurs in CR3 access and execution. On INVLPG, VMM maintains an optional page table hierarchy, and VMM supports TLB.
Chapter 28
Virtual-processor identfiers VIPDs can switch linear addresses through VPID, and VMX will save cache information.
When the current VPID is 0:
- VMX root operation
- When the VMX non-root
EPT is used, the physical address of the guest is used to access the physical address of the memory by traversing a set of EPT pages. - If CR0.PG=0, each linear address will be regarded as a guest address
- If CR0.PG=1, both are the addresses derived from the guest page
- If PG=1/CR4.PAE = CR4.PSE = 0
VM programming
1) Check the system version
2) Check whether VMX is supported
// See: DISCOVERING SUPPORT FOR VMX
// See: BASIC VMX INFORMATION
// Turn on VMX, CR4.VMXE =1 & If you turn on VMX in BIOS, you also need to set lock and 1/2bit
