Porting the hypapp of I/O kernel

uberXMHF uobject Collection
1

Below is a partial list of APIs needed by the hypapp:

(1) Setup EPT, lend/return pages:

  • static inline void hpt_emhf_get_root_pmo(VCPU *vcpu, hpt_pmo_t *root)
  • static inline void hpt_emhf_set_root_pm(VCPU *vcpu, hpt_pm_t root)
  • int hptw_emhf_host_ctx_init_of_vcpu(hptw_emhf_host_ctx_t *rv, VCPU *vcpu);
  • int hptw_emhf_checked_guest_ctx_init_of_vcpu(hptw_emhf_checked_guest_ctx_t *rv, VCPU *vcpu);
  • int hptw_emhf_host_ctx_init(hptw_emhf_host_ctx_t *ctx, hpt_pa_t root_pa, hpt_type_t t, pagelist_t *pl);
  • void hpt_pmeo_setprot(hpt_pmeo_t *pmeo, hpt_prot_t perms);
  • void hpt_pmeo_setuser(hpt_pmeo_t *pmeo, bool user);
  • void hpt_pmeo_setcache(hpt_pmeo_t *pmeo, hpt_pmt_t pmt); // set cachable // missing in xmhf-v0.2.2
  • void hpt_pmeo_set_address(hpt_pmeo_t *pmeo, hpt_pa_t addr);
  • int hptw_insert_pmeo_alloc( hptw_ctx_t *ctx, const hpt_pmeo_t *pmeo, hpt_va_t va);

(2) TLB shootdown of EPT, which is missing in xmhf-v0.2.2
- Currently I invalidate global contexts instead of a single context, due to the design of the VCPU struct. I see uxmhf supports single context invalidation only, not sure how this modification will impact uxmhf and its proof

(3) VCPU_grflags_set/get, and similar functions for other VMCS/VMCB fields

(4) struct VCPU that used in many functions in xmhf-v0.2.2.

(5) VTd functions

  • void xmhf_dmaprot_arch_protect(u32 start_paddr, u32 size);
  • void xmhf_dmaprot_arch_unprotect(u32 start_paddr, u32 size);
  • void xmhf_dmaprot_arch_invalidate_cache(void);

(6) Callback functions I currently used

  • extern u32 xmhf_app_main(VCPU *vcpu, APP_PARAM_BLOCK *apb);
  • extern u32 xmhf_app_handleintercept_portaccess(VCPU *vcpu, struct regs *r, u16 portnum, u32 access_type, u32 access_size);
  • extern u32 xmhf_app_handleintercept_hwpgtblviolation(VCPU *vcpu, struct regs *r, u64 gpa, u64 gva, u64 violationcode);
  • extern void xmhf_app_handleshutdown(VCPU *vcpu, struct regs *r);
  • extern u32 xmhf_app_handlehypercall(VCPU *vcpu, struct regs *r); //returns APP_SUCCESS if handled, else APP_ERROR
  • extern u32 xmhf_app_handlenmi(VCPU *vcpu, struct regs *r); //Handle NMI
  • extern u32 xmhf_app_handleint1(VCPU *vcpu, struct regs *r);
  • extern u32 xmhf_app_handleint3(VCPU *vcpu, struct regs *r);

(7) CPU quiescing

2

Functions missing in the xmhf-v0.2.2:
(1) EPT TLB shootdown
(2) hypapps should be able to modify IOMMU page tables.
- If hw features like AMD DEV overwrite permissions in IOMMU page tables, then uxmhf can use AMD DEV and never touch IOMMU page tables.
- Otherwise, uxmhf needs to own IOMMU page tables and export page table interfaces to uobjects/hypapps
- It is better to apply the same approach to both Intel and AMD platforms

Possible features worth discussion:
(1) Support x64
(2) Support win10 as the rich guest.
- So uxmhf should use nested virtualization (e.g., hardware nested virtualization and VTd’s nested translation) or Windows’ hypervisor platform, which one?
(3) Remove the need of vPro
- Secure boot and SRTM seems to be more popular. And new hardware have Intel Platform Trust Technology (PTT) as a firmware implementation of hardware TPMs.
- Even the new z390 and z370 do not support vPro

3

EPT requirements: 1 EPT for rich OS partition, and 1 another EPT for the entire green partition.
vt-d PT requirements: 1 PT for rich OS partition, 1 PT for each PCIe device in the green partition. The PTs for the green partition are created/destroyed on-demand.