#
338427 |
|
02-Sep-2018 |
kib |
MFC r338068, r338113: Update L1TF workaround to sustain L1D pollution from NMI.
|
#
337794 |
|
14-Aug-2018 |
kib |
MFC r337785: Provide part of the mitigation for L1TF-VMM.
Security: CVE-2018-3646 Approved by: so (insta-MFC)
|
#
336190 |
|
11-Jul-2018 |
araujo |
MFC r335030:
Add SPDX tags to vmm(4).
Sponsored by: iXsystems Inc.
|
#
330704 |
|
09-Mar-2018 |
tychon |
MFC r328011,329162
r328011:
Provide some mitigation against CVE-2017-5715 by clearing registers upon returning from the guest which aren't immediately clobbered by the host. This eradicates any remaining guest contents limiting their usefulness in an exploit gadget.
r329162:
Provide further mitigation against CVE-2017-5715 by flushing the return stack buffer (RSB) upon returning from the guest.
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
273214 |
|
17-Oct-2014 |
imp |
Fix build to not bogusly always rebuild vmm.ko.
Rename vmx_assym.s to vmx_assym.h to reflect that file's actual use and update vmx_support.S's include to match. Add vmx_assym.h to the SRCS to that it gets properly added to the dependency list. Add vmx_support.S to SRCS as well, so it gets built and needs fewer special-case goo. Remove now-redundant special-case goo. Finally, vmx_genassym.o doesn't need to depend on a hand expanded ${_ILINKS} explicitly, that's all taken care of by beforedepend.
With these items fixed, we no longer build vmm.ko every single time through the modules on a KERNFAST build.
Sponsored by: Netflix
|
#
266390 |
|
18-May-2014 |
grehan |
Make the vmx asm code dtrace-fbt-friendly by - inserting frame enter/leave sequences - restructuring the vmx_enter_guest routine so that it subsumes the vm_exit_guest block, which was the #vmexit RIP and not a callable routine.
Reviewed by: neel MFC after: 3 weeks
|
#
264353 |
|
11-Apr-2014 |
neel |
There is no need to save and restore the host's return address in the 'struct vmxctx'. It is preserved on the host stack across a guest entry and exit and just restoring the host's '%rsp' is sufficient.
Pointed out by: grehan@
|
#
261453 |
|
04-Feb-2014 |
neel |
Avoid doing unnecessary nested TLB invalidations.
Prior to this change the cached value of 'pm_eptgen' was tracked per-vcpu and per-hostcpu. In the degenerate case where 'N' vcpus were sharing a single hostcpu this could result in 'N - 1' unnecessary TLB invalidations. Since an 'invept' invalidates mappings for all VPIDs the first 'invept' is sufficient.
Fix this by moving the 'eptgen[MAXCPU]' array from 'vmxctx' to 'struct vmx'.
If it is known that an 'invept' is going to be done before entering the guest then it is safe to skip the 'invvpid'. The stat VPU_INVVPID_SAVED counts the number of 'invvpid' invalidations that were avoided because they were subsumed by an 'invept'.
Discussed with: grehan
|
#
260531 |
|
11-Jan-2014 |
neel |
Enable the "Acknowledge Interrupt on VM exit" VM-exit control.
This control is needed to enable "Posted Interrupts" and is present in all the Intel VT-x implementations supported by bhyve so enable it as the default.
With this VM-exit control enabled the processor will acknowledge the APIC and store the vector number in the "VM-Exit Interruption Information" field. We now call the interrupt handler "by hand" through the IDT entry associated with the vector.
|
#
260238 |
|
03-Jan-2014 |
neel |
Use the same label name for ENTRY() and END() macros for 'vmx_enter_guest'.
Pointed out by: rmh@
|
#
260167 |
|
01-Jan-2014 |
neel |
Restructure the VMX code to enter and exit the guest. In large part this change hides the setjmp/longjmp semantics of VM enter/exit. vmx_enter_guest() is used to enter guest context and vmx_exit_guest() is used to transition back into host context.
Fix a longstanding race where a vcpu interrupt notification might be ignored if it happens after vmx_inject_interrupts() but before host interrupts are disabled in vmx_resume/vmx_launch. We now called vmx_inject_interrupts() with host interrupts disabled to prevent this.
Suggested by: grehan@
|
#
256072 |
|
05-Oct-2013 |
neel |
Merge projects/bhyve_npt_pmap into head.
Make the amd64/pmap code aware of nested page table mappings used by bhyve guests. This allows bhyve to associate each guest with its own vmspace and deal with nested page faults in the context of that vmspace. This also enables features like accessed/dirty bit tracking, swapping to disk and transparent superpage promotions of guest memory.
Guest vmspace: Each bhyve guest has a unique vmspace to represent the physical memory allocated to the guest. Each memory segment allocated by the guest is mapped into the guest's address space via the 'vmspace->vm_map' and is backed by an object of type OBJT_DEFAULT.
pmap types: The amd64/pmap now understands two types of pmaps: PT_X86 and PT_EPT.
The PT_X86 pmap type is used by the vmspace associated with the host kernel as well as user processes executing on the host. The PT_EPT pmap is used by the vmspace associated with a bhyve guest.
Page Table Entries: The EPT page table entries as mostly similar in functionality to regular page table entries although there are some differences in terms of what bits are used to express that functionality. For e.g. the dirty bit is represented by bit 9 in the nested PTE as opposed to bit 6 in the regular x86 PTE. Therefore the bitmask representing the dirty bit is now computed at runtime based on the type of the pmap. Thus PG_M that was previously a macro now becomes a local variable that is initialized at runtime using 'pmap_modified_bit(pmap)'.
An additional wrinkle associated with EPT mappings is that older Intel processors don't have hardware support for tracking accessed/dirty bits in the PTE. This means that the amd64/pmap code needs to emulate these bits to provide proper accounting to the VM subsystem. This is achieved by using the following mapping for EPT entries that need emulation of A/D bits: Bit Position Interpreted By PG_V 52 software (accessed bit emulation handler) PG_RW 53 software (dirty bit emulation handler) PG_A 0 hardware (aka EPT_PG_RD) PG_M 1 hardware (aka EPT_PG_WR)
The idea to use the mapping listed above for A/D bit emulation came from Alan Cox (alc@).
The final difference with respect to x86 PTEs is that some EPT implementations do not support superpage mappings. This is recorded in the 'pm_flags' field of the pmap.
TLB invalidation: The amd64/pmap code has a number of ways to do invalidation of mappings that may be cached in the TLB: single page, multiple pages in a range or the entire TLB. All of these funnel into a single EPT invalidation routine called 'pmap_invalidate_ept()'. This routine bumps up the EPT generation number and sends an IPI to the host cpus that are executing the guest's vcpus. On a subsequent entry into the guest it will detect that the EPT has changed and invalidate the mappings from the TLB.
Guest memory access: Since the guest memory is no longer wired we need to hold the host physical page that backs the guest physical page before we can access it. The helper functions 'vm_gpa_hold()/vm_gpa_release()' are available for this purpose.
PCI passthru: Guest's with PCI passthru devices will wire the entire guest physical address space. The MMIO BAR associated with the passthru device is backed by a vm_object of type OBJT_SG. An IOMMU domain is created only for guest's that have one or more PCI passthru devices attached to them.
Limitations: There isn't a way to map a guest physical page without execute permissions. This is because the amd64/pmap code interprets the guest physical mappings as user mappings since they are numerically below VM_MAXUSER_ADDRESS. Since PG_U shares the same bit position as EPT_PG_EXECUTE all guest mappings become automatically executable.
Thanks to Alan Cox and Konstantin Belousov for their rigorous code reviews as well as their support and encouragement.
Thanks for John Baldwin for reviewing the use of OBJT_SG as the backing object for pci passthru mmio regions.
Special thanks to Peter Holm for testing the patch on short notice.
Approved by: re Discussed with: grehan Reviewed by: alc, kib Tested by: pho
|
#
245678 |
|
20-Jan-2013 |
neel |
Add svn properties to the recently merged bhyve source files.
The pre-commit hook will not allow any commits without the svn:keywords property in head.
|
#
245652 |
|
19-Jan-2013 |
neel |
Merge projects/bhyve to head.
'bhyve' was developed by grehan@ and myself at NetApp (thanks!).
Special thanks to Peter Snyder, Joe Caradonna and Michael Dexter for their support and encouragement.
Obtained from: NetApp
|
#
241921 |
|
23-Oct-2012 |
neel |
Test for AST pending with interrupts disabled right before entering the guest.
If an IPI was delivered to this cpu before interrupts were disabled then return right away via vmx_setjmp() with a return value of VMX_RETURN_AST.
Obtained from: NetApp
|
#
222112 |
|
20-May-2011 |
neel |
Fix a long standing bug in VMXCTX_GUEST_RESTORE().
There was an assumption by the "callers" of this macro that on "return" the %rsp will be pointing to the 'vmxctx'. The macro was not doing this and thus when trying to restore host state on an error from "vmlaunch" or "vmresume" we were treating the memory locations on the host stack as 'struct vmxctx'. This led to all sorts of weird bugs like double faults or invalid instruction faults.
This bug is exposed by the -O2 option used to compile the kernel module. With the -O2 flag the compiler will optimize the following piece of code:
int loopstart = 1; ... if (loopstart) { loopstart = 0; vmx_launch(); } else vmx_resume();
into this:
vmx_launch();
Since vmx_launch() and vmx_resume() are declared to be __dead2 functions the compiler is free to do this. The compiler has no way to know that the functions return indirectly through vmx_setjmp(). This optimization in turn leads us to trigger the bug in VMXCTX_GUEST_RESTORE().
With this change we can boot a 8.1 guest on a 9.0 host.
Reported by: jhb@
|
#
221914 |
|
14-May-2011 |
jhb |
First cut at porting the kernel portions of 221828 and 221905 from the BHyVe reference branch to HEAD.
|
#
221828 |
|
13-May-2011 |
grehan |
Import of bhyve hypervisor and utilities, part 1. vmm.ko - kernel module for VT-x, VT-d and hypervisor control bhyve - user-space sequencer and i/o emulation vmmctl - dump of hypervisor register state libvmm - front-end to vmm.ko chardev interface
bhyve was designed and implemented by Neel Natu.
Thanks to the following folk from NetApp who helped to make this available: Joe CaraDonna Peter Snyder Jeff Heller Sandeep Mann Steve Miller Brian Pawlowski
|