1/*P:100 2 * This is the Launcher code, a simple program which lays out the "physical" 3 * memory for the new Guest by mapping the kernel image and the virtual 4 * devices, then opens /dev/lguest to tell the kernel about the Guest and 5 * control it. 6:*/ 7#define _LARGEFILE64_SOURCE 8#define _GNU_SOURCE 9#include <stdio.h> 10#include <string.h> 11#include <unistd.h> 12#include <err.h> 13#include <stdint.h> 14#include <stdlib.h> 15#include <elf.h> 16#include <sys/mman.h> 17#include <sys/param.h> 18#include <sys/types.h> 19#include <sys/stat.h> 20#include <sys/wait.h> 21#include <sys/eventfd.h> 22#include <fcntl.h> 23#include <stdbool.h> 24#include <errno.h> 25#include <ctype.h> 26#include <sys/socket.h> 27#include <sys/ioctl.h> 28#include <sys/time.h> 29#include <time.h> 30#include <netinet/in.h> 31#include <net/if.h> 32#include <linux/sockios.h> 33#include <linux/if_tun.h> 34#include <sys/uio.h> 35#include <termios.h> 36#include <getopt.h> 37#include <assert.h> 38#include <sched.h> 39#include <limits.h> 40#include <stddef.h> 41#include <signal.h> 42#include <linux/virtio_config.h> 43#include <linux/virtio_net.h> 44#include <linux/virtio_blk.h> 45#include <linux/virtio_console.h> 46#include <linux/virtio_rng.h> 47#include <linux/virtio_ring.h> 48#include <asm/bootparam.h> 49#include "../../include/linux/lguest_launcher.h" 50/*L:110 51 * We can ignore the 42 include files we need for this program, but I do want 52 * to draw attention to the use of kernel-style types. 53 * 54 * As Linus said, "C is a Spartan language, and so should your naming be." I 55 * like these abbreviations, so we define them here. Note that u64 is always 56 * unsigned long long, which works on all Linux systems: this means that we can 57 * use %llu in printf for any u64. 58 */ 59typedef unsigned long long u64; 60typedef uint32_t u32; 61typedef uint16_t u16; 62typedef uint8_t u8; 63/*:*/ 64 65#define PAGE_PRESENT 0x7 /* Present, RW, Execute */ 66#define BRIDGE_PFX "bridge:" 67#ifndef SIOCBRADDIF 68#define SIOCBRADDIF 0x89a2 /* add interface to bridge */ 69#endif 70/* We can have up to 256 pages for devices. */ 71#define DEVICE_PAGES 256 72/* This will occupy 3 pages: it must be a power of 2. */ 73#define VIRTQUEUE_NUM 256 74 75/*L:120 76 * verbose is both a global flag and a macro. The C preprocessor allows 77 * this, and although I wouldn't recommend it, it works quite nicely here. 78 */ 79static bool verbose; 80#define verbose(args...) \ 81 do { if (verbose) printf(args); } while(0) 82/*:*/ 83 84/* The pointer to the start of guest memory. */ 85static void *guest_base; 86/* The maximum guest physical address allowed, and maximum possible. */ 87static unsigned long guest_limit, guest_max; 88/* The /dev/lguest file descriptor. */ 89static int lguest_fd; 90 91/* a per-cpu variable indicating whose vcpu is currently running */ 92static unsigned int __thread cpu_id; 93 94/* This is our list of devices. */ 95struct device_list { 96 /* Counter to assign interrupt numbers. */ 97 unsigned int next_irq; 98 99 /* Counter to print out convenient device numbers. */ 100 unsigned int device_num; 101 102 /* The descriptor page for the devices. */ 103 u8 *descpage; 104 105 /* A single linked list of devices. */ 106 struct device *dev; 107 /* And a pointer to the last device for easy append. */ 108 struct device *lastdev; 109}; 110 111/* The list of Guest devices, based on command line arguments. */ 112static struct device_list devices; 113 114/* The device structure describes a single device. */ 115struct device { 116 /* The linked-list pointer. */ 117 struct device *next; 118 119 /* The device's descriptor, as mapped into the Guest. */ 120 struct lguest_device_desc *desc; 121 122 /* We can't trust desc values once Guest has booted: we use these. */ 123 unsigned int feature_len; 124 unsigned int num_vq; 125 126 /* The name of this device, for --verbose. */ 127 const char *name; 128 129 /* Any queues attached to this device */ 130 struct virtqueue *vq; 131 132 /* Is it operational */ 133 bool running; 134 135 /* Does Guest want an intrrupt on empty? */ 136 bool irq_on_empty; 137 138 /* Device-specific data. */ 139 void *priv; 140}; 141 142/* The virtqueue structure describes a queue attached to a device. */ 143struct virtqueue { 144 struct virtqueue *next; 145 146 /* Which device owns me. */ 147 struct device *dev; 148 149 /* The configuration for this queue. */ 150 struct lguest_vqconfig config; 151 152 /* The actual ring of buffers. */ 153 struct vring vring; 154 155 /* Last available index we saw. */ 156 u16 last_avail_idx; 157 158 /* How many are used since we sent last irq? */ 159 unsigned int pending_used; 160 161 /* Eventfd where Guest notifications arrive. */ 162 int eventfd; 163 164 /* Function for the thread which is servicing this virtqueue. */ 165 void (*service)(struct virtqueue *vq); 166 pid_t thread; 167}; 168 169/* Remember the arguments to the program so we can "reboot" */ 170static char **main_args; 171 172/* The original tty settings to restore on exit. */ 173static struct termios orig_term; 174 175/* 176 * We have to be careful with barriers: our devices are all run in separate 177 * threads and so we need to make sure that changes visible to the Guest happen 178 * in precise order. 179 */ 180#define wmb() __asm__ __volatile__("" : : : "memory") 181#define mb() __asm__ __volatile__("" : : : "memory") 182 183/* 184 * Convert an iovec element to the given type. 185 * 186 * This is a fairly ugly trick: we need to know the size of the type and 187 * alignment requirement to check the pointer is kosher. It's also nice to 188 * have the name of the type in case we report failure. 189 * 190 * Typing those three things all the time is cumbersome and error prone, so we 191 * have a macro which sets them all up and passes to the real function. 192 */ 193#define convert(iov, type) \ 194 ((type *)_convert((iov), sizeof(type), __alignof__(type), #type)) 195 196static void *_convert(struct iovec *iov, size_t size, size_t align, 197 const char *name) 198{ 199 if (iov->iov_len != size) 200 errx(1, "Bad iovec size %zu for %s", iov->iov_len, name); 201 if ((unsigned long)iov->iov_base % align != 0) 202 errx(1, "Bad alignment %p for %s", iov->iov_base, name); 203 return iov->iov_base; 204} 205 206/* Wrapper for the last available index. Makes it easier to change. */ 207#define lg_last_avail(vq) ((vq)->last_avail_idx) 208 209/* 210 * The virtio configuration space is defined to be little-endian. x86 is 211 * little-endian too, but it's nice to be explicit so we have these helpers. 212 */ 213#define cpu_to_le16(v16) (v16) 214#define cpu_to_le32(v32) (v32) 215#define cpu_to_le64(v64) (v64) 216#define le16_to_cpu(v16) (v16) 217#define le32_to_cpu(v32) (v32) 218#define le64_to_cpu(v64) (v64) 219 220/* Is this iovec empty? */ 221static bool iov_empty(const struct iovec iov[], unsigned int num_iov) 222{ 223 unsigned int i; 224 225 for (i = 0; i < num_iov; i++) 226 if (iov[i].iov_len) 227 return false; 228 return true; 229} 230 231/* Take len bytes from the front of this iovec. */ 232static void iov_consume(struct iovec iov[], unsigned num_iov, unsigned len) 233{ 234 unsigned int i; 235 236 for (i = 0; i < num_iov; i++) { 237 unsigned int used; 238 239 used = iov[i].iov_len < len ? iov[i].iov_len : len; 240 iov[i].iov_base += used; 241 iov[i].iov_len -= used; 242 len -= used; 243 } 244 assert(len == 0); 245} 246 247/* The device virtqueue descriptors are followed by feature bitmasks. */ 248static u8 *get_feature_bits(struct device *dev) 249{ 250 return (u8 *)(dev->desc + 1) 251 + dev->num_vq * sizeof(struct lguest_vqconfig); 252} 253 254/*L:100 255 * The Launcher code itself takes us out into userspace, that scary place where 256 * pointers run wild and free! Unfortunately, like most userspace programs, 257 * it's quite boring (which is why everyone likes to hack on the kernel!). 258 * Perhaps if you make up an Lguest Drinking Game at this point, it will get 259 * you through this section. Or, maybe not. 260 * 261 * The Launcher sets up a big chunk of memory to be the Guest's "physical" 262 * memory and stores it in "guest_base". In other words, Guest physical == 263 * Launcher virtual with an offset. 264 * 265 * This can be tough to get your head around, but usually it just means that we 266 * use these trivial conversion functions when the Guest gives us its 267 * "physical" addresses: 268 */ 269static void *from_guest_phys(unsigned long addr) 270{ 271 return guest_base + addr; 272} 273 274static unsigned long to_guest_phys(const void *addr) 275{ 276 return (addr - guest_base); 277} 278 279/*L:130 280 * Loading the Kernel. 281 * 282 * We start with couple of simple helper routines. open_or_die() avoids 283 * error-checking code cluttering the callers: 284 */ 285static int open_or_die(const char *name, int flags) 286{ 287 int fd = open(name, flags); 288 if (fd < 0) 289 err(1, "Failed to open %s", name); 290 return fd; 291} 292 293/* map_zeroed_pages() takes a number of pages. */ 294static void *map_zeroed_pages(unsigned int num) 295{ 296 int fd = open_or_die("/dev/zero", O_RDONLY); 297 void *addr; 298 299 /* 300 * We use a private mapping (ie. if we write to the page, it will be 301 * copied). 302 */ 303 addr = mmap(NULL, getpagesize() * num, 304 PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, fd, 0); 305 if (addr == MAP_FAILED) 306 err(1, "Mmapping %u pages of /dev/zero", num); 307 308 /* 309 * One neat mmap feature is that you can close the fd, and it 310 * stays mapped. 311 */ 312 close(fd); 313 314 return addr; 315} 316 317/* Get some more pages for a device. */ 318static void *get_pages(unsigned int num) 319{ 320 void *addr = from_guest_phys(guest_limit); 321 322 guest_limit += num * getpagesize(); 323 if (guest_limit > guest_max) 324 errx(1, "Not enough memory for devices"); 325 return addr; 326} 327 328/* 329 * This routine is used to load the kernel or initrd. It tries mmap, but if 330 * that fails (Plan 9's kernel file isn't nicely aligned on page boundaries), 331 * it falls back to reading the memory in. 332 */ 333static void map_at(int fd, void *addr, unsigned long offset, unsigned long len) 334{ 335 ssize_t r; 336 337 /* 338 * We map writable even though for some segments are marked read-only. 339 * The kernel really wants to be writable: it patches its own 340 * instructions. 341 * 342 * MAP_PRIVATE means that the page won't be copied until a write is 343 * done to it. This allows us to share untouched memory between 344 * Guests. 345 */ 346 if (mmap(addr, len, PROT_READ|PROT_WRITE|PROT_EXEC, 347 MAP_FIXED|MAP_PRIVATE, fd, offset) != MAP_FAILED) 348 return; 349 350 /* pread does a seek and a read in one shot: saves a few lines. */ 351 r = pread(fd, addr, len, offset); 352 if (r != len) 353 err(1, "Reading offset %lu len %lu gave %zi", offset, len, r); 354} 355 356/* 357 * This routine takes an open vmlinux image, which is in ELF, and maps it into 358 * the Guest memory. ELF = Embedded Linking Format, which is the format used 359 * by all modern binaries on Linux including the kernel. 360 * 361 * The ELF headers give *two* addresses: a physical address, and a virtual 362 * address. We use the physical address; the Guest will map itself to the 363 * virtual address. 364 * 365 * We return the starting address. 366 */ 367static unsigned long map_elf(int elf_fd, const Elf32_Ehdr *ehdr) 368{ 369 Elf32_Phdr phdr[ehdr->e_phnum]; 370 unsigned int i; 371 372 /* 373 * Sanity checks on the main ELF header: an x86 executable with a 374 * reasonable number of correctly-sized program headers. 375 */ 376 if (ehdr->e_type != ET_EXEC 377 || ehdr->e_machine != EM_386 378 || ehdr->e_phentsize != sizeof(Elf32_Phdr) 379 || ehdr->e_phnum < 1 || ehdr->e_phnum > 65536U/sizeof(Elf32_Phdr)) 380 errx(1, "Malformed elf header"); 381 382 /* 383 * An ELF executable contains an ELF header and a number of "program" 384 * headers which indicate which parts ("segments") of the program to 385 * load where. 386 */ 387 388 /* We read in all the program headers at once: */ 389 if (lseek(elf_fd, ehdr->e_phoff, SEEK_SET) < 0) 390 err(1, "Seeking to program headers"); 391 if (read(elf_fd, phdr, sizeof(phdr)) != sizeof(phdr)) 392 err(1, "Reading program headers"); 393 394 /* 395 * Try all the headers: there are usually only three. A read-only one, 396 * a read-write one, and a "note" section which we don't load. 397 */ 398 for (i = 0; i < ehdr->e_phnum; i++) { 399 /* If this isn't a loadable segment, we ignore it */ 400 if (phdr[i].p_type != PT_LOAD) 401 continue; 402 403 verbose("Section %i: size %i addr %p\n", 404 i, phdr[i].p_memsz, (void *)phdr[i].p_paddr); 405 406 /* We map this section of the file at its physical address. */ 407 map_at(elf_fd, from_guest_phys(phdr[i].p_paddr), 408 phdr[i].p_offset, phdr[i].p_filesz); 409 } 410 411 /* The entry point is given in the ELF header. */ 412 return ehdr->e_entry; 413} 414 415/*L:150 416 * A bzImage, unlike an ELF file, is not meant to be loaded. You're supposed 417 * to jump into it and it will unpack itself. We used to have to perform some 418 * hairy magic because the unpacking code scared me. 419 * 420 * Fortunately, Jeremy Fitzhardinge convinced me it wasn't that hard and wrote 421 * a small patch to jump over the tricky bits in the Guest, so now we just read 422 * the funky header so we know where in the file to load, and away we go! 423 */ 424static unsigned long load_bzimage(int fd) 425{ 426 struct boot_params boot; 427 int r; 428 /* Modern bzImages get loaded at 1M. */ 429 void *p = from_guest_phys(0x100000); 430 431 /* 432 * Go back to the start of the file and read the header. It should be 433 * a Linux boot header (see Documentation/x86/i386/boot.txt) 434 */ 435 lseek(fd, 0, SEEK_SET); 436 read(fd, &boot, sizeof(boot)); 437 438 /* Inside the setup_hdr, we expect the magic "HdrS" */ 439 if (memcmp(&boot.hdr.header, "HdrS", 4) != 0) 440 errx(1, "This doesn't look like a bzImage to me"); 441 442 /* Skip over the extra sectors of the header. */ 443 lseek(fd, (boot.hdr.setup_sects+1) * 512, SEEK_SET); 444 445 /* Now read everything into memory. in nice big chunks. */ 446 while ((r = read(fd, p, 65536)) > 0) 447 p += r; 448 449 /* Finally, code32_start tells us where to enter the kernel. */ 450 return boot.hdr.code32_start; 451} 452 453/*L:140 454 * Loading the kernel is easy when it's a "vmlinux", but most kernels 455 * come wrapped up in the self-decompressing "bzImage" format. With a little 456 * work, we can load those, too. 457 */ 458static unsigned long load_kernel(int fd) 459{ 460 Elf32_Ehdr hdr; 461 462 /* Read in the first few bytes. */ 463 if (read(fd, &hdr, sizeof(hdr)) != sizeof(hdr)) 464 err(1, "Reading kernel"); 465 466 /* If it's an ELF file, it starts with "\177ELF" */ 467 if (memcmp(hdr.e_ident, ELFMAG, SELFMAG) == 0) 468 return map_elf(fd, &hdr); 469 470 /* Otherwise we assume it's a bzImage, and try to load it. */ 471 return load_bzimage(fd); 472} 473 474/* 475 * This is a trivial little helper to align pages. Andi Kleen hated it because 476 * it calls getpagesize() twice: "it's dumb code." 477 * 478 * Kernel guys get really het up about optimization, even when it's not 479 * necessary. I leave this code as a reaction against that. 480 */ 481static inline unsigned long page_align(unsigned long addr) 482{ 483 /* Add upwards and truncate downwards. */ 484 return ((addr + getpagesize()-1) & ~(getpagesize()-1)); 485} 486 487/*L:180 488 * An "initial ram disk" is a disk image loaded into memory along with the 489 * kernel which the kernel can use to boot from without needing any drivers. 490 * Most distributions now use this as standard: the initrd contains the code to 491 * load the appropriate driver modules for the current machine. 492 * 493 * Importantly, James Morris works for RedHat, and Fedora uses initrds for its 494 * kernels. He sent me this (and tells me when I break it). 495 */ 496static unsigned long load_initrd(const char *name, unsigned long mem) 497{ 498 int ifd; 499 struct stat st; 500 unsigned long len; 501 502 ifd = open_or_die(name, O_RDONLY); 503 /* fstat() is needed to get the file size. */ 504 if (fstat(ifd, &st) < 0) 505 err(1, "fstat() on initrd '%s'", name); 506 507 /* 508 * We map the initrd at the top of memory, but mmap wants it to be 509 * page-aligned, so we round the size up for that. 510 */ 511 len = page_align(st.st_size); 512 map_at(ifd, from_guest_phys(mem - len), 0, st.st_size); 513 /* 514 * Once a file is mapped, you can close the file descriptor. It's a 515 * little odd, but quite useful. 516 */ 517 close(ifd); 518 verbose("mapped initrd %s size=%lu @ %p\n", name, len, (void*)mem-len); 519 520 /* We return the initrd size. */ 521 return len; 522} 523/*:*/ 524 525/* 526 * Simple routine to roll all the commandline arguments together with spaces 527 * between them. 528 */ 529static void concat(char *dst, char *args[]) 530{ 531 unsigned int i, len = 0; 532 533 for (i = 0; args[i]; i++) { 534 if (i) { 535 strcat(dst+len, " "); 536 len++; 537 } 538 strcpy(dst+len, args[i]); 539 len += strlen(args[i]); 540 } 541 /* In case it's empty. */ 542 dst[len] = '\0'; 543} 544 545/*L:185 546 * This is where we actually tell the kernel to initialize the Guest. We 547 * saw the arguments it expects when we looked at initialize() in lguest_user.c: 548 * the base of Guest "physical" memory, the top physical page to allow and the 549 * entry point for the Guest. 550 */ 551static void tell_kernel(unsigned long start) 552{ 553 unsigned long args[] = { LHREQ_INITIALIZE, 554 (unsigned long)guest_base, 555 guest_limit / getpagesize(), start }; 556 verbose("Guest: %p - %p (%#lx)\n", 557 guest_base, guest_base + guest_limit, guest_limit); 558 lguest_fd = open_or_die("/dev/lguest", O_RDWR); 559 if (write(lguest_fd, args, sizeof(args)) < 0) 560 err(1, "Writing to /dev/lguest"); 561} 562/*:*/ 563 564/*L:200 565 * Device Handling. 566 * 567 * When the Guest gives us a buffer, it sends an array of addresses and sizes. 568 * We need to make sure it's not trying to reach into the Launcher itself, so 569 * we have a convenient routine which checks it and exits with an error message 570 * if something funny is going on: 571 */ 572static void *_check_pointer(unsigned long addr, unsigned int size, 573 unsigned int line) 574{ 575 /* 576 * We have to separately check addr and addr+size, because size could 577 * be huge and addr + size might wrap around. 578 */ 579 if (addr >= guest_limit || addr + size >= guest_limit) 580 errx(1, "%s:%i: Invalid address %#lx", __FILE__, line, addr); 581 /* 582 * We return a pointer for the caller's convenience, now we know it's 583 * safe to use. 584 */ 585 return from_guest_phys(addr); 586} 587/* A macro which transparently hands the line number to the real function. */ 588#define check_pointer(addr,size) _check_pointer(addr, size, __LINE__) 589 590/* 591 * Each buffer in the virtqueues is actually a chain of descriptors. This 592 * function returns the next descriptor in the chain, or vq->vring.num if we're 593 * at the end. 594 */ 595static unsigned next_desc(struct vring_desc *desc, 596 unsigned int i, unsigned int max) 597{ 598 unsigned int next; 599 600 /* If this descriptor says it doesn't chain, we're done. */ 601 if (!(desc[i].flags & VRING_DESC_F_NEXT)) 602 return max; 603 604 /* Check they're not leading us off end of descriptors. */ 605 next = desc[i].next; 606 /* Make sure compiler knows to grab that: we don't want it changing! */ 607 wmb(); 608 609 if (next >= max) 610 errx(1, "Desc next is %u", next); 611 612 return next; 613} 614 615/* 616 * This actually sends the interrupt for this virtqueue, if we've used a 617 * buffer. 618 */ 619static void trigger_irq(struct virtqueue *vq) 620{ 621 unsigned long buf[] = { LHREQ_IRQ, vq->config.irq }; 622 623 /* Don't inform them if nothing used. */ 624 if (!vq->pending_used) 625 return; 626 vq->pending_used = 0; 627 628 /* If they don't want an interrupt, don't send one... */ 629 if (vq->vring.avail->flags & VRING_AVAIL_F_NO_INTERRUPT) { 630 /* ... unless they've asked us to force one on empty. */ 631 if (!vq->dev->irq_on_empty 632 || lg_last_avail(vq) != vq->vring.avail->idx) 633 return; 634 } 635 636 /* Send the Guest an interrupt tell them we used something up. */ 637 if (write(lguest_fd, buf, sizeof(buf)) != 0) 638 err(1, "Triggering irq %i", vq->config.irq); 639} 640 641/* 642 * This looks in the virtqueue for the first available buffer, and converts 643 * it to an iovec for convenient access. Since descriptors consist of some 644 * number of output then some number of input descriptors, it's actually two 645 * iovecs, but we pack them into one and note how many of each there were. 646 * 647 * This function waits if necessary, and returns the descriptor number found. 648 */ 649static unsigned wait_for_vq_desc(struct virtqueue *vq, 650 struct iovec iov[], 651 unsigned int *out_num, unsigned int *in_num) 652{ 653 unsigned int i, head, max; 654 struct vring_desc *desc; 655 u16 last_avail = lg_last_avail(vq); 656 657 /* There's nothing available? */ 658 while (last_avail == vq->vring.avail->idx) { 659 u64 event; 660 661 /* 662 * Since we're about to sleep, now is a good time to tell the 663 * Guest about what we've used up to now. 664 */ 665 trigger_irq(vq); 666 667 /* OK, now we need to know about added descriptors. */ 668 vq->vring.used->flags &= ~VRING_USED_F_NO_NOTIFY; 669 670 /* 671 * They could have slipped one in as we were doing that: make 672 * sure it's written, then check again. 673 */ 674 mb(); 675 if (last_avail != vq->vring.avail->idx) { 676 vq->vring.used->flags |= VRING_USED_F_NO_NOTIFY; 677 break; 678 } 679 680 /* Nothing new? Wait for eventfd to tell us they refilled. */ 681 if (read(vq->eventfd, &event, sizeof(event)) != sizeof(event)) 682 errx(1, "Event read failed?"); 683 684 /* We don't need to be notified again. */ 685 vq->vring.used->flags |= VRING_USED_F_NO_NOTIFY; 686 } 687 688 /* Check it isn't doing very strange things with descriptor numbers. */ 689 if ((u16)(vq->vring.avail->idx - last_avail) > vq->vring.num) 690 errx(1, "Guest moved used index from %u to %u", 691 last_avail, vq->vring.avail->idx); 692 693 /* 694 * Grab the next descriptor number they're advertising, and increment 695 * the index we've seen. 696 */ 697 head = vq->vring.avail->ring[last_avail % vq->vring.num]; 698 lg_last_avail(vq)++; 699 700 /* If their number is silly, that's a fatal mistake. */ 701 if (head >= vq->vring.num) 702 errx(1, "Guest says index %u is available", head); 703 704 /* When we start there are none of either input nor output. */ 705 *out_num = *in_num = 0; 706 707 max = vq->vring.num; 708 desc = vq->vring.desc; 709 i = head; 710 711 /* 712 * If this is an indirect entry, then this buffer contains a descriptor 713 * table which we handle as if it's any normal descriptor chain. 714 */ 715 if (desc[i].flags & VRING_DESC_F_INDIRECT) { 716 if (desc[i].len % sizeof(struct vring_desc)) 717 errx(1, "Invalid size for indirect buffer table"); 718 719 max = desc[i].len / sizeof(struct vring_desc); 720 desc = check_pointer(desc[i].addr, desc[i].len); 721 i = 0; 722 } 723 724 do { 725 /* Grab the first descriptor, and check it's OK. */ 726 iov[*out_num + *in_num].iov_len = desc[i].len; 727 iov[*out_num + *in_num].iov_base 728 = check_pointer(desc[i].addr, desc[i].len); 729 /* If this is an input descriptor, increment that count. */ 730 if (desc[i].flags & VRING_DESC_F_WRITE) 731 (*in_num)++; 732 else { 733 /* 734 * If it's an output descriptor, they're all supposed 735 * to come before any input descriptors. 736 */ 737 if (*in_num) 738 errx(1, "Descriptor has out after in"); 739 (*out_num)++; 740 } 741 742 /* If we've got too many, that implies a descriptor loop. */ 743 if (*out_num + *in_num > max) 744 errx(1, "Looped descriptor"); 745 } while ((i = next_desc(desc, i, max)) != max); 746 747 return head; 748} 749 750/* 751 * After we've used one of their buffers, we tell the Guest about it. Sometime 752 * later we'll want to send them an interrupt using trigger_irq(); note that 753 * wait_for_vq_desc() does that for us if it has to wait. 754 */ 755static void add_used(struct virtqueue *vq, unsigned int head, int len) 756{ 757 struct vring_used_elem *used; 758 759 /* 760 * The virtqueue contains a ring of used buffers. Get a pointer to the 761 * next entry in that used ring. 762 */ 763 used = &vq->vring.used->ring[vq->vring.used->idx % vq->vring.num]; 764 used->id = head; 765 used->len = len; 766 /* Make sure buffer is written before we update index. */ 767 wmb(); 768 vq->vring.used->idx++; 769 vq->pending_used++; 770} 771 772/* And here's the combo meal deal. Supersize me! */ 773static void add_used_and_trigger(struct virtqueue *vq, unsigned head, int len) 774{ 775 add_used(vq, head, len); 776 trigger_irq(vq); 777} 778 779/* 780 * The Console 781 * 782 * We associate some data with the console for our exit hack. 783 */ 784struct console_abort { 785 /* How many times have they hit ^C? */ 786 int count; 787 /* When did they start? */ 788 struct timeval start; 789}; 790 791/* This is the routine which handles console input (ie. stdin). */ 792static void console_input(struct virtqueue *vq) 793{ 794 int len; 795 unsigned int head, in_num, out_num; 796 struct console_abort *abort = vq->dev->priv; 797 struct iovec iov[vq->vring.num]; 798 799 /* Make sure there's a descriptor available. */ 800 head = wait_for_vq_desc(vq, iov, &out_num, &in_num); 801 if (out_num) 802 errx(1, "Output buffers in console in queue?"); 803 804 /* Read into it. This is where we usually wait. */ 805 len = readv(STDIN_FILENO, iov, in_num); 806 if (len <= 0) { 807 /* Ran out of input? */ 808 warnx("Failed to get console input, ignoring console."); 809 /* 810 * For simplicity, dying threads kill the whole Launcher. So 811 * just nap here. 812 */ 813 for (;;) 814 pause(); 815 } 816 817 /* Tell the Guest we used a buffer. */ 818 add_used_and_trigger(vq, head, len); 819 820 /* 821 * Three ^C within one second? Exit. 822 * 823 * This is such a hack, but works surprisingly well. Each ^C has to 824 * be in a buffer by itself, so they can't be too fast. But we check 825 * that we get three within about a second, so they can't be too 826 * slow. 827 */ 828 if (len != 1 || ((char *)iov[0].iov_base)[0] != 3) { 829 abort->count = 0; 830 return; 831 } 832 833 abort->count++; 834 if (abort->count == 1) 835 gettimeofday(&abort->start, NULL); 836 else if (abort->count == 3) { 837 struct timeval now; 838 gettimeofday(&now, NULL); 839 /* Kill all Launcher processes with SIGINT, like normal ^C */ 840 if (now.tv_sec <= abort->start.tv_sec+1) 841 kill(0, SIGINT); 842 abort->count = 0; 843 } 844} 845 846/* This is the routine which handles console output (ie. stdout). */ 847static void console_output(struct virtqueue *vq) 848{ 849 unsigned int head, out, in; 850 struct iovec iov[vq->vring.num]; 851 852 /* We usually wait in here, for the Guest to give us something. */ 853 head = wait_for_vq_desc(vq, iov, &out, &in); 854 if (in) 855 errx(1, "Input buffers in console output queue?"); 856 857 /* writev can return a partial write, so we loop here. */ 858 while (!iov_empty(iov, out)) { 859 int len = writev(STDOUT_FILENO, iov, out); 860 if (len <= 0) 861 err(1, "Write to stdout gave %i", len); 862 iov_consume(iov, out, len); 863 } 864 865 /* 866 * We're finished with that buffer: if we're going to sleep, 867 * wait_for_vq_desc() will prod the Guest with an interrupt. 868 */ 869 add_used(vq, head, 0); 870} 871 872/* 873 * The Network 874 * 875 * Handling output for network is also simple: we get all the output buffers 876 * and write them to /dev/net/tun. 877 */ 878struct net_info { 879 int tunfd; 880}; 881 882static void net_output(struct virtqueue *vq) 883{ 884 struct net_info *net_info = vq->dev->priv; 885 unsigned int head, out, in; 886 struct iovec iov[vq->vring.num]; 887 888 /* We usually wait in here for the Guest to give us a packet. */ 889 head = wait_for_vq_desc(vq, iov, &out, &in); 890 if (in) 891 errx(1, "Input buffers in net output queue?"); 892 /* 893 * Send the whole thing through to /dev/net/tun. It expects the exact 894 * same format: what a coincidence! 895 */ 896 if (writev(net_info->tunfd, iov, out) < 0) 897 errx(1, "Write to tun failed?"); 898 899 /* 900 * Done with that one; wait_for_vq_desc() will send the interrupt if 901 * all packets are processed. 902 */ 903 add_used(vq, head, 0); 904} 905 906/* 907 * Handling network input is a bit trickier, because I've tried to optimize it. 908 * 909 * First we have a helper routine which tells is if from this file descriptor 910 * (ie. the /dev/net/tun device) will block: 911 */ 912static bool will_block(int fd) 913{ 914 fd_set fdset; 915 struct timeval zero = { 0, 0 }; 916 FD_ZERO(&fdset); 917 FD_SET(fd, &fdset); 918 return select(fd+1, &fdset, NULL, NULL, &zero) != 1; 919} 920 921/* 922 * This handles packets coming in from the tun device to our Guest. Like all 923 * service routines, it gets called again as soon as it returns, so you don't 924 * see a while(1) loop here. 925 */ 926static void net_input(struct virtqueue *vq) 927{ 928 int len; 929 unsigned int head, out, in; 930 struct iovec iov[vq->vring.num]; 931 struct net_info *net_info = vq->dev->priv; 932 933 /* 934 * Get a descriptor to write an incoming packet into. This will also 935 * send an interrupt if they're out of descriptors. 936 */ 937 head = wait_for_vq_desc(vq, iov, &out, &in); 938 if (out) 939 errx(1, "Output buffers in net input queue?"); 940 941 /* 942 * If it looks like we'll block reading from the tun device, send them 943 * an interrupt. 944 */ 945 if (vq->pending_used && will_block(net_info->tunfd)) 946 trigger_irq(vq); 947 948 /* 949 * Read in the packet. This is where we normally wait (when there's no 950 * incoming network traffic). 951 */ 952 len = readv(net_info->tunfd, iov, in); 953 if (len <= 0) 954 err(1, "Failed to read from tun."); 955 956 /* 957 * Mark that packet buffer as used, but don't interrupt here. We want 958 * to wait until we've done as much work as we can. 959 */ 960 add_used(vq, head, len); 961} 962/*:*/ 963 964/* This is the helper to create threads: run the service routine in a loop. */ 965static int do_thread(void *_vq) 966{ 967 struct virtqueue *vq = _vq; 968 969 for (;;) 970 vq->service(vq); 971 return 0; 972} 973 974/* 975 * When a child dies, we kill our entire process group with SIGTERM. This 976 * also has the side effect that the shell restores the console for us! 977 */ 978static void kill_launcher(int signal) 979{ 980 kill(0, SIGTERM); 981} 982 983static void reset_device(struct device *dev) 984{ 985 struct virtqueue *vq; 986 987 verbose("Resetting device %s\n", dev->name); 988 989 /* Clear any features they've acked. */ 990 memset(get_feature_bits(dev) + dev->feature_len, 0, dev->feature_len); 991 992 /* We're going to be explicitly killing threads, so ignore them. */ 993 signal(SIGCHLD, SIG_IGN); 994 995 /* Zero out the virtqueues, get rid of their threads */ 996 for (vq = dev->vq; vq; vq = vq->next) { 997 if (vq->thread != (pid_t)-1) { 998 kill(vq->thread, SIGTERM); 999 waitpid(vq->thread, NULL, 0); 1000 vq->thread = (pid_t)-1; 1001 } 1002 memset(vq->vring.desc, 0, 1003 vring_size(vq->config.num, LGUEST_VRING_ALIGN)); 1004 lg_last_avail(vq) = 0; 1005 } 1006 dev->running = false; 1007 1008 /* Now we care if threads die. */ 1009 signal(SIGCHLD, (void *)kill_launcher); 1010} 1011 1012/*L:216 1013 * This actually creates the thread which services the virtqueue for a device. 1014 */ 1015static void create_thread(struct virtqueue *vq) 1016{ 1017 /* 1018 * Create stack for thread. Since the stack grows upwards, we point 1019 * the stack pointer to the end of this region. 1020 */ 1021 char *stack = malloc(32768); 1022 unsigned long args[] = { LHREQ_EVENTFD, 1023 vq->config.pfn*getpagesize(), 0 }; 1024 1025 /* Create a zero-initialized eventfd. */ 1026 vq->eventfd = eventfd(0, 0); 1027 if (vq->eventfd < 0) 1028 err(1, "Creating eventfd"); 1029 args[2] = vq->eventfd; 1030 1031 /* 1032 * Attach an eventfd to this virtqueue: it will go off when the Guest 1033 * does an LHCALL_NOTIFY for this vq. 1034 */ 1035 if (write(lguest_fd, &args, sizeof(args)) != 0) 1036 err(1, "Attaching eventfd"); 1037 1038 /* 1039 * CLONE_VM: because it has to access the Guest memory, and SIGCHLD so 1040 * we get a signal if it dies. 1041 */ 1042 vq->thread = clone(do_thread, stack + 32768, CLONE_VM | SIGCHLD, vq); 1043 if (vq->thread == (pid_t)-1) 1044 err(1, "Creating clone"); 1045 1046 /* We close our local copy now the child has it. */ 1047 close(vq->eventfd); 1048} 1049 1050static bool accepted_feature(struct device *dev, unsigned int bit) 1051{ 1052 const u8 *features = get_feature_bits(dev) + dev->feature_len; 1053 1054 if (dev->feature_len < bit / CHAR_BIT) 1055 return false; 1056 return features[bit / CHAR_BIT] & (1 << (bit % CHAR_BIT)); 1057} 1058 1059static void start_device(struct device *dev) 1060{ 1061 unsigned int i; 1062 struct virtqueue *vq; 1063 1064 verbose("Device %s OK: offered", dev->name); 1065 for (i = 0; i < dev->feature_len; i++) 1066 verbose(" %02x", get_feature_bits(dev)[i]); 1067 verbose(", accepted"); 1068 for (i = 0; i < dev->feature_len; i++) 1069 verbose(" %02x", get_feature_bits(dev) 1070 [dev->feature_len+i]); 1071 1072 dev->irq_on_empty = accepted_feature(dev, VIRTIO_F_NOTIFY_ON_EMPTY); 1073 1074 for (vq = dev->vq; vq; vq = vq->next) { 1075 if (vq->service) 1076 create_thread(vq); 1077 } 1078 dev->running = true; 1079} 1080 1081static void cleanup_devices(void) 1082{ 1083 struct device *dev; 1084 1085 for (dev = devices.dev; dev; dev = dev->next) 1086 reset_device(dev); 1087 1088 /* If we saved off the original terminal settings, restore them now. */ 1089 if (orig_term.c_lflag & (ISIG|ICANON|ECHO)) 1090 tcsetattr(STDIN_FILENO, TCSANOW, &orig_term); 1091} 1092 1093/* When the Guest tells us they updated the status field, we handle it. */ 1094static void update_device_status(struct device *dev) 1095{ 1096 /* A zero status is a reset, otherwise it's a set of flags. */ 1097 if (dev->desc->status == 0) 1098 reset_device(dev); 1099 else if (dev->desc->status & VIRTIO_CONFIG_S_FAILED) { 1100 warnx("Device %s configuration FAILED", dev->name); 1101 if (dev->running) 1102 reset_device(dev); 1103 } else if (dev->desc->status & VIRTIO_CONFIG_S_DRIVER_OK) { 1104 if (!dev->running) 1105 start_device(dev); 1106 } 1107} 1108 1109/*L:215 1110 * This is the generic routine we call when the Guest uses LHCALL_NOTIFY. In 1111 * particular, it's used to notify us of device status changes during boot. 1112 */ 1113static void handle_output(unsigned long addr) 1114{ 1115 struct device *i; 1116 1117 /* Check each device. */ 1118 for (i = devices.dev; i; i = i->next) { 1119 struct virtqueue *vq; 1120 1121 /* 1122 * Notifications to device descriptors mean they updated the 1123 * device status. 1124 */ 1125 if (from_guest_phys(addr) == i->desc) { 1126 update_device_status(i); 1127 return; 1128 } 1129 1130 /* 1131 * Devices *can* be used before status is set to DRIVER_OK. 1132 * The original plan was that they would never do this: they 1133 * would always finish setting up their status bits before 1134 * actually touching the virtqueues. In practice, we allowed 1135 * them to, and they do (eg. the disk probes for partition 1136 * tables as part of initialization). 1137 * 1138 * If we see this, we start the device: once it's running, we 1139 * expect the device to catch all the notifications. 1140 */ 1141 for (vq = i->vq; vq; vq = vq->next) { 1142 if (addr != vq->config.pfn*getpagesize()) 1143 continue; 1144 if (i->running) 1145 errx(1, "Notification on running %s", i->name); 1146 /* This just calls create_thread() for each virtqueue */ 1147 start_device(i); 1148 return; 1149 } 1150 } 1151 1152 /* 1153 * Early console write is done using notify on a nul-terminated string 1154 * in Guest memory. It's also great for hacking debugging messages 1155 * into a Guest. 1156 */ 1157 if (addr >= guest_limit) 1158 errx(1, "Bad NOTIFY %#lx", addr); 1159 1160 write(STDOUT_FILENO, from_guest_phys(addr), 1161 strnlen(from_guest_phys(addr), guest_limit - addr)); 1162} 1163 1164/*L:190 1165 * Device Setup 1166 * 1167 * All devices need a descriptor so the Guest knows it exists, and a "struct 1168 * device" so the Launcher can keep track of it. We have common helper 1169 * routines to allocate and manage them. 1170 */ 1171 1172/* 1173 * The layout of the device page is a "struct lguest_device_desc" followed by a 1174 * number of virtqueue descriptors, then two sets of feature bits, then an 1175 * array of configuration bytes. This routine returns the configuration 1176 * pointer. 1177 */ 1178static u8 *device_config(const struct device *dev) 1179{ 1180 return (void *)(dev->desc + 1) 1181 + dev->num_vq * sizeof(struct lguest_vqconfig) 1182 + dev->feature_len * 2; 1183} 1184 1185/* 1186 * This routine allocates a new "struct lguest_device_desc" from descriptor 1187 * table page just above the Guest's normal memory. It returns a pointer to 1188 * that descriptor. 1189 */ 1190static struct lguest_device_desc *new_dev_desc(u16 type) 1191{ 1192 struct lguest_device_desc d = { .type = type }; 1193 void *p; 1194 1195 /* Figure out where the next device config is, based on the last one. */ 1196 if (devices.lastdev) 1197 p = device_config(devices.lastdev) 1198 + devices.lastdev->desc->config_len; 1199 else 1200 p = devices.descpage; 1201 1202 /* We only have one page for all the descriptors. */ 1203 if (p + sizeof(d) > (void *)devices.descpage + getpagesize()) 1204 errx(1, "Too many devices"); 1205 1206 /* p might not be aligned, so we memcpy in. */ 1207 return memcpy(p, &d, sizeof(d)); 1208} 1209 1210/* 1211 * Each device descriptor is followed by the description of its virtqueues. We 1212 * specify how many descriptors the virtqueue is to have. 1213 */ 1214static void add_virtqueue(struct device *dev, unsigned int num_descs, 1215 void (*service)(struct virtqueue *)) 1216{ 1217 unsigned int pages; 1218 struct virtqueue **i, *vq = malloc(sizeof(*vq)); 1219 void *p; 1220 1221 /* First we need some memory for this virtqueue. */ 1222 pages = (vring_size(num_descs, LGUEST_VRING_ALIGN) + getpagesize() - 1) 1223 / getpagesize(); 1224 p = get_pages(pages); 1225 1226 /* Initialize the virtqueue */ 1227 vq->next = NULL; 1228 vq->last_avail_idx = 0; 1229 vq->dev = dev; 1230 1231 /* 1232 * This is the routine the service thread will run, and its Process ID 1233 * once it's running. 1234 */ 1235 vq->service = service; 1236 vq->thread = (pid_t)-1; 1237 1238 /* Initialize the configuration. */ 1239 vq->config.num = num_descs; 1240 vq->config.irq = devices.next_irq++; 1241 vq->config.pfn = to_guest_phys(p) / getpagesize(); 1242 1243 /* Initialize the vring. */ 1244 vring_init(&vq->vring, num_descs, p, LGUEST_VRING_ALIGN); 1245 1246 /* 1247 * Append virtqueue to this device's descriptor. We use 1248 * device_config() to get the end of the device's current virtqueues; 1249 * we check that we haven't added any config or feature information 1250 * yet, otherwise we'd be overwriting them. 1251 */ 1252 assert(dev->desc->config_len == 0 && dev->desc->feature_len == 0); 1253 memcpy(device_config(dev), &vq->config, sizeof(vq->config)); 1254 dev->num_vq++; 1255 dev->desc->num_vq++; 1256 1257 verbose("Virtqueue page %#lx\n", to_guest_phys(p)); 1258 1259 /* 1260 * Add to tail of list, so dev->vq is first vq, dev->vq->next is 1261 * second. 1262 */ 1263 for (i = &dev->vq; *i; i = &(*i)->next); 1264 *i = vq; 1265} 1266 1267/* 1268 * The first half of the feature bitmask is for us to advertise features. The 1269 * second half is for the Guest to accept features. 1270 */ 1271static void add_feature(struct device *dev, unsigned bit) 1272{ 1273 u8 *features = get_feature_bits(dev); 1274 1275 /* We can't extend the feature bits once we've added config bytes */ 1276 if (dev->desc->feature_len <= bit / CHAR_BIT) { 1277 assert(dev->desc->config_len == 0); 1278 dev->feature_len = dev->desc->feature_len = (bit/CHAR_BIT) + 1; 1279 } 1280 1281 features[bit / CHAR_BIT] |= (1 << (bit % CHAR_BIT)); 1282} 1283 1284/* 1285 * This routine sets the configuration fields for an existing device's 1286 * descriptor. It only works for the last device, but that's OK because that's 1287 * how we use it. 1288 */ 1289static void set_config(struct device *dev, unsigned len, const void *conf) 1290{ 1291 /* Check we haven't overflowed our single page. */ 1292 if (device_config(dev) + len > devices.descpage + getpagesize()) 1293 errx(1, "Too many devices"); 1294 1295 /* Copy in the config information, and store the length. */ 1296 memcpy(device_config(dev), conf, len); 1297 dev->desc->config_len = len; 1298 1299 /* Size must fit in config_len field (8 bits)! */ 1300 assert(dev->desc->config_len == len); 1301} 1302 1303/* 1304 * This routine does all the creation and setup of a new device, including 1305 * calling new_dev_desc() to allocate the descriptor and device memory. We 1306 * don't actually start the service threads until later. 1307 * 1308 * See what I mean about userspace being boring? 1309 */ 1310static struct device *new_device(const char *name, u16 type) 1311{ 1312 struct device *dev = malloc(sizeof(*dev)); 1313 1314 /* Now we populate the fields one at a time. */ 1315 dev->desc = new_dev_desc(type); 1316 dev->name = name; 1317 dev->vq = NULL; 1318 dev->feature_len = 0; 1319 dev->num_vq = 0; 1320 dev->running = false; 1321 1322 /* 1323 * Append to device list. Prepending to a single-linked list is 1324 * easier, but the user expects the devices to be arranged on the bus 1325 * in command-line order. The first network device on the command line 1326 * is eth0, the first block device /dev/vda, etc. 1327 */ 1328 if (devices.lastdev) 1329 devices.lastdev->next = dev; 1330 else 1331 devices.dev = dev; 1332 devices.lastdev = dev; 1333 1334 return dev; 1335} 1336 1337/* 1338 * Our first setup routine is the console. It's a fairly simple device, but 1339 * UNIX tty handling makes it uglier than it could be. 1340 */ 1341static void setup_console(void) 1342{ 1343 struct device *dev; 1344 1345 /* If we can save the initial standard input settings... */ 1346 if (tcgetattr(STDIN_FILENO, &orig_term) == 0) { 1347 struct termios term = orig_term; 1348 /* 1349 * Then we turn off echo, line buffering and ^C etc: We want a 1350 * raw input stream to the Guest. 1351 */ 1352 term.c_lflag &= ~(ISIG|ICANON|ECHO); 1353 tcsetattr(STDIN_FILENO, TCSANOW, &term); 1354 } 1355 1356 dev = new_device("console", VIRTIO_ID_CONSOLE); 1357 1358 /* We store the console state in dev->priv, and initialize it. */ 1359 dev->priv = malloc(sizeof(struct console_abort)); 1360 ((struct console_abort *)dev->priv)->count = 0; 1361 1362 /* 1363 * The console needs two virtqueues: the input then the output. When 1364 * they put something the input queue, we make sure we're listening to 1365 * stdin. When they put something in the output queue, we write it to 1366 * stdout. 1367 */ 1368 add_virtqueue(dev, VIRTQUEUE_NUM, console_input); 1369 add_virtqueue(dev, VIRTQUEUE_NUM, console_output); 1370 1371 verbose("device %u: console\n", ++devices.device_num); 1372} 1373/*:*/ 1374 1375/*M:010 1376 * Inter-guest networking is an interesting area. Simplest is to have a 1377 * --sharenet=<name> option which opens or creates a named pipe. This can be 1378 * used to send packets to another guest in a 1:1 manner. 1379 * 1380 * More sopisticated is to use one of the tools developed for project like UML 1381 * to do networking. 1382 * 1383 * Faster is to do virtio bonding in kernel. Doing this 1:1 would be 1384 * completely generic ("here's my vring, attach to your vring") and would work 1385 * for any traffic. Of course, namespace and permissions issues need to be 1386 * dealt with. A more sophisticated "multi-channel" virtio_net.c could hide 1387 * multiple inter-guest channels behind one interface, although it would 1388 * require some manner of hotplugging new virtio channels. 1389 * 1390 * Finally, we could implement a virtio network switch in the kernel. 1391:*/ 1392 1393static u32 str2ip(const char *ipaddr) 1394{ 1395 unsigned int b[4]; 1396 1397 if (sscanf(ipaddr, "%u.%u.%u.%u", &b[0], &b[1], &b[2], &b[3]) != 4) 1398 errx(1, "Failed to parse IP address '%s'", ipaddr); 1399 return (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]; 1400} 1401 1402static void str2mac(const char *macaddr, unsigned char mac[6]) 1403{ 1404 unsigned int m[6]; 1405 if (sscanf(macaddr, "%02x:%02x:%02x:%02x:%02x:%02x", 1406 &m[0], &m[1], &m[2], &m[3], &m[4], &m[5]) != 6) 1407 errx(1, "Failed to parse mac address '%s'", macaddr); 1408 mac[0] = m[0]; 1409 mac[1] = m[1]; 1410 mac[2] = m[2]; 1411 mac[3] = m[3]; 1412 mac[4] = m[4]; 1413 mac[5] = m[5]; 1414} 1415 1416/* 1417 * This code is "adapted" from libbridge: it attaches the Host end of the 1418 * network device to the bridge device specified by the command line. 1419 * 1420 * This is yet another James Morris contribution (I'm an IP-level guy, so I 1421 * dislike bridging), and I just try not to break it. 1422 */ 1423static void add_to_bridge(int fd, const char *if_name, const char *br_name) 1424{ 1425 int ifidx; 1426 struct ifreq ifr; 1427 1428 if (!*br_name) 1429 errx(1, "must specify bridge name"); 1430 1431 ifidx = if_nametoindex(if_name); 1432 if (!ifidx) 1433 errx(1, "interface %s does not exist!", if_name); 1434 1435 strncpy(ifr.ifr_name, br_name, IFNAMSIZ); 1436 ifr.ifr_name[IFNAMSIZ-1] = '\0'; 1437 ifr.ifr_ifindex = ifidx; 1438 if (ioctl(fd, SIOCBRADDIF, &ifr) < 0) 1439 err(1, "can't add %s to bridge %s", if_name, br_name); 1440} 1441 1442/* 1443 * This sets up the Host end of the network device with an IP address, brings 1444 * it up so packets will flow, the copies the MAC address into the hwaddr 1445 * pointer. 1446 */ 1447static void configure_device(int fd, const char *tapif, u32 ipaddr) 1448{ 1449 struct ifreq ifr; 1450 struct sockaddr_in sin; 1451 1452 memset(&ifr, 0, sizeof(ifr)); 1453 strcpy(ifr.ifr_name, tapif); 1454 1455 /* Don't read these incantations. Just cut & paste them like I did! */ 1456 sin.sin_family = AF_INET; 1457 sin.sin_addr.s_addr = htonl(ipaddr); 1458 memcpy(&ifr.ifr_addr, &sin, sizeof(sin)); 1459 if (ioctl(fd, SIOCSIFADDR, &ifr) != 0) 1460 err(1, "Setting %s interface address", tapif); 1461 ifr.ifr_flags = IFF_UP; 1462 if (ioctl(fd, SIOCSIFFLAGS, &ifr) != 0) 1463 err(1, "Bringing interface %s up", tapif); 1464} 1465 1466static int get_tun_device(char tapif[IFNAMSIZ]) 1467{ 1468 struct ifreq ifr; 1469 int netfd; 1470 1471 /* Start with this zeroed. Messy but sure. */ 1472 memset(&ifr, 0, sizeof(ifr)); 1473 1474 /* 1475 * We open the /dev/net/tun device and tell it we want a tap device. A 1476 * tap device is like a tun device, only somehow different. To tell 1477 * the truth, I completely blundered my way through this code, but it 1478 * works now! 1479 */ 1480 netfd = open_or_die("/dev/net/tun", O_RDWR); 1481 ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_VNET_HDR; 1482 strcpy(ifr.ifr_name, "tap%d"); 1483 if (ioctl(netfd, TUNSETIFF, &ifr) != 0) 1484 err(1, "configuring /dev/net/tun"); 1485 1486 if (ioctl(netfd, TUNSETOFFLOAD, 1487 TUN_F_CSUM|TUN_F_TSO4|TUN_F_TSO6|TUN_F_TSO_ECN) != 0) 1488 err(1, "Could not set features for tun device"); 1489 1490 /* 1491 * We don't need checksums calculated for packets coming in this 1492 * device: trust us! 1493 */ 1494 ioctl(netfd, TUNSETNOCSUM, 1); 1495 1496 memcpy(tapif, ifr.ifr_name, IFNAMSIZ); 1497 return netfd; 1498} 1499 1500/*L:195 1501 * Our network is a Host<->Guest network. This can either use bridging or 1502 * routing, but the principle is the same: it uses the "tun" device to inject 1503 * packets into the Host as if they came in from a normal network card. We 1504 * just shunt packets between the Guest and the tun device. 1505 */ 1506static void setup_tun_net(char *arg) 1507{ 1508 struct device *dev; 1509 struct net_info *net_info = malloc(sizeof(*net_info)); 1510 int ipfd; 1511 u32 ip = INADDR_ANY; 1512 bool bridging = false; 1513 char tapif[IFNAMSIZ], *p; 1514 struct virtio_net_config conf; 1515 1516 net_info->tunfd = get_tun_device(tapif); 1517 1518 /* First we create a new network device. */ 1519 dev = new_device("net", VIRTIO_ID_NET); 1520 dev->priv = net_info; 1521 1522 /* Network devices need a recv and a send queue, just like console. */ 1523 add_virtqueue(dev, VIRTQUEUE_NUM, net_input); 1524 add_virtqueue(dev, VIRTQUEUE_NUM, net_output); 1525 1526 /* 1527 * We need a socket to perform the magic network ioctls to bring up the 1528 * tap interface, connect to the bridge etc. Any socket will do! 1529 */ 1530 ipfd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP); 1531 if (ipfd < 0) 1532 err(1, "opening IP socket"); 1533 1534 /* If the command line was --tunnet=bridge:<name> do bridging. */ 1535 if (!strncmp(BRIDGE_PFX, arg, strlen(BRIDGE_PFX))) { 1536 arg += strlen(BRIDGE_PFX); 1537 bridging = true; 1538 } 1539 1540 /* A mac address may follow the bridge name or IP address */ 1541 p = strchr(arg, ':'); 1542 if (p) { 1543 str2mac(p+1, conf.mac); 1544 add_feature(dev, VIRTIO_NET_F_MAC); 1545 *p = '\0'; 1546 } 1547 1548 /* arg is now either an IP address or a bridge name */ 1549 if (bridging) 1550 add_to_bridge(ipfd, tapif, arg); 1551 else 1552 ip = str2ip(arg); 1553 1554 /* Set up the tun device. */ 1555 configure_device(ipfd, tapif, ip); 1556 1557 add_feature(dev, VIRTIO_F_NOTIFY_ON_EMPTY); 1558 /* Expect Guest to handle everything except UFO */ 1559 add_feature(dev, VIRTIO_NET_F_CSUM); 1560 add_feature(dev, VIRTIO_NET_F_GUEST_CSUM); 1561 add_feature(dev, VIRTIO_NET_F_GUEST_TSO4); 1562 add_feature(dev, VIRTIO_NET_F_GUEST_TSO6); 1563 add_feature(dev, VIRTIO_NET_F_GUEST_ECN); 1564 add_feature(dev, VIRTIO_NET_F_HOST_TSO4); 1565 add_feature(dev, VIRTIO_NET_F_HOST_TSO6); 1566 add_feature(dev, VIRTIO_NET_F_HOST_ECN); 1567 /* We handle indirect ring entries */ 1568 add_feature(dev, VIRTIO_RING_F_INDIRECT_DESC); 1569 set_config(dev, sizeof(conf), &conf); 1570 1571 /* We don't need the socket any more; setup is done. */ 1572 close(ipfd); 1573 1574 devices.device_num++; 1575 1576 if (bridging) 1577 verbose("device %u: tun %s attached to bridge: %s\n", 1578 devices.device_num, tapif, arg); 1579 else 1580 verbose("device %u: tun %s: %s\n", 1581 devices.device_num, tapif, arg); 1582} 1583/*:*/ 1584 1585/* This hangs off device->priv. */ 1586struct vblk_info { 1587 /* The size of the file. */ 1588 off64_t len; 1589 1590 /* The file descriptor for the file. */ 1591 int fd; 1592 1593}; 1594 1595/*L:210 1596 * The Disk 1597 * 1598 * The disk only has one virtqueue, so it only has one thread. It is really 1599 * simple: the Guest asks for a block number and we read or write that position 1600 * in the file. 1601 * 1602 * Before we serviced each virtqueue in a separate thread, that was unacceptably 1603 * slow: the Guest waits until the read is finished before running anything 1604 * else, even if it could have been doing useful work. 1605 * 1606 * We could have used async I/O, except it's reputed to suck so hard that 1607 * characters actually go missing from your code when you try to use it. 1608 */ 1609static void blk_request(struct virtqueue *vq) 1610{ 1611 struct vblk_info *vblk = vq->dev->priv; 1612 unsigned int head, out_num, in_num, wlen; 1613 int ret; 1614 u8 *in; 1615 struct virtio_blk_outhdr *out; 1616 struct iovec iov[vq->vring.num]; 1617 off64_t off; 1618 1619 /* 1620 * Get the next request, where we normally wait. It triggers the 1621 * interrupt to acknowledge previously serviced requests (if any). 1622 */ 1623 head = wait_for_vq_desc(vq, iov, &out_num, &in_num); 1624 1625 /* 1626 * Every block request should contain at least one output buffer 1627 * (detailing the location on disk and the type of request) and one 1628 * input buffer (to hold the result). 1629 */ 1630 if (out_num == 0 || in_num == 0) 1631 errx(1, "Bad virtblk cmd %u out=%u in=%u", 1632 head, out_num, in_num); 1633 1634 out = convert(&iov[0], struct virtio_blk_outhdr); 1635 in = convert(&iov[out_num+in_num-1], u8); 1636 /* 1637 * For historical reasons, block operations are expressed in 512 byte 1638 * "sectors". 1639 */ 1640 off = out->sector * 512; 1641 1642 /* 1643 * The block device implements "barriers", where the Guest indicates 1644 * that it wants all previous writes to occur before this write. We 1645 * don't have a way of asking our kernel to do a barrier, so we just 1646 * synchronize all the data in the file. Pretty poor, no? 1647 */ 1648 if (out->type & VIRTIO_BLK_T_BARRIER) 1649 fdatasync(vblk->fd); 1650 1651 /* 1652 * In general the virtio block driver is allowed to try SCSI commands. 1653 * It'd be nice if we supported eject, for example, but we don't. 1654 */ 1655 if (out->type & VIRTIO_BLK_T_SCSI_CMD) { 1656 fprintf(stderr, "Scsi commands unsupported\n"); 1657 *in = VIRTIO_BLK_S_UNSUPP; 1658 wlen = sizeof(*in); 1659 } else if (out->type & VIRTIO_BLK_T_OUT) { 1660 /* 1661 * Write 1662 * 1663 * Move to the right location in the block file. This can fail 1664 * if they try to write past end. 1665 */ 1666 if (lseek64(vblk->fd, off, SEEK_SET) != off) 1667 err(1, "Bad seek to sector %llu", out->sector); 1668 1669 ret = writev(vblk->fd, iov+1, out_num-1); 1670 verbose("WRITE to sector %llu: %i\n", out->sector, ret); 1671 1672 /* 1673 * Grr... Now we know how long the descriptor they sent was, we 1674 * make sure they didn't try to write over the end of the block 1675 * file (possibly extending it). 1676 */ 1677 if (ret > 0 && off + ret > vblk->len) { 1678 /* Trim it back to the correct length */ 1679 ftruncate64(vblk->fd, vblk->len); 1680 /* Die, bad Guest, die. */ 1681 errx(1, "Write past end %llu+%u", off, ret); 1682 } 1683 wlen = sizeof(*in); 1684 *in = (ret >= 0 ? VIRTIO_BLK_S_OK : VIRTIO_BLK_S_IOERR); 1685 } else { 1686 /* 1687 * Read 1688 * 1689 * Move to the right location in the block file. This can fail 1690 * if they try to read past end. 1691 */ 1692 if (lseek64(vblk->fd, off, SEEK_SET) != off) 1693 err(1, "Bad seek to sector %llu", out->sector); 1694 1695 ret = readv(vblk->fd, iov+1, in_num-1); 1696 verbose("READ from sector %llu: %i\n", out->sector, ret); 1697 if (ret >= 0) { 1698 wlen = sizeof(*in) + ret; 1699 *in = VIRTIO_BLK_S_OK; 1700 } else { 1701 wlen = sizeof(*in); 1702 *in = VIRTIO_BLK_S_IOERR; 1703 } 1704 } 1705 1706 /* 1707 * OK, so we noted that it was pretty poor to use an fdatasync as a 1708 * barrier. But Christoph Hellwig points out that we need a sync 1709 * *afterwards* as well: "Barriers specify no reordering to the front 1710 * or the back." And Jens Axboe confirmed it, so here we are: 1711 */ 1712 if (out->type & VIRTIO_BLK_T_BARRIER) 1713 fdatasync(vblk->fd); 1714 1715 /* Finished that request. */ 1716 add_used(vq, head, wlen); 1717} 1718 1719/*L:198 This actually sets up a virtual block device. */ 1720static void setup_block_file(const char *filename) 1721{ 1722 struct device *dev; 1723 struct vblk_info *vblk; 1724 struct virtio_blk_config conf; 1725 1726 /* Creat the device. */ 1727 dev = new_device("block", VIRTIO_ID_BLOCK); 1728 1729 /* The device has one virtqueue, where the Guest places requests. */ 1730 add_virtqueue(dev, VIRTQUEUE_NUM, blk_request); 1731 1732 /* Allocate the room for our own bookkeeping */ 1733 vblk = dev->priv = malloc(sizeof(*vblk)); 1734 1735 /* First we open the file and store the length. */ 1736 vblk->fd = open_or_die(filename, O_RDWR|O_LARGEFILE); 1737 vblk->len = lseek64(vblk->fd, 0, SEEK_END); 1738 1739 /* We support barriers. */ 1740 add_feature(dev, VIRTIO_BLK_F_BARRIER); 1741 1742 /* Tell Guest how many sectors this device has. */ 1743 conf.capacity = cpu_to_le64(vblk->len / 512); 1744 1745 /* 1746 * Tell Guest not to put in too many descriptors at once: two are used 1747 * for the in and out elements. 1748 */ 1749 add_feature(dev, VIRTIO_BLK_F_SEG_MAX); 1750 conf.seg_max = cpu_to_le32(VIRTQUEUE_NUM - 2); 1751 1752 /* Don't try to put whole struct: we have 8 bit limit. */ 1753 set_config(dev, offsetof(struct virtio_blk_config, geometry), &conf); 1754 1755 verbose("device %u: virtblock %llu sectors\n", 1756 ++devices.device_num, le64_to_cpu(conf.capacity)); 1757} 1758 1759/*L:211 1760 * Our random number generator device reads from /dev/random into the Guest's 1761 * input buffers. The usual case is that the Guest doesn't want random numbers 1762 * and so has no buffers although /dev/random is still readable, whereas 1763 * console is the reverse. 1764 * 1765 * The same logic applies, however. 1766 */ 1767struct rng_info { 1768 int rfd; 1769}; 1770 1771static void rng_input(struct virtqueue *vq) 1772{ 1773 int len; 1774 unsigned int head, in_num, out_num, totlen = 0; 1775 struct rng_info *rng_info = vq->dev->priv; 1776 struct iovec iov[vq->vring.num]; 1777 1778 /* First we need a buffer from the Guests's virtqueue. */ 1779 head = wait_for_vq_desc(vq, iov, &out_num, &in_num); 1780 if (out_num) 1781 errx(1, "Output buffers in rng?"); 1782 1783 /* 1784 * Just like the console write, we loop to cover the whole iovec. 1785 * In this case, short reads actually happen quite a bit. 1786 */ 1787 while (!iov_empty(iov, in_num)) { 1788 len = readv(rng_info->rfd, iov, in_num); 1789 if (len <= 0) 1790 err(1, "Read from /dev/random gave %i", len); 1791 iov_consume(iov, in_num, len); 1792 totlen += len; 1793 } 1794 1795 /* Tell the Guest about the new input. */ 1796 add_used(vq, head, totlen); 1797} 1798 1799/*L:199 1800 * This creates a "hardware" random number device for the Guest. 1801 */ 1802static void setup_rng(void) 1803{ 1804 struct device *dev; 1805 struct rng_info *rng_info = malloc(sizeof(*rng_info)); 1806 1807 /* Our device's privat info simply contains the /dev/random fd. */ 1808 rng_info->rfd = open_or_die("/dev/random", O_RDONLY); 1809 1810 /* Create the new device. */ 1811 dev = new_device("rng", VIRTIO_ID_RNG); 1812 dev->priv = rng_info; 1813 1814 /* The device has one virtqueue, where the Guest places inbufs. */ 1815 add_virtqueue(dev, VIRTQUEUE_NUM, rng_input); 1816 1817 verbose("device %u: rng\n", devices.device_num++); 1818} 1819/* That's the end of device setup. */ 1820 1821/*L:230 Reboot is pretty easy: clean up and exec() the Launcher afresh. */ 1822static void __attribute__((noreturn)) restart_guest(void) 1823{ 1824 unsigned int i; 1825 1826 /* 1827 * Since we don't track all open fds, we simply close everything beyond 1828 * stderr. 1829 */ 1830 for (i = 3; i < FD_SETSIZE; i++) 1831 close(i); 1832 1833 /* Reset all the devices (kills all threads). */ 1834 cleanup_devices(); 1835 1836 execv(main_args[0], main_args); 1837 err(1, "Could not exec %s", main_args[0]); 1838} 1839 1840/*L:220 1841 * Finally we reach the core of the Launcher which runs the Guest, serves 1842 * its input and output, and finally, lays it to rest. 1843 */ 1844static void __attribute__((noreturn)) run_guest(void) 1845{ 1846 for (;;) { 1847 unsigned long notify_addr; 1848 int readval; 1849 1850 /* We read from the /dev/lguest device to run the Guest. */ 1851 readval = pread(lguest_fd, ¬ify_addr, 1852 sizeof(notify_addr), cpu_id); 1853 1854 /* One unsigned long means the Guest did HCALL_NOTIFY */ 1855 if (readval == sizeof(notify_addr)) { 1856 verbose("Notify on address %#lx\n", notify_addr); 1857 handle_output(notify_addr); 1858 /* ENOENT means the Guest died. Reading tells us why. */ 1859 } else if (errno == ENOENT) { 1860 char reason[1024] = { 0 }; 1861 pread(lguest_fd, reason, sizeof(reason)-1, cpu_id); 1862 errx(1, "%s", reason); 1863 /* ERESTART means that we need to reboot the guest */ 1864 } else if (errno == ERESTART) { 1865 restart_guest(); 1866 /* Anything else means a bug or incompatible change. */ 1867 } else 1868 err(1, "Running guest failed"); 1869 } 1870} 1871/*L:240 1872 * This is the end of the Launcher. The good news: we are over halfway 1873 * through! The bad news: the most fiendish part of the code still lies ahead 1874 * of us. 1875 * 1876 * Are you ready? Take a deep breath and join me in the core of the Host, in 1877 * "make Host". 1878:*/ 1879 1880static struct option opts[] = { 1881 { "verbose", 0, NULL, 'v' }, 1882 { "tunnet", 1, NULL, 't' }, 1883 { "block", 1, NULL, 'b' }, 1884 { "rng", 0, NULL, 'r' }, 1885 { "initrd", 1, NULL, 'i' }, 1886 { NULL }, 1887}; 1888static void usage(void) 1889{ 1890 errx(1, "Usage: lguest [--verbose] " 1891 "[--tunnet=(<ipaddr>:<macaddr>|bridge:<bridgename>:<macaddr>)\n" 1892 "|--block=<filename>|--initrd=<filename>]...\n" 1893 "<mem-in-mb> vmlinux [args...]"); 1894} 1895 1896/*L:105 The main routine is where the real work begins: */ 1897int main(int argc, char *argv[]) 1898{ 1899 /* Memory, code startpoint and size of the (optional) initrd. */ 1900 unsigned long mem = 0, start, initrd_size = 0; 1901 /* Two temporaries. */ 1902 int i, c; 1903 /* The boot information for the Guest. */ 1904 struct boot_params *boot; 1905 /* If they specify an initrd file to load. */ 1906 const char *initrd_name = NULL; 1907 1908 /* Save the args: we "reboot" by execing ourselves again. */ 1909 main_args = argv; 1910 1911 /* 1912 * First we initialize the device list. We keep a pointer to the last 1913 * device, and the next interrupt number to use for devices (1: 1914 * remember that 0 is used by the timer). 1915 */ 1916 devices.lastdev = NULL; 1917 devices.next_irq = 1; 1918 1919 /* We're CPU 0. In fact, that's the only CPU possible right now. */ 1920 cpu_id = 0; 1921 1922 /* 1923 * We need to know how much memory so we can set up the device 1924 * descriptor and memory pages for the devices as we parse the command 1925 * line. So we quickly look through the arguments to find the amount 1926 * of memory now. 1927 */ 1928 for (i = 1; i < argc; i++) { 1929 if (argv[i][0] != '-') { 1930 mem = atoi(argv[i]) * 1024 * 1024; 1931 /* 1932 * We start by mapping anonymous pages over all of 1933 * guest-physical memory range. This fills it with 0, 1934 * and ensures that the Guest won't be killed when it 1935 * tries to access it. 1936 */ 1937 guest_base = map_zeroed_pages(mem / getpagesize() 1938 + DEVICE_PAGES); 1939 guest_limit = mem; 1940 guest_max = mem + DEVICE_PAGES*getpagesize(); 1941 devices.descpage = get_pages(1); 1942 break; 1943 } 1944 } 1945 1946 /* The options are fairly straight-forward */ 1947 while ((c = getopt_long(argc, argv, "v", opts, NULL)) != EOF) { 1948 switch (c) { 1949 case 'v': 1950 verbose = true; 1951 break; 1952 case 't': 1953 setup_tun_net(optarg); 1954 break; 1955 case 'b': 1956 setup_block_file(optarg); 1957 break; 1958 case 'r': 1959 setup_rng(); 1960 break; 1961 case 'i': 1962 initrd_name = optarg; 1963 break; 1964 default: 1965 warnx("Unknown argument %s", argv[optind]); 1966 usage(); 1967 } 1968 } 1969 /* 1970 * After the other arguments we expect memory and kernel image name, 1971 * followed by command line arguments for the kernel. 1972 */ 1973 if (optind + 2 > argc) 1974 usage(); 1975 1976 verbose("Guest base is at %p\n", guest_base); 1977 1978 /* We always have a console device */ 1979 setup_console(); 1980 1981 /* Now we load the kernel */ 1982 start = load_kernel(open_or_die(argv[optind+1], O_RDONLY)); 1983 1984 /* Boot information is stashed at physical address 0 */ 1985 boot = from_guest_phys(0); 1986 1987 /* Map the initrd image if requested (at top of physical memory) */ 1988 if (initrd_name) { 1989 initrd_size = load_initrd(initrd_name, mem); 1990 /* 1991 * These are the location in the Linux boot header where the 1992 * start and size of the initrd are expected to be found. 1993 */ 1994 boot->hdr.ramdisk_image = mem - initrd_size; 1995 boot->hdr.ramdisk_size = initrd_size; 1996 /* The bootloader type 0xFF means "unknown"; that's OK. */ 1997 boot->hdr.type_of_loader = 0xFF; 1998 } 1999 2000 /* 2001 * The Linux boot header contains an "E820" memory map: ours is a 2002 * simple, single region. 2003 */ 2004 boot->e820_entries = 1; 2005 boot->e820_map[0] = ((struct e820entry) { 0, mem, E820_RAM }); 2006 /* 2007 * The boot header contains a command line pointer: we put the command 2008 * line after the boot header. 2009 */ 2010 boot->hdr.cmd_line_ptr = to_guest_phys(boot + 1); 2011 /* We use a simple helper to copy the arguments separated by spaces. */ 2012 concat((char *)(boot + 1), argv+optind+2); 2013 2014 /* Boot protocol version: 2.07 supports the fields for lguest. */ 2015 boot->hdr.version = 0x207; 2016 2017 /* The hardware_subarch value of "1" tells the Guest it's an lguest. */ 2018 boot->hdr.hardware_subarch = 1; 2019 2020 /* Tell the entry path not to try to reload segment registers. */ 2021 boot->hdr.loadflags |= KEEP_SEGMENTS; 2022 2023 /* 2024 * We tell the kernel to initialize the Guest: this returns the open 2025 * /dev/lguest file descriptor. 2026 */ 2027 tell_kernel(start); 2028 2029 /* Ensure that we terminate if a device-servicing child dies. */ 2030 signal(SIGCHLD, kill_launcher); 2031 2032 /* If we exit via err(), this kills all the threads, restores tty. */ 2033 atexit(cleanup_devices); 2034 2035 /* Finally, run the Guest. This doesn't return. */ 2036 run_guest(); 2037} 2038/*:*/ 2039 2040/*M:999 2041 * Mastery is done: you now know everything I do. 2042 * 2043 * But surely you have seen code, features and bugs in your wanderings which 2044 * you now yearn to attack? That is the real game, and I look forward to you 2045 * patching and forking lguest into the Your-Name-Here-visor. 2046 * 2047 * Farewell, and good coding! 2048 * Rusty Russell. 2049 */ 2050