2 * This file is part of the Palacios Virtual Machine Monitor developed
3 * by the V3VEE Project with funding from the United States National
4 * Science Foundation and the Department of Energy.
6 * The V3VEE Project is a joint project between Northwestern University
7 * and the University of New Mexico. You can find out more at
10 * Copyright (c) 2008, Jack Lange <jarusl@cs.northwestern.edu>
11 * Copyright (c) 2008, The V3VEE Project <http://www.v3vee.org>
12 * All rights reserved.
14 * Author: Jack Lange <jarusl@cs.northwestern.edu>
16 * This is free software. You are permitted to use,
17 * redistribute, and modify it as specified in the file "V3VEE_LICENSE".
20 #include <palacios/vmm.h>
21 #include <palacios/vmm_emulator.h>
22 #include <palacios/vm_guest_mem.h>
23 #include <palacios/vmm_decoder.h>
24 #include <palacios/vmm_paging.h>
25 #include <palacios/vmm_instr_emulator.h>
27 #ifndef DEBUG_EMULATOR
29 #define PrintDebug(fmt, args...)
35 static int run_op(struct guest_info * info, v3_op_type_t op_type, addr_t src_addr, addr_t dst_addr, int src_op_size, int dst_op_size);
37 // We emulate up to the next 4KB page boundry
38 static int emulate_string_write_op(struct guest_info * info, struct x86_instr * dec_instr,
39 addr_t write_gva, addr_t write_gpa, addr_t dst_addr,
40 int (*write_fn)(addr_t guest_addr, void * src, uint_t length, void * priv_data),
42 uint_t emulation_length = 0;
46 if (dec_instr->dst_operand.operand != write_gva) {
47 PrintError("Inconsistency between Pagefault and Instruction Decode XED_ADDR=%p, PF_ADDR=%p\n",
48 (void *)dec_instr->dst_operand.operand, (void *)write_gva);
52 emulation_length = ( (dec_instr->str_op_length < (0x1000 - PAGE_OFFSET_4KB(write_gva))) ?
53 dec_instr->str_op_length :
54 (0x1000 - PAGE_OFFSET_4KB(write_gva)));
56 /* ** Fix emulation length so that it doesn't overrun over the src page either ** */
57 tmp_rcx = emulation_length;
62 if (dec_instr->op_type == V3_OP_MOVS) {
64 // figure out addresses here....
65 if (info->mem_mode == PHYSICAL_MEM) {
66 if (guest_pa_to_host_va(info, dec_instr->src_operand.operand, &src_addr) == -1) {
67 PrintError("Could not translate write Source (Physical) to host VA\n");
71 if (guest_va_to_host_va(info, dec_instr->src_operand.operand, &src_addr) == -1) {
72 PrintError("Could not translate write Source (Virtual) to host VA\n");
77 if (dec_instr->dst_operand.size == 1) {
78 movs8((addr_t *)&dst_addr, &src_addr, &tmp_rcx, (addr_t *)&(info->ctrl_regs.rflags));
79 } else if (dec_instr->dst_operand.size == 2) {
80 movs16((addr_t *)&dst_addr, &src_addr, &tmp_rcx, (addr_t *)&(info->ctrl_regs.rflags));
81 } else if (dec_instr->dst_operand.size == 4) {
82 movs32((addr_t *)&dst_addr, &src_addr, &tmp_rcx, (addr_t *)&(info->ctrl_regs.rflags));
84 } else if (dec_instr->dst_operand.size == 8) {
85 movs64((addr_t *)&dst_addr, &src_addr, &tmp_rcx, (addr_t *)&(info->ctrl_regs.rflags));
88 PrintError("Invalid operand length\n");
92 info->vm_regs.rdi += emulation_length;
93 info->vm_regs.rsi += emulation_length;
95 // RCX is only modified if the rep prefix is present
96 if (dec_instr->prefixes.rep == 1) {
97 info->vm_regs.rcx -= emulation_length;
100 } else if (dec_instr->op_type == V3_OP_STOS) {
102 if (dec_instr->dst_operand.size == 1) {
103 stos8((addr_t *)&dst_addr, (addr_t *)&(info->vm_regs.rax), &tmp_rcx, (addr_t *)&(info->ctrl_regs.rflags));
104 } else if (dec_instr->dst_operand.size == 2) {
105 stos16((addr_t *)&dst_addr, (addr_t *)&(info->vm_regs.rax), &tmp_rcx, (addr_t *)&(info->ctrl_regs.rflags));
106 } else if (dec_instr->dst_operand.size == 4) {
107 stos32((addr_t *)&dst_addr, (addr_t *)&(info->vm_regs.rax), &tmp_rcx, (addr_t *)&(info->ctrl_regs.rflags));
109 } else if (dec_instr->dst_operand.size == 8) {
110 stos64((addr_t *)&dst_addr, (addr_t *)&(info->vm_regs.rax), &tmp_rcx, (addr_t *)&(info->ctrl_regs.rflags));
113 PrintError("Invalid operand length\n");
117 info->vm_regs.rdi += emulation_length;
119 // RCX is only modified if the rep prefix is present
120 if (dec_instr->prefixes.rep == 1) {
121 info->vm_regs.rcx -= emulation_length;
125 PrintError("Unimplemented String operation\n");
129 if (write_fn(write_gpa, (void *)dst_addr, emulation_length, priv_data) != emulation_length) {
130 PrintError("Did not fully read hooked data\n");
134 if (emulation_length == dec_instr->str_op_length) {
135 info->rip += dec_instr->instr_length;
138 return emulation_length;
142 static int emulate_xchg_write_op(struct guest_info * info, struct x86_instr * dec_instr,
143 addr_t write_gva, addr_t write_gpa, addr_t dst_addr,
144 int (*write_fn)(addr_t guest_addr, void * src, uint_t length, void * priv_data),
147 addr_t em_dst_addr = 0;
150 PrintDebug("Emulating XCHG write\n");
152 if (dec_instr->src_operand.type == MEM_OPERAND) {
153 if (info->shdw_pg_mode == SHADOW_PAGING) {
154 if (dec_instr->src_operand.operand != write_gva) {
155 PrintError("XCHG: Inconsistency between Pagefault and Instruction Decode XED_ADDR=%p, PF_ADDR=%p\n",
156 (void *)dec_instr->src_operand.operand, (void *)write_gva);
162 } else if (dec_instr->src_operand.type == REG_OPERAND) {
163 src_addr = dec_instr->src_operand.operand;
165 src_addr = (addr_t)&(dec_instr->src_operand.operand);
170 if (dec_instr->dst_operand.type == MEM_OPERAND) {
171 if (info->shdw_pg_mode == SHADOW_PAGING) {
172 if (dec_instr->dst_operand.operand != write_gva) {
173 PrintError("XCHG: Inconsistency between Pagefault and Instruction Decode XED_ADDR=%p, PF_ADDR=%p\n",
174 (void *)dec_instr->dst_operand.operand, (void *)write_gva);
178 //check that the operand (GVA) maps to the the faulting GPA
181 em_dst_addr = dst_addr;
182 } else if (dec_instr->src_operand.type == REG_OPERAND) {
183 em_dst_addr = dec_instr->src_operand.operand;
185 em_dst_addr = (addr_t)&(dec_instr->src_operand.operand);
188 dst_op_len = dec_instr->dst_operand.size;
189 src_op_len = dec_instr->src_operand.size;
191 PrintDebug("Dst_Addr = %p, SRC operand = %p\n",
192 (void *)dst_addr, (void *)src_addr);
195 if (run_op(info, dec_instr->op_type, src_addr, em_dst_addr, src_op_len, dst_op_len) == -1) {
196 PrintError("Instruction Emulation Failed\n");
200 if (write_fn(write_gpa, (void *)dst_addr, dst_op_len, priv_data) != dst_op_len) {
201 PrintError("Did not fully write hooked data\n");
205 info->rip += dec_instr->instr_length;
212 static int emulate_xchg_read_op(struct guest_info * info, struct x86_instr * dec_instr,
213 addr_t read_gva, addr_t read_gpa, addr_t src_addr,
214 int (*read_fn)(addr_t guest_addr, void * dst, uint_t length, void * priv_data),
215 int (*write_fn)(addr_t guest_addr, void * src, uint_t length, void * priv_data),
217 addr_t em_src_addr = 0;
218 addr_t em_dst_addr = 0;
222 PrintDebug("Emulating XCHG Read\n");
224 if (dec_instr->src_operand.type == MEM_OPERAND) {
225 if (dec_instr->src_operand.operand != read_gva) {
226 PrintError("XCHG: Inconsistency between Pagefault and Instruction Decode XED_ADDR=%p, PF_ADDR=%p\n",
227 (void *)dec_instr->src_operand.operand, (void *)read_gva);
231 em_src_addr = src_addr;
232 } else if (dec_instr->src_operand.type == REG_OPERAND) {
233 em_src_addr = dec_instr->src_operand.operand;
235 em_src_addr = (addr_t)&(dec_instr->src_operand.operand);
240 if (dec_instr->dst_operand.type == MEM_OPERAND) {
241 if (info->shdw_pg_mode == SHADOW_PAGING) {
242 if (dec_instr->dst_operand.operand != read_gva) {
243 PrintError("XCHG: Inconsistency between Pagefault and Instruction Decode XED_ADDR=%p, PF_ADDR=%p\n",
244 (void *)dec_instr->dst_operand.operand, (void *)read_gva);
248 //check that the operand (GVA) maps to the the faulting GPA
251 em_dst_addr = src_addr;
252 } else if (dec_instr->src_operand.type == REG_OPERAND) {
253 em_dst_addr = dec_instr->src_operand.operand;
255 em_dst_addr = (addr_t)&(dec_instr->src_operand.operand);
258 dst_op_len = dec_instr->dst_operand.size;
259 src_op_len = dec_instr->src_operand.size;
261 PrintDebug("Dst_Addr = %p, SRC operand = %p\n",
262 (void *)em_dst_addr, (void *)em_src_addr);
265 if (read_fn(read_gpa, (void *)src_addr, src_op_len, priv_data) != src_op_len) {
266 PrintError("Did not fully read hooked data\n");
270 if (run_op(info, dec_instr->op_type, em_src_addr, em_dst_addr, src_op_len, dst_op_len) == -1) {
271 PrintError("Instruction Emulation Failed\n");
275 if (write_fn(read_gpa, (void *)src_addr, dst_op_len, priv_data) != dst_op_len) {
276 PrintError("Did not fully write hooked data\n");
280 info->rip += dec_instr->instr_length;
288 int v3_emulate_write_op(struct guest_info * info, addr_t write_gva, addr_t write_gpa, addr_t dst_addr,
289 int (*write_fn)(addr_t guest_addr, void * src, uint_t length, void * priv_data),
291 struct x86_instr dec_instr;
298 PrintDebug("Emulating Write for instruction at %p\n", (void *)(addr_t)(info->rip));
299 PrintDebug("GVA=%p\n", (void *)write_gva);
301 if (info->mem_mode == PHYSICAL_MEM) {
302 ret = read_guest_pa_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
304 ret = read_guest_va_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
311 if (v3_decode(info, (addr_t)instr, &dec_instr) == -1) {
312 PrintError("Decoding Error\n");
313 // Kick off single step emulator
318 * Instructions needing to be special cased.... *
320 if (dec_instr.is_str_op) {
321 return emulate_string_write_op(info, &dec_instr, write_gva, write_gpa, dst_addr, write_fn, priv_data);
322 } else if (dec_instr.op_type == V3_OP_XCHG) {
323 return emulate_xchg_write_op(info, &dec_instr, write_gva, write_gpa, dst_addr, write_fn, priv_data);
327 if (info->shdw_pg_mode == SHADOW_PAGING) {
328 if ((dec_instr.dst_operand.type != MEM_OPERAND) ||
329 (dec_instr.dst_operand.operand != write_gva)) {
330 PrintError("Inconsistency between Pagefault and Instruction Decode XED_ADDR=%p, PF_ADDR=%p\n",
331 (void *)dec_instr.dst_operand.operand, (void *)write_gva);
335 //check that the operand (GVA) maps to the the faulting GPA
339 if (dec_instr.src_operand.type == MEM_OPERAND) {
340 if (info->mem_mode == PHYSICAL_MEM) {
341 if (guest_pa_to_host_va(info, dec_instr.src_operand.operand, &src_addr) == -1) {
342 PrintError("Could not translate write Source (Physical) to host VA\n");
346 if (guest_va_to_host_va(info, dec_instr.src_operand.operand, &src_addr) == -1) {
347 PrintError("Could not translate write Source (Virtual) to host VA\n");
351 } else if (dec_instr.src_operand.type == REG_OPERAND) {
352 src_addr = dec_instr.src_operand.operand;
354 src_addr = (addr_t)&(dec_instr.src_operand.operand);
357 dst_op_len = dec_instr.dst_operand.size;
358 src_op_len = dec_instr.src_operand.size;
360 PrintDebug("Dst_Addr = %p, SRC operand = %p\n",
361 (void *)dst_addr, (void *)src_addr);
364 if (run_op(info, dec_instr.op_type, src_addr, dst_addr, src_op_len, dst_op_len) == -1) {
365 PrintError("Instruction Emulation Failed\n");
369 if (write_fn(write_gpa, (void *)dst_addr, dst_op_len, priv_data) != dst_op_len) {
370 PrintError("Did not fully write hooked data\n");
374 info->rip += dec_instr.instr_length;
380 int v3_emulate_read_op(struct guest_info * info, addr_t read_gva, addr_t read_gpa, addr_t src_addr,
381 int (*read_fn)(addr_t guest_addr, void * dst, uint_t length, void * priv_data),
382 int (*write_fn)(addr_t guest_addr, void * src, uint_t length, void * priv_data),
384 struct x86_instr dec_instr;
391 PrintDebug("Emulating Read for instruction at %p\n", (void *)(addr_t)(info->rip));
392 PrintDebug("GVA=%p\n", (void *)read_gva);
394 if (info->mem_mode == PHYSICAL_MEM) {
395 ret = read_guest_pa_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
397 ret = read_guest_va_memory(info, get_addr_linear(info, info->rip, &(info->segments.cs)), 15, instr);
404 if (v3_decode(info, (addr_t)instr, &dec_instr) == -1) {
405 PrintError("Decoding Error\n");
406 // Kick off single step emulator
410 if (dec_instr.is_str_op) {
411 PrintError("String operations not implemented on fully hooked regions\n");
413 } else if (dec_instr.op_type == V3_OP_XCHG) {
414 return emulate_xchg_read_op(info, &dec_instr, read_gva, read_gpa, src_addr, read_fn, write_fn, priv_data);
417 if (info->shdw_pg_mode == SHADOW_PAGING) {
418 if ((dec_instr.src_operand.type != MEM_OPERAND) ||
419 (dec_instr.src_operand.operand != read_gva)) {
420 PrintError("Inconsistency between Pagefault and Instruction Decode XED_ADDR=%p, PF_ADDR=%p\n",
421 (void *)dec_instr.src_operand.operand, (void *)read_gva);
425 //check that the operand (GVA) maps to the the faulting GPA
428 if (dec_instr.dst_operand.type == MEM_OPERAND) {
429 if (info->mem_mode == PHYSICAL_MEM) {
430 if (guest_pa_to_host_va(info, dec_instr.dst_operand.operand, &dst_addr) == -1) {
431 PrintError("Could not translate Read Destination (Physical) to host VA\n");
435 if (guest_va_to_host_va(info, dec_instr.dst_operand.operand, &dst_addr) == -1) {
436 PrintError("Could not translate Read Destination (Virtual) to host VA\n");
440 } else if (dec_instr.dst_operand.type == REG_OPERAND) {
441 dst_addr = dec_instr.dst_operand.operand;
443 dst_addr = (addr_t)&(dec_instr.dst_operand.operand);
446 src_op_len = dec_instr.src_operand.size;
447 dst_op_len = dec_instr.dst_operand.size;
449 PrintDebug("Dst_Addr = %p, SRC Addr = %p\n",
450 (void *)dst_addr, (void *)src_addr);
452 if (read_fn(read_gpa, (void *)src_addr, src_op_len, priv_data) != src_op_len) {
453 PrintError("Did not fully read hooked data\n");
457 if (run_op(info, dec_instr.op_type, src_addr, dst_addr, src_op_len, dst_op_len) == -1) {
458 PrintError("Instruction Emulation Failed\n");
462 info->rip += dec_instr.instr_length;
472 static int run_op(struct guest_info * info, v3_op_type_t op_type, addr_t src_addr, addr_t dst_addr, int src_op_size, int dst_op_size) {
474 if (src_op_size == 1) {
475 PrintDebug("Executing 8 bit instruction\n");
479 adc8((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
482 add8((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
485 and8((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
488 or8((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
491 xor8((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
494 sub8((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
498 mov8((addr_t *)dst_addr, (addr_t *)src_addr);
502 movzx8((addr_t *)dst_addr, (addr_t *)src_addr, dst_op_size);
505 movsx8((addr_t *)dst_addr, (addr_t *)src_addr, dst_op_size);
509 not8((addr_t *)dst_addr);
512 xchg8((addr_t *)dst_addr, (addr_t *)src_addr);
517 inc8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
520 dec8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
523 neg8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
526 setb8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
529 setbe8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
532 setl8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
535 setle8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
538 setnb8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
541 setnbe8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
544 setnl8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
547 setnle8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
550 setno8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
553 setnp8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
556 setns8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
559 setnz8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
562 seto8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
565 setp8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
568 sets8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
571 setz8((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
575 PrintError("Unknown 8 bit instruction\n");
579 } else if (src_op_size == 2) {
580 PrintDebug("Executing 16 bit instruction\n");
584 adc16((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
587 add16((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
590 and16((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
593 or16((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
596 xor16((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
599 sub16((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
604 inc16((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
607 dec16((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
610 neg16((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
614 mov16((addr_t *)dst_addr, (addr_t *)src_addr);
617 movzx16((addr_t *)dst_addr, (addr_t *)src_addr, dst_op_size);
620 movsx16((addr_t *)dst_addr, (addr_t *)src_addr, dst_op_size);
623 not16((addr_t *)dst_addr);
626 xchg16((addr_t *)dst_addr, (addr_t *)src_addr);
630 PrintError("Unknown 16 bit instruction\n");
634 } else if (src_op_size == 4) {
635 PrintDebug("Executing 32 bit instruction\n");
639 adc32((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
642 add32((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
645 and32((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
648 or32((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
651 xor32((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
654 sub32((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
658 inc32((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
661 dec32((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
664 neg32((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
668 mov32((addr_t *)dst_addr, (addr_t *)src_addr);
672 not32((addr_t *)dst_addr);
675 xchg32((addr_t *)dst_addr, (addr_t *)src_addr);
679 PrintError("Unknown 32 bit instruction\n");
684 } else if (src_op_size == 8) {
685 PrintDebug("Executing 64 bit instruction\n");
689 adc64((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
692 add64((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
695 and64((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
698 or64((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
701 xor64((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
704 sub64((addr_t *)dst_addr, (addr_t *)src_addr, (addr_t *)&(info->ctrl_regs.rflags));
708 inc64((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
711 dec64((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
714 neg64((addr_t *)dst_addr, (addr_t *)&(info->ctrl_regs.rflags));
718 mov64((addr_t *)dst_addr, (addr_t *)src_addr);
722 not64((addr_t *)dst_addr);
725 xchg64((addr_t *)dst_addr, (addr_t *)src_addr);
729 PrintError("Unknown 64 bit instruction\n");
735 PrintError("Invalid Operation Size\n");
