History log of /freebsd-10-stable/sys/amd64/vmm/amd/
Revision Date Author Comments
330713 10-Mar-2018 tychon

MFC r328011,329162

r328011:

Provide some mitigation against CVE-2017-5715 by clearing registers
upon returning from the guest which aren't immediately clobbered by
the host. This eradicates any remaining guest contents limiting their
usefulness in an exploit gadget.

r329162:

Provide further mitigation against CVE-2017-5715 by flushing the
return stack buffer (RSB) upon returning from the guest.

330069 27-Feb-2018 avg

MFC r329364: move vintr_intercept_enabled under INVARIANTS

329321 15-Feb-2018 avg

MFC r328622: vmm/svm: post LAPIC interrupts using event injection

PR: 215972

328842 04-Feb-2018 avg

MFC r327726: vmm/svm: contigmalloc of the whole svm_softc is excessive

328002 15-Jan-2018 avg

MFC r327593: Fix a couple of comments in AMD Virtual Machine Control Block structure

308436 08-Nov-2016 avg

MFC r307903,307904,308039,308050: vmm/svm: iopm_bitmap and msr_bitmap
must be contiguous in physical memory

295124 01-Feb-2016 grehan

MFC r284539, r284630, r284688, r284877, r285217, r285218,
r286837, r286838, r288470, r288522, r288524, r288826,
r289001

Pull in bhyve bug fixes and changes to allow UEFI booting.
This provides Windows support.

Tested on Intel and AMD with:
- Arch Linux i386+amd64 (kernel 4.3.3)
- Ubuntu 15.10 server 64-bit
- FreeBSD-CURRENT/amd64 20160127 snap
- FreeBSD 10.2 i386+amd64
- OpenBSD 5.8 i386+amd64
- SmartOS latest
- Windows 10 build 1511

Huge thanks to Yamagi Burmeister who submitted the patch
and did the majority of the testing.

r284539 - bootrom mem allocation support
r284630 - Add SO_REUSEADDR when starting debug port
r284688 - Fix a regression in "movs" emulation
r284877 - verify_gla() non-zero segment base fix
r285217 - Always assert DCD and DSR in the uart
r285218 - devmem nodes moved to /dev/vmm.io/
r286837 - Add define for SATA Check-Power-Mode
r286838 - Add simple (no-op) SATA cmd emulations
r288470 - Increase virtio-blk indirect descs
r288522 - Firmware guest query interface
r288524 - Fix post-test typo
r288826 - Clean up SATA unimplemented cmd msg
r289001 - Add -l option to specify userboot path

Submitted by: Yamagi Burmeister
Approved by: re (kib)

285015 01-Jul-2015 neel

MFC r284712:
Restore the host's GS.base before returning from 'svm_launch()' so the DTrace
FBT provider works with vmm.ko on AMD.

284900 28-Jun-2015 neel

MFC r282209:
Emulate the 'bit test' instruction.

MFC r282259:
Re-implement RTC current time calculation to eliminate the possibility of
losing time.

MFC r282281:
Advertise the MTRR feature via CPUID and emulate the minimal set of MTRR MSRs.

MFC r282284:
When an instruction cannot be decoded just return to userspace so bhyve(8)
can dump the instruction bytes.

MFC r282287:
Don't require <sys/cpuset.h> to be always included before <machine/vmm.h>.

MFC r282296:
Emulate MSR_SYSCFG which is accessed by Linux on AMD cpus when MTRRs are
enabled.

MFC r282301:
Relax limits when transitioning a vector from the IRR to the ISR and also
when extinguishing it from the ISR in response to an EOI.

MFC r282335:
Advertise an additional memory BAR in the "dummy" device emulation.

MFC r282336:
Emulate machine check related MSRs to allow guest OSes like Windows to boot.

MFC r282351:
Don't advertise the Intel SMX capability to the guest.

MFC r282407:
Emulate the 'CMP r/m8, imm8' instruction.

MFC r282519:
Add macros for AMD-specific bits in MSR_EFER: LMSLE, FFXSR and TCE.

MFC r282520:
Emulate guest writes to EFER_MSR properly.

MFC r282558:
Deprecate the 3-way return values from vm_gla2gpa() and vm_copy_setup().

MFC r282571:
Check 'td_owepreempt' and yield the vcpu thread if it is set.

MFC r282595:
Allow byte reads of AHCI registers.

MFC r282784:
Handling indirect descriptors is a capability of the host and not one that
needs to be negotiated. Use the host capabilities field and not the negotiated
field when verifying that indirect descriptors are supported.

MFC r282788:
Allow configuration of the sector size advertised to the guest.

MFC r282865:
Set the subvendor field in config space to the vendor ID. This is required
by the Windows virtio drivers to correctly match a device.

MFC r282922:
Bump the size of the blockif scatter-gather list to 67.

MFC r283075:
Fix off-by-one in array index bounds check. bhyveload would allow you to
create 33 entries on an array that only has 32 slots.

MFC r283168:
Temporarily revert r282922 which bumped the max descriptors.

MFC r283255:
Emulate the "CMP r/m, reg" instruction (opcode 39H).

MFC r283256:
Add an option "--get-vmcs-exit-inst-length" to display the instruction length
of the instruction that caused the VM-exit.

MFC r283264:
Change the header type of the emulated host-bridge from type 1 to type 0.

MFC r283293:
Don't rely on the 'VM-exit instruction length' field in the VMCS to always
have an accurate length on an EPT violation.

MFC r283299:
Remove bogus verification of instruction length after instruction decode.

MFC r283308:
Exceptions don't deliver an error code in real mode.

MFC r283657:
Fix non-deterministic delays when accessing a vcpu that was in "running" or
"sleeping" state.

MFC r283973:
Use tunable 'hw.vmm.svm.features' to disable specific SVM features even
though they might be available in hardware. Use tunable 'hw.vmm.svm.num_asids'
to limit the number of ASIDs used by the hypervisor.

MFC r284046:
Fix regression in 'verify_gla()' with the RIP-relative addressing mode.

MFC r284174:
Support guest writes to the TSC by enabling the "use TSC offsetting"
execution control.


284899 28-Jun-2015 neel

MFC r279444:
Allow passthrough devices to be hinted.

MFC r279683:
When ICW1 is issued the edge sense circuit is reset which means that
following an initialization a low-to-high transition is necessary to
generate an interrupt.

MFC r279925:
Add -p parameter to list PCI device to pass through to the guest.

MFC r281559:
Fix handling of BUS_PROBE_NOWILDCARD in 'device_probe_child()'.

MFC r280447:
When fetching an instruction in non-64bit mode, consider the value of the
code segment base address.

MFC r280725:
Move legacy interrupt allocation for virtio devices to common code.

MFC r280775:
Fix the RTC device model to operate correctly in 12-hour mode.

MFC r280929:
Fix "MOVS" instruction memory to MMIO emulation.

MFC r280968:
Display instruction bytes and %rip prior to aborting due to an instruction
emulation error.

MFC r281145:
Enhance the support for Group 1 Extended opcodes for CMP, AND, OR instructions.

MFC r281542:
Initialize 'error' before use (Coverity IDs 1249748, 1249747, 1249751, 1249749)

MFC r281561:
Prior to aborting due to an ioport error, it is always interesting to see what
the guest's %rip is.

MFC r281611:
If the number of guest vcpus is less than '1' then flag it as an error.

MFC r281612:
Prefer 'vcpu_should_yield()' over checking 'curthread->td_flags' directly.

MFC r281630:
Relax the check on which vectors can be delivered through the APIC. According
to the Intel SDM vectors 16 through 255 are allowed to be delivered via the
local APIC.

MFC r281879:
Missing break in switch case (Coverity ID 1292499)

MFC r281946:
Don't allow guest to modify readonly bits in the PCI config 'status' register.

MFC r281987:
STOS/STOSB/STOSW/STOSD/STOSQ instruction emulation.

MFC r282206:
Implement the century byte in the RTC.

284894 27-Jun-2015 neel

MFC r276428:
Replace bhyve's minimal RTC emulation with a fully featured one in vmm.ko.

MFC r276432:
Initialize all fields of 'struct vm_exception exception' before passing it
to vm_inject_exception().

MFC r276763:
Clear blocking due to STI or MOV SS in the hypervisor when an instruction is
emulated or when the vcpu incurs an exception.

MFC r277149:
Clean up usage of 'struct vm_exception' to only communicate information
from userspace to vmm.ko when injecting an exception.

MFC r277168:
Fix typo (missing comma).

MFC r277309:
Make the error message explicit instead of just printing the usage if the
virtual machine name is not specified.

MFC r277310:
Simplify instruction restart logic in bhyve.

MFC r277359:
Fix a bug in libvmmapi 'vm_copy_setup()' where it would return success even
if the 'gpa' was in the guest MMIO region.

MFC r277360:
MOVS instruction emulation.

MFC r277626:
Add macro to identify AVIC capability (advanced virtual interrupt controller)
in AMD processors.

MFC r279220:
Don't close a block context if it couldn't be opened avoiding a null deref.

MFC r279225:
Add "-u" option to bhyve(8) to indicate that the RTC should maintain UTC time.

MFC r279227:
Emulate MSR 0xC0011024 when running on AMD processors.

MFC r279228:
Always emulate MSR_PAT on Intel processors and don't rely on PAT save/restore
capability of VT-x. This lets bhyve run nested in older VMware versions that
don't support the PAT save/restore capability.

MFC r279540:
Fix warnings/errors when building vmm.ko with gcc.

279470 01-Mar-2015 rstone

MFC r264007,r264008,r264009,r264011,r264012,r264013

MFC support for PCI Alternate RID Interpretation. ARI is an optional PCIe
feature that allows PCI devices to present up to 256 functions on a bus.
This is effectively a prerequisite for PCI SR-IOV support.

r264007:
Add a method to get the PCI RID for a device.

Reviewed by: kib
MFC after: 2 months
Sponsored by: Sandvine Inc.

r264008:
Re-implement the DMAR I/O MMU code in terms of PCI RIDs

Under the hood the VT-d spec is really implemented in terms of
PCI RIDs instead of bus/slot/function, even though the spec makes
pains to convert back to bus/slot/function in examples. However
working with bus/slot/function is not correct when PCI ARI is
in use, so convert to using RIDs in most cases. bus/slot/function
will only be used when reporting errors to a user.

Reviewed by: kib
MFC after: 2 months
Sponsored by: Sandvine Inc.

r264009:
Re-write bhyve's I/O MMU handling in terms of PCI RID.

Reviewed by: neel
MFC after: 2 months
Sponsored by: Sandvine Inc.

r264011:
Add support for PCIe ARI

PCIe Alternate RID Interpretation (ARI) is an optional feature that
allows devices to have up to 256 different functions. It is
implemented by always setting the PCI slot number to 0 and
re-purposing the 5 bits used to encode the slot number to instead
contain the function number. Combined with the original 3 bits
allocated for the function number, this allows for 256 functions.

This is enabled by default, but it's expected to be a no-op on currently
supported hardware. It's a prerequisite for supporting PCI SR-IOV, and
I want the ARI support to go in early to help shake out any bugs in it.
ARI can be disabled by setting the tunable hw.pci.enable_ari=0.

Reviewed by: kib
MFC after: 2 months
Sponsored by: Sandvine Inc.

r264012:
Print status of ARI capability in pciconf -c

Teach pciconf how to print out the status (enabled/disabled) of the ARI
capability on PCI Root Complexes and Downstream Ports.

MFC after: 2 months
Sponsored by: Sandvine Inc.

r264013:
Add missing copyright date.

MFC after: 2 months

276403 30-Dec-2014 neel

MFC r273375
Add support for AMD processors with the SVM/AMD-V hardware extensions.

MFC r273749
Remove bhyve SVM feature printf's now that they are available in the general
CPU feature detection code.

MFC r273766
Add missing 'break' pointed out by Coverity CID 1249760.

MFC r276098
Allow ktr(4) tracing of all guest exceptions via the tunable "hw.vmm.trace_guest_exceptions"

MFC r276392
Inject #UD into the guest when it executes either 'MONITOR' or 'MWAIT' on an
AMD/SVM host.

MFC r276402
Remove "svn:mergeinfo" property that was dragged along when these files were
svn copied in r273375.

268935 21-Jul-2014 jhb

MFC 263780,264516,265062,265101,265203,265364:
Add an ioctl to suspend a virtual machine (VM_SUSPEND).

Add logic in the HLT exit handler to detect if the guest has put all vcpus
to sleep permanently by executing a HLT with interrupts disabled.

When this condition is detected the guest will be suspended with a reason of
VM_SUSPEND_HALT and the bhyve(8) process will exit.

This logic can be disabled via the tunable 'hw.vmm.halt_detection'.

267427 12-Jun-2014 jhb

MFC 261638,262144,262506,266765:
Add virtualized XSAVE support to bhyve which permits guests to use XSAVE and
XSAVE-enabled features like AVX.
- Store a per-cpu guest xcr0 register and handle xsetbv VM exits by emulating
the instruction.
- Only expose XSAVE to guests if XSAVE is enabled in the host. Only expose
a subset of XSAVE features currently supported by the guest and for which
the proper emulation of xsetbv is known. Currently this includes X87, SSE,
AVX, AVX-512, and Intel MPX.
- Add support for injecting hardware exceptions into the guest and use this
to trigger exceptions in the guest for invalid xsetbv operations instead
of potentially faulting in the host.
- Queue pending exceptions in the 'struct vcpu' instead of directly updating
the processor-specific VMCS or VMCB. The pending exception will be delivered
right before entering the guest.
- Rename the unused ioctl VM_INJECT_EVENT to VM_INJECT_EXCEPTION and restrict
it to only deliver x86 hardware exceptions. This new ioctl is now used to
inject a protection fault when the guest accesses an unimplemented MSR.
- Expose a subset of known-safe features from leaf 0 of the structured
extended features to guests if they are supported on the host including
RDFSBASE/RDGSBASE, BMI1/2, AVX2, AVX-512, HLE, ERMS, and RTM. Aside
from AVX-512, these features are all new instructions available for use
in ring 3 with no additional hypervisor changes needed.

266339 17-May-2014 jhb

MFC 259641,259863,259924,259937,259961,259978,260380,260383,260410,260466,
260531,260532,260550,260619,261170,261453,261621,263280,263290,264516:
Add support for local APIC hardware-assist.
- Restructure vlapic access and register handling to support hardware-assist
for the local APIC.
- Use the 'Virtual Interrupt Delivery' and 'Posted Interrupt Processing'
feature of Intel VT-x if supported by hardware.
- Add an API to rendezvous all active vcpus in a virtual machine and use
it to support level triggered interrupts with VT-x 'Virtual Interrupt
Delivery'.
- Use a cheaper IPI handler than IPI_AST for nested page table shootdowns
and avoid doing unnecessary nested TLB invalidations.

Reviewed by: neel

261275 29-Jan-2014 jhb

MFC 259782:
Add a resume hook for bhyve that runs a function on all CPUs during
resume. For Intel CPUs, invoke vmxon for CPUs that were in VMX mode
at the time of suspend.

256281 10-Oct-2013 gjb

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


256072 05-Oct-2013 neel

Merge projects/bhyve_npt_pmap into head.

Make the amd64/pmap code aware of nested page table mappings used by bhyve
guests. This allows bhyve to associate each guest with its own vmspace and
deal with nested page faults in the context of that vmspace. This also
enables features like accessed/dirty bit tracking, swapping to disk and
transparent superpage promotions of guest memory.

Guest vmspace:
Each bhyve guest has a unique vmspace to represent the physical memory
allocated to the guest. Each memory segment allocated by the guest is
mapped into the guest's address space via the 'vmspace->vm_map' and is
backed by an object of type OBJT_DEFAULT.

pmap types:
The amd64/pmap now understands two types of pmaps: PT_X86 and PT_EPT.

The PT_X86 pmap type is used by the vmspace associated with the host kernel
as well as user processes executing on the host. The PT_EPT pmap is used by
the vmspace associated with a bhyve guest.

Page Table Entries:
The EPT page table entries are mostly similar in functionality to regular
page table entries although there are some differences in terms of what
bits are used to express that functionality. For example, the dirty bit is
represented by bit 9 in the nested PTE as opposed to bit 6 in the regular
x86 PTE. Therefore the bitmask representing the dirty bit is now computed
at runtime based on the type of the pmap. Thus PG_M that was previously a
macro now becomes a local variable that is initialized at runtime using
'pmap_modified_bit(pmap)'.

An additional wrinkle associated with EPT mappings is that older Intel
processors don't have hardware support for tracking accessed/dirty bits in
the PTE. This means that the amd64/pmap code needs to emulate these bits to
provide proper accounting to the VM subsystem. This is achieved by using
the following mapping for EPT entries that need emulation of A/D bits:
Bit     Position   Interpreted By
PG_V    52         software (accessed bit emulation handler)
PG_RW   53         software (dirty bit emulation handler)
PG_A    0          hardware (aka EPT_PG_RD)
PG_M    1          hardware (aka EPT_PG_WR)

The idea to use the mapping listed above for A/D bit emulation came from
Alan Cox (alc@).

The final difference with respect to x86 PTEs is that some EPT implementations
do not support superpage mappings. This is recorded in the 'pm_flags' field
of the pmap.

TLB invalidation:
The amd64/pmap code has a number of ways to do invalidation of mappings
that may be cached in the TLB: single page, multiple pages in a range or the
entire TLB. All of these funnel into a single EPT invalidation routine called
'pmap_invalidate_ept()'. This routine bumps up the EPT generation number and
sends an IPI to the host cpus that are executing the guest's vcpus. On a
subsequent entry into the guest it will detect that the EPT has changed and
invalidate the mappings from the TLB.

Guest memory access:
Since the guest memory is no longer wired we need to hold the host physical
page that backs the guest physical page before we can access it. The helper
functions 'vm_gpa_hold()/vm_gpa_release()' are available for this purpose.

PCI passthru:
Guests with PCI passthru devices will wire the entire guest physical address
space. The MMIO BAR associated with the passthru device is backed by a
vm_object of type OBJT_SG. An IOMMU domain is created only for guests that
have one or more PCI passthru devices attached to them.

Limitations:
There isn't a way to map a guest physical page without execute permissions.
This is because the amd64/pmap code interprets the guest physical mappings as
user mappings since they are numerically below VM_MAXUSER_ADDRESS. Since PG_U
shares the same bit position as EPT_PG_EXECUTE all guest mappings become
automatically executable.

Thanks to Alan Cox and Konstantin Belousov for their rigorous code reviews
as well as their support and encouragement.

Thanks to John Baldwin for reviewing the use of OBJT_SG as the backing
object for pci passthru mmio regions.

Special thanks to Peter Holm for testing the patch on short notice.

Approved by: re
Discussed with: grehan
Reviewed by: alc, kib
Tested by: pho


245678 20-Jan-2013 neel

Add svn properties to the recently merged bhyve source files.

The pre-commit hook will not allow any commits without the svn:keywords
property in head.


245652 19-Jan-2013 neel

Merge projects/bhyve to head.

'bhyve' was developed by grehan@ and myself at NetApp (thanks!).

Special thanks to Peter Snyder, Joe Caradonna and Michael Dexter for their
support and encouragement.

Obtained from: NetApp


241982 24-Oct-2012 neel

Maintain state regarding NMI delivery to guest vcpu in VT-x independent manner.
Also add a stats counter to count the number of NMIs delivered per vcpu.

Obtained from: NetApp


241362 08-Oct-2012 neel

Allocate memory pages for the guest from the host's free page queue.

It is no longer necessary to hard-partition the memory between the host
and guests at boot time.


241147 03-Oct-2012 neel

Get rid of assumptions in the hypervisor that the host physical memory
associated with guest physical memory is contiguous.

Rewrite vm_gpa2hpa() to get the GPA to HPA mapping by querying the nested
page tables.


240894 24-Sep-2012 neel

Stash the 'vm_exit' information in each 'struct vcpu'.

There is no functional change at this time but this paves the way for vm exit
handler functions to easily modify the exit reason going forward.


223621 28-Jun-2011 grehan

IFC @ r222830


221914 14-May-2011 jhb

First cut at porting the kernel portions of 221828 and 221905 from the
BHyVe reference branch to HEAD.


221828 13-May-2011 grehan

Import of bhyve hypervisor and utilities, part 1.
vmm.ko - kernel module for VT-x, VT-d and hypervisor control
bhyve - user-space sequencer and i/o emulation
vmmctl - dump of hypervisor register state
libvmm - front-end to vmm.ko chardev interface

bhyve was designed and implemented by Neel Natu.

Thanks to the following folk from NetApp who helped to make this available:
Joe CaraDonna
Peter Snyder
Jeff Heller
Sandeep Mann
Steve Miller
Brian Pawlowski