Add initial minimal nested-svm-vmrun testcase

Based on an initial experiment by Ross

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Bernhard Kaindl <bernhard.kaindl@citrix.com>

Author: root

docs/all-tests.dox

@@ -206,4 +206,6 @@ states.
 @subpage test-nested-svm - Nested SVM tests.
 
 @subpage test-nested-vmx - Nested VT-x tests.
+
+@subpage test-nested-svm-vmrun - Nested SVM VMRUN tests.
 */

tests/nested-svm-vmrun/Makefile

@@ -0,0 +1,11 @@
+include $(ROOT)/build/common.mk
+
+NAME      := nested-svm-vmrun
+CATEGORY  := in-development
+TEST-ENVS := hvm64
+
+TEST-EXTRA-CFG := extra.cfg.in
+
+obj-perenv += main.o entry.o
+
+include $(ROOT)/build/gen.mk

tests/nested-svm-vmrun/entry.S

@@ -0,0 +1,30 @@
+/*
+ * SVM nested-virt VMRUN trampoline.
+ *
+ * Calling convention (System V AMD64):
+ *     %rdi - physical address of the L2 (guest) VMCB
+ *
+ * VMRUN auto-saves a subset of host state to the area pointed to by
+ * MSR_VM_HSAVE_PA and reloads it on #VMEXIT.  Fields outside that subset
+ * (FS/GS/LDTR/TR base, KernelGSBase, syscall MSRs, SYSENTER_*) are
+ * exchanged via VMSAVE/VMLOAD on the L2 VMCB itself: VMLOAD before VMRUN
+ * loads L2's copy; VMSAVE after #VMEXIT writes L2's back.  This is
+ * sufficient here because L2 inherits the same flat FS/GS as L1, so no
+ * host-side preservation of those fields is required.
+ *
+ * GIF is left at 0 across the call: VMRUN expects GIF=1 at entry, so we
+ * STGI before VMRUN, and after #VMEXIT GIF is 0 anyway.  We do not STGI
+ * on return; the framework runs with GIF=1 normally and #VMEXIT puts us
+ * back in a non-nested context where leaving GIF clear is harmless for
+ * the rest of the test.
+ */
+#include <xtf/asm_macros.h>
+
+ENTRY(svm_vmrun)
+        mov    %rdi, %rax
+        vmload %rax
+        vmrun  %rax
+        vmsave %rax
+
+        ret
+ENDFUNC(svm_vmrun)

tests/nested-svm-vmrun/extra.cfg.in

@@ -0,0 +1 @@
+nestedhvm = 1

tests/nested-svm-vmrun/main.c

@@ -0,0 +1,151 @@
+/**
+ * @file tests/nested-svm-vmrun/main.c
+ * @ref test-nested-svm-vmrun
+ *
+ * @page test-nested-svm-vmrun nested-svm-vmrun
+ *
+ * Smoke-test of AMD SVM nested virtualisation: an L1 guest enables SVM,
+ * builds a minimal L2 VMCB that re-uses L1's address space, and uses
+ * VMRUN to enter an L2 callback.  L2 writes a sentinel into shared
+ * memory and signals completion with HLT, which causes a #VMEXIT back
+ * to L1.  The test passes if VMRUN succeeds, the exit reason is HLT,
+ * and L1 observes the expected sentinel value.
+ *
+ * @see tests/nested-svm-vmrun/main.c
+ */
+#include <xtf.h>
+
+#include "vmcb.h"
+
+/* AMD MSRs. */
+#define MSR_VM_HSAVE_PA 0xc0010117U
+
+const char test_title[] = "Nested SVM VMRUN";
+
+/*
+ * The L2 VMCB lives here.  VMRUN auto-saves and restores the bulk of L1's
+ * state via the host-save area pointed to by MSR_VM_HSAVE_PA.
+ */
+static struct vmcb l2_vmcb __page_aligned_bss;
+
+/* Backing store for the VMRUN host-save area (MSR_VM_HSAVE_PA). */
+static uint8_t hsave[PAGE_SIZE] __page_aligned_bss;
+
+/* Stack used by L2.  Two pages of backing store. */
+static uint8_t l2_stack[2 * PAGE_SIZE] __page_aligned_bss;
+
+/* Trampoline implemented in entry.S. */
+void svm_vmrun(unsigned long l2_vmcb_pa);
+
+/* Sentinel written by L2 and verified by L1. */
+#define L2_SENTINEL 0xc0ffeeULL
+static volatile uint64_t l2_handshake;
+
+/*
+ * L2 entry point.  L2 cannot use the inherited Xen hypercall page because
+ * VMMCALL from L2 unconditionally takes a #VMEXIT to L1 in Xen's nested
+ * SVM model, regardless of L1's VMCB intercepts.  Instead, L2 writes a
+ * sentinel into a shared variable (L1 and L2 share the same address
+ * space) and signals completion with HLT, which L1 intercepts.
+ */
+static void __used l2_entry(void)
+{
+    l2_handshake = L2_SENTINEL;
+    for ( ;; )
+        asm volatile ("hlt");
+}
+
+/*
+ * Populate the L2 VMCB with a flat long-mode environment that mirrors L1.
+ * L2 shares L1's pagetables (cr3) and IDT/GDT, but runs on its own stack
+ * and at its own RIP.
+ */
+static void build_l2_vmcb(void)
+{
+    desc_ptr gdt_desc, idt_desc;
+
+    /* Intercept VMRUN (architecturally required) and HLT (used by L2 to
+     * signal completion).  Also intercept SHUTDOWN so L2 mistakes surface
+     * as a recognisable VMEXIT rather than killing the L1 domain. */
+    l2_vmcb.general1_intercepts =
+        GENERAL1_INTERCEPT_HLT | GENERAL1_INTERCEPT_SHUTDOWN_EVT;
+    l2_vmcb.general2_intercepts = GENERAL2_INTERCEPT_VMRUN;
+
+    l2_vmcb.asid = 1;
+
+    /* Inherit L1's paging/control state, EFER and RFLAGS. */
+    l2_vmcb.cr0    = read_cr0();
+    l2_vmcb.cr3    = read_cr3();
+    l2_vmcb.cr4    = read_cr4();
+    l2_vmcb.efer   = rdmsr(MSR_EFER);
+    l2_vmcb.rflags = read_flags();
+
+    l2_vmcb.rsp    = _u(&l2_stack[sizeof(l2_stack)]);
+    l2_vmcb.rip    = _u(l2_entry);
+
+    /* Inherit L1's GDT/IDT. */
+    sgdt(&gdt_desc);
+    sidt(&idt_desc);
+    l2_vmcb.gdtr.base  = gdt_desc.base;
+    l2_vmcb.gdtr.limit = gdt_desc.limit;
+    l2_vmcb.idtr.base  = idt_desc.base;
+    l2_vmcb.idtr.limit = idt_desc.limit;
+
+    /*
+     * Flat 64-bit segments, mirroring how XTF sets up L1.
+     * Encoded segment attributes (P|DPL|S|Type|...|G|D/B|L|AVL):
+     *   CS: present, ring 0, code, exec/read,                  L=1 -> 0xa9b
+     *   DS/ES/SS/FS/GS: present, ring 3, data, read/write, G=1 -> 0xcf3 (DPL3)
+     */
+    l2_vmcb.cs.sel = __KERN_CS;
+    l2_vmcb.cs.attr = 0xa9b;
+    l2_vmcb.cs.limit = ~0u;
+
+    l2_vmcb.ss.sel = __KERN_DS;
+    l2_vmcb.ss.attr = 0xcf3;
+    l2_vmcb.ss.limit = ~0u;
+
+    l2_vmcb.ds.sel = __USER_DS;
+    l2_vmcb.ds.attr = 0xcf3;
+    l2_vmcb.ds.limit = ~0u;
+
+    l2_vmcb.es = l2_vmcb.fs = l2_vmcb.gs = l2_vmcb.ds;
+}
+
+void test_main(void)
+{
+    if ( !cpu_has_svm )
+        return xtf_skip("Skip: SVM not available\n");
+
+    /* Enable SVM and arm the host-save area. */
+    wrmsr(MSR_EFER, rdmsr(MSR_EFER) | EFER_SVME);
+    wrmsr(MSR_VM_HSAVE_PA, _u(hsave));
+
+    build_l2_vmcb();
+
+    printk("L1: entering L2 via VMRUN\n");
+    svm_vmrun(_u(&l2_vmcb));
+    printk("L1: returned from L2 (exitcode 0x%lx, handshake 0x%lx)\n",
+           l2_vmcb.exitcode, (unsigned long)l2_handshake);
+
+    if ( l2_vmcb.exitcode != VMEXIT_HLT )
+        return xtf_failure("Fail: unexpected L2 exit 0x%lx (expected HLT 0x%x)\n",
+                           l2_vmcb.exitcode, VMEXIT_HLT);
+
+    if ( l2_handshake != L2_SENTINEL )
+        return xtf_failure("Fail: L2 handshake 0x%lx != expected 0x%lx\n",
+                           (unsigned long)l2_handshake,
+                           (unsigned long)L2_SENTINEL);
+
+    xtf_success(NULL);
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */

tests/nested-svm-vmrun/vmcb.h

@@ -0,0 +1,128 @@
+/*
+ * Minimal AMD SVM Virtual Machine Control Block layout.
+ *
+ * Only the fields required by the nested-svm-vmrun test are named; the rest
+ * of the 4 KiB structure is preserved as anonymous reserved padding so the
+ * named fields land at their architectural offsets.  See AMD64 APM Volume 2,
+ * Appendix B "Layout of VMCB" for the authoritative layout.
+ *
+ * This is intentionally not the full Xen vmcb_struct; in particular there are
+ * no setter/getter accessors or VMCB clean-bit tracking.  Tests can simply
+ * write fields directly.
+ */
+#ifndef XTF_NESTED_SVM_VMRUN_VMCB_H
+#define XTF_NESTED_SVM_VMRUN_VMCB_H
+
+#include <xtf/types.h>
+
+struct vmcb_seg {
+    uint16_t sel;
+    uint16_t attr;
+    uint32_t limit;
+    uint64_t base;
+};
+
+struct vmcb {
+    /* Control area (offsets from start of VMCB). */
+    uint32_t cr_intercepts;          /* 0x000 */
+    uint32_t dr_intercepts;          /* 0x004 */
+    uint32_t exception_intercepts;   /* 0x008 */
+    uint32_t general1_intercepts;    /* 0x00C */
+    uint32_t general2_intercepts;    /* 0x010 */
+    uint8_t  _pad_014[0x040 - 0x014];
+    uint64_t iopm_base_pa;           /* 0x040 */
+    uint64_t msrpm_base_pa;          /* 0x048 */
+    uint64_t tsc_offset;             /* 0x050 */
+    uint32_t asid;                   /* 0x058 */
+    uint8_t  tlb_control;            /* 0x05C */
+    uint8_t  _pad_05d[3];
+    uint64_t vintr;                  /* 0x060 */
+    uint64_t int_state;              /* 0x068 */
+    uint64_t exitcode;               /* 0x070 */
+    uint64_t exitinfo1;              /* 0x078 */
+    uint64_t exitinfo2;              /* 0x080 */
+    uint64_t exit_int_info;          /* 0x088 */
+    uint64_t np_enable;              /* 0x090 */
+    uint8_t  _pad_098[0x0a8 - 0x098];
+    uint64_t event_inj;              /* 0x0A8 */
+    uint64_t h_cr3;                  /* 0x0B0 */
+    uint8_t  _pad_0b8[0x400 - 0x0b8];
+
+    /* State save area.  Offsets are relative to 0x400. */
+    struct vmcb_seg es;              /* 0x400 */
+    struct vmcb_seg cs;              /* 0x410 */
+    struct vmcb_seg ss;              /* 0x420 */
+    struct vmcb_seg ds;              /* 0x430 */
+    struct vmcb_seg fs;              /* 0x440 */
+    struct vmcb_seg gs;              /* 0x450 */
+    struct vmcb_seg gdtr;            /* 0x460 */
+    struct vmcb_seg ldtr;            /* 0x470 */
+    struct vmcb_seg idtr;            /* 0x480 */
+    struct vmcb_seg tr;              /* 0x490 */
+    uint8_t  _pad_4a0[0x4cb - 0x4a0];
+    uint8_t  cpl;                    /* 0x4CB */
+    uint32_t _pad_4cc;
+    uint64_t efer;                   /* 0x4D0 */
+    uint8_t  _pad_4d8[0x548 - 0x4d8];
+    uint64_t cr4;                    /* 0x548 */
+    uint64_t cr3;                    /* 0x550 */
+    uint64_t cr0;                    /* 0x558 */
+    uint64_t dr7;                    /* 0x560 */
+    uint64_t dr6;                    /* 0x568 */
+    uint64_t rflags;                 /* 0x570 */
+    uint64_t rip;                    /* 0x578 */
+    uint8_t  _pad_580[0x5d8 - 0x580];
+    uint64_t rsp;                    /* 0x5D8 */
+    uint8_t  _pad_5e0[0x5f8 - 0x5e0];
+    uint64_t rax;                    /* 0x5F8 */
+
+    uint8_t  _pad_tail[0x1000 - 0x600];
+};
+
+/* Compile-time verification of architectural offsets. */
+#define VMCB_CHECK(field, offset) \
+    _Static_assert(__builtin_offsetof(struct vmcb, field) == (offset), \
+                   "VMCB layout mismatch: " #field)
+VMCB_CHECK(general1_intercepts, 0x00c);
+VMCB_CHECK(general2_intercepts, 0x010);
+VMCB_CHECK(asid,                0x058);
+VMCB_CHECK(exitcode,            0x070);
+VMCB_CHECK(es,                  0x400);
+VMCB_CHECK(gdtr,                0x460);
+VMCB_CHECK(idtr,                0x480);
+VMCB_CHECK(tr,                  0x490);
+VMCB_CHECK(efer,                0x4d0);
+VMCB_CHECK(cr4,                 0x548);
+VMCB_CHECK(cr3,                 0x550);
+VMCB_CHECK(cr0,                 0x558);
+VMCB_CHECK(rflags,              0x570);
+VMCB_CHECK(rip,                 0x578);
+VMCB_CHECK(rsp,                 0x5d8);
+VMCB_CHECK(rax,                 0x5f8);
+_Static_assert(sizeof(struct vmcb) == 0x1000, "VMCB size != 4 KiB");
+#undef VMCB_CHECK
+
+/* General Intercept 1 register (offset 0x00C). */
+#define GENERAL1_INTERCEPT_HLT          (1u << 24)
+#define GENERAL1_INTERCEPT_SHUTDOWN_EVT (1u << 31)
+
+/* General Intercept 2 register (offset 0x010). */
+#define GENERAL2_INTERCEPT_VMRUN        (1u <<  0)
+#define GENERAL2_INTERCEPT_VMMCALL      (1u <<  1)
+
+/* Selected VMEXIT exit codes. */
+#define VMEXIT_HLT                      0x078
+#define VMEXIT_SHUTDOWN                 0x07f
+#define VMEXIT_VMMCALL                  0x081
+
+#endif /* XTF_NESTED_SVM_VMRUN_VMCB_H */
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */