Volume 2 System Programming (794096), page 93
Secure Virtual Machine, 24593—Rev. 3.13—July 2007, AMD64 Technology (pages 368–371)

A #GP exception is raised if the CPL is greater than 0. Furthermore, the processor must be in protected mode and EFER.SVME must be set to 1, otherwise, a #UD exception is raised.

The VMRUN instruction saves some host processor state information in the host state-save area in main memory at the physical address specified in the VM_HSAVE_PA MSR; it then loads corresponding guest state from the VMCB state-save area. VMRUN also reads additional control bits from the VMCB that allow the VMM to flush the guest TLB, inject virtual interrupts into the guest, etc.

The VMRUN instruction then checks the guest state just loaded. If an illegal state has been loaded, the processor exits back to the host (see “#VMEXIT” on page 372). Otherwise, the processor now runs the guest code until an intercept event occurs, at which point the processor suspends guest execution and resumes host execution at the instruction following the VMRUN. This is called a #VMEXIT and is described in detail in “#VMEXIT” on page 372.

VMRUN saves or restores a minimal amount of state information to allow the VMM to resume execution after a guest has exited. This allows the VMM to handle simple intercept conditions quickly. If additional guest state information must be saved or restored (e.g., to handle more complex intercepts or to switch to a different guest), the VMM can employ the VMSAVE and VMLOAD instructions (see “VMSAVE and VMLOAD Instructions” on page 386).

Saving Host State. To assure that the host can resume operation after #VMEXIT, VMRUN saves at least the following host state information at the physical address specified in the new MSR VM_HSAVE_PA:
• CS.SEL, NEXT_RIP—The CS selector and rIP of the instruction following the VMRUN. On #VMEXIT the host resumes running at this address.
• RFLAGS, RAX—Host processor mode and the register used by VMRUN to address the VMCB.
• SS.SEL, RSP—Stack pointer for host.
• CR0, CR3, CR4, EFER—Paging/operating mode for host.
• IDTR, GDTR—The pseudo-descriptors. VMRUN does not save or restore the host LDTR.
• ES.SEL and DS.SEL.

Processor implementations may store only part or none of host state in the memory area pointed to by VM_HSAVE_PA MSR and may store some or all host state in hidden on-chip memory. Different implementations may choose to save the hidden parts of the host’s segment registers as well as the selectors. For these reasons, software must not rely on the format or contents of the host state save area, nor attempt to change host state by modifying the contents of the host save area.

Loading Guest State. After saving host state, VMRUN loads the following guest state from the VMCB:
• CS, rIP—Guest begins execution at this address. The hidden state of the CS segment register is also loaded from the VMCB.
• RFLAGS, RAX.
• SS, RSP—Includes the hidden state of the SS segment register.
• CR0, CR2, CR3, CR4, EFER—Guest paging mode. Writing paging-related control registers with VMRUN does not flush the TLB since address spaces are switched. See Section 15.15, “TLB Control,” on page 387.
• INTERRUPT_SHADOW—This flag indicates whether the guest is currently in an interrupt lockout shadow; see “Interrupt Shadows” on page 393.
• IDTR, GDTR.
• ES and DS—Includes the hidden state of the segment registers.
• DR7 and DR6—The guest’s breakpoint state.
• V_TPR—The guest’s virtual TPR.
• V_IRQ—The flag indicating whether a virtual interrupt is pending in the guest.
• CPL—If the guest is in real mode, the CPL is forced to 0; if the guest is in v86 mode, the CPL is forced to 3. Otherwise, the CPL saved in the VMCB is used.

The processor checks the loaded guest state for consistency. If a consistency check fails while loading guest state, the processor performs a #VMEXIT. For additional information, see “Canonicalization and Consistency Checks” on page 371.

If the guest is in PAE paging mode according to the registers just loaded, the processor will also read the four PDPEs pointed to by the newly loaded CR3 value; setting any reserved bits in the PDPEs also causes a #VMEXIT.

It is possible for the VMRUN instruction to load a guest rIP that is outside the limit of the guest code segment or that is non-canonical (if running in long mode). If this occurs, a #GP fault is delivered inside the guest; the rIP falling outside the limit of the guest code segment is not considered illegal guest state.

After all guest state is loaded, and intercepts and other control bits are set up, the processor reenables interrupts by setting GIF to 1. It is assumed that VMM software cleared GIF some time before executing the VMRUN instruction, to ensure an atomic state switch.

Control Bits. Besides loading guest state, the VMRUN instruction reads various control fields from the VMCB; most of these fields are not written back to the VMCB on #VMEXIT, since they cannot change during guest execution:
• TSC_OFFSET—an offset to add when the guest reads the TSC (time stamp counter). Guest writes to the TSC can be intercepted and emulated by changing the offset (without writing the physical TSC). This offset is cleared when the guest exits back to the host.
• V_INTR_PRIO, V_INTR_VECTOR, V_IGN_TPR—fields used to describe a virtual interrupt for the guest (see “Injecting Virtual (INTR) Interrupts” on page 392).
• V_INTR_MASKING—controls whether masking of interrupts (in EFLAGS.IF and TPR) is to be virtualized (see Section 15.20 on page 391).
• The address space ID (ASID) to use while running the guest. (See the AMD CPUID Specification, order# 25481, for feature identification, including how many ASIDs are implemented.)
• A field to control flushing of the TLB during a VMRUN (see Section 15.15).
• The intercept vector describing the active intercepts for the guest. On exit from the guest, the internal intercept registers are cleared so no host operations will be intercepted.

Segment State in the VMCB. The segment registers are stored in the VMCB in a format similar to that for SMM: both base and limit are fully expanded; segment attributes are stored as 12-bit values formed by the concatenation of bits 55–52 and 47–40 from the original 64-bit (in-memory) segment descriptors; the descriptor “P” bit is used to signal NULL segments (P==0) where permissible and/or relevant. When loaded from the VMCB, only some of the attribute bits are observed by hardware, depending on the segment register in question:
• CS—D, L, R (null code segments are not allowed).
• SS—B, P, DPL, E, W (null stack segments allowed in 64-bit mode only).
• DS, ES, FS, GS—D, P, DPL, E, W, Code/Data.
• LDTR—Only the P bit is observed.
• TR—Only TSS type (32 or 16 bit) is relevant, since a null TSS is not allowed.

The VMM should follow these rules when storing segment attributes into the VMCB:
• For NULL segments, set all attribute bits to zero; otherwise, write the concatenation of bits [55–52] and [47–40] from the original 64-bit (in-memory) segment descriptors.
• The processor reads the current privilege level from the CPL field in the VMCB, not from SS.DPL. However, SS.DPL should match the CPL field.
• When in virtual x86 or real mode, the processor ignores the CPL field in the VMCB and forces the values of 3 and 0, respectively.

When examining segment attributes after a #VMEXIT:
• Test the Present (P) bit to check whether a segment is NULL; note that CS and TR never contain NULL segments and so their P bit is ignored;
• Retrieve the CPL from the CPL field in the VMCB, not from any segment DPL.
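An added example (not code from the manual) of packing an in-memory 64-bit descriptor into the VMCB segment format described above, and of the post-#VMEXIT NULL test. The struct layout, macro and function names are assumptions; 16-byte system descriptors (LDTR/TR in long mode) are not handled.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed helpers: the 12-bit VMCB attribute field holds descriptor bits 47-40 in
 * attrib[7:0] (type, S, DPL, P) and bits 55-52 in attrib[11:8] (AVL, L, D/B, G). */
#define SEG_ATTR_P      (1u << 7)
#define SEG_ATTR_G      (1u << 11)
#define SEG_ATTR_DPL(a) (((a) >> 5) & 3u)

struct vmcb_seg {                 /* simplified mirror of one VMCB segment entry */
    uint16_t selector;
    uint16_t attrib;              /* 12-bit concatenation described in the text */
    uint32_t limit;               /* fully expanded (G already applied) */
    uint64_t base;                /* fully expanded */
};

/* Pack a descriptor as the VMM should before VMRUN: a null selector stores all-zero
 * attributes; otherwise attributes = bits[55:52] ++ bits[47:40], base and limit
 * are assembled from their scattered descriptor fields and the limit is expanded
 * to bytes when G=1. */
struct vmcb_seg descriptor_to_vmcb(uint16_t selector, uint64_t desc)
{
    struct vmcb_seg s = {0};
    s.selector = selector;
    if ((selector & ~3u) == 0)    /* null selector (index 0, TI 0): attribs zero */
        return s;
    s.attrib = (uint16_t)((((desc >> 52) & 0xFu) << 8) | ((desc >> 40) & 0xFFu));
    s.base   = ((desc >> 16) & 0xFFFFFFull) | (((desc >> 56) & 0xFFull) << 24);
    s.limit  = (uint32_t)((desc & 0xFFFFu) | (((desc >> 48) & 0xFu) << 16));
    if (s.attrib & SEG_ATTR_G)    /* G=1: limit is in 4 KB units, expand it */
        s.limit = (s.limit << 12) | 0xFFFu;
    return s;
}

/* After #VMEXIT, P==0 marks a NULL segment for DS/ES/FS/GS/SS/LDTR; CS and TR are
 * never NULL, so their P bit must be ignored rather than trusted. */
bool vmcb_seg_is_null(const struct vmcb_seg *s, bool is_cs_or_tr)
{
    return !is_cs_or_tr && !(s->attrib & SEG_ATTR_P);
}
```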
Canonicalization and Consistency Checks. The VMRUN instruction performs consistency checks on guest state and #VMEXIT performs the appropriate subset of these consistency checks on host state. Illegal guest state combinations cause a #VMEXIT with error code VMEXIT_INVALID. The following conditions are considered illegal state combinations:
• EFER.SVME is zero.
• CR0.CD is zero and CR0.NW is set.
• CR0[63–32] are not zero.
• Any MBZ bit of CR3 is set.
• CR4[63–11] are not zero.
• DR6[63–32] are not zero.
• DR7[63–32] are not zero.
• EFER[63–15] are not zero.
• EFER.LMA or EFER.LME is non-zero and this processor does not support long mode.
• EFER.LME and CR0.PG are both set and CR4.PAE is zero.
• EFER.LME and CR0.PG are both non-zero and CR0.PE is zero.
• EFER.LME, CR0.PG, CR4.PAE, CS.L, and CS.D are all non-zero.
• The VMRUN intercept bit is clear.
• The MSR or IOIO intercept tables extend to a physical address that is greater than or equal to the maximum supported physical address.
• Illegal event injection (see Section 15.19 on page 389).
• ASID is equal to zero.

VMRUN can load a guest value of CR0 with PE = 0 but PG = 1, a combination that is otherwise illegal (see Section 15.18).

In addition to consistency checks, VMRUN and #VMEXIT canonicalize (i.e., sign-extend to 63 bits) all base addresses in the segment registers that have been loaded.

VMRUN and TF/RF Bits in EFLAGS.
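An added example, not from the manual, of a VMM-side pre-check that mirrors the illegal-state list under “Canonicalization and Consistency Checks” above, so a malformed VMCB is caught in software before VMRUN rather than as a VMEXIT_INVALID. The struct, names and the CR3 MBZ mask (taken here as the bits above MAXPHYADDR) are assumptions; the intercept-table range and event-injection checks are left out.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Architectural bit positions in CR0/CR4/EFER used by the checks. */
#define CR0_PE    (1ull << 0)
#define CR0_NW    (1ull << 29)
#define CR0_CD    (1ull << 30)
#define CR0_PG    (1ull << 31)
#define CR4_PAE   (1ull << 5)
#define EFER_LME  (1ull << 8)
#define EFER_LMA  (1ull << 10)
#define EFER_SVME (1ull << 12)

struct guest_ctl {                /* assumed subset of VMCB guest state/control */
    uint64_t cr0, cr3, cr4, dr6, dr7, efer;
    bool cs_l, cs_d;              /* L and D bits of the CS attribute field */
    bool intercept_vmrun;         /* VMRUN intercept bit */
    uint32_t asid;
};

/* Returns NULL when the state passes every check, otherwise a string naming the
 * first failing condition. has_long_mode and maxphyaddr describe the host CPU. */
const char *vmcb_guest_state_check(const struct guest_ctl *g,
                                   bool has_long_mode, unsigned maxphyaddr)
{
    uint64_t cr3_mbz = ~0ull << maxphyaddr;   /* assumption: MBZ = bits above MAXPHYADDR */
    bool lme_pg = (g->efer & EFER_LME) && (g->cr0 & CR0_PG);

    if (!(g->efer & EFER_SVME))                    return "EFER.SVME is zero";
    if (!(g->cr0 & CR0_CD) && (g->cr0 & CR0_NW))   return "CR0.CD clear with CR0.NW set";
    if (g->cr0 >> 32)                              return "CR0[63:32] not zero";
    if (g->cr3 & cr3_mbz)                          return "CR3 MBZ bit set";
    if (g->cr4 >> 11)                              return "CR4[63:11] not zero";
    if (g->dr6 >> 32)                              return "DR6[63:32] not zero";
    if (g->dr7 >> 32)                              return "DR7[63:32] not zero";
    if (g->efer >> 15)                             return "EFER[63:15] not zero";
    if ((g->efer & (EFER_LMA | EFER_LME)) && !has_long_mode)
                                                   return "long mode unsupported";
    if (lme_pg && !(g->cr4 & CR4_PAE))             return "LME+PG without PAE";
    if (lme_pg && !(g->cr0 & CR0_PE))              return "LME+PG without PE";
    if (lme_pg && (g->cr4 & CR4_PAE) && g->cs_l && g->cs_d)
                                                   return "CS.L and CS.D both set";
    if (!g->intercept_vmrun)                       return "VMRUN intercept bit clear";
    if (g->asid == 0)                              return "ASID is zero";
    return NULL;  /* note: PE=0 with PG=1 is deliberately accepted, as the text allows */
}
```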