Volume 2 System Programming (794096), page 94
When considering interactions of VMRUN with the TF and RF bits in EFLAGS, one must distinguish between the behavior of the host as opposed to that of the guest.

From the host point of view, VMRUN acts like a single instruction, even though an arbitrary number of guest instructions may execute before a #VMEXIT effectively completes the VMRUN. As a single host instruction, VMRUN interacts with EFLAGS.RF and EFLAGS.TF like ordinary instructions. EFLAGS.RF suppresses any potential instruction breakpoint match on the VMRUN, and EFLAGS.TF causes a #DB trap after the VMRUN completes on the host side (i.e., after the #VMEXIT from the guest). As with any normal instruction, completion of the VMRUN instruction clears the host EFLAGS.RF bit.

The value of EFLAGS.RF from the VMCB affects the first guest instruction.
When VMRUN loads a guest value of 1 for EFLAGS.RF, that value takes effect and suppresses any potential (guest) instruction breakpoint on the first guest instruction. When VMRUN loads a guest value of 1 in EFLAGS.TF, that value does not cause a trace trap between the VMRUN and the first guest instruction, but rather after completion of the first guest instruction.

Secure Virtual Machine 371   AMD64 Technology 24593—Rev. 3.13—July 2007

Host values of EFLAGS have no effect on the guest and guest values of EFLAGS have no effect on the host.

See also Section 15.7.1 on page 373 regarding the value of EFLAGS.RF saved on #VMEXIT.

15.6 #VMEXIT

When an intercept triggers, the processor performs a #VMEXIT (i.e., an exit from the guest to the host context).

On #VMEXIT, the processor:
• Disables interrupts by clearing the GIF, so that after the #VMEXIT, VMM software can complete the state switch atomically.
• Writes back to the VMCB the current guest state—the same subset of processor state as is loaded by the VMRUN instruction, including the V_IRQ, V_TPR, and the INTERRUPT_SHADOW bits.
• Saves the reason for exiting the guest in the VMCB's EXITCODE field; additional information may be saved in the EXITINFO1 or EXITINFO2 fields, depending on the intercept.
• Clears all intercepts.
• Resets the current ASID register to zero (host ASID).
• Clears the V_IRQ and V_INTR_MASKING bits inside the processor.
• Clears the TSC_OFFSET inside the processor.
• Reloads the host state previously saved by the VMRUN instruction. The processor reloads the host's CS, SS, DS, and ES segment registers and, if required, re-reads the descriptors from the host's segment descriptor tables, depending on the implementation. The segment descriptor tables must be mapped as present and writable by the host's page tables. Software should keep the host's segment descriptor tables consistent with the segment registers when executing VMRUN instructions. Immediately after #VMEXIT, the processor still contains the guest value for LDTR. So for CS, SS, DS, and ES, the VMM must only use segment descriptors from the global descriptor table. Any exception encountered while reloading the host segments causes a shutdown.
• If the host is in PAE mode, the processor reloads the host's PDPEs from the page table indicated by the host's CR3. If the PDPEs contain illegal state, the processor causes a shutdown.
• Forces CR0.PE = 1, RFLAGS.VM = 0.
• Sets the host CPL to zero.
• Disables all breakpoints in the host DR7 register.
• Checks the reloaded host state for consistency; any error causes the processor to shut down. If the host's rIP reloaded by #VMEXIT is outside the limit of the host's code segment or non-canonical (in the case of long mode), a #GP fault is delivered inside the host.
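The host-state rules in the list above (CS/SS/DS/ES must be GDT descriptors because the guest LDTR is still loaded when the host segments are reloaded; a non-canonical or out-of-limit host rIP is a #GP in the host) are the kind of thing a VMM should assert before every VMRUN rather than discover on #VMEXIT. The C below is an added example written for this page, not code from the AMD manual or any hypervisor: the struct host_state snapshot, the check names and the assumed 48-bit virtual-address width are this example's own.

```c
/*
 * Added example, not from the AMD manual: pre-VMRUN checks of the host state
 * that #VMEXIT will reload. Names (host_state, check_host_state) and the
 * 48-bit virtual-address width are assumptions of this example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SEL_TI   0x4u   /* selector bit 2: 1 = descriptor from LDT, 0 = from GDT */
#define VA_BITS  48     /* assumed implementation virtual-address width */

struct host_state {          /* example-only snapshot of host state at VMRUN */
    uint16_t cs, ss, ds, es; /* segment selectors */
    uint32_t cs_limit;       /* CS limit, checked when not in long mode */
    uint64_t rip;
    bool     long_mode;      /* host running with EFER.LMA = 1 */
};

enum host_check {
    HOST_OK = 0,
    HOST_ERR_SEL_FROM_LDT,   /* CS/SS/DS/ES selector has TI = 1 (LDT) */
    HOST_ERR_RIP_NONCANON,   /* long mode: rIP is not canonical */
    HOST_ERR_RIP_LIMIT,      /* legacy/compatibility mode: rIP above CS limit */
};

/* Canonical form: bits 63..(VA_BITS-1) are all zero or all one. */
static bool is_canonical(uint64_t va)
{
    uint64_t upper = va >> (VA_BITS - 1);               /* 17 bits */
    uint64_t all   = (1ull << (64 - VA_BITS + 1)) - 1;  /* 17 ones */
    return upper == 0 || upper == all;
}

enum host_check check_host_state(const struct host_state *h)
{
    const uint16_t sels[4] = { h->cs, h->ss, h->ds, h->es };
    for (int i = 0; i < 4; i++)
        if (sels[i] & SEL_TI)          /* host LDT is not loaded on #VMEXIT */
            return HOST_ERR_SEL_FROM_LDT;
    if (h->long_mode)
        return is_canonical(h->rip) ? HOST_OK : HOST_ERR_RIP_NONCANON;
    return h->rip <= h->cs_limit ? HOST_OK : HOST_ERR_RIP_LIMIT;
}

int main(void)
{
    /* Constructed sample host states. */
    struct host_state good = { .cs = 0x08, .ss = 0x10, .ds = 0x10, .es = 0x10,
                               .cs_limit = 0xFFFFFFFFu,
                               .rip = 0xFFFFFFFF80001000ull, .long_mode = true };
    struct host_state ldt_cs = good;  ldt_cs.cs = 0x0C;                 /* 0x08 | TI */
    struct host_state bad_rip = good; bad_rip.rip = 0x0000800000000000ull; /* bit 47 set, upper bits clear */
    printf("good=%d ldt_cs=%d bad_rip=%d\n", check_host_state(&good),
           check_host_state(&ldt_cs), check_host_state(&bad_rip));
    return 0;
}
```

Run this against the values the VMM is about to hand to VMRUN; a failing check is cheaper than a host shutdown or a #GP delivered into the VMM after the guest has already exited.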
15.7 Intercept Operation

Various instructions and events (such as exceptions) in the guest can be intercepted by means of control bits in the VMCB. The two primary classes of intercepts supported by SVM are instruction and exception intercepts.

Exception intercepts. Exception intercepts are checked when normal instruction processing must raise an exception—before resolving possible double-fault conditions according to Table 8-3 and before attempting delivery of the exception (which includes pushing an exception frame, accessing the IDT, etc.).

For some exceptions, the processor still writes certain exception-specific registers even if the exception is intercepted.
(See the descriptions in Section 15.11 on page 381 and following for details.)

When an external or virtual interrupt is intercepted, the interrupt is left pending.

When an intercept occurs while the guest is in the process of delivering a non-intercepted interrupt or exception using the IDT, SVM provides additional information on #VMEXIT (see Section 15.7.2 on page 374).

Instruction intercepts. These occur at well-defined points in instruction execution—before the results of the instruction are committed, but ordered in an intercept-specific priority relative to the instruction's exception checks. Generally, instruction intercepts are checked after simple exceptions (such as #GP when CPL is incorrect, or #UD) have been checked, but before exceptions related to memory accesses (such as page faults) and exceptions based on specific operand values. There are several exceptions to this guideline, e.g., the RSM instruction. Instruction breakpoints for the current instruction and pending data breakpoint traps from the previous instruction are designed to be checked before instruction intercepts.

15.7.1 State Saved on Exit

When triggered, intercepts write an EXITCODE into the VMCB identifying the cause of the intercept. The EXITINTINFO field signals whether the intercept occurred while the guest was attempting to deliver an interrupt or exception through the IDT; a VMM can use this information to transparently complete the delivery (see "Event Injection" on page 389). Some intercepts provide additional information in the EXITINFO1 and EXITINFO2 fields in the VMCB; see the individual intercept descriptions for details.

The guest state saved in the VMCB is the processor state as of the moment the intercept triggers. In the x86 architecture, traps (as opposed to faults) are detected and delivered after the instruction that triggered them has completed execution. Accordingly, a trap intercept takes place after the execution of the instruction that triggered the trap in the first place. The saved guest state thus includes the effects of executing that instruction.

Example: Assume a guest instruction triggers a data breakpoint (#DB) trap which is in turn intercepted. The VMCB records the guest state after execution of that instruction, so that the saved CS:rIP points to the following instruction, and the saved DR6 includes the effects of matching the data breakpoint (the Bn status bits; DR7 only holds the breakpoint enables and conditions).

Some exceptions write special registers even when they are intercepted; see the individual descriptions in "Exception Intercepts" on page 381 for details.

15.7.2 Intercepts During IDT Interrupt Delivery

It is possible for an intercept to occur while the guest is attempting to deliver an exception or interrupt through the IDT (e.g., #PF because the VMM has paged out the guest's exception stack).
In some cases, such an intercept can result in the loss of information necessary for transparent resumption of the guest. In the case of an external interrupt, for example, the processor will already have performed an interrupt acknowledge cycle with the PIC or APIC to obtain the interrupt type and vector, and the interrupt is thus no longer pending.

To recover from such situations, all intercepts indicate (in the EXITINTINFO field in the VMCB) whether they occurred during exception or interrupt delivery through the IDT. This mechanism allows the VMM to complete the intercepted interrupt delivery, even when it is no longer possible to recreate the event in question.

Figure 15-1. EXITINTINFO for All Intercepts

  Bits    Mnemonic     Description
  63–32   ERRORCODE    Error Code
  31      V            Valid
  30–12   Reserved, 0
  11      EV           Error Code Valid
  10–8    TYPE         Qualifies the guest exception or interrupt. Table 15-1 shows possible values returned and their corresponding interrupt or exception types. Values not indicated are unused and reserved.
  7–0     VECTOR       8-bit IDT vector of the interrupt or exception.

Table 15-1. Guest Exception or Interrupt Types

  Value   Type
  0       External or virtual interrupt (INTR)
  2       NMI
  3       Exception (fault or trap)
  4       Software interrupt (caused by INTn instruction)
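Sections 15.7.1 and 15.7.2 describe what the VMM must do with EXITINTINFO: decode it, and, when V is set, re-deliver the event itself because the hardware can no longer recreate it (an external interrupt has already been acknowledged at the PIC/APIC). The C below is an added example written for this page, not code from the AMD manual or any hypervisor. It decodes the field exactly as laid out in Figure 15-1 and Table 15-1, rejects reserved TYPE values and reserved bits, and builds the value a VMM would write to the VMCB EVENTINJ field to complete delivery on the next VMRUN. That EVENTINJ shares the EXITINTINFO bit layout is an assumption taken from the manual's "Event Injection" section, not from this page; the struct and function names are this example's own.

```c
/*
 * Added example, not from the AMD manual: decode EXITINTINFO (Figure 15-1,
 * Table 15-1) and turn it into an EVENTINJ value for re-delivery. The
 * EVENTINJ layout (same as EXITINTINFO) is an assumption of this example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions from Figure 15-1. */
#define EXITINT_VECTOR_MASK   0xFFull
#define EXITINT_TYPE_SHIFT    8
#define EXITINT_TYPE_MASK     0x7ull
#define EXITINT_EV            (1ull << 11)
#define EXITINT_V             (1ull << 31)
#define EXITINT_ERRCODE_SHIFT 32
#define EXITINT_RESERVED_MASK 0x7FFFF000ull   /* bits 30-12 read as 0 */

/* TYPE encodings from Table 15-1; 1 and 5-7 are reserved. */
enum exitint_type {
    EXITINT_TYPE_INTR = 0,   /* external or virtual interrupt */
    EXITINT_TYPE_NMI  = 2,
    EXITINT_TYPE_EXC  = 3,   /* exception (fault or trap) */
    EXITINT_TYPE_SOFT = 4,   /* software interrupt (INTn) */
};

struct exitint {
    bool     valid;        /* V: IDT delivery was in progress at #VMEXIT */
    uint8_t  vector;
    uint8_t  type;
    bool     has_errcode;  /* EV */
    uint32_t errcode;
};

struct exitint decode_exitintinfo(uint64_t raw)
{
    struct exitint e = {
        .valid       = (raw & EXITINT_V) != 0,
        .vector      = (uint8_t)(raw & EXITINT_VECTOR_MASK),
        .type        = (uint8_t)((raw >> EXITINT_TYPE_SHIFT) & EXITINT_TYPE_MASK),
        .has_errcode = (raw & EXITINT_EV) != 0,
        .errcode     = (uint32_t)(raw >> EXITINT_ERRCODE_SHIFT),
    };
    return e;
}

/* A valid field must use a documented TYPE and leave reserved bits clear. */
bool exitint_is_well_formed(uint64_t raw)
{
    struct exitint e = decode_exitintinfo(raw);
    if (!e.valid)
        return true;                         /* no event: other bits not meaningful */
    if (raw & EXITINT_RESERVED_MASK)
        return false;
    switch (e.type) {
    case EXITINT_TYPE_INTR: case EXITINT_TYPE_NMI:
    case EXITINT_TYPE_EXC:  case EXITINT_TYPE_SOFT:
        return true;
    default:
        return false;
    }
}

/*
 * EVENTINJ value that re-delivers the interrupted event on the next VMRUN.
 * Returns 0 (inject nothing) when EXITINTINFO.V was clear. For an external
 * interrupt this is the only path: the acknowledge cycle already happened.
 */
uint64_t eventinj_from_exitintinfo(uint64_t raw)
{
    struct exitint e = decode_exitintinfo(raw);
    if (!e.valid)
        return 0;
    uint64_t inj = EXITINT_V | (uint64_t)e.vector
                 | ((uint64_t)e.type << EXITINT_TYPE_SHIFT);
    if (e.has_errcode)
        inj |= EXITINT_EV | ((uint64_t)e.errcode << EXITINT_ERRCODE_SHIFT);
    return inj;
}

int main(void)
{
    /* Constructed sample: the guest was delivering external interrupt vector
     * 0x21 when a #PF on its exception stack was intercepted. */
    uint64_t raw = EXITINT_V | 0x21;
    struct exitint e = decode_exitintinfo(raw);
    printf("valid=%d type=%u vector=%#x ev=%d errcode=%#x\n", e.valid,
           (unsigned)e.type, (unsigned)e.vector, e.has_errcode, e.errcode);
    printf("EVENTINJ=%#llx\n", (unsigned long long)eventinj_from_exitintinfo(raw));
    return 0;
}
```

The VMM first resolves the intercept that interrupted delivery (here, paging the guest's exception stack back in), then writes the EVENTINJ value before VMRUN; without the re-injection the acknowledged interrupt would simply be lost.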