Xen devel - Oct 2005 - RE: [PATCH] [VT] add BT instruction support to VMXMMIO decoder

>This seems a little questionable:
>
>- in handle_mmio()''s INSTR_BT case value should be signed, not
unsigned
>(see definition of BitOffset in IA32 SDM Vol 2a Section 3.1)
Thanks.
>- in the same place, you implicitly assume that va and gpa are
>congruent over a range 2**29/2**61 bytes, which is likely wrong,
>especially for mmio regions (while one could argue that there
shouldn''t
>be accesses with a base address pointing into one mmio region, but the
>effective address with the shifted bit offset included pointing into a
>different on, I believe the hypervisor should actually verify this and
>either handle it properly or fail the request)
>- the alignment (and thus implicit range) limitations of real hardware
>aren''t followed (for e.g. a 32-bit operation, hardware confines the
>access to the aligned 32-bit quantity addressed by 
>EA+4*(BitOffset/32));
>to match that you should either pass 1 instead of mmio_inst.op_size to
>send_mmio_req, or you should calculate the offset from gpa depending on
>the operand size (which is probably the better solution, although I
>don''t know which of the two possible mechanisms real hardware uses)
Yes, this is not perfect.
Can you help?
>
>Jan
>
>>>> "Li, Xin B" <xin.b.li@intel.com> 15.10.05
08:14:03 >>>
>add BT instruction support to VMX MMIO decoder.
>Also extends TEST and OR instructions support for 16/32 bit
>operations,
>these are needed for windows.
>
>Signed-off-by: Xin Li <xin.b.li@intel.com>
>Signed-off-by: Chengyuan Li <chengyuan.li@intel.com>
>Signed-off-by: Nakajima Jun <nakajima.jun@intel.com>
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

>>- in the same place, you implicitly assume that va and gpa are
>>congruent over a range 2**29/2**61 bytes, which is likely wrong,
>>especially for mmio regions (while one could argue that there
shouldn''t
>>be accesses with a base address pointing into one mmio region, but
the
>>effective address with the shifted bit offset included pointing into
a
>>different on, I believe the hypervisor should actually verify this
and
>>either handle it properly or fail the request)
>>- the alignment (and thus implicit range) limitations of real
hardware
>>aren''t followed (for e.g. a 32-bit operation, hardware confines
the
>>access to the aligned 32-bit quantity addressed by 
>>EA+4*(BitOffset/32));
>>to match that you should either pass 1 instead of mmio_inst.op_size
to
>>send_mmio_req, or you should calculate the offset from gpa depending
on
>>the operand size (which is probably the better solution, although I
>>don''t know which of the two possible mechanisms real hardware
uses)
>
>Yes, this is not perfect.
>Can you help?
Not without first understanding the infrastructure of the decoder,
which I haven''t looked at in detail. Looking at the call site of
handle_mmio I believe that getting this right requires more than just
adjusting the specific INSTR_BT cases that you patch touches, because
the call to gva_to_gpa() (and thus the decision made by mmio_space())
must be done *AFTER* instruction decoding. And this is not only true for
bt, but for all instructions that touch more than a single byte, because
(at least for security reasons) one must deal with the case of accesses
that straddle page boundaries (or, if mmio regions are allocated at an
even finer granularity - which is commonly the case -, even device
boundaries).

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel