Constructing a VMX Demo

1
Constructing a VMX Demo

• A hands-on exploration of Intels Virtual
  Machine Extensions

2
Guest and Host
Virtual Machine (Guest)
VM Exit
VM Entry
Virtual Machine Manager (Host)
VMXON
VMXOFF
Execution in root mode
Execution in non-root mode
3
The ten VMX instructions

• These nine execute in root mode
• VMXON and VMXOFF
• VMPTRLD and VMPTRST
• VMCLEAR
• VMWRITE and VMREAD
• VMLAUNCH and VMRESUME
• This one executes in non-root mode
• VMCALL

4
Step-by-step

• To become familiar with x86 Virtualization
  Technology, we propose to build a simple Guest
  example, with accompanying Host as well as
  appropriate VMX controls
• Each of these elements (Guest, Host, and
  Controls) will require us to construct some
  supporting data-structures ahead of time
• We can proceed in a step-by-step manner

5
Our guest and host modes

• Lets arrange for our guest to operate as if it
  were a virtual 8086 processor executing
  real-mode code in a 1-MB address-space
• Lets have our host execute 64-bit code in
  Intels advanced IA-32e protected-mode
• This plan should serve to demonstrate a useful
  aspect of VT -- since otherwise we couldnt run
  real-mode code under IA-32e

6
Virtual-8086

• We cant execute real-mode code in its native
  processor-mode, but we can use the so-called
  virtual-8086 emulation-mode (its available as a
  sub-mode under 32-bit legacy protected-mode) if
  we use paging
• We will need supporting data-structures
• Page-mapping tables and Descriptor Tables
• A 32-bit Task-State Segment
• Stack-areas for ring-3 and for ring-0

7
What will our guest do?

• We want to keep things simple, but we do need for
  our guest task to do something that has a
  perceptible effect so we will know that it did,
  in fact, work as intended
• Drawing a message onscreen wont work because we
  cant see the actual display using our remote
  Core-2 Duo machines
• Idea transmit a message via the UART

8
The UART issues

• To keep things simple, lets have our guest
  employ polling rather than use interrupts

Read the Line Status Register
Transmit Holding Register is Empty?
NO
YES
Write byte to the Transmitter Data Register
DONE
9
Our guests code
This loop uses polling to transmit a message
via the serial UART .code16 for x86
real-mode instructions mov 0x1000, ax
real-mode segment-address mov ax, ds
loaded into the DS register xor si, si
initialize message array-index nxbyte mov UART
5, dx i/o port for UARTs Line-Status in dx,
al input the current line-status
test 0x20, al Tx-Holding Register
Empty? jz nxbyte not yet, check status
again mov msg(si), al else fetch the next
character or al, al is it the final
null-byte? jz done yes, this loop is
concluded mov UART0, dx else setup i/o port
for Tx-Data out al, dx and transmit that
character inc si then advance the
array-index jmp nxbyte and go back for
another byte done hlt else exit from the
guest task --------------------------------------
--------------------------------------------------
------ msg .asciz Hello from our 8086 Virtual
Machine guest
10
Can ring3 code do I/O?

• Execution in virtual-8086 mode occurs at
  privilege-level 3, so input/output to devices is
  subject to protected-mode restrictions
• It is allowed on a port-by-port basis by a
  data-structure in the Task-State Segment known as
  the I/O Permission Bitmap
• We will need to build a TSS that includes that
  bitmap data-structure

11
The 80386 TSS format
32-bits
0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68
72 76 80 84 88 92 96 100
link
esp0
ss0
We wont have to initialize most of
these fields (since our guest doesnt do
task-switching)
esp1
ss1
esp2
ss2
PTDB
We will need to initialize the SS0 and ESP0
fields (for our hlt instruction)
EIP
ss0
ss0
EFLAGS
ss0
ss0
EAX
ss0
ss0
ECX
ss0
ss0
EDX
ss0
ss0
EBX
ss0
ss0
ESP
ss0
ss0
EBP
ss0
ss0
ESI
26 longwords
ss0
ss0
EDI
ES
CS
SS
DS
field is static
FS
GS
field is volatile
LDTR
We will need to initialize the IOMAP field and
the I/O permission bitmap (for use of in and
out)
IOMAP
TRAP
field is reserved
I/O permission bitmap
12
I/O permission bitmap

• There is potentially one bit for every I/O
  port-address (thus, up to 65536 bits!)
• Our guest only needs to use UART ports

0x03F8
0x03FF
0
65535
Legend 0 means I/O is allowed, 1 means I/O
is trapped
00000000
To encompass all the i/o ports, the bitmap needs
8K bytes!
13
The hlt instruction

• In native real-mode the hlt instruction is
  used to halt the CPUs fetch-execute cycle
• But in a multiuser/multitasking system, it
  wouldnt be appropriate to allow one task to stop
  the processor from doing any work
• So in protected-mode the hlt instruction is
  privileged it will trigger an exception if
  the CPU isnt executing at ring-0

14
Our exception-handler

• When our guest-task encounters the hlt
  instruction, it wont be executed instead the
  CPU will switch from ring3 to ring 0 to execute
  an exception-handling procedure
• We need to write that handlers code, we need to
  install an interrupt-gate that will direct the
  CPU to that code, and we need to put a ring0
  stack-address in the TSS

15
The stack-frame layout
When a general protection exception occurs in
Virtual-8086 mode, the CPU automatically switches
stacks, then it pushes nine register-values, plus
an error-code, onto the new ring0 stack and
transfers control to a procedure whose address it
finds in the IDTs gate descriptor for
Interrupt-0x0D We can write an
exception-handler that will perform a VM Exit
from our Guest-task to our Host VM Manager (for
example, by using VMCALL)
32-bits
GS
FS
DS
ES
SS
SP
EFLAGS
CS
IP
error-code
SSESP
ring0 stackframe
16
Error-Codes format

• Normally the error-code contains useful
  information about what caused the fault
• But when a privileged instruction was the faults
  cause, this error-code will be zero (as the
  instructions address will be there)

15
3 2 1 0
selector-index
E X T
I D T
T I
17
Segment-descriptors

• Our guest-task need a Global Descriptor for its
  mandatory Task-State Segment
• It may optionally need a Global Descriptor for
  its Local Descriptor Table (if used)
• It will definitely require code-segment and
  data-segment descriptors (for ring0 use)
• It will NOT need descriptors its code and data in
  ring3 (real-mode addresses used)

18
Page-mapping Tables

• Our guest-task needs to use page-tables that the
  processor understands in 32-bit protected-mode
  (and Virtual-8086 mode)
• For this we have several options
• Strict emulation of the 8086s one-megabyte
  address-space will require us to construct a
  Page-Table and a Page-Directory
• Simpler solution, using Page-Size Extensions,
  would require only a Page-Directory table

19
Page-mapping alternatives
4MB
Scheme 1
4KB
CR3
page directory
page table
page frames
Scheme 2
CR3
page directory
big page frame
20
Directory-entry formats
R (Reserved)
Without Pase-Size Extensions enabled in CR4
(PSE0)
31

12 11
0
0000 0000 0111
page-table frame number
P (Present) W (Writable) U
(User)
With Pase-Size Extensions enabled in CR4 (PSE1)
31
22 21
12 11
0
0 0 0 0 0 0 0 0 0 0
0000 1000 0111
big frame-number
PS (Page-Size) (14M, 04K)
21
Summary

• Step-by-step approach focuses first on the
  Virtual Machine guest-task
• We need these guest data-structures
• A Page-Directory table
• A Task-State Segment
• A GDT and an IDT (and maybe an LDT)
• A ring-3 stack-area and a ring-0 stack-area
• We need these executable procedures
• The guest-tasks ring-3 routine (.code16)
• The guest-tasks fault-handler (.code32)

22
In-class exercise

• Modify our vm86demo.s program so that it
  includes the code needed to transmit a
  message-string via the serial null-modem cable.
  (You will also need to enlarge the TSS to include
  an I/O permission bitmap.)
• You can use the rxrender.cpp program to test
  your changes on our classroom PCs
• Next Design our Host and VMX Controls