Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

arm64/vmm: Preserve PSR_C64 when injecting an exception #2255

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

arm64/vmm: Preserve PSR_C64 when injecting an exception #2255

wants to merge 1 commit into from
+4 −0

Conversation

markjdb
Copy link
Contributor

@markjdb markjdb commented Nov 27, 2024

I'm not sure if this might be simplistic, but it resolves a problem I see with breakpoint injection from bhyve's gdb stub. This arises when the debugger has installed a breakpoint, and the guest triggers a breakpoint exception some other way, e.g., a dtrace FBT probe.

jrtc27
jrtc27 reviewed Nov 27, 2024
View reviewed changes
sys/arm64/vmm/vmm_arm64.c Outdated Show resolved Hide resolved
@jrtc27
Copy link
Member

jrtc27 commented Nov 27, 2024

This looks to be the bug @kwitaszczyk was running into, and the cause of the problem aligns with what @bsdjhb and I had managed to ascertain at the PI meeting.

@jrtc27
Copy link
Member

jrtc27 commented Nov 27, 2024

The handling of vbar_el1 also looks a bit dodgy. If CPACR_EL1.CEN[0] is 0 then CVBAR_EL1 is just interpreted as VBAR_EL1 by the architecture when trapping to EL1 (setting PCC's address to it), which means we need to derive a capability for tf_elr from elr_el1.

@jrtc27
Copy link
Member

jrtc27 commented Nov 27, 2024

The handling of vbar_el1 also looks a bit dodgy. If CPACR_EL1.CEN[0] is 0 then CVBAR_EL1 is just interpreted as VBAR_EL1 by the architecture when trapping to EL1 (setting PCC's address to it), which means we need to derive a capability for tf_elr from elr_el1.

This should be testable by running GDB against a plain FreeBSD VM, setting a breakpoint from GDB and triggering a breakpoint from within the VM, just as for the SPSR C64 issue except with a FreeBSD guest. I'm not sure how exactly I expect it to break, whether it'll get stuck in a trap loop or end up in bhyve. Hopefully at least it doesn't wedge the host, which should be true as long as some of this code is preemptible... otherwise there are other ways a malicious guest could trigger the same kinds of issues even with correct handling here.

@kwitaszczyk
Copy link
Member

This looks to be the bug @kwitaszczyk was running into, and the cause of the problem aligns with what @bsdjhb and I had managed to ascertain at the PI meeting.

Unfortunately, it doesn't seem the host kernel enters the block of if (hypctx->has_exception) in my case. It does enter it but once the guest kernel ends up in kdb_enter() after the panic.

@bsdjhb
Copy link
Collaborator

bsdjhb commented Nov 29, 2024

Can you add a trace to see if vmmops_setreg is ever called to write a value to VM_REG_GUEST_CPSR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrtc27 jrtc27 jrtc27 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@markjdb @jrtc27 @kwitaszczyk @bsdjhb