* What happens on an INT80 instruction
@ 2007-10-01 0:41 Cameron Macdonell
From: Cameron Macdonell @ 2007-10-01 0:41 UTC
To: kvm-devel
Hi,
I'm trying to understand guest virtualization at the lower levels. I
have a somewhat basic question: How does KVM virtualize an int80
instruction from a guest? A pointer to an answer is just as good as
an answer itself.
Thanks,
Cam
* Re: What happens on an INT80 instruction
@ 2007-10-01 1:31 Anthony Liguori
From: Anthony Liguori @ 2007-10-01 1:31 UTC
To: Cameron Macdonell; +Cc: kvm-devel

Cameron Macdonell wrote:
> Hi,
>
> I'm trying to understand guest virtualization at the lower levels. I
> have a somewhat basic question: How does KVM virtualize an int80
> instruction from a guest? A pointer to an answer is just as good as
> an answer itself.

The same thing happens as it does on normal hardware.

The way VT/SVM works (at a high level) is that certain instructions and
events check a special area called the VMCS/VMCB to determine whether
the event should generate a vmexit, which is really just a special type
of trap.

There are no hooks for interrupts 32-255, so the hardware operates as it
normally would. If you're interested in getting a trap for int80 within
KVM, you'll have to trap sidt/lidt and virtualize the IDT. You'll need
to set up a fake IDT and have the int80 handler do a hypercall. This is
complicated if the guest is using a fast-syscall mechanism. It may be a
little challenging finding a piece of guest memory to take over that has
a valid virtual mapping. To solve this in the general case, you'll need
to have the guest be aware of a memory hole. If you can limit yourself
to things like Linux and Windows, you can probably just rely on some
memory within the BIOS area (both Linux and Windows always have valid
mappings of the BIOS memory).

If you need to enforce that int80s go to you, you'll need to
write-protect this memory too.

Regards,

Anthony Liguori
* Re: What happens on an INT80 instruction
@ 2007-10-01 20:53 Cam Macdonell
From: Cam Macdonell @ 2007-10-01 20:53 UTC
To: Anthony Liguori; +Cc: kvm-devel

Anthony Liguori wrote:
> The same thing happens as it does on normal hardware.
>
> The way VT/SVM works (at a high level) is that certain instructions and
> events check a special area called the VMCS/VMCB to determine whether
> the event should generate a vmexit, which is really just a special type
> of trap.

Thanks Anthony. Does an int80 from an application in the guest always
cause a vmexit (in kvm's case at least)?

Thanks,
Cam
* Re: What happens on an INT80 instruction
@ 2007-10-01 21:06 Anthony Liguori
From: Anthony Liguori @ 2007-10-01 21:06 UTC
To: Cam Macdonell; +Cc: kvm-devel

Cam Macdonell wrote:
> Thanks Anthony. Does an int80 from an application in the guest always
> cause a vmexit (in kvm's case at least)?

No, an int80 would never generate a trap in KVM. The only way to make
it generate a trap is for an int80 to trigger some other event that
would generate a trap. This is what I meant by taking over the guest's
IDT such that you could change the int80 handler to do a hypercall.

I presume you're looking into doing a guest IDS, right?

Regards,

Anthony Liguori
* Re: What happens on an INT80 instruction
@ 2007-10-01 23:23 Cam Macdonell
From: Cam Macdonell @ 2007-10-01 23:23 UTC
To: Anthony Liguori, kvm-devel

Anthony Liguori wrote:
> No, an int80 would never generate a trap in KVM. The only way to make
> it generate a trap is for an int80 to trigger some other event that
> would generate a trap. This is what I meant by taking over the guest's
> IDT such that you could change the int80 handler to do a hypercall.
>
> I presume you're looking into doing a guest IDS, right?

Actually, I'm looking into doing a PhD dissertation :) I'm just trying to
get a better working understanding of how kvm (and other VMMs) handle
instructions like int80 that should trap into the OS, but of course in a
VM need to trap into the guest OS (which is running at user-level) and
not the host OS. Do traps by a guest app to the guest OS involve the
VMM at all?

Pardon my ignorance, what is IDS?

Thanks,
Cam
* Re: What happens on an INT80 instruction
@ 2007-10-02 7:41 Jun Koi
From: Jun Koi @ 2007-10-02 7:41 UTC
To: Cam Macdonell; +Cc: kvm-devel

On 10/2/07, Cam Macdonell <cam-edFDblaTWIyXbbII50Afww@public.gmane.org> wrote:
> Actually, I'm looking into doing a PhD dissertation :) I'm just trying to
> get a better working understanding of how kvm (and other VMMs) handle
> instructions like int80 that should trap into the OS, but of course in a
> VM need to trap into the guest OS (which is running at user-level) and
> not the host OS. Do traps by a guest app to the guest OS involve the
> VMM at all?
>
> Pardon my ignorance, what is IDS?

IDS stands for Intrusion Detection System. Anthony thought that you wanted
to monitor int80 to detect illegal usage of system calls.

regards,
Jun
* Re: What happens on an INT80 instruction
@ 2007-10-02 12:43 Gregory Haskins
From: Gregory Haskins @ 2007-10-02 12:43 UTC
To: Cam Macdonell; +Cc: kvm-devel

On Mon, 2007-10-01 at 17:23 -0600, Cam Macdonell wrote:
> Actually, I'm looking into doing a PhD dissertation :) I'm just trying to
> get a better working understanding of how kvm (and other VMMs) handle
> instructions like int80 that should trap into the OS, but of course in a
> VM need to trap into the guest OS (which is running at user-level) and
> not the host OS. Do traps by a guest app to the guest OS involve the
> VMM at all?

Hi Cam,

The answer has to do with a few different variables:

1) The capabilities of the virtualization technology hw (e.g. VMX, SVM, etc.)
2) The programming of those capabilities by the VMM

The important thing to remember when using VM hardware is: they aren't
*really* executing guest code in "userspace" (though that is a very nice
way to think of them in many respects... I do this myself when it's
convenient). They are really executing in a special context
("guest-mode") where the hardware can be programmed in various ways by
the VMM.

Intel VMX, for instance (and AMD SVM is similar), allows the guest to
have its own Interrupt Descriptor Table (IDT) independent of the host's
IDT. This governs how interrupts are handled when they are injected into
the guest context, just like the host IDT governs how they are delivered
to the VMM. One primary difference, however, is that the host has some
programmatic control over the behavior of the guest (within the
constraints of the hardware capabilities, of course). For instance, the
host can program the VMX hardware to cause a VMEXIT when certain
instructions or events happen inside the guest.

VMX has such a control for INTx instructions (see Section 20.6.3 in the
Intel SDM Volume 3b), but (IIUC, and as Anthony mentioned) they are
limited to the first 32 of the 256 vectors in x86 (i.e. the "hardware
exceptions"), whereas the remaining vectors are not trappable. What this
means is that if the vector is >= 32, or if it's < 32 but the
exit-control is not enabled, the INTx instruction will be delivered
right to the guest's IDT without leaving guest context. Otherwise, it
will VMEXIT back to the host.

IIUC, KVM in particular only sets the control for a handful of the 32
vectors (#PF is one, I'm pretty sure ;). KVM doesn't care about INT80,
and the VMX hardware doesn't support that exit condition even if it did.
What this means is that on KVM/VMX, an INT80 is delivered to whatever
the guest set up in its own IDT for vector 80, and that's it. The host
wouldn't even know, per se.

However, I'm sure there might be some VMM/HW combo out there other than
KVM that might trap INT80, so YMMV.

I hope this helps to clarify. Good luck on that dissertation!

-Greg
* Re: What happens on an INT80 instruction
@ 2007-10-02 7:42 Jun Koi
From: Jun Koi @ 2007-10-02 7:42 UTC
To: Anthony Liguori; +Cc: kvm-devel

On 10/1/07, Anthony Liguori <anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org> wrote:
> There are no hooks for interrupts 32-255, so the hardware operates as it
> normally would. If you're interested in getting a trap for int80 within
> KVM, you'll have to trap sidt/lidt and virtualize the IDT. You'll need
> to set up a fake IDT and have the int80 handler do a hypercall. This is
> complicated if the guest is using a fast-syscall mechanism. It may be a
> little challenging finding a piece of guest memory to take over that has
> a valid virtual mapping.

This is a bit vague to me. Why do you need "a piece of guest memory" here?

Thanks,
Jun
* Re: What happens on an INT80 instruction
@ 2007-10-02 13:49 Anthony Liguori
From: Anthony Liguori @ 2007-10-02 13:49 UTC
To: Jun Koi; +Cc: kvm-devel

Jun Koi wrote:
> On 10/1/07, Anthony Liguori <anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org> wrote:
>> It may be a
>> little challenging finding a piece of guest memory to take over that has
>> a valid virtual mapping.
>
> This is a bit vague to me. Why do you need "a piece of guest memory" here?

You don't just need guest memory, you need a valid guest virtual address
too. The IDTR contains a guest VA. If you want to create your own IDT,
then it has to be a valid VA in the guest's address space.

Regards,

Anthony Liguori
* Re: What happens on an INT80 instruction
@ 2007-10-02 14:13 Avi Kivity
From: Avi Kivity @ 2007-10-02 14:13 UTC
To: Anthony Liguori; +Cc: kvm-devel

Anthony Liguori wrote:
> Jun Koi wrote:
>> This is a bit vague to me. Why do you need "a piece of guest memory" here?
>
> You don't just need guest memory, you need a valid guest virtual address
> too. The IDTR contains a guest VA. If you want to create your own IDT,
> then it has to be a valid VA in the guest's address space.

You can set the guest idt size to zero and trap the double fault exception.

--
error compiling committee.c: too many arguments to function
* Re: What happens on an INT80 instruction
@ 2007-10-02 14:25 Anthony Liguori
From: Anthony Liguori @ 2007-10-02 14:25 UTC
To: Avi Kivity; +Cc: kvm-devel

Avi Kivity wrote:
> Anthony Liguori wrote:
>> You don't just need guest memory, you need a valid guest virtual
>> address too. The IDTR contains a guest VA. If you want to create
>> your own IDT, then it has to be a valid VA in the guest's address space.
>
> You can set the guest idt size to zero and trap the double fault
> exception.

You could, but then you're trapping all exceptions instead of just the
int80. Of course, int80 is probably the one you care most about
performance-wise, so it's probably a reasonable approach.

Regards,

Anthony Liguori
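To make the mechanics Greg, Avi and Anthony describe concrete, here is a small C model, added here as an illustration and not code from KVM or from anyone on the thread. It assumes a 32-bit guest with 8-byte IDT gates, a simplified x86 #DF escalation rule, and invented names (vmx_model, deliver and the scenario functions); the exception bitmap and IDT-limit behaviour are modelled as the thread states them, so it shows why a plain INT 0x80 never leaves guest mode on KVM/VMX, why Avi's zero-length IDT turns it into an intercepted #DF, and why that trick also exits on every other guest exception.

```c
/* Hypothetical model of guest-mode event delivery on VMX, following the thread:
 * the exception bitmap (vectors 0-31) is consulted first, then the guest's own IDT. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum outcome { TO_GUEST_IDT, VMEXIT, TRIPLE_FAULT };
struct delivery { enum outcome outcome; uint8_t vector; };

/* Simplified stand-in for the VMCS fields the thread talks about (invented names). */
struct vmx_model {
    uint32_t exception_bitmap; /* bit v set: exception vector v (< 32) causes a VM exit */
    uint16_t guest_idt_limit;  /* IDTR.limit as loaded by the guest (table bytes - 1) */
};

enum { VEC_DF = 8, VEC_GP = 13, VEC_PF = 14, VEC_INT80 = 0x80 };

/* x86 #DF rules, simplified: a failed delivery of a contributory exception
 * (or of #PF) escalates to #DF; a failed delivery of anything else raises #GP. */
static bool escalates_to_df(uint8_t v)
{
    return v == 0 || v == 10 || v == 11 || v == 12 || v == VEC_GP || v == VEC_PF;
}

/* 8-byte gates, i.e. a 32-bit protected-mode guest (the int80 syscall ABI). */
static bool idt_gate_present(const struct vmx_model *m, uint8_t v)
{
    return (uint32_t)v * 8u + 7u <= m->guest_idt_limit;
}

static struct delivery deliver(const struct vmx_model *m, uint8_t v, bool is_exception)
{
    struct delivery d = { TO_GUEST_IDT, v };

    /* Only hardware exceptions (0-31) have an exit control; INT n with n >= 32,
     * INT 0x80 included, is never offered to the host at this stage. */
    if (is_exception && v < 32 && (m->exception_bitmap & (1u << v))) {
        d.outcome = VMEXIT;
        return d;
    }
    if (idt_gate_present(m, v))
        return d;                    /* the guest's own handler runs; no VM exit */

    /* Gate beyond IDTR.limit: the delivery itself faults and is re-dispatched. */
    if (v == VEC_DF) {
        d.outcome = TRIPLE_FAULT;    /* #DF could not be delivered either */
        return d;
    }
    return deliver(m, (is_exception && escalates_to_df(v)) ? VEC_DF : VEC_GP, true);
}

/* Scenario 1: KVM as Greg describes it, intercepting #PF only, full 256-entry IDT. */
struct delivery kvm_int80(void)
{
    struct vmx_model m = { 1u << VEC_PF, 256 * 8 - 1 };
    return deliver(&m, VEC_INT80, false);
}

/* Scenario 2: Avi's trick, IDT limit 0 with #DF intercepted: INT 0x80 -> #GP -> #DF -> exit. */
struct delivery zero_idt_int80(void)
{
    struct vmx_model m = { (1u << VEC_PF) | (1u << VEC_DF), 0 };
    return deliver(&m, VEC_INT80, false);
}

/* Anthony's caveat: with a zero-length IDT an ordinary guest #GP exits as #DF as well. */
struct delivery zero_idt_guest_gp(void)
{
    struct vmx_model m = { (1u << VEC_PF) | (1u << VEC_DF), 0 };
    return deliver(&m, VEC_GP, true);
}

/* Forgetting the #DF intercept turns the trick into a guest triple fault. */
struct delivery zero_idt_no_df_intercept(void)
{
    struct vmx_model m = { 1u << VEC_PF, 0 };
    return deliver(&m, VEC_INT80, false);
}

int main(void)
{
    static const char *names[] = { "guest IDT", "VMEXIT", "triple fault" };
    struct delivery d[] = { kvm_int80(), zero_idt_int80(), zero_idt_guest_gp(),
                            zero_idt_no_df_intercept() };
    for (int i = 0; i < 4; i++)
        printf("scenario %d: %s (vector %u)\n", i + 1, names[d[i].outcome], d[i].vector);
    return 0;
}
```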