Changeset 87359 in vbox

Timestamp:

Jan 21, 2021 7:56:26 PM (4 years ago)

Author:

vboxsync

Message:

VMM/HMSVM: Straighten out the svm vmrun assembly code by having different version for each of the 3 branch conditions. The C code changes which one it calls when the conditions changes (only one which does so at runtime). Should be better for spectre fighting and general mojo.

Location:

trunk/src/VBox/VMM

Files:

• VMMR0/HMR0A.asm (modified) (9 diffs)
• VMMR0/HMSVMR0.cpp (modified) (4 diffs)
• VMMR0/HMSVMR0.h (modified) (1 diff)
• include/HMInternal.h (modified) (1 diff)

trunk/src/VBox/VMM/VMMR0/HMR0A.asm

@@ -19 +19 @@
 ;*  Header Files                                                                                                                 *
 ;*********************************************************************************************************************************
-%define RT_ASM_WITH_SEH64
+;%define RT_ASM_WITH_SEH64  - trouble with SEH, alignment and (probably) 2nd pass optimizations.
 %include "VBox/asmdefs.mac"
 %include "VBox/err.mac"
@@ -1091 +1091 @@
 
 ;;
+; hmR0SvmVmRun template
+;
+; @param    1   The suffix of the variation.
+; @param    2   fLoadSaveGuestXcr0 value
+; @param    3   The CPUMCTX_WSF_IBPB_ENTRY + CPUMCTX_WSF_IBPB_EXIT value.
+%macro hmR0SvmVmRunTemplate 3
+
+;;
 ; Prepares for and executes VMRUN (32-bit and 64-bit guests).
 ;
@@ -1098 +1106 @@
 ; @param    HCPhysVmcb      msc:r8, gcc:rdx     Physical address of guest VMCB.
 ;
-ALIGNCODE(64)
-BEGINPROC SVMR0VMRun
+ALIGNCODE(64) ; This + immediate optimizations causes serious trouble for yasm and the SEH frames: prologue -28 bytes, must be <256
+              ; So the SEH64_XXX stuff is currently not operational.
+BEGINPROC RT_CONCAT(hmR0SvmVmRun,%1)
         push    rbp
         SEH64_PUSH_xBP
@@ -1105 +1114 @@
         SEH64_SET_FRAME_xBP 0
         pushf
-        sub     rsp, 30h - 8h                   ; The frame is 30h bytes, but the rbp-08h entry is the above pushf.
+        sub     rsp, 30h - 8h              ; The frame is 30h bytes, but the rbp-08h entry is the above pushf.
         SEH64_ALLOCATE_STACK 30h                ; And we have CALLEE_PRESERVED_REGISTER_COUNT following it.
 
-%define frm_fRFlags         -08h
-%define frm_uHostXcr0       -18h            ; 128-bit
-%define frm_fNoRestoreXcr0  -20h            ; Non-zero if we should skip XCR0 restoring.
-%define frm_pGstCtx         -28h            ; Where we stash guest CPU context for use after the vmrun.
-%define frm_HCPhysVmcbHost  -30h            ; Where we stash HCPhysVmcbHost for the vmload after vmrun.
-%assign cbFrame              30h
+ %define frm_fRFlags         -08h
+ %define frm_uHostXcr0       -18h               ; 128-bit
+ ;%define frm_fNoRestoreXcr0  -20h               ; Non-zero if we should skip XCR0 restoring.
+ %define frm_pGstCtx         -28h               ; Where we stash guest CPU context for use after the vmrun.
+ %define frm_HCPhysVmcbHost  -30h               ; Where we stash HCPhysVmcbHost for the vmload after vmrun.
+ %assign cbFrame              30h
 
         ; Manual save and restore:
@@ -1127 +1136 @@
         PUSH_CALLEE_PRESERVED_REGISTERS
         SEH64_END_PROLOGUE
-%if cbFrame != (30h + 8 * CALLEE_PRESERVED_REGISTER_COUNT)
- %error Bad cbFrame value
-%endif
+ %if cbFrame != (30h + 8 * CALLEE_PRESERVED_REGISTER_COUNT)
+  %error Bad cbFrame value
+ %endif
 
         ; Shuffle parameter registers so that r8=HCPhysVmcb and rsi=pVCpu.  (rdx & rcx will soon be trashed.)
-%ifdef ASM_CALL64_GCC
+ %ifdef ASM_CALL64_GCC
         mov     r8, rdx                         ; Put HCPhysVmcb in r8 like on MSC as rdx is trashed below.
-%else
+ %else
         mov     rsi, rdx                        ; Put pVCpu in rsi like on GCC as rdx is trashed below.
         ;mov     rdi, rcx                        ; Put pVM in rdi like on GCC as rcx is trashed below.
-%endif
-
+ %endif
+
+ %ifdef VBOX_STRICT
+        ; Verify template preconditions / parameters to ensure HMSVM.cpp didn't miss some state change.
+        cmp     byte [rsi + VMCPU.hm + HMCPU.fLoadSaveGuestXcr0], %2
+        mov     eax, VERR_SVM_VMRUN_PRECOND_0
+        jne     .failure_return
+
+        mov     eax, [rsi + VMCPU.cpum.GstCtx + CPUMCTX.fWorldSwitcher]
+        and     eax, CPUMCTX_WSF_IBPB_ENTRY | CPUMCTX_WSF_IBPB_EXIT
+        cmp     eax, %3
+        mov     eax, VERR_SVM_VMRUN_PRECOND_1
+        jne     .failure_return
+ %endif
+
+ %if %2 != 0
         ; Save the host XCR0 and load the guest one if necessary.
-        mov     ecx, 3fh                        ; indicate that we need not restore XCR0 (in case we jump)
-        test    byte [rsi + VMCPU.hm + HMCPU.fLoadSaveGuestXcr0], 1
-        jz      .xcr0_before_skip
-
         xor     ecx, ecx
         xgetbv                                  ; save the host XCR0 on the stack
@@ -1153 +1172 @@
         xor     ecx, ecx                        ; paranoia; Also, indicates that we must restore XCR0 (moved into ecx, thus 0).
         xsetbv
-
-.xcr0_before_skip:
-        mov     [rbp + frm_fNoRestoreXcr0], rcx
+ %endif
 
         ; Save host fs, gs, sysenter msr etc.
         mov     rax, [rsi + VMCPU.hm + HMCPU.u + HMCPUSVM.HCPhysVmcbHost]
-        mov     qword [rbp + frm_HCPhysVmcbHost], rax          ; save for the vmload after vmrun
+        mov     qword [rbp + frm_HCPhysVmcbHost], rax ; save for the vmload after vmrun
         lea     rsi, [rsi + VMCPU.cpum.GstCtx]
         mov     qword [rbp + frm_pGstCtx], rsi
         vmsave
 
+ %if %3 & CPUMCTX_WSF_IBPB_ENTRY
         ; Fight spectre (trashes rax, rdx and rcx).
-        INDIRECT_BRANCH_PREDICTION_BARRIER_CTX rsi, CPUMCTX_WSF_IBPB_ENTRY
+        mov     ecx, MSR_IA32_PRED_CMD
+        mov     eax, MSR_IA32_PRED_CMD_F_IBPB
+        xor     edx, edx
+        wrmsr
+ %endif
 
         ; Setup rax for VMLOAD.
@@ -1225 +1247 @@
         mov     r11, rcx
         mov     qword [rax + CPUMCTX.edi], rdi
-%ifdef ASM_CALL64_MSC
+ %ifdef ASM_CALL64_MSC
         mov     rdi, [rbp + frm_saved_rdi]
-%else
+ %else
         mov     rdi, rcx
-%endif
+ %endif
         mov     qword [rax + CPUMCTX.esi], rsi
-%ifdef ASM_CALL64_MSC
+ %ifdef ASM_CALL64_MSC
         mov     rsi, [rbp + frm_saved_rsi]
-%else
+ %else
         mov     rsi, rcx
-%endif
+ %endif
         mov     qword [rax + CPUMCTX.ebx], rbx
         mov     rbx, [rbp + frm_saved_rbx]
@@ -1248 +1270 @@
 
         ; Fight spectre.  Note! Trashes rax, rdx and rcx!
-        INDIRECT_BRANCH_PREDICTION_BARRIER_CTX rax, CPUMCTX_WSF_IBPB_EXIT
-
-        ; Restore the host xcr0 if necessary.
-        mov     rcx, [rbp + frm_fNoRestoreXcr0]
-        test    ecx, ecx
-        jnz     .xcr0_after_skip
+ %if %3 & CPUMCTX_WSF_IBPB_EXIT
+        ; Fight spectre (trashes rax, rdx and rcx).
+        mov     ecx, MSR_IA32_PRED_CMD
+        mov     eax, MSR_IA32_PRED_CMD_F_IBPB
+        xor     edx, edx
+        wrmsr
+ %endif
+
+ %if %2 != 0
+        ; Restore the host xcr0.
+        xor     ecx, ecx
         mov     rdx, [rbp + frm_uHostXcr0 + 8]
         mov     rax, [rbp + frm_uHostXcr0]
-        xsetbv                              ; ecx is already zero
-.xcr0_after_skip:
-nop
-;       POP_CALLEE_PRESERVED_REGISTERS
-;%if cbFrame != 30h
-; %error Bad cbFrame value
-;%endif
-
+        xsetbv
+ %endif
+
+        ; Epilogue (assumes we restored volatile registers above when saving the guest GPRs).
+        mov     eax, VINF_SUCCESS
         add     rsp, cbFrame - 8h
-        mov     eax, VINF_SUCCESS
         popf
         leave
         ret
+
+ %ifdef VBOX_STRICT
+        ; Precondition checks failed.
+.failure_return:
+        POP_CALLEE_PRESERVED_REGISTERS
+ %if cbFrame != 30h
+  %error Bad cbFrame value
+ %endif
+        add     rsp, cbFrame - 8h
+        popf
+        leave
+        ret
+ %endif
+
 %undef frm_uHostXcr0
 %undef frm_fNoRestoreXcr0
@@ -1274 +1311 @@
 %undef frm_HCPhysVmcbHost
 %undef cbFrame
-ENDPROC SVMR0VMRun
-
+ENDPROC RT_CONCAT(hmR0SvmVmRun,%1)
+
+%endmacro ; hmR0SvmVmRunTemplate
+
+;
+; Instantiate the hmR0SvmVmRun various variations.
+;
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_SansIbpbExit, 0, 0
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_SansIbpbExit, 1, 0
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_SansIbpbExit, 0, CPUMCTX_WSF_IBPB_ENTRY
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_SansIbpbExit, 1, CPUMCTX_WSF_IBPB_ENTRY
+hmR0SvmVmRunTemplate _SansXcr0_SansIbpbEntry_WithIbpbExit, 0, CPUMCTX_WSF_IBPB_EXIT
+hmR0SvmVmRunTemplate _WithXcr0_SansIbpbEntry_WithIbpbExit, 1, CPUMCTX_WSF_IBPB_EXIT
+hmR0SvmVmRunTemplate _SansXcr0_WithIbpbEntry_WithIbpbExit, 0, CPUMCTX_WSF_IBPB_ENTRY | CPUMCTX_WSF_IBPB_EXIT
+hmR0SvmVmRunTemplate _WithXcr0_WithIbpbEntry_WithIbpbExit, 1, CPUMCTX_WSF_IBPB_ENTRY | CPUMCTX_WSF_IBPB_EXIT
+

trunk/src/VBox/VMM/VMMR0/HMSVMR0.cpp

@@ -705 +705 @@
 
 /**
+ * Sets pfnVMRun to the best suited variant.
+ *
+ * This must be called whenever anything changes relative to the SVMR0VMRun
+ * variant selection:
+ *      - pVCpu->hm.s.fLoadSaveGuestXcr0
+ *      - CPUMCTX_WSF_IBPB_ENTRY in pVCpu->cpum.GstCtx.fWorldSwitcher
+ *      - CPUMCTX_WSF_IBPB_EXIT  in pVCpu->cpum.GstCtx.fWorldSwitcher
+ *      - CPUMIsGuestFPUStateActive() (windows only)
+ *      - CPUMCTX.fXStateMask (windows only)
+ *
+ * We currently ASSUME that neither CPUMCTX_WSF_IBPB_ENTRY nor
+ * CPUMCTX_WSF_IBPB_EXIT cannot be changed at runtime.
+ */
+static void hmR0SvmUpdateRunFunction(PVMCPUCC pVCpu)
+{
+    static const PFNHMSVMVMRUN s_apfnHmR0SvmVmRunFunctions[] =
+    {
+        hmR0SvmVmRun_SansXcr0_SansIbpbEntry_SansIbpbExit,
+        hmR0SvmVmRun_WithXcr0_SansIbpbEntry_SansIbpbExit,
+        hmR0SvmVmRun_SansXcr0_WithIbpbEntry_SansIbpbExit,
+        hmR0SvmVmRun_WithXcr0_WithIbpbEntry_SansIbpbExit,
+        hmR0SvmVmRun_SansXcr0_SansIbpbEntry_WithIbpbExit,
+        hmR0SvmVmRun_WithXcr0_SansIbpbEntry_WithIbpbExit,
+        hmR0SvmVmRun_SansXcr0_WithIbpbEntry_WithIbpbExit,
+        hmR0SvmVmRun_WithXcr0_WithIbpbEntry_WithIbpbExit,
+    };
+    uintptr_t const idx = (pVCpu->hm.s.fLoadSaveGuestXcr0                             ? 1 : 0)
+                        | (pVCpu->cpum.GstCtx.fWorldSwitcher & CPUMCTX_WSF_IBPB_ENTRY ? 2 : 0)
+                        | (pVCpu->cpum.GstCtx.fWorldSwitcher & CPUMCTX_WSF_IBPB_EXIT  ? 4 : 0);
+    PFNHMSVMVMRUN const pfnVMRun = s_apfnHmR0SvmVmRunFunctions[idx];
+    if (pVCpu->hm.s.svm.pfnVMRun != pfnVMRun)
+        pVCpu->hm.s.svm.pfnVMRun = pfnVMRun;
+}
+
+
+/**
+ * Selector FNHMSVMVMRUN implementation.
+ */
+static DECLCALLBACK(int) hmR0SvmVMRunSelector(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhysVMCB)
+{
+    hmR0SvmUpdateRunFunction(pVCpu);
+    return pVCpu->hm.s.svm.pfnVMRun(pVM, pVCpu, HCPhysVMCB);
+}
+
+
+/**
  * Does per-VM AMD-V initialization.
  *
@@ -745 +791 @@
          * We now use a single handler for both 32-bit and 64-bit guests, see @bugref{6208#c73}.
          */
-        pVCpu->hm.s.svm.pfnVMRun = SVMR0VMRun;
+        pVCpu->hm.s.svm.pfnVMRun = hmR0SvmVMRunSelector;
 
         /*
@@ -1622 +1668 @@
 
     /* Whether to save/load/restore XCR0 during world switch depends on CR4.OSXSAVE and host+guest XCR0. */
-    pVCpu->hm.s.fLoadSaveGuestXcr0 = (pCtx->cr4 & X86_CR4_OSXSAVE) && pCtx->aXcr[0] != ASMGetXcr0();
+    bool const fLoadSaveGuestXcr0 = (pCtx->cr4 & X86_CR4_OSXSAVE) && pCtx->aXcr[0] != ASMGetXcr0();
+    if (fLoadSaveGuestXcr0 != pVCpu->hm.s.fLoadSaveGuestXcr0)
+    {
+        pVCpu->hm.s.fLoadSaveGuestXcr0 = fLoadSaveGuestXcr0;
+        hmR0SvmUpdateRunFunction(pVCpu);
+    }
 
     /* Avoid intercepting CR4 reads if the guest and shadow CR4 values are identical. */
@@ -6513 +6564 @@
     {
         PCPUMCTX pCtx = &pVCpu->cpum.GstCtx;
-        pVCpu->hm.s.fLoadSaveGuestXcr0 = (pCtx->cr4 & X86_CR4_OSXSAVE) && pCtx->aXcr[0] != ASMGetXcr0();
-        Log4Func(("New XCR0=%#RX64 fLoadSaveGuestXcr0=%RTbool (cr4=%#RX64)\n", pCtx->aXcr[0], pVCpu->hm.s.fLoadSaveGuestXcr0,
-                  pCtx->cr4));
+        bool const fLoadSaveGuestXcr0 = (pCtx->cr4 & X86_CR4_OSXSAVE) && pCtx->aXcr[0] != ASMGetXcr0();
+        Log4Func(("New XCR0=%#RX64 fLoadSaveGuestXcr0=%RTbool (cr4=%#RX64)\n", pCtx->aXcr[0], fLoadSaveGuestXcr0, pCtx->cr4));
+        if (fLoadSaveGuestXcr0 != pVCpu->hm.s.fLoadSaveGuestXcr0)
+        {
+            pVCpu->hm.s.fLoadSaveGuestXcr0 = fLoadSaveGuestXcr0;
+            hmR0SvmUpdateRunFunction(pVCpu);
+        }
     }
     else if (rcStrict == VINF_IEM_RAISED_XCPT)

trunk/src/VBox/VMM/VMMR0/HMSVMR0.h

@@ -60 +60 @@
  * @param   pVCpu           The cross context virtual CPU structure.
  * @param   HCPhyspVMCB     Physical address of the VMCB.
+ *
+ * @remarks With spectre mitigations and the usual need for speed (/ micro
+ *          optimizations), we have a bunch of variations of this code depending
+ *          on a few precoditions.  In release builds, the code is entirely
+ *          without conditionals.  Debug builds have a couple of assertions that
+ *          shouldn't ever be triggered.
+ *
+ * @{
  */
-DECLASM(int) SVMR0VMRun(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_SansIbpbEntry_SansIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_SansIbpbEntry_SansIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_WithIbpbEntry_SansIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_WithIbpbEntry_SansIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_SansIbpbEntry_WithIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_SansIbpbEntry_WithIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_SansXcr0_WithIbpbEntry_WithIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+DECLASM(int) hmR0SvmVmRun_WithXcr0_WithIbpbEntry_WithIbpbExit(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB);
+/** @} */
+
 
 /**

trunk/src/VBox/VMM/include/HMInternal.h

@@ -702 +702 @@
 
 /** SVM VMRun function, see SVMR0VMRun(). */
-typedef DECLCALLBACKTYPE(int, FNHMSVMVMRUN,(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhyspVMCB));
+typedef DECLCALLBACKTYPE(int, FNHMSVMVMRUN,(PVMCC pVM, PVMCPUCC pVCpu, RTHCPHYS HCPhysVMCB));
 /** Pointer to a SVM VMRun function. */
 typedef R0PTRTYPE(FNHMSVMVMRUN *) PFNHMSVMVMRUN;