; VMM - World Switchers, 32Bit to AMD64. ; ; ; Copyright (C) 2006-2012 Oracle Corporation ; ; This file is part of VirtualBox Open Source Edition (OSE), as ; available from http://www.virtualbox.org. This file is free software; ; you can redistribute it and/or modify it under the terms of the GNU ; General Public License (GPL) as published by the Free Software ; Foundation, in version 2 as it comes in the "COPYING" file of the ; VirtualBox OSE distribution. VirtualBox OSE is distributed in the ; hope that it will be useful, but WITHOUT ANY WARRANTY of any kind. ; ;%define DEBUG_STUFF 1 ;%define STRICT_IF 1 ;******************************************************************************* ;* Defined Constants And Macros * ;******************************************************************************* ;******************************************************************************* ;* Header Files * ;******************************************************************************* %include "VBox/asmdefs.mac" %include "VBox/apic.mac" %include "iprt/x86.mac" %include "VBox/vmm/cpum.mac" %include "VBox/vmm/stam.mac" %include "VBox/vmm/vm.mac" %include "CPUMInternal.mac" %include "VMMSwitcher.mac" ; ; Start the fixup records ; We collect the fixups in the .data section as we go along ; It is therefore VITAL that no-one is using the .data section ; for anything else between 'Start' and 'End'. ; BEGINDATA GLOBALNAME Fixups BEGINCODE GLOBALNAME Start BITS 32 ;; ; The C interface. ; @param [esp + 04h] Param 1 - VM handle ; @param [esp + 08h] Param 2 - VMCPU offset ; BEGINPROC vmmR0ToRawMode %ifdef DEBUG_STUFF COM32_S_NEWLINE COM32_S_CHAR '^' %endif %ifdef VBOX_WITH_STATISTICS ; ; Switcher stats. ; FIXUP FIX_HC_VM_OFF, 1, VM.StatSwitcherToGC mov edx, 0ffffffffh STAM_PROFILE_ADV_START edx %endif push ebp mov ebp, [esp + 12] ; VMCPU offset ; turn off interrupts pushf cli ; ; Call worker. ; FIXUP FIX_HC_CPUM_OFF, 1, 0 mov edx, 0ffffffffh push cs ; allow for far return and restore cs correctly. call NAME(vmmR0ToRawModeAsm) %ifdef VBOX_WITH_VMMR0_DISABLE_LAPIC_NMI CPUM_FROM_CPUMCPU(edx) ; Restore blocked Local APIC NMI vectors mov ecx, [edx + CPUM.fApicDisVectors] mov edx, [edx + CPUM.pvApicBase] shr ecx, 1 jnc gth_nolint0 and dword [edx + APIC_REG_LVT_LINT0], ~APIC_REG_LVT_MASKED gth_nolint0: shr ecx, 1 jnc gth_nolint1 and dword [edx + APIC_REG_LVT_LINT1], ~APIC_REG_LVT_MASKED gth_nolint1: shr ecx, 1 jnc gth_nopc and dword [edx + APIC_REG_LVT_PC], ~APIC_REG_LVT_MASKED gth_nopc: shr ecx, 1 jnc gth_notherm and dword [edx + APIC_REG_LVT_THMR], ~APIC_REG_LVT_MASKED gth_notherm: %endif ; restore original flags popf pop ebp %ifdef VBOX_WITH_STATISTICS ; ; Switcher stats. ; FIXUP FIX_HC_VM_OFF, 1, VM.StatSwitcherToHC mov edx, 0ffffffffh STAM_PROFILE_ADV_STOP edx %endif ret ENDPROC vmmR0ToRawMode ; ***************************************************************************** ; vmmR0ToRawModeAsm ; ; Phase one of the switch from host to guest context (host MMU context) ; ; INPUT: ; - edx virtual address of CPUM structure (valid in host context) ; - ebp offset of the CPUMCPU structure ; ; USES/DESTROYS: ; - eax, ecx, edx, esi ; ; ASSUMPTION: ; - current CS and DS selectors are wide open ; ; ***************************************************************************** ALIGNCODE(16) BEGINPROC vmmR0ToRawModeAsm ;; ;; Save CPU host context ;; Skip eax, edx and ecx as these are not preserved over calls. ;; CPUMCPU_FROM_CPUM_WITH_OFFSET edx, ebp %ifdef VBOX_WITH_CRASHDUMP_MAGIC ; phys address of scratch page mov eax, dword [edx + CPUMCPU.Guest.dr + 4*8] mov cr2, eax mov dword [edx + CPUMCPU.Guest.dr + 4*8], 1 %endif ; general registers. mov [edx + CPUMCPU.Host.ebx], ebx mov [edx + CPUMCPU.Host.edi], edi mov [edx + CPUMCPU.Host.esi], esi mov [edx + CPUMCPU.Host.esp], esp mov [edx + CPUMCPU.Host.ebp], ebp ; selectors. mov [edx + CPUMCPU.Host.ds], ds mov [edx + CPUMCPU.Host.es], es mov [edx + CPUMCPU.Host.fs], fs mov [edx + CPUMCPU.Host.gs], gs mov [edx + CPUMCPU.Host.ss], ss ; special registers. sldt [edx + CPUMCPU.Host.ldtr] sidt [edx + CPUMCPU.Host.idtr] sgdt [edx + CPUMCPU.Host.gdtr] str [edx + CPUMCPU.Host.tr] %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov dword [edx + CPUMCPU.Guest.dr + 4*8], 2 %endif %ifdef VBOX_WITH_VMMR0_DISABLE_LAPIC_NMI CPUM_FROM_CPUMCPU_WITH_OFFSET edx, ebp mov ebx, [edx + CPUM.pvApicBase] or ebx, ebx jz htg_noapic mov eax, [ebx + APIC_REG_LVT_LINT0] mov ecx, eax and ecx, (APIC_REG_LVT_MASKED | APIC_REG_LVT_MODE_MASK) cmp ecx, APIC_REG_LVT_MODE_NMI jne htg_nolint0 or edi, 0x01 or eax, APIC_REG_LVT_MASKED mov [ebx + APIC_REG_LVT_LINT0], eax mov eax, [ebx + APIC_REG_LVT_LINT0] ; write completion htg_nolint0: mov eax, [ebx + APIC_REG_LVT_LINT1] mov ecx, eax and ecx, (APIC_REG_LVT_MASKED | APIC_REG_LVT_MODE_MASK) cmp ecx, APIC_REG_LVT_MODE_NMI jne htg_nolint1 or edi, 0x02 or eax, APIC_REG_LVT_MASKED mov [ebx + APIC_REG_LVT_LINT1], eax mov eax, [ebx + APIC_REG_LVT_LINT1] ; write completion htg_nolint1: mov eax, [ebx + APIC_REG_LVT_PC] mov ecx, eax and ecx, (APIC_REG_LVT_MASKED | APIC_REG_LVT_MODE_MASK) cmp ecx, APIC_REG_LVT_MODE_NMI jne htg_nopc or edi, 0x04 or eax, APIC_REG_LVT_MASKED mov [ebx + APIC_REG_LVT_PC], eax mov eax, [ebx + APIC_REG_LVT_PC] ; write completion htg_nopc: mov eax, [ebx + APIC_REG_VERSION] shr eax, 16 cmp al, 5 jb htg_notherm mov eax, [ebx + APIC_REG_LVT_THMR] mov ecx, eax and ecx, (APIC_REG_LVT_MASKED | APIC_REG_LVT_MODE_MASK) cmp ecx, APIC_REG_LVT_MODE_NMI jne htg_notherm or edi, 0x08 or eax, APIC_REG_LVT_MASKED mov [ebx + APIC_REG_LVT_THMR], eax mov eax, [ebx + APIC_REG_LVT_THMR] ; write completion htg_notherm: mov [edx + CPUM.fApicDisVectors], edi htg_noapic: CPUMCPU_FROM_CPUM_WITH_OFFSET edx, ebp %endif ; control registers. mov eax, cr0 mov [edx + CPUMCPU.Host.cr0], eax ;Skip cr2; assume host os don't stuff things in cr2. (safe) mov eax, cr3 mov [edx + CPUMCPU.Host.cr3], eax mov eax, cr4 mov [edx + CPUMCPU.Host.cr4], eax ; save the host EFER msr mov ebx, edx mov ecx, MSR_K6_EFER rdmsr mov [ebx + CPUMCPU.Host.efer], eax mov [ebx + CPUMCPU.Host.efer + 4], edx mov edx, ebx %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov dword [edx + CPUMCPU.Guest.dr + 4*8], 3 %endif ; Load new gdt so we can do a far jump after going into 64 bits mode lgdt [edx + CPUMCPU.Hyper.gdtr] %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov dword [edx + CPUMCPU.Guest.dr + 4*8], 4 %endif ;; ;; Load Intermediate memory context. ;; FIXUP SWITCHER_FIX_INTER_CR3_HC, 1 mov eax, 0ffffffffh mov cr3, eax DEBUG_CHAR('?') ;; ;; Jump to identity mapped location ;; FIXUP FIX_HC_2_ID_NEAR_REL, 1, NAME(IDEnterTarget) - NAME(Start) jmp near NAME(IDEnterTarget) ; We're now on identity mapped pages! ALIGNCODE(16) GLOBALNAME IDEnterTarget DEBUG_CHAR('2') ; 1. Disable paging. mov ebx, cr0 and ebx, ~X86_CR0_PG mov cr0, ebx DEBUG_CHAR('2') %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov eax, cr2 mov dword [eax], 3 %endif ; 2. Enable PAE. mov ecx, cr4 or ecx, X86_CR4_PAE mov cr4, ecx ; 3. Load long mode intermediate CR3. FIXUP FIX_INTER_AMD64_CR3, 1 mov ecx, 0ffffffffh mov cr3, ecx DEBUG_CHAR('3') %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov eax, cr2 mov dword [eax], 4 %endif ; 4. Enable long mode. mov esi, edx mov ecx, MSR_K6_EFER rdmsr FIXUP FIX_EFER_OR_MASK, 1 or eax, 0ffffffffh and eax, ~(MSR_K6_EFER_FFXSR) ; turn off fast fxsave/fxrstor (skipping xmm regs) wrmsr mov edx, esi DEBUG_CHAR('4') %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov eax, cr2 mov dword [eax], 5 %endif ; 5. Enable paging. or ebx, X86_CR0_PG ; Disable ring 0 write protection too and ebx, ~X86_CR0_WRITE_PROTECT mov cr0, ebx DEBUG_CHAR('5') ; Jump from compatibility mode to 64-bit mode. FIXUP FIX_ID_FAR32_TO_64BIT_MODE, 1, NAME(IDEnter64Mode) - NAME(Start) jmp 0ffffh:0fffffffeh ; ; We're in 64-bit mode (ds, ss, es, fs, gs are all bogus). BITS 64 ALIGNCODE(16) NAME(IDEnter64Mode): DEBUG_CHAR('6') jmp [NAME(pICEnterTarget) wrt rip] ; 64-bit jump target NAME(pICEnterTarget): FIXUP FIX_HC_64BIT_NOCHECK, 0, NAME(ICEnterTarget) - NAME(Start) dq 0ffffffffffffffffh ; 64-bit pCpum address. NAME(pCpumIC): FIXUP FIX_GC_64_BIT_CPUM_OFF, 0, 0 dq 0ffffffffffffffffh %ifdef VBOX_WITH_CRASHDUMP_MAGIC NAME(pMarker): db 'Switch_marker' %endif ; ; When we arrive here we're in 64 bits mode in the intermediate context ; ALIGNCODE(16) GLOBALNAME ICEnterTarget ; Load CPUM pointer into rdx mov rdx, [NAME(pCpumIC) wrt rip] CPUMCPU_FROM_CPUM_WITH_OFFSET edx, ebp mov rax, cs mov ds, rax mov es, rax ; Invalidate fs & gs mov rax, 0 mov fs, rax mov gs, rax %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov dword [rdx + CPUMCPU.Guest.dr + 4*8], 5 %endif ; Setup stack. DEBUG_CHAR('7') mov rsp, 0 mov eax, [rdx + CPUMCPU.Hyper.ss.Sel] mov ss, ax mov esp, [rdx + CPUMCPU.Hyper.esp] %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov dword [rdx + CPUMCPU.Guest.dr + 4*8], 6 %endif ; load the hypervisor function address mov r9, [rdx + CPUMCPU.Hyper.eip] ; Check if we need to restore the guest FPU state mov esi, [rdx + CPUMCPU.fUseFlags] ; esi == use flags. test esi, CPUM_SYNC_FPU_STATE jz near gth_fpu_no %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov dword [rdx + CPUMCPU.Guest.dr + 4*8], 7 %endif mov rax, cr0 mov rcx, rax ; save old CR0 and rax, ~(X86_CR0_TS | X86_CR0_EM) mov cr0, rax fxrstor [rdx + CPUMCPU.Guest.fpu] mov cr0, rcx ; and restore old CR0 again and dword [rdx + CPUMCPU.fUseFlags], ~CPUM_SYNC_FPU_STATE gth_fpu_no: ; Check if we need to restore the guest debug state test esi, CPUM_SYNC_DEBUG_STATE jz near gth_debug_no %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov dword [rdx + CPUMCPU.Guest.dr + 4*8], 8 %endif mov rax, qword [rdx + CPUMCPU.Guest.dr + 0*8] mov dr0, rax mov rax, qword [rdx + CPUMCPU.Guest.dr + 1*8] mov dr1, rax mov rax, qword [rdx + CPUMCPU.Guest.dr + 2*8] mov dr2, rax mov rax, qword [rdx + CPUMCPU.Guest.dr + 3*8] mov dr3, rax mov rax, qword [rdx + CPUMCPU.Guest.dr + 6*8] mov dr6, rax ; not required for AMD-V and dword [rdx + CPUMCPU.fUseFlags], ~CPUM_SYNC_DEBUG_STATE gth_debug_no: %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov dword [rdx + CPUMCPU.Guest.dr + 4*8], 9 %endif ; parameter for all helper functions (pCtx) lea rsi, [rdx + CPUMCPU.Guest.fpu] call r9 ; Load CPUM pointer into rdx mov rdx, [NAME(pCpumIC) wrt rip] CPUMCPU_FROM_CPUM_WITH_OFFSET edx, ebp %ifdef VBOX_WITH_CRASHDUMP_MAGIC mov dword [rdx + CPUMCPU.Guest.dr + 4*8], 10 %endif ; Save the return code mov dword [rdx + CPUMCPU.u32RetCode], eax ; now let's switch back jmp NAME(vmmRCToHostAsm) ; rax = returncode. ENDPROC vmmR0ToRawModeAsm ;; ; Trampoline for doing a call when starting the hyper visor execution. ; ; Push any arguments to the routine. ; Push the argument frame size (cArg * 4). ; Push the call target (_cdecl convention). ; Push the address of this routine. ; ; BITS 64 ALIGNCODE(16) BEGINPROC vmmRCCallTrampoline %ifdef DEBUG_STUFF COM64_S_CHAR 'c' COM64_S_CHAR 't' COM64_S_CHAR '!' %endif int3 ENDPROC vmmRCCallTrampoline ;; ; The C interface. ; BITS 64 ALIGNCODE(16) BEGINPROC vmmRCToHost %ifdef DEBUG_STUFF push rsi COM_NEWLINE DEBUG_CHAR('b') DEBUG_CHAR('a') DEBUG_CHAR('c') DEBUG_CHAR('k') DEBUG_CHAR('!') COM_NEWLINE pop rsi %endif int3 ENDPROC vmmRCToHost ;; ; vmmRCToHostAsm ; ; This is an alternative entry point which we'll be using ; when the we have saved the guest state already or we haven't ; been messing with the guest at all. ; ; @param eax Return code. ; @uses eax, edx, ecx (or it may use them in the future) ; BITS 64 ALIGNCODE(16) BEGINPROC vmmRCToHostAsm NAME(vmmRCToHostAsmNoReturn): ;; We're still in the intermediate memory context! ;; ;; Switch to compatibility mode, placing ourselves in identity mapped code. ;; jmp far [NAME(fpIDEnterTarget) wrt rip] ; 16:32 Pointer to IDEnterTarget. NAME(fpIDEnterTarget): FIXUP FIX_ID_32BIT, 0, NAME(IDExitTarget) - NAME(Start) dd 0 FIXUP FIX_HYPER_CS, 0 dd 0 ; We're now on identity mapped pages! ALIGNCODE(16) GLOBALNAME IDExitTarget BITS 32 DEBUG_CHAR('1') ; 1. Deactivate long mode by turning off paging. mov ebx, cr0 and ebx, ~X86_CR0_PG mov cr0, ebx DEBUG_CHAR('2') ; 2. Load intermediate page table. FIXUP SWITCHER_FIX_INTER_CR3_HC, 1 mov edx, 0ffffffffh mov cr3, edx DEBUG_CHAR('3') ; 3. Disable long mode. mov ecx, MSR_K6_EFER rdmsr DEBUG_CHAR('5') and eax, ~(MSR_K6_EFER_LME) wrmsr DEBUG_CHAR('6') %ifndef NEED_PAE_ON_HOST ; 3b. Disable PAE. mov eax, cr4 and eax, ~X86_CR4_PAE mov cr4, eax DEBUG_CHAR('7') %endif ; 4. Enable paging. or ebx, X86_CR0_PG mov cr0, ebx jmp short just_a_jump just_a_jump: DEBUG_CHAR('8') ;; ;; 5. Jump to guest code mapping of the code and load the Hypervisor CS. ;; FIXUP FIX_ID_2_HC_NEAR_REL, 1, NAME(ICExitTarget) - NAME(Start) jmp near NAME(ICExitTarget) ;; ;; When we arrive at this label we're at the ;; intermediate mapping of the switching code. ;; BITS 32 ALIGNCODE(16) GLOBALNAME ICExitTarget DEBUG_CHAR('8') ; load the hypervisor data selector into ds & es FIXUP FIX_HYPER_DS, 1 mov eax, 0ffffh mov ds, eax mov es, eax FIXUP FIX_GC_CPUM_OFF, 1, 0 mov edx, 0ffffffffh CPUMCPU_FROM_CPUM_WITH_OFFSET edx, ebp mov esi, [edx + CPUMCPU.Host.cr3] mov cr3, esi ;; now we're in host memory context, let's restore regs FIXUP FIX_HC_CPUM_OFF, 1, 0 mov edx, 0ffffffffh CPUMCPU_FROM_CPUM_WITH_OFFSET edx, ebp ; restore the host EFER mov ebx, edx mov ecx, MSR_K6_EFER mov eax, [ebx + CPUMCPU.Host.efer] mov edx, [ebx + CPUMCPU.Host.efer + 4] wrmsr mov edx, ebx ; activate host gdt and idt lgdt [edx + CPUMCPU.Host.gdtr] DEBUG_CHAR('0') lidt [edx + CPUMCPU.Host.idtr] DEBUG_CHAR('1') ; Restore TSS selector; must mark it as not busy before using ltr (!) ; ASSUME that this is supposed to be 'BUSY'. (saves 20-30 ticks on the T42p) movzx eax, word [edx + CPUMCPU.Host.tr] ; eax <- TR and al, 0F8h ; mask away TI and RPL bits, get descriptor offset. add eax, [edx + CPUMCPU.Host.gdtr + 2] ; eax <- GDTR.address + descriptor offset. and dword [eax + 4], ~0200h ; clear busy flag (2nd type2 bit) ltr word [edx + CPUMCPU.Host.tr] ; activate ldt DEBUG_CHAR('2') lldt [edx + CPUMCPU.Host.ldtr] ; Restore segment registers mov eax, [edx + CPUMCPU.Host.ds] mov ds, eax mov eax, [edx + CPUMCPU.Host.es] mov es, eax mov eax, [edx + CPUMCPU.Host.fs] mov fs, eax mov eax, [edx + CPUMCPU.Host.gs] mov gs, eax ; restore stack lss esp, [edx + CPUMCPU.Host.esp] ; Control registers. mov ecx, [edx + CPUMCPU.Host.cr4] mov cr4, ecx mov ecx, [edx + CPUMCPU.Host.cr0] mov cr0, ecx ;mov ecx, [edx + CPUMCPU.Host.cr2] ; assumes this is waste of time. ;mov cr2, ecx ; restore general registers. mov edi, [edx + CPUMCPU.Host.edi] mov esi, [edx + CPUMCPU.Host.esi] mov ebx, [edx + CPUMCPU.Host.ebx] mov ebp, [edx + CPUMCPU.Host.ebp] ; store the return code in eax mov eax, [edx + CPUMCPU.u32RetCode] retf ENDPROC vmmRCToHostAsm GLOBALNAME End ; ; The description string (in the text section). ; NAME(Description): db SWITCHER_DESCRIPTION db 0 extern NAME(Relocate) ; ; End the fixup records. ; BEGINDATA db FIX_THE_END ; final entry. GLOBALNAME FixupsEnd ;; ; The switcher definition structure. ALIGNDATA(16) GLOBALNAME Def istruc VMMSWITCHERDEF at VMMSWITCHERDEF.pvCode, RTCCPTR_DEF NAME(Start) at VMMSWITCHERDEF.pvFixups, RTCCPTR_DEF NAME(Fixups) at VMMSWITCHERDEF.pszDesc, RTCCPTR_DEF NAME(Description) at VMMSWITCHERDEF.pfnRelocate, RTCCPTR_DEF NAME(Relocate) at VMMSWITCHERDEF.enmType, dd SWITCHER_TYPE at VMMSWITCHERDEF.cbCode, dd NAME(End) - NAME(Start) at VMMSWITCHERDEF.offR0ToRawMode, dd NAME(vmmR0ToRawMode) - NAME(Start) at VMMSWITCHERDEF.offRCToHost, dd NAME(vmmRCToHost) - NAME(Start) at VMMSWITCHERDEF.offRCCallTrampoline, dd NAME(vmmRCCallTrampoline) - NAME(Start) at VMMSWITCHERDEF.offRCToHostAsm, dd NAME(vmmRCToHostAsm) - NAME(Start) at VMMSWITCHERDEF.offRCToHostAsmNoReturn, dd NAME(vmmRCToHostAsmNoReturn) - NAME(Start) ; disasm help at VMMSWITCHERDEF.offHCCode0, dd 0 at VMMSWITCHERDEF.cbHCCode0, dd NAME(IDEnterTarget) - NAME(Start) at VMMSWITCHERDEF.offHCCode1, dd NAME(ICExitTarget) - NAME(Start) at VMMSWITCHERDEF.cbHCCode1, dd NAME(End) - NAME(ICExitTarget) at VMMSWITCHERDEF.offIDCode0, dd NAME(IDEnterTarget) - NAME(Start) at VMMSWITCHERDEF.cbIDCode0, dd NAME(ICEnterTarget) - NAME(IDEnterTarget) at VMMSWITCHERDEF.offIDCode1, dd NAME(IDExitTarget) - NAME(Start) at VMMSWITCHERDEF.cbIDCode1, dd NAME(ICExitTarget) - NAME(Start) at VMMSWITCHERDEF.offGCCode, dd 0 at VMMSWITCHERDEF.cbGCCode, dd 0 iend