
I'm currently developing my own small hypervisor which runs directly on (currently emulated) hardware and utilizes Intel VT-x. I am testing the hypervisor in the x86 Bochs emulator. However, I cannot seem to properly set the Monitor Trap Flag bit so that a VM exit occurs after the current instruction in the guest OS.

The Intel SDM does not seem to contain what I am looking for, or at the very least, it is not explained at the place I would expect it to be. My goal is to cause a VM exit after the current instruction, in case said instruction does not cause another VM exit. In my situation, I am using the MTF flag to protect a page in the Extended Page Table (EPT) after I granted access by setting the appropriate bit in the EPT entry for the corresponding GPA. However, the permission is only granted for the length of one instruction; after the instruction succeeded, the VM exit caused by the MTF should protect the page again.

Currently, my implementation causes an MTF VM exit before the instruction is even executed, meaning that right after I set the appropriate bit in the EPTE and subsequently resume the guest OS, the MTF VM exit occurs without the instruction being executed. This causes an infinite loop, since after the MTF VM exit handling the execution resumes at the same instruction, but the page is now protected again, which causes another EPT violation, etc.

I am enabling MTF in the VM-execution controls of the VMCS and my VM-entry Interruption-Information field is set as follows:

static void vmx_store_interruption_information(uint32_t intr_info)
{
    /* VM-entry interruption-information field of the current VMCS */
    vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, intr_info);
}

static void vmx_inject_mtf(struct vcpu_vmx *vmx)
{
    /* intr_info = 0x80000700: valid (bit 31) | type 7 "other event" (bits 10:8) | vector 0 */
    uint32_t intr_info = INTR_TYPE_OTHER_EVENT | INTR_INFO_VALID_MASK;

    vmx_store_interruption_information(intr_info);
}

Now, one possibility would be to simply emulate the one instruction, but this would result in a far too complicated approach by creating an opcode table for all possible instructions. Instead, I would like to cause a MTF VM exit after the instruction.

CRoemheld
  • Can you handle the first MTF vm-exit which always happens before the instruction executes, then single-step by returning from that handler? If it's like the normal TF in EFLAGS, you can single step with MTF, so it shouldn't repeatedly vm-exit before running the same instruction, should it? ([Difference between trap flag (TF) and monitor trap flag?](https://stackoverflow.com/q/14725401) says it fires when the guest is making forward progress). Anyway, then on the next VM exit, whether it's from MTF or something else, do your change and clear MTF. (I don't really know VMX, just guessing) – Peter Cordes Dec 14 '18 at 03:04

1 Answer


Don't request MTF by setting the VM entry interruption information field. Instead, set the Monitor Trap Flag, bit 27 of the Primary Processor-based VM-execution Controls.

When you set the VM entry interruption information field, it causes an MTF event /before/ the first instruction following the VM entry (exactly the behavior you are getting). The reason for this feature, I believe, is that if you set MTF (in the execution controls) and a VM exit occurs for some reason /other/ than MTF, the VMM can resume the VM and force the MTF exit immediately. Otherwise, the MTF exit would be missed because of the higher priority exit reason.

See section 25.5.2 of the SDM.

prl
  • In short, set the MTF flag and nothing else? Currently I am setting both the MTF flag to enable MTF VM exits and also the interruption information field. Without the interruption information field set, no MTF VM exit occurs. – CRoemheld Dec 14 '18 at 13:27
  • Just MTF in the processor control – abhi Dec 14 '18 at 19:17
  • I just noticed you said you’re setting MTF in the VM entry controls. MTF is in the execution controls. Perhaps that’s why you’re not getting the VM exit you expect? – prl Dec 16 '18 at 16:57
  • @prl Sorry that's a mistake in my question, I am indeed setting the bit in the VM execution controls. Thanks for pointing this out. – CRoemheld Dec 16 '18 at 22:39
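To make the answer's distinction concrete, here is an added example (not code from the question, the answer, or any real hypervisor) that models the EPT "grant for one instruction, then re-protect" scheme the asker describes. The VMCS is replaced by an assumed in-memory struct so it runs in user space; `vmcs_mock`, `vcpu_state` and the handler names are hypothetical, while the bit positions, exit reasons and the 0x80000700 encoding follow the SDM. The EPT-violation handler sets only bit 27 of the primary processor-based controls and leaves the VM-entry interruption-information field alone; the field is used only in the case the answer mentions, when the stepped instruction itself causes a different exit (CPUID here) that swallows the MTF exit, so a pending MTF exit is requested for the next VM entry.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Bit positions and exit reasons per SDM Vol. 3. */
#define CPU_BASED_MONITOR_TRAP_FLAG   (1u << 27)   /* primary proc-based VM-exec controls, bit 27 */
#define INTR_INFO_VALID_MASK          (1u << 31)
#define INTR_TYPE_OTHER_EVENT         (7u << 8)    /* type 7 with vector 0 == pending MTF exit */
#define PENDING_MTF_INTR_INFO         (INTR_INFO_VALID_MASK | INTR_TYPE_OTHER_EVENT) /* 0x80000700 */
#define EXIT_REASON_CPUID              10
#define EXIT_REASON_MONITOR_TRAP_FLAG  37
#define EXIT_REASON_EPT_VIOLATION      48

#define EPT_READ   (1ull << 0)
#define EPT_WRITE  (1ull << 1)
#define EPT_EXEC   (1ull << 2)
#define EPT_PERMS  (EPT_READ | EPT_WRITE | EPT_EXEC)

/* Hypothetical stand-in for the VMCS fields this logic touches. */
struct vmcs_mock {
    uint32_t cpu_based_vm_exec_control;
    uint32_t vm_entry_intr_info;
    uint64_t guest_rip;
};

struct vcpu_state {
    struct vmcs_mock vmcs;
    uint64_t *watched_epte;   /* EPT entry of the guarded GPA */
    uint64_t saved_perms;     /* permission bits to restore after the step */
    bool stepping;            /* an MTF-guarded step is in flight */
};

/* MTF may only be set if it is allowed-1 in IA32_VMX_PROCBASED_CTLS (high dword). */
static bool mtf_supported(uint64_t vmx_procbased_ctls_msr)
{
    return ((vmx_procbased_ctls_msr >> 32) & CPU_BASED_MONITOR_TRAP_FLAG) != 0;
}

static void vmx_set_mtf(struct vcpu_state *v, bool on)
{
    if (on)
        v->vmcs.cpu_based_vm_exec_control |= CPU_BASED_MONITOR_TRAP_FLAG;
    else
        v->vmcs.cpu_based_vm_exec_control &= ~CPU_BASED_MONITOR_TRAP_FLAG;
}

/* EPT violation on the guarded page: grant exactly the missing access and arm MTF.
   The VM-entry interruption-information field stays 0; writing 0x80000700 here would
   make the MTF exit fire before the retried instruction runs. */
static void handle_ept_violation(struct vcpu_state *v, uint64_t needed)
{
    v->saved_perms = *v->watched_epte & EPT_PERMS;
    *v->watched_epte |= needed;
    v->stepping = true;
    vmx_set_mtf(v, true);
}

/* The instruction has retired: restore the old permissions and disarm MTF. */
static void handle_mtf_exit(struct vcpu_state *v)
{
    *v->watched_epte = (*v->watched_epte & ~EPT_PERMS) | v->saved_perms;
    v->stepping = false;
    vmx_set_mtf(v, false);
    v->vmcs.vm_entry_intr_info = 0;
}

/* An exit caused by the stepped instruction itself (CPUID, emulated and skipped by the
   VMM) replaces the MTF exit that would have followed it. Request a pending MTF exit
   on re-entry so handle_mtf_exit() still runs before the next guest instruction. */
static void handle_instruction_exit(struct vcpu_state *v, uint64_t insn_len)
{
    v->vmcs.guest_rip += insn_len;
    if (v->stepping)
        v->vmcs.vm_entry_intr_info = PENDING_MTF_INTR_INFO;
}

static void handle_exit(struct vcpu_state *v, uint32_t reason, uint64_t arg)
{
    switch (reason) {
    case EXIT_REASON_EPT_VIOLATION:     handle_ept_violation(v, arg); break;
    case EXIT_REASON_MONITOR_TRAP_FLAG: handle_mtf_exit(v);           break;
    case EXIT_REASON_CPUID:             handle_instruction_exit(v, arg); break;
    default: break;
    }
}

/* Scenario 1: write to a write-protected page, one MTF-guarded step. Returns 7 if all checks pass. */
static unsigned scenario_single_step(void)
{
    uint64_t epte = 0x1000 | EPT_READ | EPT_EXEC;   /* constructed: page with write stripped */
    struct vcpu_state v; memset(&v, 0, sizeof v); v.watched_epte = &epte;
    unsigned ok = 0;
    handle_exit(&v, EXIT_REASON_EPT_VIOLATION, EPT_WRITE);
    if ((epte & EPT_WRITE) && (v.vmcs.cpu_based_vm_exec_control & CPU_BASED_MONITOR_TRAP_FLAG)
        && v.vmcs.vm_entry_intr_info == 0) ok |= 1;
    handle_exit(&v, EXIT_REASON_MONITOR_TRAP_FLAG, 0);
    if (!(epte & EPT_WRITE)) ok |= 2;
    if (!(v.vmcs.cpu_based_vm_exec_control & CPU_BASED_MONITOR_TRAP_FLAG) && !v.stepping) ok |= 4;
    return ok;
}

/* Scenario 2: fetch from an execute-protected page whose instruction is CPUID. Returns 3 if all pass. */
static unsigned scenario_pending_mtf(void)
{
    uint64_t epte = 0x2000 | EPT_READ | EPT_WRITE;  /* constructed: page with exec stripped */
    struct vcpu_state v; memset(&v, 0, sizeof v); v.watched_epte = &epte;
    unsigned ok = 0;
    handle_exit(&v, EXIT_REASON_EPT_VIOLATION, EPT_EXEC);
    handle_exit(&v, EXIT_REASON_CPUID, 2);           /* CPUID is 2 bytes; MTF exit swallowed */
    if (v.vmcs.vm_entry_intr_info == PENDING_MTF_INTR_INFO && v.vmcs.guest_rip == 2) ok |= 1;
    handle_exit(&v, EXIT_REASON_MONITOR_TRAP_FLAG, 0);   /* fires before the next instruction */
    if (!(epte & EPT_EXEC) && v.vmcs.vm_entry_intr_info == 0 && !v.stepping) ok |= 2;
    return ok;
}
```

On real hardware `vmcs_mock` writes become `VMWRITE`s of the corresponding encodings, and `mtf_supported()` should be consulted (via `RDMSR` of IA32_VMX_PROCBASED_CTLS) before the control is ever set, since `VMLAUNCH` fails with an invalid control state otherwise.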