feat(opentmk): opentmk framework with first testcase #1210
Conversation
feat: opentmk init feat: opentmk init feat: opentmk init feat: opentmk init feat: opentmk init feat: opentmk init feat: init 1 feat: init 2 feat: init 1 feat: opentmk feat: opentmk init 3 feat: opentmk init 4 feat: opentmk init 4
mayank-microsoft
force-pushed
the
target-opentmk
branch
from
c3f74c0 to
056bf7d
Compare
Cargo.toml
Outdated
| @@ -42,6 +42,7 @@ members = [ | |||
| "vm/loader/igvmfilegen", | |||
| "vm/vmgs/vmgs_lib", | |||
| "vm/vmgs/vmgstool", | |||
| "opentmk" | |||
There was a problem hiding this comment.
We can probably start a new 'category' of members here for tmk-related crates. I'm assuming we'll have more in the future.
Cargo.toml
Outdated
| @@ -525,6 +526,7 @@ xshell-macros = "0.2" | |||
| # We add the derive feature here since the vast majority of our crates use it. | |||
| #zerocopy = { version = "0.7.32", features = ["derive"]} | |||
| zerocopy = { version = "0.8.14", features = ["derive"]} | |||
| linked_list_allocator = "0.10.5" | |||
| @@ -22,7 +22,7 @@ pub fn create_gpt_efi_disk(out_img: &Path, with_files: &[(&Path, &Path)]) -> Res | |||
| )); | |||
| } | |||
|
|
|||
| let disk_size = 1024 * 1024 * 32; // 32MB disk should be enough for our tests | |||
| let disk_size = 1024 * 1024 * 512; // 32MB disk should be enough for our tests | |||
There was a problem hiding this comment.
the image size of the compiled application goes beyond 300MB, So we had to increase the disk size.
There was a problem hiding this comment.
Should probably make it a parameter then, so that guest-test-uefi doesn't also get bigger.
opentmk/README.md
Outdated
| @@ -0,0 +1,3 @@ | |||
| # `guest_test_uefi` | |||
|
|
|||
| See the guide for more info on how to build/run the code in this crate. | |||
There was a problem hiding this comment.
I'll make the changes.
opentmk/build_deploy.sh
Outdated
| @@ -0,0 +1,3 @@ | |||
| RUST_BACKTRACE=1 cargo build -p opentmk --target x86_64-unknown-uefi | |||
| cargo xtask guest-test uefi --bootx64 ./target/x86_64-unknown-uefi/debug/opentmk.efi | |||
There was a problem hiding this comment.
This is fine for v0, but eventually we'll probably want to port this and guest-test-uefi construction to an xflowey process.
There was a problem hiding this comment.
I'll remove this in this PR and add the xflowey changes in a follow up PR.
opentmk/build_deploy.sh
Outdated
| @@ -0,0 +1,3 @@ | |||
| RUST_BACKTRACE=1 cargo build -p opentmk --target x86_64-unknown-uefi | |||
| cargo xtask guest-test uefi --bootx64 ./target/x86_64-unknown-uefi/debug/opentmk.efi | |||
| qemu-img convert -f raw -O vhdx ./target/x86_64-unknown-uefi/debug/opentmk.img ~/projects/opentmk.vhdx | |||
There was a problem hiding this comment.
We probably should try to use a fixed vhd1 instead of vhdx, because I think that will be more portable (i.e. will work in hyper-v and openvmm on both windows and linux)
There was a problem hiding this comment.
Right. I think thats the plan I will work on it with the xflowey changes.
opentmk/Cargo.toml
Outdated
| edition.workspace = true | ||
| rust-version.workspace = true | ||
|
|
||
| [dependencies] |
There was a problem hiding this comment.
nit: sort and switch to dotted syntax for crates that don't need features. Also move all crates to be workspaced.
There was a problem hiding this comment.
@smalis-msft There is one issue where I want to use the serde package with default features off as I want to use a no_std env. Should I disable the feature in workspace?
opentmk/src/main.rs
Outdated
| @@ -0,0 +1,27 @@ | |||
| // Copyright (c) Microsoft Corporation. | |||
| // Licensed under the MIT License. | |||
| #![allow(warnings)] | |||
There was a problem hiding this comment.
This will need to go away eventually
There was a problem hiding this comment.
got it. We don't have any warnings, I will remove this.
opentmk/src/main.rs
Outdated
| #![allow(warnings)] | ||
| #![no_std] | ||
| #![allow(unsafe_code)] | ||
| #![feature(naked_functions)] |
There was a problem hiding this comment.
Is it not possible to do what we're doing wihtout these features? We've been able to stick to stable for everything else so far.
There was a problem hiding this comment.
we either need naked functions or the x86 interrupt abi feature.
There was a problem hiding this comment.
Looks like naked functions will be stabilized in 1.88 rust-lang/rust#134213, but we'll have to leave that functionality disabled or commented out until then.
opentmk/src/main.rs
Outdated
| #![feature(concat_idents)] | ||
|
|
||
| #![doc = include_str!("../README.md")] | ||
| // HACK: workaround for building guest_test_uefi as part of the workspace in CI. |
There was a problem hiding this comment.
Not guest_test_uefi anymore, applies throughout
opentmk/src/slog.rs
Outdated
| @@ -0,0 +1,242 @@ | |||
| #![feature(panic_location)] | |||
| #[no_std] | |||
There was a problem hiding this comment.
Could all this be done as a tracing or log backend instead? That'd provide us a lot of the definitions here for free without having to define it all ourselves.
There was a problem hiding this comment.
I wanted a find control on the structure of the logs as they have to be handled by the test harness, I will see if we can have some way to achieve both of them together.
opentmk/src/sync.rs
Outdated
| /// An unbounded channel implementation with priority send capability. | ||
| /// This implementation works in no_std environments using spin-rs. | ||
| /// It uses a VecDeque as the underlying buffer and ensures non-blocking operations. | ||
| pub struct Channel<T> { |
There was a problem hiding this comment.
Is there a crate out there that provides this sort of functionality? If not then this should move to its own crate in support/
There was a problem hiding this comment.
I would prefer to keep this as an internal module for now and move them to a crate in a follow up once we have more confidence on the APIs stability.
There was a problem hiding this comment.
Things in support don't need to be stable, we break them all the time. They're solely for our internal use.
opentmk/src/slog.rs
Outdated
| pub static mut SERIAL: Serial<InstrIoAccess> = Serial::new(InstrIoAccess {}); | ||
|
|
||
| #[macro_export] | ||
| macro_rules! tmk_assert { |
There was a problem hiding this comment.
This feels like we're combining two very separate concepts: how to format our output, and how to send that output. They should probably be separated into layers. That could also allow us to someday have multiple different formatters and multiple different output backends and mix n match them if need be.
There was a problem hiding this comment.
The slog was supposed to do structuring using the serial device, but I get your point. The APIs can be more cleanly separated.
opentmk/src/uefi/init.rs
Outdated
|
|
||
| let os_loader_indications_result = uefi::runtime::get_variable( | ||
| os_loader_indications_key, | ||
| &uefi::runtime::VariableVendor(guid!("610b9e98-c6f6-47f8-8b47-2d2da0d52a91")), |
There was a problem hiding this comment.
Move the guid to a const to avoid repetition
opentmk/src/uefi/init.rs
Outdated
| ) | ||
| .expect("Failed to get OsLoaderIndications"); | ||
|
|
||
| let _ = unsafe { exit_boot_services(MemoryType::BOOT_SERVICES_DATA) }; |
There was a problem hiding this comment.
We dont use the memory map returned by the exit_boot_services
There was a problem hiding this comment.
I see, ok then in that case we should add a comment and/or a name to this var like _uefi_memory_map
opentmk/src/uefi/hypvctx.rs
Outdated
| } | ||
|
|
||
| /// Implementation of the `TestCtxTrait` for the `HvTestCtx` structure, providing | ||
| /// various methods to manage and interact with virtual processors (VPs) and |
There was a problem hiding this comment.
All of this documentation is great, but it should move to the trait definition and individual methods.
There was a problem hiding this comment.
Makes sense. I'll do that
opentmk/src/uefi/alloc.rs
Outdated
| pub unsafe fn init(&self, size: usize) -> bool { | ||
| let pages = ((SIZE_1MB * size) / 4096) + 1; | ||
| let size = pages * 4096; | ||
| let mem: Result<core::ptr::NonNull<u8>, uefi::Error> = boot::allocate_pages(AllocateType::AnyPages, MemoryType::BOOT_SERVICES_DATA, pages); |
There was a problem hiding this comment.
Why the two different allocators?
There was a problem hiding this comment.
this is there to handler cases where we need to do the allocation before we exit boot services. After exit boot services we cant depend on the uefi allocator and we need to switch.
There was a problem hiding this comment.
I see. Is there some way we can make this cleaner? Like funadamentally splitting up these two allocators and switching between them at a higher level?
| criticallog, infolog, sync::{self, Mutex}, tmk_assert, uefi::context::{TestCtxTrait, VpExecutor} | ||
| }; | ||
|
|
||
| pub fn exec(ctx: &mut dyn TestCtxTrait) { |
There was a problem hiding this comment.
All this is suuuuuper cool.
opentmk/src/uefi/tests/mod.rs
Outdated
| pub mod hv_processor; | ||
| pub mod hv_misc; | ||
|
|
||
| pub fn run_test() { |
There was a problem hiding this comment.
I think what we'll want here is some sort of type definition for a Test that has a string name and other niceties. Then we can have an array of Tests and decide what tests to run and how at runtime.
There was a problem hiding this comment.
Right the v1 plan is to have a config file which we can read using uefi APIs. The config can define the test to run.
|
|
||
| let vtl = ctx.get_current_vtl(); | ||
| infolog!("vtl: {:?}", vtl); | ||
| tmk_assert!(vtl == Vtl::Vtl1, format!("vtl should be Vtl0 for VP {}", i)); |
| // Testing VTL0 | ||
| { | ||
| let (mut tx, mut rx) = crate::sync::Channel::new().split(); | ||
| ctx.start_on_vp(VpExecutor::new(i, Vtl::Vtl0).command( |
There was a problem hiding this comment.
What would happen if these blocks were switched? i.e. if we tried to run on vtl0 on these other vps before vtl1?
There was a problem hiding this comment.
The current underlying implementation lights up VTL1 either way. To simplify the execution.
opentmk/src/uefi/hypvctx.rs
Outdated
| /// | ||
| /// - `start_on_vp(&mut self, cmd: VpExecutor)`: | ||
| /// Starts a virtual processor (VP) on a specified VTL. Handles enabling VTLs, | ||
| /// switching between high and low VTLs, and managing VP execution contexts. |
There was a problem hiding this comment.
Add docs for what happens to a vp after the cmd finishes?
There was a problem hiding this comment.
right, so every VP is like an executor engine which receives the commands to run if the command is for a different vp it switches to the other VTL and reruns the command in a new context. there is a busy loop waiting for commands on every VP.
opentmk/src/uefi/hypvctx.rs
Outdated
| /// switching between high and low VTLs, and managing VP execution contexts. | ||
| /// | ||
| /// - `queue_command_vp(&mut self, cmd: VpExecutor)`: | ||
| /// Queues a command for a specific VP and VTL. |
There was a problem hiding this comment.
Add docs for how the queue is drained, and what happens if someone calls start_on_vp for the same vp/vtl combo
opentmk/src/uefi/hypvctx.rs
Outdated
| /// - `queue_command_vp(&mut self, cmd: VpExecutor)`: | ||
| /// Queues a command for a specific VP and VTL. | ||
| /// | ||
| /// - `switch_to_high_vtl(&mut self)`: |
There was a problem hiding this comment.
Should this and switch_to_low_vtl just combine into a single switch_to_vtl?
opentmk/src/uefi/hypvctx.rs
Outdated
| /// Switches the current execution context to a low VTL. | ||
| /// | ||
| /// - `setup_partition_vtl(&mut self, vtl: Vtl)`: | ||
| /// Configures the partition to enable a specified VTL. |
There was a problem hiding this comment.
Add docs for what will happen if this is not called
opentmk/src/uefi/hypvctx.rs
Outdated
| /// - `start_running_vp_with_default_context(&mut self, cmd: VpExecutor)`: | ||
| /// Starts a VP with the default execution context. | ||
| /// | ||
| /// - `set_default_ctx_to_vp(&mut self, vp_index: u32, vtl: Vtl)`: | ||
| /// Sets the default execution context for a specified VP and VTL. | ||
| /// | ||
| /// - `enable_vp_vtl_with_default_context(&mut self, vp_index: u32, vtl: Vtl)`: | ||
| /// Enables a VTL for a specified VP using the default execution context. |
There was a problem hiding this comment.
What is a default context, and how are these different from the above start_on_vp and the like?
There was a problem hiding this comment.
the default context is basically setting register context for a VP (basically setting the rip to a default value, where the code receives commands to run on the vp/vtl), while start on VP sets the context and schedules a command to start running on a vp.
There was a problem hiding this comment.
Sounds good, document it all
opentmk/src/uefi/hypvctx.rs
Outdated
| /// - `enable_vp_vtl_with_default_context(&mut self, vp_index: u32, vtl: Vtl)`: | ||
| /// Enables a VTL for a specified VP using the default execution context. | ||
| /// | ||
| /// - `set_interupt_idx(&mut self, interrupt_idx: u8, handler: fn())`: |
There was a problem hiding this comment.
What happens if this is called before setup_interrupt_handler?
There was a problem hiding this comment.
If setup is not called this is like a no op, the default handlers will be called as defined in the IDT by the UEFI.
There was a problem hiding this comment.
Fair enough, that should be documented.
opentmk/src/uefi/hypvctx.rs
Outdated
| /// Enables a VTL for a specified VP using the default execution context. | ||
| /// | ||
| /// - `set_interupt_idx(&mut self, interrupt_idx: u8, handler: fn())`: | ||
| /// Sets an interrupt handler for a specified interrupt index. (x86_64 only) |
There was a problem hiding this comment.
If a function is only implemented for a certain architecture, you can add a #[cfg] to it in the trait definition so it only exists on that architecture.
There was a problem hiding this comment.
I'll work on making this change.
opentmk/src/uefi/hypvctx.rs
Outdated
| /// - `get_vp_count(&self) -> u32`: | ||
| /// Retrieves the number of virtual processors available on the system. | ||
| /// | ||
| /// - `get_register(&mut self, reg: u32) -> u128`: |
There was a problem hiding this comment.
This needs a better type than u32 for the register id.
There was a problem hiding this comment.
You are right, we probably need our own enum to create an abstraction to be platform independent. Maybe we can make it happen in V1?
There was a problem hiding this comment.
Check out x86defs and see if anything in there would work.
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
|
|
||
| /// Writes a synthehtic register to tell the hypervisor the OS ID for the boot shim. |
There was a problem hiding this comment.
| /// Writes a synthehtic register to tell the hypervisor the OS ID for the boot shim. | |
| /// Writes a synthetic register to tell the hypervisor the OS ID for the boot shim. |
opentmk/src/slog.rs
Outdated
| @@ -0,0 +1,242 @@ | |||
| #![feature(panic_location)] | |||
There was a problem hiding this comment.
Does "slog" refer to serial log? It's sort of an unfortunate file name.
There was a problem hiding this comment.
Yeah. I am working on it. Steven suggested to abstract the module into two layers on how we log and the structure of the log.
opentmk/src/uefi/hypvctx.rs
Outdated
|
|
||
| const ALIGNMENT: usize = 4096; | ||
|
|
||
| type ComandTable = |
There was a problem hiding this comment.
| type ComandTable = | |
| type CommandTable = |
opentmk/src/uefi/context.rs
Outdated
| pub trait TestCtxTrait { | ||
| fn get_vp_count(&self) -> u32; | ||
| fn get_current_vp(&self) -> u32; | ||
| fn get_current_vtl(&self) -> Vtl; |
There was a problem hiding this comment.
Is this (and similar methods, like switching VTLs) for the current VP?
There was a problem hiding this comment.
Similar questions for get_register, etc
There was a problem hiding this comment.
yes. these APIs are for current VP. (I'll add more documentation to explicitly call that out)
opentmk/src/uefi/context.rs
Outdated
|
|
||
| fn setup_partition_vtl(&mut self, vtl: Vtl); | ||
| fn setup_interrupt_handler(&mut self); | ||
| fn set_interupt_idx(&mut self, interrupt_idx: u8, handler: fn()); |
There was a problem hiding this comment.
| fn set_interupt_idx(&mut self, interrupt_idx: u8, handler: fn()); | |
| fn set_interrupt_idx(&mut self, interrupt_idx: u8, handler: fn()); |
opentmk/src/uefi/hypvctx.rs
Outdated
| .get_mut(&vp_index) | ||
| .unwrap() | ||
| .push_back((cmd, vtl)); | ||
| if vp_index == self.my_vp_idx && self.hvcall.vtl != vtl { |
There was a problem hiding this comment.
Does vtl refer to the VTL you want the current VP to be on, or the VTL you want the target vp to run the command on?
There was a problem hiding this comment.
This VTL switch is for a case where we schedule a cmd on the current VP. The current context will switch to the target VTL on current VP and execute the command. The command is expected to return to initial VTL by calling HvCall/HvReturn.
opentmk/src/uefi/hypercall.rs
Outdated
|
|
||
| let header = hvdef::hypercall::ModifyVtlProtectionMask { | ||
| partition_id: hvdef::HV_PARTITION_ID_SELF, | ||
| map_flags: hvdef::HV_MAP_GPA_PERMISSIONS_NONE, |
There was a problem hiding this comment.
You could make this an input parameter? And then other functions like apply_vtl2_protections could build on top of it.
There was a problem hiding this comment.
Makes sense, I'll work o abstracting this more.
| extern "x86-interrupt" fn no_op(stack_frame: InterruptStackFrame) {} | ||
|
|
||
| pub fn register_interrupt_handler(idt: &mut InterruptDescriptorTable) { | ||
| register_interrupt_handler!(idt, 0, handler_0); |
There was a problem hiding this comment.
Some of these are architectural (and might also be in x86 defs), it might be nice to include the actual name for them.
| let vtl = ctx.get_current_vtl(); | ||
| infolog!("vtl: {:?}", vtl); | ||
| tmk_assert!(vtl == Vtl::Vtl1, format!("vtl should be Vtl0 for VP {}", i)); | ||
| tx.send(()); |
There was a problem hiding this comment.
Eventually would be nice to check that the register state is what we expect, but that might be difficult if execution keeps going.
There was a problem hiding this comment.
Which registers would we want to assert? We can probably think of how we can do it.
There was a problem hiding this comment.
A lot of them, eventually. We need to make sure that we correctly get this shared/private split correct, to the extent that we can:
opentmk/src/uefi/tests/hv_misc.rs
Outdated
| val != 0xAA, | ||
| "heap memory should not be accessible from vtl0" |
There was a problem hiding this comment.
Seems like we could eventually use the interrupt handler that you set on 0x30 to check that we did get a memory intercept?
(Pretty cool to all this in action though :))
No description provided.