executor: arm64: add SYZOS_API_MRS

Add support for the MRS instruction in a similar manner to MSR.

Author: marpom

executor/common_kvm_arm64_syzos.h

@@ -28,6 +28,7 @@ typedef enum {
 	SYZOS_API_MEMWRITE,
 	SYZOS_API_ITS_SETUP,
 	SYZOS_API_ITS_SEND_CMD,
+	SYZOS_API_MRS,
 	SYZOS_API_STOP, // Must be the last one
 } syzos_api_id;
 
@@ -41,6 +42,11 @@ struct api_call_uexit {
 	uint64 exit_code;
 };
 
+struct api_call_1 {
+	struct api_call_header header;
+	uint64 arg;
+};
+
 struct api_call_2 {
 	struct api_call_header header;
 	uint64 args[2];
@@ -89,6 +95,7 @@ struct api_call_its_send_cmd {
 
 static void guest_uexit(uint64 exit_code);
 static void guest_execute_code(uint32* insns, uint64 size);
+static void guest_handle_mrs(uint64 reg);
 static void guest_handle_msr(uint64 reg, uint64 val);
 static void guest_handle_smc(struct api_call_smccc* cmd);
 static void guest_handle_hvc(struct api_call_smccc* cmd);
@@ -128,6 +135,11 @@ guest_main(uint64 size, uint64 cpu)
 			guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
 			break;
 		}
+		case SYZOS_API_MRS: {
+			struct api_call_1* ccmd = (struct api_call_1*)cmd;
+			guest_handle_mrs(ccmd->arg);
+			break;
+		}
 		case SYZOS_API_MSR: {
 			struct api_call_2* ccmd = (struct api_call_2*)cmd;
 			guest_handle_msr(ccmd->args[0], ccmd->args[1]);
@@ -180,6 +192,7 @@ GUEST_CODE static noinline void guest_uexit(uint64 exit_code)
 }
 
 #define MSR_REG_OPCODE 0xd5100000
+#define MRS_REG_OPCODE 0xd5300000
 
 // Generate an `MSR register, x0` instruction based on the register ID.
 // Luckily for us, the five operands, Op0, Op1, CRn, CRm, and Op2 are laid out sequentially in
@@ -191,6 +204,12 @@ GUEST_CODE static uint32 reg_to_msr(uint64 reg)
 	return MSR_REG_OPCODE | ((reg & 0xffff) << 5);
 }
 
+// Generate an `MRS register, x0` instruction based on the register ID.
+GUEST_CODE static uint32 reg_to_mrs(uint64 reg)
+{
+	return MRS_REG_OPCODE | ((reg & 0xffff) << 5);
+}
+
 // Host sets TPIDR_EL1 to contain the virtual CPU id.
 GUEST_CODE static uint32 get_cpu_id()
 {
@@ -203,6 +222,23 @@ GUEST_CODE static uint32 get_cpu_id()
 // Some ARM chips use 128-byte cache lines. Pick 256 to be on the safe side.
 #define MAX_CACHE_LINE_SIZE 256
 
+// Read the value from a system register using an MRS instruction.
+GUEST_CODE static noinline void
+guest_handle_mrs(uint64 reg)
+{
+	uint32 mrs = reg_to_mrs(reg);
+	uint32 cpu_id = get_cpu_id();
+	// Make sure CPUs use different cache lines for scratch code.
+	uint32* insn = (uint32*)((uint64)ARM64_ADDR_SCRATCH_CODE + cpu_id * MAX_CACHE_LINE_SIZE);
+	insn[0] = mrs;
+	insn[1] = 0xd65f03c0; // RET
+	// Make a call to the generated MSR instruction and clobber x0.
+	asm("blr %[pc]\n"
+	    :
+	    : [pc] "r"(insn)
+	    : "x0", "x30");
+}
+
 // Write value to a system register using an MSR instruction.
 // The word "MSR" here has nothing to do with the x86 MSR registers.
 GUEST_CODE static noinline void

sys/linux/dev_kvm_arm64.txt

@@ -100,6 +100,10 @@ syzos_api_code {
 	ret	const[0xd65f03c0, int32]
 } [packed]
 
+syzos_api_mrs {
+	arg_reg	flags[kvm_regs_arm64_sys, int64]
+}
+
 syzos_api_msr {
 	arg_reg		flags[kvm_regs_arm64_sys, int64]
 	arg_value	int64
@@ -207,4 +211,5 @@ syzos_api_call [
 	memwrite	syzos_api[6, syzos_api_memwrite]
 	its_setup	syzos_api[7, syzos_api_its_setup]
 	its_send_cmd	syzos_api[8, syzos_api_its_send_cmd]
+	mrs		syzos_api[9, syzos_api_mrs]
 ] [varlen]

sys/linux/test/arm64-syz_kvm_setup_syzos_vm-enable-pmu-mrs

@@ -0,0 +1,25 @@
+#
+# requires: arch=arm64 -threaded
+#
+r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
+r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
+r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
+#
+# 0x603000000013df40 is PMEVCNTR0_EL0, write to it will trigger access_pmu_evcntr() in arch/arm64/kvm/sys_regs.c
+# This is done to illustrate that PMU is accessible.
+# 0x8 corresponds to the KVM_ARM_VCPU_PMU_V3 feature bit and is required to enable PMU.
+#
+r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@mrs={AUTO, AUTO, {0x603000000013df40}}], AUTO}, &AUTO=[@featur1={0x1, 0x8}], 0x1)
+#
+# Call ioctl(KVM_SET_DEVICE_ATTR) with group=KVM_ARM_VCPU_PMU_V3_CTRL and attr=KVM_ARM_VCPU_PMU_V3_INIT,
+# as per https://www.kernel.org/doc/Documentation/virt/kvm/devices/vcpu.rst.
+#
+ioctl$KVM_SET_DEVICE_ATTR_vcpu(r3, AUTO, &AUTO=@attr_pmu_init)
+
+r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
+#
+# Run till the end of guest_main(). 0xffffffffffffffff is UEXIT_END.
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0xffffffffffffffff)

…/arm64-syz_kvm_setup_syzos_vm-enable-pmu …64-syz_kvm_setup_syzos_vm-enable-pmu-msrsys/linux/test/arm64-syz_kvm_setup_syzos_vm-enable-pmu renamed to sys/linux/test/arm64-syz_kvm_setup_syzos_vm-enable-pmu-msr sys/linux/test/arm64-syz_kvm_setup_syzos_vm-enable-pmu renamed to sys/linux/test/arm64-syz_kvm_setup_syzos_vm-enable-pmu-msr

@@ -0,0 +1,17 @@
+#
+# requires: arch=arm64 -threaded
+#
+r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
+r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
+r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
+#
+# 0x6030000000138010 is MDCCINT_EL1.
+#
+r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@mrs={AUTO, AUTO, {0x6030000000138010}}], AUTO}, 0x0, 0x0)
+r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
+
+# Run till the end of guest_main(). 0xffffffffffffffff is UEXIT_END.
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0xffffffffffffffff)