| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces SYZOS_API_NESTED_AMD_VMLOAD and
SYZOS_API_NESTED_AMD_VMSAVE.
These primitives allow the L1 guest to execute the VMLOAD and VMSAVE
instructions, which load/store additional guest state (FS, GS, TR, LDTR,
etc.) to/from the VMCB specified by the 'vm_id' argument.
This stresses the KVM L0 instruction emulator, which must validate the
L1-provided physical address in RAX and perform the state transfer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces SYZOS_API_NESTED_AMD_SET_INTERCEPT to SYZOS.
This primitive enables the fuzzer to surgically modify intercept vectors
in the AMD VMCB (Virtual Machine Control Block) Control Area.
It implements a read-modify-write operation on 32-bit VMCB offsets,
allowing the L1 hypervisor (SYZOS) to deterministically set or clear
specific intercept bits (e.g., for RDTSC, HLT, or exceptions) for the L2
guest.
This capability allows syzkaller to systematically explore KVM's nested
SVM emulation logic by toggling intercepts on and off, rather than
relying on static defaults or random memory corruption.
|
| |
|
|
|
|
|
|
| |
Enhance the debugging capabilities of C reproducers by passing the VCPU
file descriptor to the syz_kvm_assert_syzos_uexit function. With access to
the VCPU fd, the function can now dump the VCPU's register state upon
assertion failure, providing critical context for debugging guest execution
issues.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Implement SYZOS_API_NESTED_AMD_INJECT_EVENT to allow the L1 guest to
inject events (Interrupts, NMIs, Exceptions) into L2 via the VMCB EVENTINJ
field.
This primitive abstracts the VMCB bit-packing logic
(Vector, Type, Valid, Error Code) into a high-level API, enabling the fuzzer
to semantically mutate event injection parameters.
This targets KVM's nested event merging logic, specifically where L0 must
reconcile L1-injected events with Host-pending events.
|
| |
|
|
|
|
|
|
|
| |
Implement the SYZOS_API_NESTED_AMD_STGI and SYZOS_API_NESTED_AMD_CLGI
primitives to toggle the Global Interrupt Flag (GIF). These commands
execute the stgi and clgi instructions respectively and require no
arguments.
Also add a test checking that CLGI correctly masks NMI injection from L0.
|
| |
|
|
|
|
|
|
|
|
| |
Implement the SYZOS_API_NESTED_AMD_INVLPGA primitive to execute the
INVLPGA instruction in the L1 guest.
This allows the fuzzer to target KVM's Shadow MMU and Nested Paging (NPT)
logic by invalidating TLB entries for specific ASIDs.
Also add a simple syzlang seed/regression test.
|
| |
|
|
|
| |
Initial support for Intel TDX as per
https://docs.kernel.org/virt/kvm/x86/intel-tdx.html
|
| |
|
|
|
|
|
|
|
|
|
| |
According to arch/x86/include/uapi/asm/kvm.h, kvm_sev_guest_status is
defined as follows:
struct kvm_sev_guest_status {
__u32 handle;
__u32 policy;
__u32 state;
};
|
| |
|
|
|
|
|
| |
Rewrite arch-specific definitions for the nested state to match
the source and the documentation:
- https://elixir.bootlin.com/linux/latest/source/arch/x86/include/uapi/asm/kvm.h
- https://docs.kernel.org/virt/kvm/api.html#kvm-get-nested-state
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the following KVM ioctls:
- KVM_SET_GSI_ROUTING
- KVM_SET_SIGNAL_MASK
- KVM_SET_MSRS
- KVM_SET_CPUID
- KVM_SET_CPUID2
syzkaller is generating squashed blobs, which are less likely to provoke
any interesting behaviors.
Apply the no_squash attribute to these ioctls to have better understanding
of these ioctls' inputs.
|
| |
|
|
|
|
|
|
|
|
|
| |
The new command allows mutation of AMD VMCB block with plain 64-bit writes.
In addition to VM ID and VMCB offset, @nested_amd_vmcb_write_mask takes
three 64-bit numbers: the set mask, the unset mask, and the flip mask.
This allows to make bitwise modifications to VMCB without disturbing
the execution too much.
Also add sys/linux/test/amd64-syz_kvm_nested_amd_vmcb_write_mask to test the
new command behavior.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The new command allows mutation of Intel VMCS fields with the help
of vmwrite instruction.
In addition to VM ID and field ID, @nested_intel_vmwrite_mask takes
three 64-bit numbers: the set mask, the unset mask, and the flip mask.
This allows to make bitwise modifications to VMCS without disturbing
the execution too much.
Also add sys/linux/test/amd64-syz_kvm_nested_vmwrite_mask to test the
new command behavior.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide the SYZOS API command to resume L2 execution after a VM exit,
using VMRESUME on Intel and VMRUN on AMD.
For testing purpose, implement basic handling of the INVD instruction:
- enable INVD interception on AMD (set all bits in VMCB 00Ch);
- map EXIT_REASON_INVD and VMEXIT_INVD into SYZOS_NESTED_EXIT_REASON_INVD;
- advance L2 RIP to skip to the next instruction.
While at it, perform minor refactorings of L2 exit reason handling.
sys/linux/test/amd64-syz_kvm_nested_vmresume tests the new command by
executing two instructions, INVD and HLT, in the nested VM.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Provide a SYZOS API command to launch the L2 VM using the
VMLAUNCH (Intel) or VMRUN (AMD) instruction.
For testing purposes, each L2->L1 exit is followed by a guest_uexit_l2()
returning the exit code to L0. Common exit reasons (like HLT) will be
mapped into a common exit code space (0xe2e20000 | reason), so that
a single test can be used for both Intel and AMD.
Vendor-specific exit codes will be returned using the 0xe2110000 mask
for Intel and 0xe2aa0000 for AMD.
|
| |
|
|
| |
The new command loads an instruction blob into the specified L2 VM.
|
| |
|
|
|
|
|
|
| |
Now that we are using volatiles in guest_main(), there is no
particular need to base the numbers on primes (this didn't work well
with Clang anyway).
Instead, group the commands logically and leave some space between the
groups for future updates.
|
| |
|
|
|
|
| |
Provide basic setup for registers, page tables, and segments to create
Intel/AMD-based nested virtual machines.
Note that the machines do not get started yet.
|
| |
|
|
|
|
| |
Add vendor-specific code to turn on nested virtualization on Intel
and AMD. Also provide get_cpu_vendor() to pick the correct
implementation.
|
| |
|
|
|
|
|
|
|
|
| |
The new API call allows to initialize the handler with one of the
three possible values:
- NULL (should cause a page fault)
- dummy_null_handler (should call iret)
- uexit_irq_handler (should perform guest_uexit(UEXIT_IRQ))
Also add a test for uexit_irq_handler()
|
| |
|
|
|
|
|
|
|
|
| |
This ioctl accepts an arch-specific struct as an argument, so better split it
into several arch-specific ioctls.
To avoid compilation errors on exotic arches like MIPS, this patch also adds
sys/linux/dev_kvm_extra.txt that takes care of them.
While at it, also define KVM_GUESTDBG_USE_HW.
|
| |
|
|
|
|
|
|
| |
Add SYZOS calls that correspond to the IN and OUT x86 instructions
that perform port I/O.
These instructions have different variants, for now we just implement
the one that takes the port number from DX instead of encoding it in
the opcode.
|
| |
|
|
|
| |
Add a SYZOS call to write to one of the debug registers
(DR0-DR7).
|
| |
|
|
| |
Implement a pseudo-syscall to check the value of kvm_run.exit_reason
|
| |
|
|
|
|
| |
Not passing flattened arguments to syz_kvm_add_vcpu() serves two purposes:
- makes it easier to reason about the SYZOS program contents;
- prevents nonsensial mutations of them.
|
| |
|
|
|
| |
Add a SYZOS call to write to one of the system registers
(CR0, CR2, CR3, CR4, CR8).
|
| |
|
|
| |
Let SYZOS execute RDMSR and WRMSR on x86.
|
| |
|
|
|
|
| |
Like we already do on ARM, use prime numbers multiplied by 10 for
SYZOS API IDs to prevent the compiler from emitting a jump table in
guest_main().
|
| |
|
|
| |
This is a system ioctl
|
| |
|
|
|
|
|
| |
Use output parameter instead of an input one.
Use a KVM constant for array size.
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-lapic
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-xcrs
|
| |
|
|
| |
KVM_GET_MSRS can be both a system and a vcpu ioctl
|
| |
|
|
| |
Both KVM_SET_TSC_KHZ and KVM_GET_TSC_KHZ are vcpu and vm ioctls.
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-sregs2
|
| |
|
|
|
|
| |
KVM_MEMORY_ENCRYPT_UNREG_REGION
See https://docs.kernel.org/virt/kvm/api.html#kvm-memory-encrypt-reg-region
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-x86-set-msr-filter
|
| |
|
|
|
|
|
|
| |
For certain ioctls https://www.kernel.org/doc/Documentation/virt/kvm/api.txt
lists their parameters as "in/out".
Change their descriptions to reflect that.
Also define KVM_GET_MSR_FEATURE_INDEX_LIST and KVM_GET_SUPPORTED_HV_CPUID
|
| |
|
|
| |
make sev_handle a resource
|
| |
|
|
|
| |
This patch adds the necessary descriptions for KVM_MEMORY_ENCRYPT_OP
that currently is not supported.
|
| |
|
|
|
| |
Somehow syz-extract is unable to infer KVM_MAX_IRQ_ROUTES on x86,
hardcode it.
|
| |
|
|
|
| |
This commit adds support for CPUID instructions on AMD64. It also adds a
relevant test.
|
| |
|
|
|
|
| |
This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It
also updates some necessary parts of the ARM version and adds some glue
for i386.
|
| |
|
|
|
|
| |
This commit moves the various x86/amd64 ioctl descriptions and their
relevant structs/flags to the architecture-specific file and updates
the corresponding const files.
|
|
|
This commit prepares adding the X86-64 SYZOS by declaring the relevant
functions, updating their ARM64 versions and adding placeholders.
|
