From b301f8dd05f04b4501b44b4b698f9e65fab533a1 Mon Sep 17 00:00:00 2001
From: Alexander Potapenko
Date: Fri, 21 Nov 2025 15:34:10 +0100
Subject: executor: sys/linux: implement SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK
The new command allows mutation of AMD VMCB block with plain 64-bit writes. In addition to VM ID and VMCB offset, @nested_amd_vmcb_write_mask takes three 64-bit numbers: the set mask, the unset mask, and the flip mask. This allows to make bitwise modifications to VMCB without disturbing the execution too much. Also add sys/linux/test/amd64-syz_kvm_nested_amd_vmcb_write_mask to test the new command behavior.
---
sys/linux/dev_kvm_amd64.txt | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
(limited to 'sys/linux/dev_kvm_amd64.txt')
diff --git a/sys/linux/dev_kvm_amd64.txt b/sys/linux/dev_kvm_amd64.txt
index 29dab16e4..9d1b6fdfc 100644
--- a/sys/linux/dev_kvm_amd64.txt
+++ b/sys/linux/dev_kvm_amd64.txt
@@ -131,6 +131,21 @@ syzos_api_nested_intel_vmwrite_mask {
 flip_mask int64
 }
+# See AMD Secure Virtual Machine Architecture Reference Manual,
+# Appendix C: Layout of VMCB.
+vmcb_offset [
+ control_area int64[0x0:0xc0]
+ save_area int64[0x400:0x698]
+]
+
+syzos_api_nested_amd_vmcb_write_mask {
+ vm_id syzos_api_vm_id
+ offset vmcb_offset
+ set_mask int64
+ unset_mask int64
+ flip_mask int64
+}
+
 # IDs here must match those in executor/common_kvm_amd64_syzos.h.
 syzos_api_call$x86 [
 uexit syzos_api$x86[0, intptr]
@@ -149,6 +164,7 @@ syzos_api_call$x86 [
 nested_vmlaunch syzos_api$x86[303, syzos_api_vm_id]
 nested_vmresume syzos_api$x86[304, syzos_api_vm_id]
 nested_intel_vmwrite_mask syzos_api$x86[340, syzos_api_nested_intel_vmwrite_mask]
+ nested_amd_vmcb_write_mask syzos_api$x86[380, syzos_api_nested_amd_vmcb_write_mask]
 ] [varlen]
 kvm_text_x86 [
-- cgit mrf-deployment
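Review bot: The `vmcb_offset` bounds are inclusive while the command performs 64-bit writes, so `offset` values of 0xc0 and 0x698 write seven bytes beyond each stated upper bound (through 0xc7 and 0x69f); if straddling the area boundary is intended, say so in the comment, otherwise the ranges should end at the last 8-byte-aligned start offset of each area. The comment above `syzos_api_nested_amd_vmcb_write_mask` should also state the order in which the executor applies `set_mask`, `unset_mask` and `flip_mask`, because overlapping masks give different results depending on that order, e.g. `# Executor applies set_mask, then unset_mask, then flip_mask` (adjusted to match the implementation). Since `offset` is fuzzer-controlled, the executor should bounds-check it against the VMCB page rather than rely on this range alone; that code, where ID 380 from the second hunk must also be registered per the comment above `syzos_api_call$x86`, lives in executor/common_kvm_amd64_syzos.h and is not part of this diff, so it cannot be verified here.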