[PATCH v10 1/8] x86/vmware: Introduce VMware hypercall API
Alexey Makhalov
alexey.makhalov at broadcom.com
Thu Jun 6 23:18:57 UTC 2024
On 6/3/24 10:58 AM, Borislav Petkov wrote:
> On Wed, May 29, 2024 at 05:44:32PM -0700, Alexey Makhalov wrote:
>> While most of the vmware_hypercall callers are executed after alternative
>> patching applied, there are small amount of hypercalls running before that.
>> Only for them we have the logic of analyzing vmware_hypercall_mode as a
>> default alternative code. And there are 2 constraints:
>> 1. vmcall/vmmcall are not supported by old ESXi/Workstation/Fusion. We have
>> to use in/out instructions. After the end of support of old hypervisors the
>> alternative can be simplified as follow:
>> ALTERNATIVE("vmcall", "vmmcall", X86_FEATURE_VMW_VMMCALL);
>> 2. SEV-ES enabled VMs should use _only_ vmcall/vmmcall as in/out
>> instructions cause faults.
>>
>> Another approach that we discussed internally was to use
>> ALTERNATIVE_2("movw %[port], %%dx; "inl (%%dx), %%eax", "vmcall",
>> X86_FEATURE_VMW_VMCALL, "vmmcall", X86_FEATURE_VMW_VMMCALL) for
>> vmware_hypercallX family of functions, _and_ to have a separate API
>> vmware_sev_hypercallX, with the silly dance without an alternative inside,
>> to be used only by early boot code, before alternative application. But,
>> it's error prone when things come to boot time related code movements or
>> rearrangements as it puts additional requirement for SEV-ES
>> understanding/testing for VMware guests.
>
> Right, so since we're exporting that alternatives_patched thing already,
> you might also try to do:
>
> if (unlikely(!alternatives_patched))
> return slow_hypercall_X_in_c();
>
> asm_inline volatile(VMWARE_HYPERCALL...
>
> where that slow_hypercall_X_in_c()* set of APIs does the checks in C.
>
> And the VMWARE_HYPERCALL thing is a lot simpler then.
>
> All in all, you'll have a lot less unreadable asm to pay attention to
> and those APIs should be all easy and readable.
>
Thanks for the idea.
I improved the condition to eliminate slow path for modules such as
vmmouse, vmwgfx.
if (unlikely(!alternatives_patched) && !__is_defined(MODULE))
return vmware_hypercall_slow(...);
It also drops the need for exporting vmware_hypercall_mode or
vmware_hypercall_slow symbols.
Will post just Patch0001 for review here before sending v11 out.
More information about the dri-devel
mailing list