From patchwork Thu Sep 29 13:47:33 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Llu=C3=ADs_Vilanova?= <vilanova@ac.upc.edu>
X-Patchwork-Id: 116953
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [140.186.70.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 53272B6F72
	for <incoming@patchwork.ozlabs.org>;
	Thu, 29 Sep 2011 23:47:57 +1000 (EST)
Received: from localhost ([::1]:60337 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)
	id 1R9Gxu-0003No-AV
	for incoming@patchwork.ozlabs.org; Thu, 29 Sep 2011 09:47:54 -0400
Received: from eggs.gnu.org ([140.186.70.92]:58661)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <vilanova@ac.upc.edu>) id 1R9Gxg-0003GQ-Iy
	for qemu-devel@nongnu.org; Thu, 29 Sep 2011 09:47:44 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <vilanova@ac.upc.edu>) id 1R9Gxa-0004AV-Le
	for qemu-devel@nongnu.org; Thu, 29 Sep 2011 09:47:40 -0400
Received: from gw.ac.upc.edu ([147.83.30.3]:50992)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <vilanova@ac.upc.edu>) id 1R9GxZ-0004AK-VS
	for qemu-devel@nongnu.org; Thu, 29 Sep 2011 09:47:34 -0400
Received: from localhost (unknown [84.88.53.92])
	by gw.ac.upc.edu (Postfix) with ESMTP id CD94F6B02C7;
	Thu, 29 Sep 2011 15:47:32 +0200 (CEST)
To: qemu-devel@nongnu.org
From: =?utf-8?b?TGx1w61z?= Vilanova <vilanova@ac.upc.edu>
Date: Thu, 29 Sep 2011 15:47:33 +0200
Message-ID: <20110929134733.19559.46294.stgit@ginnungagap.bsc.es>
In-Reply-To: <20110929134727.19559.54734.stgit@ginnungagap.bsc.es>
References: <20110929134727.19559.54734.stgit@ginnungagap.bsc.es>
User-Agent: StGit/0.15
MIME-Version: 1.0
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-Received-From: 147.83.30.3
Cc: Zhi Yong Wu <zwu.kernel@gmail.com>
Subject: [Qemu-devel] [PATCH 1/5] backdoor: Add documentation
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: </archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Signed-off-by: Lluís Vilanova <vilanova@ac.upc.edu>
---
 docs/backdoor.txt |  144 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 144 insertions(+), 0 deletions(-)
 create mode 100644 docs/backdoor.txt

diff --git a/docs/backdoor.txt b/docs/backdoor.txt
new file mode 100644
index 0000000..3b26b70
--- /dev/null
+++ b/docs/backdoor.txt
@@ -0,0 +1,144 @@
+= Backdoor communication channel =
+
+== Introduction ==
+
+This document describes how the guest can use the backdoor communication channel
+to interact with user-provided code inside QEMU.
+
+The backdoor provides a lightweight and guest-initiated communication channel
+between code running inside the guest system and code in QEMU, including both
+QEMU in 'softmmu' and 'user' modes.
+
+The semantics of the backdoor channel are up to the user, who must provide the
+implementation of the QEMU-side callbacks used when the backdoor channel is
+invoked.
+
+On the guest side, code can simply link against a simple library provided in
+QEMU to interface with the backdoor channel.
+
+The features of this mechanism are:
+
+* Minimal setup for the guest.
+* Independent of guest architecture.
+* Works with 'softmmu' and 'user' mode.
+* Low overhead; capturing memory accesses to specific addresses does not go
+  through any OS abstraction, except during the setup of the communication
+  channel.
+
+
+== QEMU-side code ==
+
+1. Create the "Makefile" to build the user-provided backdoor channel library:
+
+    mkdir /tmp/my-backdoor-qemu
+    cat > /tmp/my-backdoor-qemu/Makefile <<EOF
+    include $(BUILD_DIR)/config-host.mak
+    include $(BUILD_DIR)/$(TARGET_DIR)../config-target.mak
+    include $(SRC_PATH)/rules.mak
+    
+    vpath %.c /tmp/my-backdoor-qemu
+    
+    
+    libbackdoor.a: backdoor.o
+    
+    
+    # Include automatically generated dependency files
+    -include $(wildcard *.d)
+    EOF
+
+2. Implement the callbacks declared in "backdoor/qemu/qemu-backdoor.h":
+
+    cat > /tmp/my-backdoor-qemu/backdoor.c <<EOF
+    #include "backdoor/qemu/qemu-backdoor.h"
+    
+    #include "cpu.h"
+    
+    #include <stdio.h>
+    
+    
+    void qemu_backdoor_init(uint64_t data_size)
+    {
+        printf("+ %ld\n", data_size);
+    }
+    
+    void qemu_backdoor(uint64_t cmd, void *data)
+    {
+        /* Perform any endianess-wise loads to interpret the data */
+        uint64_t d = ldq_p(data);
+        printf("-> %x :: %x\n", cmd, *(uint64_t*)data);
+    }
+    EOF
+
+3. Build QEMU with the backdoor feature:
+
+    /path/to/qemu/configure --with-backdoor=/tmp/my-backdoor-qemu
+
+
+== Guest-side code ==
+
+1. Compile the corresponding guest-side interface library:
+
+    make -C /path/to/qemu-build/x86_64-linux-user/backdoor/guest
+
+2. Create your own application to interact with the backdoor channel:
+
+    cat > /tmp/my-backdoor-guest.c <<EOF
+    #include <stdio.h>
+    #include <errno.h>
+    #include <stdlib.h>
+    #include <qemu-backdoor.h>
+    
+    
+    int main()
+    {
+        /* This base path is only applicable to 'user' mode */
+        if (qemu_backdoor_init("/tmp/backdoor") != 0) {
+            fprintf(stderr, "error: qemu_backdoor_init: %s\n", strerror(errno));
+            abort();
+        }
+    
+        /* Get a pointer to beginning of the data channel */
+        uint32_t * data = qemu_backdoor_data();
+        /* Write anything into the channel */
+        *data = 0xcafe;
+        /* Invoke the channel */
+        qemu_backdoor(0xbabe);
+    }
+    EOF
+
+3. Link your application against "libqemu-backdoor-guest.a":
+
+    gcc -o /tmp/my-backdoor-guest /tmp/my-backdoor-guest.c /path/to/qemu-build/x86_64-linux-user/backdoor/guest/libqemu-backdoor-guest.a
+
+
+== Running QEMU ==
+
+If you want to use QEMU's 'softmmu' mode:
+
+    /path/to/qemu-build/x86_64-softmmu/qemu-system-x86_64 -device backdoor
+    sudo /tmp/my-backdoor-guest # inside the VM
+
+If you want to use QEMU's 'user' mode:
+
+    /path/to/qemu-build/x86_64-linux-user/qemu-x86_64 -backdoor /tmp/backdoor /tmp/my-backdoor-guest
+
+
+== Implementation details ==
+
+The backdoor channel is composed of two channels that are handled as 'mmap'ed
+files. The data channel is used to contain arbitrary data to communicate back
+and forth between the guest and QEMU. The control channel is used by the guest
+to signal that the data channel is ready to be used.
+
+When using the 'softmmu' mode, the backdoor communication channels are provided
+as a virtual device used through MMIO. The data channel acts as regular memory
+and the control channel intercepts all accesses to it to proxy them to the
+user-provided backdoor library.
+
+When using the 'user' mode, the backdoor communication channels are provided as
+regular files in the host system that the guest must 'mmap' into its address
+space. The data channel acts as regular memory and the 'mmap' of the control
+channel is intercepted in QEMU to establish if it's an 'mmap' for the control
+channel file. If that's the case, the memory that QEMU allocates for the guest
+is 'mprotect'ed to intercept all accesses to it performed by the guest and proxy
+them to the user-provided backdoor library.