[v2,1/5] backdoor: Add documentation

Message ID 20111205222225.31271.1747.stgit@ginnungagap.bsc.es
State New

Commit Message

Lluís Vilanova Dec. 5, 2011, 10:22 p.m. UTC
Signed-off-by: Lluís Vilanova <vilanova@ac.upc.edu>
---
 docs/backdoor.txt |  167 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 167 insertions(+), 0 deletions(-)
 create mode 100644 docs/backdoor.txt

Comments

Peter Maydell Dec. 6, 2011, 10:36 p.m. UTC | #1
2011/12/5 Lluís Vilanova <vilanova@ac.upc.edu>:
> +3. Build QEMU with the backdoor feature:
> +
> +    /path/to/qemu/configure --with-backdoor=/tmp/my-backdoor-qemu

If we want to do this wouldn't it make more sense to do it
by having qemu dynamically load a plugin DLL with a specified
ABI rather than having to compile the specific backdoor
handler into qemu proper?

-- PMM
Anthony Liguori Dec. 6, 2011, 10:50 p.m. UTC | #2
On 12/05/2011 04:22 PM, Lluís Vilanova wrote:
> Signed-off-by: Lluís Vilanova<vilanova@ac.upc.edu>
> ---
>   docs/backdoor.txt |  167 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>   1 files changed, 167 insertions(+), 0 deletions(-)
>   create mode 100644 docs/backdoor.txt
>
> diff --git a/docs/backdoor.txt b/docs/backdoor.txt
> new file mode 100644
> index 0000000..1c6502a
> --- /dev/null
> +++ b/docs/backdoor.txt
> @@ -0,0 +1,167 @@
> += Backdoor communication channel =
> +
> +== Introduction ==
> +
> +This document describes how the guest can use the backdoor communication channel
> +to interact with user-provided code inside QEMU.
> +
> +The backdoor provides a lightweight and guest-initiated communication channel
> +between code running inside the guest system and code in QEMU, including both
> +QEMU in 'softmmu' and 'user' modes.
> +
> +The semantics of the backdoor channel are up to the user, who must provide the
> +implementation of the QEMU-side callbacks used when the backdoor channel is
> +invoked.
> +
> +On the guest side, code can be linked against a simple library provided in QEMU
> +to interface with the backdoor channel.
> +
> +The features of this mechanism are:
> +
> +* Minimal setup for the guest.
> +* Independent of guest architecture.
> +* Works with 'softmmu' and 'user' mode.
> +* Negligible guest overhead; guest invocations of the backdoor channel does not
> +  go through any OS abstraction, except during the setup of the communication
> +  channel.
> +* Negligible host overhead; invocations of the backdoor channel are interpreted
> +  by QEMU, while a side-channel can be used as regular memory to communicate
> +  bulk data without any extra overhead.
> +* The user-provided backdoor callbacks can perform arbitrary actions on the
> +  guest system (e.g., read or write memory, change register values, etc.).
> +
> +
> +== QEMU-side code ==
> +
> +1. Create the "Makefile" to build the user-provided backdoor channel library:
> +
> +    mkdir /tmp/my-backdoor-qemu
> +    cat>  /tmp/my-backdoor-qemu/Makefile<<EOF
> +    include $(BUILD_DIR)/config-host.mak
> +    include $(BUILD_DIR)/$(TARGET_DIR)../config-target.mak
> +    include $(SRC_PATH)/rules.mak
> +
> +    vpath %.c /tmp/my-backdoor-qemu
> +
> +
> +    libbackdoor.a: backdoor.o
> +
> +
> +    # Include automatically generated dependency files
> +    -include $(wildcard *.d)
> +    EOF
> +
> +2. Implement the callbacks declared in "backdoor/qemu/qemu-backdoor.h":
> +
> +    cat>  /tmp/my-backdoor-qemu/backdoor.c<<EOF
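Review bot: the Makefile heredoc in step 1 of "QEMU-side code" uses an unquoted delimiter (`cat > /tmp/my-backdoor-qemu/Makefile <<EOF`), so the shell runs command substitution on `$(BUILD_DIR)`, `$(TARGET_DIR)`, `$(SRC_PATH)` and `$(wildcard *.d)` before make ever sees them, and the file that lands on disk contains empty strings (plus "command not found" noise on the terminal) instead of the make variables. Quote the delimiter (`<<'EOF'`) or escape each `$` so the `include` lines and the `-include $(wildcard *.d)` rule survive verbatim; the same fix applies to the `backdoor.c` heredoc in step 2 if it ever grows a `$` or backtick.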

Oh, I didn't see this.

Major Nack on this.  This is not reasonable at all to do.  We're not sneaking in 
an ad-hoc plugin interface here.

Regards,

Anthony Liguori
Anthony Liguori Dec. 6, 2011, 10:51 p.m. UTC | #3
On 12/06/2011 04:36 PM, Peter Maydell wrote:
> 2011/12/5 Lluís Vilanova<vilanova@ac.upc.edu>:
>> +3. Build QEMU with the backdoor feature:
>> +
>> +    /path/to/qemu/configure --with-backdoor=/tmp/my-backdoor-qemu
>
> If we want to do this wouldn't it make more sense to do it
> by having qemu dynamically load a plugin DLL with a specified
> ABI rather than having to compile the specific backdoor
> handler into qemu proper?

No way.  If you want to implement a custom device, then send a proper patch. 
We're not adding hooks to let people add random things like this.

Regards,

Anthony Liguori

>
> -- PMM
>

Patch

diff --git a/docs/backdoor.txt b/docs/backdoor.txt
new file mode 100644
index 0000000..1c6502a
--- /dev/null
+++ b/docs/backdoor.txt
@@ -0,0 +1,167 @@ 
+= Backdoor communication channel =
+
+== Introduction ==
+
+This document describes how the guest can use the backdoor communication channel
+to interact with user-provided code inside QEMU.
+
+The backdoor provides a lightweight and guest-initiated communication channel
+between code running inside the guest system and code in QEMU, including both
+QEMU in 'softmmu' and 'user' modes.
+
+The semantics of the backdoor channel are up to the user, who must provide the
+implementation of the QEMU-side callbacks used when the backdoor channel is
+invoked.
+
+On the guest side, code can be linked against a simple library provided in QEMU
+to interface with the backdoor channel.
+
+The features of this mechanism are:
+
+* Minimal setup for the guest.
+* Independent of guest architecture.
+* Works with 'softmmu' and 'user' mode.
+* Negligible guest overhead; guest invocations of the backdoor channel does not
+  go through any OS abstraction, except during the setup of the communication
+  channel.
+* Negligible host overhead; invocations of the backdoor channel are interpreted
+  by QEMU, while a side-channel can be used as regular memory to communicate
+  bulk data without any extra overhead.
+* The user-provided backdoor callbacks can perform arbitrary actions on the
+  guest system (e.g., read or write memory, change register values, etc.).
+
+
+== QEMU-side code ==
+
+1. Create the "Makefile" to build the user-provided backdoor channel library:
+
+    mkdir /tmp/my-backdoor-qemu
+    cat > /tmp/my-backdoor-qemu/Makefile <<EOF
+    include $(BUILD_DIR)/config-host.mak
+    include $(BUILD_DIR)/$(TARGET_DIR)../config-target.mak
+    include $(SRC_PATH)/rules.mak
+    
+    vpath %.c /tmp/my-backdoor-qemu
+    
+    
+    libbackdoor.a: backdoor.o
+    
+    
+    # Include automatically generated dependency files
+    -include $(wildcard *.d)
+    EOF
+
+2. Implement the callbacks declared in "backdoor/qemu/qemu-backdoor.h":
+
+    cat > /tmp/my-backdoor-qemu/backdoor.c <<EOF
+    #include "backdoor/qemu/qemu-backdoor.h"
+    
+    #include "cpu.h"
+    
+    #include <stdio.h>
+    
+    
+    void qemu_backdoor_init(uint64_t data_size)
+    {
+        printf("+ %"PRId64"\n", data_size);
+    }
+    
+    void qemu_backdoor(uint64_t cmd, void *data)
+    {
+        /* Perform any endianess-wise loads to interpret the data */
+        uint64_t c = tswap64(cmd);
+        uint64_t d = tswap64(*(uint64_t*)data);
+        printf("-> %"PRIx64" :: %"PRIx64"\n", c, d);
+    }
+    EOF
+
+3. Build QEMU with the backdoor feature:
+
+    /path/to/qemu/configure --with-backdoor=/tmp/my-backdoor-qemu
+
+
+== Guest-side code ==
+
+1. Compile the corresponding guest-side interface library:
+
+    make -C /path/to/qemu-build/x86_64-linux-user/backdoor/guest
+
+2. Create a guest application to interact with the backdoor channel through the
+   interface declared in "backdoor/guest/qemu-backdoor.h":
+
+    cat > /tmp/my-backdoor-guest.c <<EOF
+    #include <stdio.h>
+    #include <errno.h>
+    #include <stdlib.h>
+    #include <string.h>
+    #include <qemu-backdoor.h>
+    
+    
+    int main()
+    {
+        /* This base path is only applicable to 'user' mode */
+        if (qemu_backdoor_init("/tmp/backdoor") != 0) {
+            fprintf(stderr, "error: qemu_backdoor_init: %s\n", strerror(errno));
+            abort();
+        }
+    
+        uint64_t vcmd  = 0xcafe;
+        uint64_t vdata = 0xbabe;
+    
+        printf("size: %"PRId64"\n", qemu_backdoor_data_size());
+        printf("sending cmd: 0x%"PRIx64" data: 0x%"PRIx64"\n", vcmd, vdata);
+    
+        /* Get a pointer to the beginning of the data channel */
+        uint64_t * data = qemu_backdoor_data();
+     
+        /* Write anything into the channel */
+        *data = vdata;
+        /* Invoke the channel */
+        qemu_backdoor(vcmd);
+    }
+    EOF
+
+3. Link the guest application against "libqemu-backdoor-guest.a":
+
+    gcc -o /tmp/my-backdoor-guest /tmp/my-backdoor-guest.c /path/to/qemu-build/x86_64-linux-user/backdoor/guest/libqemu-backdoor-guest.a -I/path/to/qemu/backdoor/guest
+
+
+== Running QEMU ==
+
+If you want to use QEMU's 'softmmu' mode:
+
+    /path/to/qemu-build/x86_64-softmmu/qemu-system-x86_64 -device backdoor
+    sudo /tmp/my-backdoor-guest # inside the VM
+
+If you want to use QEMU's 'user' mode:
+
+    /path/to/qemu-build/x86_64-linux-user/qemu-x86_64 -backdoor /tmp/backdoor /tmp/my-backdoor-guest
+
+
+== Implementation details ==
+
+The backdoor channel is composed of two channels that are handled as
+memory-mapped files. The data channel is used to contain arbitrary data to
+communicate back and forth between the guest and QEMU. The control channel is
+used by the guest to read the size of the data channel and to write into it to
+signal that the data channel is ready to be used.
+
+When using the 'softmmu' mode, the backdoor communication channels are provided
+as a virtual device used through MMIO. The data channel acts as regular memory
+and the control channel intercepts all accesses to it to proxy them to the
+user-provided backdoor library.
+
+When using the 'user' mode, the backdoor communication channels are provided as
+regular files in the host system that the guest must 'mmap' into its address
+space. The data channel acts as regular memory and the 'mmap' of the control
+channel is intercepted in QEMU to establish if it's an 'mmap' for the control
+channel file. If that's the case, the memory that QEMU allocates for the guest
+is 'mprotect'ed to intercept all accesses to it performed by the guest and proxy
+them to the user-provided backdoor library.
+
+Note that guest accesses to the device are automatically serialized by QEMU into
+a single thread that handles the host-side backdoor callbacks. This means that
+its operation is thread-safe (as long as the command is written with a single
+guest instruction), and the 64 bits used to signal a backdoor command can be used
+to index into different portions of the data channel so that multiple guest
+processes/threads can use the backdoor channel concurrently.
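Review bot: the sample `qemu_backdoor` callback in step 2 of "QEMU-side code" dereferences `*(uint64_t*)data` without consulting the `data_size` it was handed in `qemu_backdoor_init`, and the guest program in step 2 of "Guest-side code" writes `*data = vdata` without checking `qemu_backdoor_data_size()` or the return of `qemu_backdoor_data()` either; since the introduction promises that these callbacks "can perform arbitrary actions on the guest system" and the data channel is filled by guest code, the worked example should show the host side validating the channel size and the command value before acting on guest-supplied bytes, and the guest side checking the size before writing. Two smaller points in the same hunk: the guest example uses `uint64_t`, `PRId64` and `PRIx64` but includes neither `<stdint.h>` nor `<inttypes.h>` (it only works if `qemu-backdoor.h` happens to pull them in), and the closing paragraph's "thread-safe (as long as the command is written with a single guest instruction)" sits uneasily beside the "Independent of guest architecture" bullet, because a 32-bit guest cannot store 64 bits in one instruction; say which guests actually get the atomicity guarantee. Also "endianess" in the callback comment should read "endianness".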