From patchwork Mon Dec 5 22:22:25 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Llu=C3=ADs_Vilanova?= X-Patchwork-Id: 129451 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [140.186.70.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id 063961007D4 for ; Tue, 6 Dec 2011 09:22:52 +1100 (EST) Received: from localhost ([::1]:34042 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RXgvu-0004lc-6e for incoming@patchwork.ozlabs.org; Mon, 05 Dec 2011 17:22:46 -0500 Received: from eggs.gnu.org ([140.186.70.92]:36263) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RXgvl-0004cr-6B for qemu-devel@nongnu.org; Mon, 05 Dec 2011 17:22:38 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1RXgvj-0000uN-LM for qemu-devel@nongnu.org; Mon, 05 Dec 2011 17:22:37 -0500 Received: from gw.ac.upc.edu ([147.83.30.3]:60653) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RXgvj-0000uE-4I for qemu-devel@nongnu.org; Mon, 05 Dec 2011 17:22:35 -0500 Received: from localhost (unknown [84.88.53.92]) by gw.ac.upc.edu (Postfix) with ESMTP id 961E76B01CA; Mon, 5 Dec 2011 23:22:33 +0100 (CET) To: qemu-devel@nongnu.org 
From: =?utf-8?b?TGx1w61z?= Vilanova Date: Mon, 05 Dec 2011 23:22:25 +0100 Message-ID: <20111205222225.31271.1747.stgit@ginnungagap.bsc.es> In-Reply-To: <20111205222208.31271.65662.stgit@ginnungagap.bsc.es> References: <20111205222208.31271.65662.stgit@ginnungagap.bsc.es> User-Agent: StGit/0.15 MIME-Version: 1.0 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 147.83.30.3 Cc: Blue Swirl , Zhi Yong Wu Subject: [Qemu-devel] [PATCH v2 1/5] backdoor: Add documentation X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Signed-off-by: Lluís Vilanova --- docs/backdoor.txt | 167 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 167 insertions(+), 0 deletions(-) create mode 100644 docs/backdoor.txt diff --git a/docs/backdoor.txt b/docs/backdoor.txt new file mode 100644 index 0000000..1c6502a --- /dev/null +++ b/docs/backdoor.txt 
@@ -0,0 +1,167 @@ += Backdoor communication channel = + +== Introduction == + +This document describes how the guest can use the backdoor communication channel +to interact with user-provided code inside QEMU. + +The backdoor provides a lightweight and guest-initiated communication channel +between code running inside the guest system and code in QEMU, including both +QEMU in 'softmmu' and 'user' modes. + +The semantics of the backdoor channel are up to the user, who must provide the +implementation of the QEMU-side callbacks used when the backdoor channel is +invoked. + +On the guest side, code can be linked against a simple library provided in QEMU +to interface with the backdoor channel. + +The features of this mechanism are: + +* Minimal setup for the guest. +* Independent of guest architecture. +* Works with 'softmmu' and 'user' mode. +* Negligible guest overhead; guest invocations of the backdoor channel does not + go through any OS abstraction, except during the setup of the communication + channel. +* Negligible host overhead; invocations of the backdoor channel are interpreted + by QEMU, while a side-channel can be used as regular memory to communicate + bulk data without any extra overhead. +* The user-provided backdoor callbacks can perform arbitrary actions on the + guest system (e.g., read or write memory, change register values, etc.). + + +== QEMU-side code == + +1. Create the "Makefile" to build the user-provided backdoor channel library: + + mkdir /tmp/my-backdoor-qemu + cat > /tmp/my-backdoor-qemu/Makefile < /tmp/my-backdoor-qemu/backdoor.c < + + + void qemu_backdoor_init(uint64_t data_size) + { + printf("+ %"PRId64"\n", data_size); + } + + void qemu_backdoor(uint64_t cmd, void *data) + { + /* Perform any endianess-wise loads to interpret the data */ + uint64_t c = tswap64(cmd); + uint64_t d = tswap64(*(uint64_t*)data); + printf("-> %"PRIx64" :: %"PRIx64"\n", c, d); + } + EOF + +3. 
Build QEMU with the backdoor feature: + + /path/to/qemu/configure --with-backdoor=/tmp/my-backdoor-qemu + + +== Guest-side code == + +1. Compile the corresponding guest-side interface library: + + make -C /path/to/qemu-build/x86_64-linux-user/backdoor/guest + +2. Create a guest application to interact with the backdoor channel through the + interface declared in "backdoor/guest/qemu-backdoor.h": + + cat > /tmp/my-backdoor-guest.c < + #include + #include + #include + #include + + + int main() + { + /* This base path is only applicable to 'user' mode */ + if (qemu_backdoor_init("/tmp/backdoor") != 0) { + fprintf(stderr, "error: qemu_backdoor_init: %s\n", strerror(errno)); + abort(); + } + + uint64_t vcmd = 0xcafe; + uint64_t vdata = 0xbabe; + + printf("size: %"PRId64"\n", qemu_backdoor_data_size()); + printf("sending cmd: 0x%"PRIx64" data: 0x%"PRIx64"\n", vcmd, vdata); + + /* Get a pointer to the beginning of the data channel */ + uint64_t * data = qemu_backdoor_data(); + + /* Write anything into the channel */ + *data = vdata; + /* Invoke the channel */ + qemu_backdoor(vcmd); + } + EOF + +3. Link the guest application against "libqemu-backdoor-guest.a": + + gcc -o /tmp/my-backdoor-guest /tmp/my-backdoor-guest.c /path/to/qemu-build/x86_64-linux-user/backdoor/guest/libqemu-backdoor-guest.a -I/path/to/qemu/backdoor/guest + + +== Running QEMU == + +If you want to use QEMU's 'softmmu' mode: + + /path/to/qemu-build/x86_64-softmmu/qemu-system-x86_64 -device backdoor + sudo /tmp/my-backdoor-guest # inside the VM + +If you want to use QEMU's 'user' mode: + + /path/to/qemu-build/x86_64-linux-user/qemu-x86_64 -backdoor /tmp/backdoor /tmp/my-backdoor-guest + + +== Implementation details == + +The backdoor channel is composed of two channels that are handled as +memory-mapped files. The data channel is used to contain arbitrary data to +communicate back and forth between the guest and QEMU. 
The control channel is +used by the guest to read the size of the data channel and to write into it to +signal that the data channel is ready to be used. + +When using the 'softmmu' mode, the backdoor communication channels are provided +as a virtual device used through MMIO. The data channel acts as regular memory +and the control channel intercepts all accesses to it to proxy them to the +user-provided backdoor library. + +When using the 'user' mode, the backdoor communication channels are provided as +regular files in the host system that the guest must 'mmap' into its address +space. The data channel acts as regular memory and the 'mmap' of the control +channel is intercepted in QEMU to establish if it's an 'mmap' for the control +channel file. If that's the case, the memory that QEMU allocates for the guest +is 'mprotect'ed to intercept all accesses to it performed by the guest and proxy +them to the user-provided backdoor library. + +Note that guest accesses to the device are automatically serialized by QEMU into +a single thread that handles the host-side backdoor callbacks. This means that +its operation is thread-safe (as long as the command is written with a single +guest instruction), and the 64 bits used to signal a backdoor command can be used +to index into different portions of the data channel so that multiple guest +processes/threads can use the backdoor channel concurrently.
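Review bot: the "Implementation details" section explains that control-channel accesses are serialized onto one QEMU thread, but it does not say that the data channel is plain guest-writable memory whose contents can change while a host-side callback is running; since the introduction states that the user-provided callbacks "can perform arbitrary actions on the guest system", the thread-safety paragraph should tell library authors to copy what they read from `data` and validate it (including any index derived from the 64-bit `cmd`) against the `data_size` passed to `qemu_backdoor_init()` before acting on it. The QEMU-side example in "QEMU-side code" would benefit from the same caveat: `uint64_t d = tswap64(*(uint64_t*)data);` reads eight bytes unconditionally, so either a `data_size >= 8` check or a sentence stating that assumption belongs next to it. Minor wording in the same hunk: "endianess-wise" should read "endianness-wise", and "guest invocations of the backdoor channel does not go through" should read "do not go through".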