x86: add PVM (Pagetable-based Virtual Machine) hypervisor support

Francesco Lavra · Francesco Lavra · commit 478b8825bd6e · 2025-05-22T16:01:28.000+02:00
This hypervisor runs the guest code natively without needing hardware VM acceleration. https://lwn.net/Articles/963718/ The code of the patched Linux kernel that implements PVM is at https://github.com/virt-pvm/linux, and the hypervisor specification is at https://github.com/virt-pvm/linux/blob/pvm/Documentation/virt/kvm/x86/pvm-spec.rst.
diff --git a/platform/pc/Makefile b/platform/pc/Makefile
@@ -126,6 +126,8 @@ SRCS-kernel.elf= \
 	$(SRCDIR)/x86_64/kernel_machine.c \
 	$(SRCDIR)/x86_64/mp.c \
 	$(SRCDIR)/x86_64/page.c \
+	$(SRCDIR)/x86_64/pvm.c \
+	$(SRCDIR)/x86_64/pvm_asm.s \
 	$(SRCDIR)/x86_64/rtc.c \
 	$(SRCDIR)/x86_64/serial.c \
 	$(SRCDIR)/x86_64/synth.c \
@@ -231,7 +233,10 @@ endif
 		$(AWK) 'BEGIN{getline l < "$(PLATFORMDIR)/test-libs"}/TEST-LIBS/{gsub("TEST-LIBS",l)}/ARCH_DIR/{gsub("ARCH_DIR","$(PLATFORMOBJDIR)")}1' $(ROOTDIR)/test/runtime/$(TARGET).manifest | \
 		$(MKFS) $(TARGET_ROOT_OPT) -b $(BOOTIMG) $(MKFS_UEFI) -k $(KERNEL) -t "(debug_exit:t)" $(TRACELOG_MKFS_OPTS) $(EXTRA_MKFS_OPTS) $(IMAGE)
 
-$(OBJDIR)/src/$(ARCH)/crt0.o: $(OBJDIR)/frame.inc
+$(OBJDIR)/src/$(ARCH)/crt0.o \
+$(OBJDIR)/src/$(ARCH)/pvm_asm.o \
+$(OBJDIR)/src/$(ARCH)/frtace.o \
+: $(OBJDIR)/frame.inc
 
 $(OBJDIR)/frame.inc: $(ARCHDIR)/frame.h
 	$(call cmd,sed)
diff --git a/platform/pc/service.c b/platform/pc/service.c
@@ -19,6 +19,7 @@
 #include <xen_platform.h>
 #include <virtio/virtio.h>
 #include <vmware/vmware.h>
+#include "pvm.h"
 #include "serial.h"
 
 #define BOOT_PARAM_OFFSET_E820_ENTRIES  0x01E8
@@ -398,7 +399,12 @@ void init_service(u64 rdi, u64 rsi, hvm_start_info start_info)
     serial_init();
     early_init_debug("init_service");
 
-    pv_ops.cpuid = x86_cpuid;
+    if (pvm_detect()) {
+        kvmem.r = pvm_get_addr_range();
+        pv_ops.cpuid = pvm_cpuid;
+    } else {
+        pv_ops.cpuid = x86_cpuid;
+    }
     if (do_setup_initmap)
         setup_initmap();
     find_initial_pages();
@@ -413,7 +419,10 @@ void init_service(u64 rdi, u64 rsi, hvm_start_info start_info)
     u64 offset_cpuid = u64_from_pointer(pv_ops.cpuid) + kas_kern_offset - kernel_phys_offset;
     pv_ops.cpuid = pointer_from_u64(offset_cpuid);
 
-    pv_ops.frame_return = x86_frame_return;
+    if (pvm_detected)
+        pv_ops.frame_return = pvm_frame_return;
+    else
+        pv_ops.frame_return = x86_frame_return;
     init_kernel_heaps();
     if (cmdline)
         create_region(u64_from_pointer(cmdline), cmdline_size, REGION_CMDLINE);
@@ -454,6 +463,8 @@ extern boolean init_tsc_timer(kernel_heaps kh);
 
 void detect_hypervisor(kernel_heaps kh)
 {
+    if (pvm_detected)
+        pvm_setup(kh);
     if (!kvm_detect(kh)) {
         init_debug("probing for Xen hypervisor");
         if (!xen_detect(kh)) {
diff --git a/src/x86_64/interrupt.c b/src/x86_64/interrupt.c
@@ -12,7 +12,6 @@
 #define int_debug(x, ...)
 #endif
 
-#define INTERRUPT_VECTOR_START 32 /* end of exceptions; defined by architecture */
 #define MAX_INTERRUPT_VECTORS  256 /* as defined by architecture; we may have less */
 
 typedef struct inthandler {
diff --git a/src/x86_64/kernel_machine.h b/src/x86_64/kernel_machine.h
@@ -240,25 +240,30 @@ static inline void xgetbv(u32 ecx, u32 *eax, u32 *edx)
 }
 
 #ifdef KERNEL
+#include "pvm.h"
+
 void cmdline_consume(sstring opt_name, cmdline_handler h);
 void boot_params_apply(tuple t);
 
 /* syscall entry */
 
-static inline void set_syscall_handler(void *syscall_entry)
-{
-    write_msr(LSTAR_MSR, u64_from_pointer(syscall_entry));
-    u32 selectors = ((USER_CODE32_SELECTOR | 0x3) << 16) | KERNEL_CODE_SELECTOR;
-    write_msr(STAR_MSR, (u64)selectors << 32);
-    write_msr(SFMASK_MSR, U64_FROM_BIT(EFLAG_INTERRUPT) | U64_FROM_BIT(EFLAG_TRAP));
-    write_msr(EFER_MSR, read_msr(EFER_MSR) | EFER_SCE);
-}
-
 extern void syscall_enter(void);
 
 static inline void init_syscall_handler()
 {
-    set_syscall_handler(syscall_enter);
+    void *syscall_entry;
+    if (pvm_detected) {
+        /* Do not set the STAR MSR, because PVM does not allow setting the user-mode selector to a
+         * different value than the value used on Linux. */
+        syscall_entry = pvm_syscall_entry;
+    } else {
+        u32 selectors = ((USER_CODE32_SELECTOR | 0x3) << 16) | KERNEL_CODE_SELECTOR;
+        write_msr(STAR_MSR, (u64)selectors << 32);
+        syscall_entry = syscall_enter;
+    }
+    write_msr(LSTAR_MSR, u64_from_pointer(syscall_entry));
+    write_msr(SFMASK_MSR, U64_FROM_BIT(EFLAG_INTERRUPT) | U64_FROM_BIT(EFLAG_TRAP));
+    write_msr(EFER_MSR, read_msr(EFER_MSR) | EFER_SCE);
 }
 
 static inline void set_page_write_protect(boolean enable)
@@ -324,6 +329,8 @@ struct cpuinfo_machine {
     /* Monotonic clock timestamp when the lapic timer is supposed to fire; used to re-arm the timer
      * when it fires too early (based on what the monotonic clock source says). */
     timestamp lapic_timer_expiry;
+
+    struct pvm_vcpu *pvm;
 };
 
 typedef struct cpuinfo *cpuinfo;
diff --git a/src/x86_64/machine.h b/src/x86_64/machine.h
@@ -24,8 +24,13 @@ static inline __attribute__((always_inline)) u8 is_immediate_integer(value v)
 
 #ifdef KERNEL
 
+/* Tagged memory is (VA_TAG_OFFSET + VA_TAG_WIDTH) bits long, and needs to be aligned to its length.
+ * The PVM hypervisor allocates 44 bits of address space for the guest; to ensure tagged memory can
+ * be carved out from this space without touching its limits (because memory regions around its
+ * limits are used for other purposes), tagged memory must be at least 2 bits shorter than the total
+ * address space. */
 #define VA_TAG_OFFSET 38
-#define VA_TAG_WIDTH  8
+#define VA_TAG_WIDTH  4
 
 static inline __attribute__((always_inline)) value_tag tagof(void* v) {
     u64 x = u64_from_pointer(v);
diff --git a/src/x86_64/pvm.c b/src/x86_64/pvm.c
@@ -0,0 +1,143 @@
+/* Pagetable-based Virtual Machine hypervisor */
+
+#include <kernel.h>
+#include "pvm.h"
+
+#define PVM_CPUID_SIGNATURE         0x40000000
+#define PVM_CPUID_VENDOR_FEATURES   0x40000002
+
+#define KVM_SIGNATURE   "KVMKVMKVM\0\0\0"
+#define PVM_SIGNATURE   0x4d5650    /* "PVM\0" */
+
+#define MSR_PVM_LINEAR_ADDRESS_RANGE    0x4b564df0
+#define MSR_PVM_VCPU_STRUCT             0x4b564df1
+#define MSR_PVM_SUPERVISOR_RSP          0x4b564df2
+#define MSR_PVM_EVENT_ENTRY             0x4b564df4
+#define MSR_PVM_RETU_RIP                0x4b564df5
+#define MSR_PVM_RETS_RIP                0x4b564df6
+#define MSR_PVM_SWITCH_CR3              0x4b564df7
+
+boolean pvm_detected;
+
+boolean pvm_detect(void)
+{
+    u64 flags = read_flags();
+    if (!(flags & U64_FROM_BIT(EFLAG_INTERRUPT)))
+        return false;
+    u64 cs;
+    asm volatile("mov %%cs,%0" : "=r" (cs) : );
+    if ((cs & 0x3) != 3)    /* check if CPL == 3 */
+        return false;
+    u32 v[4];
+    pvm_cpuid(PVM_CPUID_SIGNATURE, 0, v);
+    if ((v[0] < PVM_CPUID_VENDOR_FEATURES) || runtime_memcmp(&v[1], KVM_SIGNATURE, 3 * sizeof(u32)))
+        return false;
+    pvm_cpuid(PVM_CPUID_VENDOR_FEATURES, 0, v);
+    return pvm_detected = (v[1] == PVM_SIGNATURE);
+}
+
+range pvm_get_addr_range(void)
+{
+    u64 addr_range = read_msr(MSR_PVM_LINEAR_ADDRESS_RANGE);
+    u64 pml4_index_start = addr_range & 0x1ff;
+    u64 pml4_index_end = (addr_range >> 16) & 0x1ff;
+    return irange((0x1fffe00 | pml4_index_start) << PT_SHIFT_L1,
+                  (0x1fffe00 | pml4_index_end) << PT_SHIFT_L1);
+}
+
+closure_func_basic(thunk, void, pvm_cpu_init)
+{
+    /* the PVM vCPU struct must be page-aligned */
+    struct pvm_vcpu *pvm = allocate_zero((heap)heap_page_backed(get_kernel_heaps()), PAGESIZE);
+    assert(pvm != INVALID_ADDRESS);
+
+    /* PVM requires user-mode segment selectors to have the same values as used on Linux */
+    pvm->user_ss = 0x2b;
+    pvm->user_cs = 0x33;
+
+    write_msr(MSR_PVM_VCPU_STRUCT, physical_from_virtual(pvm));
+    cpuinfo ci = current_cpu();
+    ci->m.pvm = pvm;
+    write_msr(KERNEL_GS_MSR, u64_from_pointer(ci));
+    u64 cr3;
+    mov_from_cr("cr3", cr3);
+    /* In order for the direct switching feature to be enabled (i.e. to switch between user mode and
+     * supervisor mode without a VM exit), PVM requires CR3 values for the two modes to be different
+     * from each other; since Nanos uses a single CR3 value, flip one bit between the user CR3 and
+     * the supervisor CR3 to make them appear as different values (a CR3 value must be page-aligned,
+     * so the flipped bit will not cause a different page table root to be used). */
+    write_msr(MSR_PVM_SWITCH_CR3, cr3 | 1);
+    extern void *pvm_event_entry;
+    write_msr(MSR_PVM_EVENT_ENTRY, u64_from_pointer(&pvm_event_entry));
+    extern void *pvm_retu, *pvm_rets;
+    write_msr(MSR_PVM_RETU_RIP, u64_from_pointer(&pvm_retu));
+    write_msr(MSR_PVM_RETS_RIP, u64_from_pointer(&pvm_rets));
+    /* Configure initial stack for PVM events in user mode: the actual stack (interrupt vs
+     * exception) is selected in the event handler. */
+    write_msr(MSR_PVM_SUPERVISOR_RSP, u64_from_pointer(ci->m.int_stack));
+}
+
+void pvm_setup(kernel_heaps kh)
+{
+    thunk t = closure_func(heap_general(kh), thunk, pvm_cpu_init);
+    assert(t != INVALID_ADDRESS);
+    apply(t);
+    register_percpu_init(t);
+}
+
+void pvm_cpuid(u32 leaf, u32 subleaf, u32 *v)
+{
+    asm volatile(".byte 0x0f,0x01,0x3c,0x25,0x50,0x56,0x4d,0xff,0x0f,0xa2" :
+                 "=a" (v[0]), "=b" (v[1]), "=c" (v[2]), "=d" (v[3]) : "0" (leaf), "2" (subleaf));
+}
+
+void pvm_event(boolean save_frame)
+{
+    cpuinfo ci = current_cpu();
+    struct pvm_vcpu *pvm = ci->m.pvm;
+    context_frame f = get_current_context(ci)->frame;
+    if (save_frame) {
+        f[FRAME_RIP] = pvm->rip;
+        f[FRAME_RSP] = pvm->rsp;
+        f[FRAME_EFLAGS] = pvm->eflags;
+        f[FRAME_RCX] = pvm->rcx;
+        f[FRAME_R11] = pvm->r11;
+        f[FRAME_VECTOR] = pvm->event_vector;
+        f[FRAME_ERROR_CODE] = pvm->event_errcode;
+    }
+    u32 vector = f[FRAME_VECTOR];
+    if (vector == 14)   /* page fault */
+        f[FRAME_CR2] = pvm->cr2;
+    void *stack = (vector < INTERRUPT_VECTOR_START) ? ci->m.exception_stack : ci->m.int_stack;
+    switch_stack(stack, common_handler);
+}
+
+void pvm_syscall(context user_ctx)
+{
+    extern void (*syscall)(context ctx);
+    cpuinfo ci = current_cpu();
+    struct pvm_vcpu *pvm = ci->m.pvm;
+    context_frame f = user_ctx->frame;
+    f[FRAME_RIP] = pvm->rip;
+    f[FRAME_RSP] = pvm->rsp;
+    f[FRAME_EFLAGS] = pvm->eflags;
+    f[FRAME_RCX] = pvm->rcx;
+    f[FRAME_R11] = pvm->r11;
+    syscall(user_ctx);
+    pvm_frame_return(f);
+}
+
+void __attribute__((noreturn)) pvm_frame_return(context_frame f)
+{
+    if (f[FRAME_CS] & 0x3) {    /* (CPL != 0) means return to user mode */
+        cpuinfo ci = current_cpu();
+        context_frame f = get_current_context(ci)->frame;
+        struct pvm_vcpu *pvm = ci->m.pvm;
+        pvm->rip = f[FRAME_RIP];
+        pvm->rsp = f[FRAME_RSP];
+        pvm->eflags = f[FRAME_EFLAGS];
+        pvm->rcx = f[FRAME_RCX];
+        pvm->r11 = f[FRAME_R11];
+    }
+    pvm_event_return(f);
+}
diff --git a/src/x86_64/pvm.h b/src/x86_64/pvm.h
@@ -0,0 +1,35 @@
+/* Pagetable-based Virtual Machine hypervisor */
+
+#ifndef PVM_H_
+#define PVM_H_
+
+struct pvm_vcpu {
+    u64 event_flags;
+    u32 event_errcode;
+    u32 event_vector;
+    u64 cr2;
+    u64 reserved0[5];
+    u16 user_cs, user_ss;
+    u32 reserved1;
+    u64 reserved2;
+    u64 user_gsbase;
+    u32 eflags;
+    u32 pkru;
+    u64 rip;
+    u64 rsp;
+    u64 rcx;
+    u64 r11;
+};
+
+boolean pvm_detect(void);
+range pvm_get_addr_range(void);
+void pvm_setup(kernel_heaps kh);
+
+void pvm_cpuid(u32 leaf, u32 subleaf, u32 *v);
+void pvm_syscall_entry(void);
+void pvm_frame_return(context_frame f) __attribute__((noreturn));
+void pvm_event_return(context_frame f) __attribute__((noreturn));
+
+extern boolean pvm_detected;
+
+#endif
diff --git a/src/x86_64/pvm_asm.s b/src/x86_64/pvm_asm.s
diff --git a/src/x86_64/x86.h b/src/x86_64/x86.h
