2 * Copyright (c) 2018-2021 Maxime Villard, m00nbsd.net
5 * This code is part of the NVMM hypervisor.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 #define PAGE_SIZE 4096
40 * A simple calculator that creates a VM which performs the addition of the
41 * two ints given as arguments.
43 * The guest does EBX+=EAX, followed by HLT. We set EAX and EBX, and then
44 * fetch the result in EBX. HLT is our shutdown point, we stop the VM there.
46 * We give one single page to the guest, and copy there the instructions it
47 * must execute. The guest runs in 16bit real mode, and its initial state is
48 * the x86 RESET state (default state). The instruction pointer uses CS.base
49 * as base, and this base value is 0xFFFF0000. So we make it our GPA, and set
50 * RIP=0, which means "RIP=0xFFFF0000+0". The guest therefore executes the
51 * instructions at GPA 0xFFFF0000.
53 * $ cc -g -Wall -Wextra -o calc-vm calc-vm.c -lnvmm
57 * Don't forget to load the nvmm(4) kernel module beforehand!
60 * https://www.netbsd.org/~maxv/nvmm/calc-vm.c
61 * https://blog.netbsd.org/tnf/entry/from_zero_to_nvmm
64 int main(int argc, char *argv[])
66 const uint8_t instr[] = {
67 0x01, 0xc3, /* add %eax,%ebx */
70 struct nvmm_machine mach;
71 struct nvmm_vcpu vcpu;
73 gpaddr_t gpa = 0xFFFF0000;
77 fprintf(stderr, "usage: %s <int#1> <int#2>\n", argv[0]);
85 if (nvmm_init() == -1)
86 err(EXIT_FAILURE, "unable to init NVMM");
87 printf("[+] Initialized NVMM\n");
90 if (nvmm_machine_create(&mach) == -1)
91 err(EXIT_FAILURE, "unable to create the VM");
92 printf("[+] Created machine\n");
93 if (nvmm_vcpu_create(&mach, 0, &vcpu) == -1)
94 err(EXIT_FAILURE, "unable to create VCPU");
95 printf("[+] Created VCPU\n");
97 /* Allocate a HVA. The HVA is writable. */
98 hva = (uintptr_t)mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE,
99 MAP_ANON|MAP_PRIVATE, -1, 0);
100 if ((void *)hva == MAP_FAILED)
101 err(EXIT_FAILURE, "unable to mmap");
102 if (nvmm_hva_map(&mach, hva, PAGE_SIZE) == -1)
103 err(EXIT_FAILURE, "unable to map HVA");
104 printf("[+] Mapped HVA\n");
106 /* Link the GPA towards the HVA. The GPA is executable. */
107 if (nvmm_gpa_map(&mach, hva, gpa, PAGE_SIZE, PROT_READ|PROT_EXEC) == -1)
108 err(EXIT_FAILURE, "unable to map GPA");
109 printf("[+] Mapped GPA\n");
111 /* Install the guest instructions there. */
112 memcpy((void *)hva, instr, sizeof(instr));
114 /* Reset the instruction pointer, and set EAX/EBX. */
115 if (nvmm_vcpu_getstate(&mach, &vcpu, NVMM_X64_STATE_GPRS) == -1)
116 err(EXIT_FAILURE, "unable to get VCPU state");
117 printf("[+] Got VCPU states\n");
118 vcpu.state->gprs[NVMM_X64_GPR_RIP] = 0;
119 vcpu.state->gprs[NVMM_X64_GPR_RAX] = num1;
120 vcpu.state->gprs[NVMM_X64_GPR_RBX] = num2;
121 nvmm_vcpu_setstate(&mach, &vcpu, NVMM_X64_STATE_GPRS);
122 printf("[+] Set VCPU states\n");
126 printf("[+] Running VCPU\n");
127 if (nvmm_vcpu_run(&mach, &vcpu) == -1)
128 err(EXIT_FAILURE, "unable to run VCPU");
129 printf("[+] VCPU exited\n");
131 /* Process the exit reasons. */
132 switch (vcpu.exit->reason) {
133 case NVMM_VCPU_EXIT_NONE:
134 /* Nothing to do, keep rolling. */
136 case NVMM_VCPU_EXIT_HALTED:
137 /* Our shutdown point. Fetch the result. */
138 nvmm_vcpu_getstate(&mach, &vcpu, NVMM_X64_STATE_GPRS);
139 ret = vcpu.state->gprs[NVMM_X64_GPR_RBX];
140 printf("Result: %d\n", ret);
142 /* THE PROCESS EXITS, THE VM GETS DESTROYED. */
144 errx(EXIT_FAILURE, "unknown exit reason: 0x%lx",