Jens Nerche wrote:

> That's (nearly) our current implementation. But the cache is a set
> of free entries in GDT, which is bad for two reasons:
> * Segment Selectors have other values than guest OS expects
> * May be that there aren't (enough) free entries in GDT
> But think that could be changed easily while you are changing guest
> (ring 3) <-> monitor (ring 0) switching. Have to enhance the virtual
> guest structures by a number of descriptor entries (one per selector)...

Yes, these are pretty much my thoughts also.  While using
SBE, it's easy to maintain a descriptor cache for each
segment register (as you mention).  Segment checks etc. performed
by the monitor for the guest use this cache.  This is what bochs
does, but all the time.

Having descriptor caches which occupy free slots in the GDT
works for SBE mode, since we can play with the selector
values.  With SBE off, we must disable these extra
cache descriptors, since we don't want the guest to
access them.  We must use selector values as expected, otherwise
the guest will see the changes.  If there are no cache vs descriptor entry
inconsistencies, then the selectors can point to the
(virtualized) descriptor as expected.  Thus the ring3 code
can run as-is.  If there are inconsistencies, then we can
have the monitor either keep SBE on, or load the seg regs like this:

  GDT[DS_selector] = DS_cache
  reload DS
  GDT[ES_selector] = ES_cache
  reload ES
  GDT[FS_selector] = FS_cache
  reload FS
  GDT[GS_selector] = GS_cache
  reload GS
  GDT[DS_selector] = inaccessible
  GDT[ES_selector] = inaccessible
  GDT[FS_selector] = inaccessible
  GDT[GS_selector] = inaccessible
  IRET

Now, the caches will be correct, accesses via the seg regs will
work, and seg reg reloads will trap out and can be virtualized until
there is a consistent state again.  When that state is reached
(as is hopefully the norm), we load the GDT with virtualized values
of the guest GDT and return to the guest code simply with:

  pop DS
  pop ES
  pop FS
  pop GS
  IRET

-Kevin
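A constructed C model of the two return-to-guest paths described in the mail above (added here; not code from plex86 or bochs). The desc_t/vcpu_t types and all function names are assumptions; the slow path writes each cached descriptor into its selector's GDT slot, "reloads" the register, then clears the present bit so that a later guest reload of that slot faults into the monitor instead of reading monitor-chosen data.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed model of the descriptor fields a guest can observe (not a real encoding). */
typedef struct { uint32_t base, limit; uint8_t type, dpl; bool present; } desc_t;
enum { SEG_DS, SEG_ES, SEG_FS, SEG_GS, NSEG };
#define GDT_SLOTS 16

typedef struct {
    desc_t   gdt[GDT_SLOTS];   /* virtualized copy of the guest GDT the hardware loads from */
    uint16_t selector[NSEG];   /* GDT index held in each guest segment register */
    desc_t   cache[NSEG];      /* monitor's per-register descriptor cache (hidden part) */
} vcpu_t;

static bool desc_eq(const desc_t *a, const desc_t *b) {
    return a->base == b->base && a->limit == b->limit && a->type == b->type
        && a->dpl == b->dpl && a->present == b->present;
}

/* Consistent state: every cached descriptor equals the GDT entry its selector names. */
bool caches_consistent(const vcpu_t *v) {
    for (int i = 0; i < NSEG; i++)
        if (!desc_eq(&v->cache[i], &v->gdt[v->selector[i]])) return false;
    return true;
}

/* Return to guest as sketched in the mail. hidden[] stands for the CPU's hidden
 * descriptor registers after the reloads. Returns true when the slow path (load the
 * caches through the GDT, then make those slots inaccessible) had to be used. */
bool return_to_guest(vcpu_t *v, desc_t hidden[NSEG]) {
    if (caches_consistent(v)) {                 /* pop DS/ES/FS/GS; IRET */
        for (int i = 0; i < NSEG; i++) hidden[i] = v->gdt[v->selector[i]];
        return false;
    }
    for (int i = 0; i < NSEG; i++) {            /* GDT[sel] = cache; reload reg */
        v->gdt[v->selector[i]] = v->cache[i];
        hidden[i] = v->gdt[v->selector[i]];
    }
    for (int i = 0; i < NSEG; i++)              /* GDT[sel] = inaccessible; then IRET */
        v->gdt[v->selector[i]].present = false;
    return true;
}

/* Guest reload of a segment register: a not-present slot raises #NP, which the
 * monitor catches and virtualizes; otherwise the load goes straight to hardware. */
bool guest_reload_traps(vcpu_t *v, int seg, uint16_t sel) {
    if (!v->gdt[sel].present) return true;      /* #NP: monitor virtualizes the load */
    v->selector[seg] = sel;
    v->cache[seg] = v->gdt[sel];
    return false;
}
```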