/**
* Worker for supdrvOSMsrProberModify.
*/
static DECLCALLBACK(void) supdrvLnxMsrProberModifyOnCpu(RTCPUID idCpu, void *pvUser1, void *pvUser2)
{
PSUPMSRPROBER pReq = (PSUPMSRPROBER)pvUser1;
register uint32_t uMsr = pReq->u.In.uMsr;
bool const fFaster = pReq->u.In.enmOp == SUPMSRPROBEROP_MODIFY_FASTER;
uint64_t uBefore;
uint64_t uWritten;
uint64_t uAfter;
int rcBefore, rcWrite, rcAfter, rcRestore;
RTCCUINTREG fOldFlags;
/* Initialize result variables. */
uBefore = uWritten = uAfter = 0;
rcWrite = rcAfter = rcRestore = -EIO;
/*
* Do the job.
*/
fOldFlags = ASMIntDisableFlags();
ASMCompilerBarrier(); /* paranoia */
if (!fFaster)
ASMWriteBackAndInvalidateCaches();
rcBefore = rdmsrl_safe(uMsr, &uBefore);
if (rcBefore >= 0)
{
register uint64_t uRestore = uBefore;
uWritten = uRestore;
uWritten &= pReq->u.In.uArgs.Modify.fAndMask;
uWritten |= pReq->u.In.uArgs.Modify.fOrMask;
rcWrite = wrmsr_safe(uMsr, RT_LODWORD(uWritten), RT_HIDWORD(uWritten));
rcAfter = rdmsrl_safe(uMsr, &uAfter);
rcRestore = wrmsr_safe(uMsr, RT_LODWORD(uRestore), RT_HIDWORD(uRestore));
if (!fFaster)
{
ASMWriteBackAndInvalidateCaches();
ASMReloadCR3();
ASMNopPause();
}
}
ASMCompilerBarrier(); /* paranoia */
ASMSetFlags(fOldFlags);
/*
* Write out the results.
*/
pReq->u.Out.uResults.Modify.uBefore = uBefore;
pReq->u.Out.uResults.Modify.uWritten = uWritten;
pReq->u.Out.uResults.Modify.uAfter = uAfter;
pReq->u.Out.uResults.Modify.fBeforeGp = rcBefore != 0;
pReq->u.Out.uResults.Modify.fModifyGp = rcWrite != 0;
pReq->u.Out.uResults.Modify.fAfterGp = rcAfter != 0;
pReq->u.Out.uResults.Modify.fRestoreGp = rcRestore != 0;
RT_ZERO(pReq->u.Out.uResults.Modify.afReserved);
}
/**
* Try undo the harm done by the init function.
*
* This may leave the system in an unstable state since we might have been
* hijacking memory below 1MB that is in use by the kernel.
*/
void vmmR0TripleFaultHackTerm(void)
{
/*
* Restore overwritten memory.
*/
if ( g_pvSavedLowCore
&& g_pbLowCore)
memcpy(g_pbLowCore, g_pvSavedLowCore, PAGE_SIZE);
if (g_pbPage0)
{
g_pbPage0[0x467+0] = RT_BYTE1(g_u32SavedVector);
g_pbPage0[0x467+1] = RT_BYTE2(g_u32SavedVector);
g_pbPage0[0x467+2] = RT_BYTE3(g_u32SavedVector);
g_pbPage0[0x467+3] = RT_BYTE4(g_u32SavedVector);
g_pbPage0[0x472+0] = RT_BYTE1(g_u16SavedCadIndicator);
g_pbPage0[0x472+1] = RT_BYTE2(g_u16SavedCadIndicator);
}
/*
* Fix the CMOS.
*/
if (g_pvSavedLowCore)
{
uint32_t fSaved = ASMIntDisableFlags();
ASMOutU8(0x70, 0x0f);
ASMOutU8(0x71, 0x0a);
ASMOutU8(0x70, 0x00);
ASMInU8(0x71);
ASMReloadCR3();
ASMWriteBackAndInvalidateCaches();
ASMSetFlags(fSaved);
}
/*
* Release resources.
*/
RTMemFree(g_pvSavedLowCore);
g_pvSavedLowCore = NULL;
RTR0MemObjFree(g_hMemLowCore, true /*fFreeMappings*/);
g_hMemLowCore = NIL_RTR0MEMOBJ;
g_hMapLowCore = NIL_RTR0MEMOBJ;
g_pbLowCore = NULL;
g_HCPhysLowCore = NIL_RTHCPHYS;
RTR0MemObjFree(g_hMemPage0, true /*fFreeMappings*/);
g_hMemPage0 = NIL_RTR0MEMOBJ;
g_hMapPage0 = NIL_RTR0MEMOBJ;
g_pbPage0 = NULL;
}
/**
* Initalizes the triple fault / boot hack.
*
* Always call vmmR0TripleFaultHackTerm to clean up, even when this call fails.
*
* @returns VBox status code.
*/
int vmmR0TripleFaultHackInit(void)
{
/*
* Map the first page.
*/
int rc = RTR0MemObjEnterPhys(&g_hMemPage0, 0, PAGE_SIZE, RTMEM_CACHE_POLICY_DONT_CARE);
AssertRCReturn(rc, rc);
rc = RTR0MemObjMapKernel(&g_hMapPage0, g_hMemPage0, (void *)-1, 0, RTMEM_PROT_READ | RTMEM_PROT_WRITE);
AssertRCReturn(rc, rc);
g_pbPage0 = (uint8_t *)RTR0MemObjAddress(g_hMapPage0);
LogRel(("0040:0067 = %04x:%04x\n", RT_MAKE_U16(g_pbPage0[0x467+2], g_pbPage0[0x467+3]), RT_MAKE_U16(g_pbPage0[0x467+0], g_pbPage0[0x467+1]) ));
/*
* Allocate some "low core" memory. If that fails, just grab some memory.
*/
//rc = RTR0MemObjAllocPhys(&g_hMemLowCore, PAGE_SIZE, _1M - 1);
//__debugbreak();
rc = RTR0MemObjEnterPhys(&g_hMemLowCore, 0x7000, PAGE_SIZE, RTMEM_CACHE_POLICY_DONT_CARE);
AssertRCReturn(rc, rc);
rc = RTR0MemObjMapKernel(&g_hMapLowCore, g_hMemLowCore, (void *)-1, 0, RTMEM_PROT_READ | RTMEM_PROT_WRITE);
AssertRCReturn(rc, rc);
g_pbLowCore = (uint8_t *)RTR0MemObjAddress(g_hMapLowCore);
g_HCPhysLowCore = RTR0MemObjGetPagePhysAddr(g_hMapLowCore, 0);
LogRel(("Low core at %RHp mapped at %p\n", g_HCPhysLowCore, g_pbLowCore));
/*
* Save memory we'll be overwriting.
*/
g_pvSavedLowCore = RTMemAlloc(PAGE_SIZE);
AssertReturn(g_pvSavedLowCore, VERR_NO_MEMORY);
memcpy(g_pvSavedLowCore, g_pbLowCore, PAGE_SIZE);
g_u32SavedVector = RT_MAKE_U32_FROM_U8(g_pbPage0[0x467], g_pbPage0[0x467+1], g_pbPage0[0x467+2], g_pbPage0[0x467+3]);
g_u16SavedCadIndicator = RT_MAKE_U16(g_pbPage0[0x472], g_pbPage0[0x472+1]);
/*
* Install the code.
*/
size_t cbCode = (uintptr_t)&vmmR0TripleFaultHackEnd - (uintptr_t)&vmmR0TripleFaultHackStart;
AssertLogRelReturn(cbCode <= PAGE_SIZE, VERR_OUT_OF_RANGE);
memcpy(g_pbLowCore, &vmmR0TripleFaultHackStart, cbCode);
g_pbPage0[0x467+0] = 0x00;
g_pbPage0[0x467+1] = 0x70;
g_pbPage0[0x467+2] = 0x00;
g_pbPage0[0x467+3] = 0x00;
g_pbPage0[0x472+0] = 0x34;
g_pbPage0[0x472+1] = 0x12;
/*
* Configure the status port and cmos shutdown command.
*/
uint32_t fSaved = ASMIntDisableFlags();
ASMOutU8(0x70, 0x0f);
ASMOutU8(0x71, 0x0a);
ASMOutU8(0x70, 0x05);
ASMInU8(0x71);
ASMReloadCR3();
ASMWriteBackAndInvalidateCaches();
ASMSetFlags(fSaved);
#if 1 /* For testing & debugging. */
vmmR0TripleFaultHackTripleFault();
#endif
return VINF_SUCCESS;
}
