Trace32 Xen Awareness
To implement Xen awareness, proceed in order through MMU setup, task configuration, and menu reprogramming.
[Warning]
This document is for readers who already have some understanding of TRACE32 and OS awareness.
If you are not familiar with awareness settings, please refer to the Linux awareness document first.
Go to Linux Awareness
Hypervisor awareness settings may vary slightly depending on the system design.
The example system used in this document is as follows.
+------- VM1 -------+ +------- VM2 -------+
|      (dom0)       | |      (domu1)      |
| Linux Kernel 5.10 | | Linux Kernel 5.10 |
+-------------------+ +-------------------+
===========================================
+--------------- HYPERVISOR --------------+
|             Xen Kernel 4.16             |
+-----------------------------------------+
Xen, too, needs its watchdog turned off before the debugger connects.
In Xen's case, however, the watchdog timer is driven by a daemon running in the background, so stop that service:
$ systemctl stop xen-watchdog.service
MMU setup
In B::SYStem, check MMUSPACES, or use the command B::SYStem.Option.MMUSPACES ON, to enable the MMUSPACES option,
and check MACHINESPACES, or use the command B::SYStem.Option.MACHINESPACES ON, to enable the MACHINESPACES option.
In an environment where Xen or another hypervisor is set up, several symbol sets are loaded together,
so machine spaces are used to keep them apart.
Machine spaces are, of course, not mandatory.
Using machine spaces changes the address notation used by the debugger:
address => {class}:{machine space}:::{address}
With machine spaces enabled, the command to load the Xen kernel symbols is as follows.
Data.LOAD.Elf &xen_symbol H:0:::0 /noclear /nocode /anysym /macro /gnu /Name xen
sYmbol.sourcePATH.Translate "&xen_invalid_path" "&xen_correct_path"
Now we need to prepare the MMU table mapping for awareness.
Since the hypervisor uses the entire address range anyway, I set it up as follows.
MMU.FORMAT STD
TRANSlation.COMMON H:0:::0x0--0xffffffffffffffff
TRANSlation.TableWalk ON
TRANSlation.ON
Now load the awareness config file.
EXTension.LOAD is used instead of the TASK.CONFIG command,
because TASK.CONFIG cannot carry machine-space information (as of PowerView 2023).
EXTension.LOAD &xen_cfg_file /Machine 0 /NAME xen /ACCESS H:
MENU.ReProgram &xen_men_file
Recall the system design of this document: the dom0 symbols are loaded first.
Data.LOAD.Elf &dom0_symbol N:1:::0 /noclear /nocode /anysym /macro /gnu /Name dom0
sYmbol.sourcePATH.Translate "&dom0_invalid_path" "&dom0_correct_path"
You need to find an address for the table mapping.
The hypervisor performs a two-stage translation.
The physical address produced by the MMU inside the VM is not actually a real physical address.
In terms of the design:
+----+                 +-----+                 +-----+
| VM | <---> (VA) <--- | MMU | ---> (IPA) <--- | HYP | ---> (PA)
+----+                 +-----+                 +-----+
The address produced by the VM's MMU is the Intermediate Physical Address (IPA).
This address is the result of the hypervisor virtualizing the real physical address once more.
In other words, from the VM's point of view, the IPA is mistaken for the real PA!
The TRACE32 debugger uses 'I' as the access class for the IPA address space.
The process for the dom0 MMU setup is as follows.
Use B::y.list to find the _text symbol, which is the starting point of the kernel code.
The starting virtual address is NP:1:0xFFFFFFC010000000.
Find the end of the virtual address range, which is NP:1:0xFFFFFFC0110E0000.
Use the B::MMU.List.EL1PageTable /MACHINE 1 command to check the MMU VA-to-IPA mapping table.
When machine spaces are allocated this way, each guest can be selected with the MACHINE option.
You can also see that the kernel text sits at a slightly different address in the IPA space (I:1:::0x60000000) than in the virtual address space.
Since dom0 is a Linux kernel, it constructs its MMU translation tables the same way Linux awareness does.
B::MMU.FORMAT LINUXSWAP3 \\dom0\Global\swapper_pg_dir
B::TRANSlation.Create N:1:::0xFFFFFFC010000000--0xFFFFFFC0110E0000 I:1:::0x60000000
Then set the entire virtual address range as common.
B::TRANSlation.COMMON N:1:::0xFFFFFF0000000000--0xFFFFFFFFFFFFFFFF
Turn on Translation when you are done setting up.
B::TRANSlation.TableWalk ON
B::TRANSlation.ON
Because writing addresses by hand is cumbersome, you can also refer to the symbols directly.
The commands then summarize as follows.
B::MMU.FORMAT LINUXSWAP3 \\dom0\Global\swapper_pg_dir
B::TRANSlation.create (\\dom0\Global\_text)--(\\dom0\Global\_end-1) I:1:::0x60000000
B::TRANSlation.COMMON 0xFFFF000000000000--0xFFFFFFFFFFFFFFFF
B::TRANSlation.TableWalk ON
B::TRANSlation.ON
B::EXTension.LOAD &dom0_cfg_file /Machine 1 /NAME dom0
The Linux kernel awareness config file is loaded for dom0 as well; the menu has already been set to the Xen menu, so MENU.ReProgram is omitted here.
domu1 goes through the same process, using machine space 2.
Data.LOAD.Elf &domu1_symbol N:2:::0 /noclear /nocode /anysym /macro /gnu /Name domu1
sYmbol.sourcePATH.Translate "&domu1_invalid_path" "&domu1_correct_path"
Use B::y.list to find the _text symbol, which is the starting point of the kernel code.
The starting virtual address is NP:2:0xFFFFFFC010000000.
Find the end of the virtual address range, which is NP:2:0xFFFFFFC0110E0000.
Use the B::MMU.List.EL1PageTable /MACHINE 2 command to check the MMU VA-to-IPA mapping table.
When machine spaces are allocated this way, each guest can be selected with the MACHINE option.
You can also see that the kernel text sits at a slightly different address in the IPA space (I:2:::0x40000000) than in the virtual address space.
Since domu1 is a Linux kernel, it constructs its MMU translation tables the same way Linux awareness does.
B::MMU.FORMAT LINUXSWAP3 \\domu1\Global\swapper_pg_dir
B::TRANSlation.Create N:2:::0xFFFFFFC010000000--0xFFFFFFC0110E0000 I:2:::0x40000000
Then set the entire virtual address range as common.
B::TRANSlation.COMMON N:2:::0xFFFFFF0000000000--0xFFFFFFFFFFFFFFFF
Turn on Translation when you are done setting up.
B::TRANSlation.TableWalk ON
B::TRANSlation.ON
Because writing addresses by hand is cumbersome, you can also refer to the symbols directly.
The commands then summarize as follows.
B::MMU.FORMAT LINUXSWAP3 \\domu1\Global\swapper_pg_dir
B::TRANSlation.create (\\domu1\Global\_text)--(\\domu1\Global\_end-1) I:2:::0x40000000
B::TRANSlation.COMMON 0xFFFF000000000000--0xFFFFFFFFFFFFFFFF
B::TRANSlation.TableWalk ON
B::TRANSlation.ON
B::EXTension.LOAD &domu1_cfg_file /Machine 2 /NAME domu1
The Linux kernel awareness config file is loaded for domu1 as well; the menu has already been set to the Xen menu, so MENU.ReProgram is omitted here.
Summary
The cmm script is summarized as follows.
; initialize
SYStem.Option.MMUSPACES ON
SYStem.Option.MACHINESPACES ON
sYmbol.RESet
; xen setup
Data.LOAD.Elf &xen_symbol H:0:::0 /noclear /nocode /anysym /macro /gnu /Name xen
sYmbol.sourcePATH.Translate "&xen_invalid_path" "&xen_correct_path"
MMU.FORMAT STD
TRANSlation.COMMON H:0:::0x0--0xffffffffffffffff
TRANSlation.TableWalk ON
TRANSlation.ON
EXTension.LOAD &xen_cfg_file /Machine 0 /NAME xen /ACCESS H:
MENU.ReProgram &xen_men_file
; dom0 setup
Data.LOAD.Elf &dom0_symbol N:1:::0 /noclear /nocode /anysym /macro /gnu /Name dom0
sYmbol.sourcePATH.Translate "&dom0_invalid_path" "&dom0_correct_path"
MMU.FORMAT LINUXSWAP3 \\dom0\Global\swapper_pg_dir
TRANSlation.create (\\dom0\Global\_text)--(\\dom0\Global\_end-1) I:1:::0x60000000
TRANSlation.COMMON 0xFFFF000000000000--0xFFFFFFFFFFFFFFFF
TRANSlation.TableWalk ON
TRANSlation.ON
EXTension.LOAD &dom0_cfg_file /Machine 1 /NAME dom0
; domu1 setup
Data.LOAD.Elf &domu1_symbol N:2:::0 /noclear /nocode /anysym /macro /gnu /Name domu1
sYmbol.sourcePATH.Translate "&domu1_invalid_path" "&domu1_correct_path"
MMU.FORMAT LINUXSWAP3 \\domu1\Global\swapper_pg_dir
TRANSlation.create (\\domu1\Global\_text)--(\\domu1\Global\_end-1) I:2:::0x40000000
TRANSlation.COMMON 0xFFFF000000000000--0xFFFFFFFFFFFFFFFF
TRANSlation.TableWalk ON
TRANSlation.ON
EXTension.LOAD &domu1_cfg_file /Machine 2 /NAME domu1
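As an added example (not part of the original page or of any Lauterbach script), the per-guest steps above can be folded into one PRACTICE subroutine so that every domain is described by a single GOSUB line and adding a third guest means adding one line. It assumes the &xen_symbol, &xen_cfg_file, &xen_men_file, &dom0_symbol, &dom0_cfg_file, &domu1_symbol and &domu1_cfg_file macros are already defined by the caller, as in the script above, and that sYmbol.EXIST() can be used to confirm that the program name given to /Name matches the symbol path that MMU.FORMAT will walk.

```cmm
; xen_awareness.cmm (added example): hypervisor setup once, then one
; GOSUB per guest. The &..._symbol / &..._cfg_file macros are assumed to
; be defined by the caller, exactly as in the page's own script.
SYStem.Option.MMUSPACES ON
SYStem.Option.MACHINESPACES ON
sYmbol.RESet

; Xen lives in machine space 0 and is addressed through the H: class
Data.LOAD.Elf &xen_symbol H:0:::0 /noclear /nocode /anysym /macro /gnu /Name xen
MMU.FORMAT STD
TRANSlation.COMMON H:0:::0x0--0xffffffffffffffff
TRANSlation.TableWalk ON
TRANSlation.ON
EXTension.LOAD &xen_cfg_file /Machine 0 /NAME xen /ACCESS H:
MENU.ReProgram &xen_men_file

; one line per guest: <program name> <machine space> <IPA of _text> <elf> <cfg>
; the IPA bases are the values read from MMU.List.EL1PageTable /MACHINE n
GOSUB guest_setup dom0  1 0x60000000 &dom0_symbol  &dom0_cfg_file
GOSUB guest_setup domu1 2 0x40000000 &domu1_symbol &domu1_cfg_file
ENDDO

guest_setup:
  ENTRY &name &machine &ipa_base &elf &cfg
  ; guest kernel symbols go into the N: class of the guest's own machine space
  Data.LOAD.Elf &elf N:&machine:::0 /noclear /nocode /anysym /macro /gnu /Name &name
  ; /Name decides the program part of every symbol path below; if it does
  ; not match, the table walk would quietly use the wrong swapper_pg_dir
  IF !sYmbol.EXIST(\\&name\Global\swapper_pg_dir)
  (
    PRINT %ERROR "&name: swapper_pg_dir not found, check /Name and the ELF file"
    ENDDO
  )
  ; stage 1 (VA -> IPA) comes from the guest's own Linux page tables;
  ; the kernel text is mapped linearly starting at its IPA base
  MMU.FORMAT LINUXSWAP3 \\&name\Global\swapper_pg_dir
  TRANSlation.Create (\\&name\Global\_text)--(\\&name\Global\_end-1) I:&machine:::&ipa_base
  TRANSlation.COMMON 0xFFFF000000000000--0xFFFFFFFFFFFFFFFF
  TRANSlation.TableWalk ON
  TRANSlation.ON
  EXTension.LOAD &cfg /Machine &machine /NAME &name
  RETURN
```

The sYmbol.sourcePATH.Translate lines are left out of the subroutine because the path pairs differ per guest; add them after each Data.LOAD.Elf if source display is needed.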