diff options
author | Alexander Graf <agraf@suse.de> | 2010-07-29 08:48:07 -0400 |
---|---|---|
committer | Avi Kivity <avi@redhat.com> | 2010-10-24 04:50:57 -0400 |
commit | d7d3c2ea99c4845611997cf728af88c4c232e908 (patch) | |
tree | a6b920a93f367ea8458d0e9af03788807ae47d7e /Documentation/kvm/ppc-pv.txt | |
parent | 644bfa013fd589b0df2470a66bcd104318ef24cd (diff) |
KVM: PPC: Add Documentation about PV interface
We just introduced a new PV interface that screams for documentation. So here
it is - a shiny new and awesome text file describing the internal works of
the PPC KVM paravirtual interface.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Avi Kivity <avi@redhat.com>
Diffstat (limited to 'Documentation/kvm/ppc-pv.txt')
-rw-r--r-- | Documentation/kvm/ppc-pv.txt | 179 |
1 files changed, 179 insertions, 0 deletions
diff --git a/Documentation/kvm/ppc-pv.txt b/Documentation/kvm/ppc-pv.txt new file mode 100644 index 000000000000..41ee16d954d7 --- /dev/null +++ b/Documentation/kvm/ppc-pv.txt | |||
@@ -0,0 +1,179 @@ | |||
1 | The PPC KVM paravirtual interface | ||
2 | ================================= | ||
3 | |||
4 | The basic execution principle by which KVM on PowerPC works is to run all kernel | ||
5 | space code in PR=1 which is user space. This way we trap all privileged | ||
6 | instructions and can emulate them accordingly. | ||
7 | |||
8 | Unfortunately that is also the downfall. There are quite some privileged | ||
9 | instructions that needlessly return us to the hypervisor even though they | ||
10 | could be handled differently. | ||
11 | |||
12 | This is what the PPC PV interface helps with. It takes privileged instructions | ||
13 | and transforms them into unprivileged ones with some help from the hypervisor. | ||
14 | This cuts down virtualization costs by about 50% on some of my benchmarks. | ||
15 | |||
16 | The code for that interface can be found in arch/powerpc/kernel/kvm* | ||
17 | |||
18 | Querying for existence | ||
19 | ====================== | ||
20 | |||
21 | To find out if we're running on KVM or not, we leverage the device tree. When | ||
22 | Linux is running on KVM, a node /hypervisor exists. That node contains a | ||
23 | compatible property with the value "linux,kvm". | ||
24 | |||
25 | Once you determined you're running under a PV capable KVM, you can now use | ||
26 | hypercalls as described below. | ||
27 | |||
28 | KVM hypercalls | ||
29 | ============== | ||
30 | |||
31 | Inside the device tree's /hypervisor node there's a property called | ||
32 | 'hypercall-instructions'. This property contains at most 4 opcodes that make | ||
33 | up the hypercall. To call a hypercall, just call these instructions. | ||
34 | |||
35 | The parameters are as follows: | ||
36 | |||
37 | Register IN OUT | ||
38 | |||
39 | r0 - volatile | ||
40 | r3 1st parameter Return code | ||
41 | r4 2nd parameter 1st output value | ||
42 | r5 3rd parameter 2nd output value | ||
43 | r6 4th parameter 3rd output value | ||
44 | r7 5th parameter 4th output value | ||
45 | r8 6th parameter 5th output value | ||
46 | r9 7th parameter 6th output value | ||
47 | r10 8th parameter 7th output value | ||
48 | r11 hypercall number 8th output value | ||
49 | r12 - volatile | ||
50 | |||
51 | Hypercall definitions are shared in generic code, so the same hypercall numbers | ||
52 | apply for x86 and powerpc alike with the exception that each KVM hypercall | ||
53 | also needs to be ORed with the KVM vendor code which is (42 << 16). | ||
54 | |||
55 | Return codes can be as follows: | ||
56 | |||
57 | Code Meaning | ||
58 | |||
59 | 0 Success | ||
60 | 12 Hypercall not implemented | ||
61 | <0 Error | ||
62 | |||
63 | The magic page | ||
64 | ============== | ||
65 | |||
66 | To enable communication between the hypervisor and guest there is a new shared | ||
67 | page that contains parts of supervisor visible register state. The guest can | ||
68 | map this shared page using the KVM hypercall KVM_HC_PPC_MAP_MAGIC_PAGE. | ||
69 | |||
70 | With this hypercall issued the guest always gets the magic page mapped at the | ||
71 | desired location in effective and physical address space. For now, we always | ||
72 | map the page to -4096. This way we can access it using absolute load and store | ||
73 | functions. The following instruction reads the first field of the magic page: | ||
74 | |||
75 | ld rX, -4096(0) | ||
76 | |||
77 | The interface is designed to be extensible should there be need later to add | ||
78 | additional registers to the magic page. If you add fields to the magic page, | ||
79 | also define a new hypercall feature to indicate that the host can give you more | ||
80 | registers. Only if the host supports the additional features, make use of them. | ||
81 | |||
82 | The magic page has the following layout as described in | ||
83 | arch/powerpc/include/asm/kvm_para.h: | ||
84 | |||
85 | struct kvm_vcpu_arch_shared { | ||
86 | __u64 scratch1; | ||
87 | __u64 scratch2; | ||
88 | __u64 scratch3; | ||
89 | __u64 critical; /* Guest may not get interrupts if == r1 */ | ||
90 | __u64 sprg0; | ||
91 | __u64 sprg1; | ||
92 | __u64 sprg2; | ||
93 | __u64 sprg3; | ||
94 | __u64 srr0; | ||
95 | __u64 srr1; | ||
96 | __u64 dar; | ||
97 | __u64 msr; | ||
98 | __u32 dsisr; | ||
99 | __u32 int_pending; /* Tells the guest if we have an interrupt */ | ||
100 | }; | ||
101 | |||
102 | Additions to the page must only occur at the end. Struct fields are always 32 | ||
103 | or 64 bit aligned, depending on them being 32 or 64 bit wide respectively. | ||
104 | |||
105 | MSR bits | ||
106 | ======== | ||
107 | |||
108 | The MSR contains bits that require hypervisor intervention and bits that do | ||
109 | not require direct hypervisor intervention because they only get interpreted | ||
110 | when entering the guest or don't have any impact on the hypervisor's behavior. | ||
111 | |||
112 | The following bits are safe to be set inside the guest: | ||
113 | |||
114 | MSR_EE | ||
115 | MSR_RI | ||
116 | MSR_CR | ||
117 | MSR_ME | ||
118 | |||
119 | If any other bit changes in the MSR, please still use mtmsr(d). | ||
120 | |||
121 | Patched instructions | ||
122 | ==================== | ||
123 | |||
124 | The "ld" and "std" instructions are transormed to "lwz" and "stw" instructions | ||
125 | respectively on 32 bit systems with an added offset of 4 to accomodate for big | ||
126 | endianness. | ||
127 | |||
128 | The following is a list of mapping the Linux kernel performs when running as | ||
129 | guest. Implementing any of those mappings is optional, as the instruction traps | ||
130 | also act on the shared page. So calling privileged instructions still works as | ||
131 | before. | ||
132 | |||
133 | From To | ||
134 | ==== == | ||
135 | |||
136 | mfmsr rX ld rX, magic_page->msr | ||
137 | mfsprg rX, 0 ld rX, magic_page->sprg0 | ||
138 | mfsprg rX, 1 ld rX, magic_page->sprg1 | ||
139 | mfsprg rX, 2 ld rX, magic_page->sprg2 | ||
140 | mfsprg rX, 3 ld rX, magic_page->sprg3 | ||
141 | mfsrr0 rX ld rX, magic_page->srr0 | ||
142 | mfsrr1 rX ld rX, magic_page->srr1 | ||
143 | mfdar rX ld rX, magic_page->dar | ||
144 | mfdsisr rX lwz rX, magic_page->dsisr | ||
145 | |||
146 | mtmsr rX std rX, magic_page->msr | ||
147 | mtsprg 0, rX std rX, magic_page->sprg0 | ||
148 | mtsprg 1, rX std rX, magic_page->sprg1 | ||
149 | mtsprg 2, rX std rX, magic_page->sprg2 | ||
150 | mtsprg 3, rX std rX, magic_page->sprg3 | ||
151 | mtsrr0 rX std rX, magic_page->srr0 | ||
152 | mtsrr1 rX std rX, magic_page->srr1 | ||
153 | mtdar rX std rX, magic_page->dar | ||
154 | mtdsisr rX stw rX, magic_page->dsisr | ||
155 | |||
156 | tlbsync nop | ||
157 | |||
158 | mtmsrd rX, 0 b <special mtmsr section> | ||
159 | mtmsr rX b <special mtmsr section> | ||
160 | |||
161 | mtmsrd rX, 1 b <special mtmsrd section> | ||
162 | |||
163 | [BookE only] | ||
164 | wrteei [0|1] b <special wrteei section> | ||
165 | |||
166 | |||
167 | Some instructions require more logic to determine what's going on than a load | ||
168 | or store instruction can deliver. To enable patching of those, we keep some | ||
169 | RAM around where we can live translate instructions to. What happens is the | ||
170 | following: | ||
171 | |||
172 | 1) copy emulation code to memory | ||
173 | 2) patch that code to fit the emulated instruction | ||
174 | 3) patch that code to return to the original pc + 4 | ||
175 | 4) patch the original instruction to branch to the new code | ||
176 | |||
177 | That way we can inject an arbitrary amount of code as replacement for a single | ||
178 | instruction. This allows us to check for pending interrupts when setting EE=1 | ||
179 | for example. | ||