Signed-off-by: Lluís Vilanova <vilan...@ac.upc.edu> --- docs/backdoor.txt | 144 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 144 insertions(+), 0 deletions(-) create mode 100644 docs/backdoor.txt
diff --git a/docs/backdoor.txt b/docs/backdoor.txt new file mode 100644 index 0000000..3b26b70 --- /dev/null +++ b/docs/backdoor.txt 
@@ -0,0 +1,144 @@ += Backdoor communication channel = + +== Introduction == + +This document describes how the guest can use the backdoor communication channel +to interact with user-provided code inside QEMU. + +The backdoor provides a lightweight and guest-initiated communication channel +between code running inside the guest system and code in QEMU, including both +QEMU in 'softmmu' and 'user' modes. + +The semantics of the backdoor channel are up to the user, who must provide the +implementation of the QEMU-side callbacks used when the backdoor channel is +invoked. + +On the guest side, code can simply link against a simple library provided in +QEMU to interface with the backdoor channel. + +The features of this mechanism are: + +* Minimal setup for the guest. +* Independent of guest architecture. +* Works with 'softmmu' and 'user' mode. +* Low overhead; capturing memory accesses to specific addresses does not go + through any OS abstraction, except during the setup of the communication + channel. + + +== QEMU-side code == + +1. Create the "Makefile" to build the user-provided backdoor channel library: + + mkdir /tmp/my-backdoor-qemu + cat > /tmp/my-backdoor-qemu/Makefile <<EOF + include $(BUILD_DIR)/config-host.mak + include $(BUILD_DIR)/$(TARGET_DIR)../config-target.mak + include $(SRC_PATH)/rules.mak + + vpath %.c /tmp/my-backdoor-qemu + + + libbackdoor.a: backdoor.o + + + # Include automatically generated dependency files + -include $(wildcard *.d) + EOF + +2. Implement the callbacks declared in "backdoor/qemu/qemu-backdoor.h": + + cat > /tmp/my-backdoor-qemu/backdoor.c <<EOF + #include "backdoor/qemu/qemu-backdoor.h" + + #include "cpu.h" + + #include <stdio.h> + + + void qemu_backdoor_init(uint64_t data_size) + { + printf("+ %ld\n", data_size); + } + + void qemu_backdoor(uint64_t cmd, void *data) + { + /* Perform any endianess-wise loads to interpret the data */ + uint64_t d = ldq_p(data); + printf("-> %x :: %x\n", cmd, *(uint64_t*)data); + } + EOF + +3. 
Build QEMU with the backdoor feature: + + /path/to/qemu/configure --with-backdoor=/tmp/my-backdoor-qemu + + +== Guest-side code == + +1. Compile the corresponding guest-side interface library: + + make -C /path/to/qemu-build/x86_64-linux-user/backdoor/guest + +2. Create your own application to interact with the backdoor channel: + + cat > /tmp/my-backdoor-guest.c <<EOF + #include <stdio.h> + #include <errno.h> + #include <stdlib.h> + #include <qemu-backdoor.h> + + + int main() + { + /* This base path is only applicable to 'user' mode */ + if (qemu_backdoor_init("/tmp/backdoor") != 0) { + fprintf(stderr, "error: qemu_backdoor_init: %s\n", strerror(errno)); + abort(); + } + + /* Get a pointer to beginning of the data channel */ + uint32_t * data = qemu_backdoor_data(); + /* Write anything into the channel */ + *data = 0xcafe; + /* Invoke the channel */ + qemu_backdoor(0xbabe); + } + EOF + +3. Link your application against "libqemu-backdoor-guest.a": + + gcc -o /tmp/my-backdoor-guest /tmp/my-backdoor-guest.c /path/to/qemu-build/x86_64-linux-user/backdoor/guest/libqemu-backdoor-guest.a + + +== Running QEMU == + +If you want to use QEMU's 'softmmu' mode: + + /path/to/qemu-build/x86_64-softmmu/qemu-system-x86_64 -device backdoor + sudo /tmp/my-backdoor-guest # inside the VM + +If you want to use QEMU's 'user' mode: + + /path/to/qemu-build/x86_64-linux-user/qemu-x86_64 -backdoor /tmp/backdoor /tmp/my-backdoor-guest + + +== Implementation details == + +The backdoor channel is composed of two channels that are handled as 'mmap'ed +files. The data channel is used to contain arbitrary data to communicate back +and forth between the guest and QEMU. The control channel is used by the guest +to signal that the data channel is ready to be used. + +When using the 'softmmu' mode, the backdoor communication channels are provided +as a virtual device used through MMIO. 
The data channel acts as regular memory +and the control channel intercepts all accesses to it to proxy them to the +user-provided backdoor library. + +When using the 'user' mode, the backdoor communication channels are provided as +regular files in the host system that the guest must 'mmap' into its address +space. The data channel acts as regular memory and the 'mmap' of the control +channel is intercepted in QEMU to establish if it's an 'mmap' for the control +channel file. If that's the case, the memory that QEMU allocates for the guest +is 'mprotect'ed to intercept all accesses to it performed by the guest and proxy +them to the user-provided backdoor library.
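Review bot: the example callbacks in the `backdoor.c` step of the "QEMU-side code" section use printf conversions that do not match their 64-bit arguments, and the value loaded with `ldq_p` is never used: `printf("+ %ld\n", data_size);` passes a `uint64_t` to `%ld`, and `printf("-> %x :: %x\n", cmd, *(uint64_t*)data);` passes two `uint64_t` values to `%x` while discarding `d`, which contradicts the preceding comment about doing an endianness-aware load. Suggest including `<inttypes.h>` and writing `printf("-> %" PRIx64 " :: %" PRIx64 "\n", cmd, d);` (and `PRIu64` for `data_size`); "endianess-wise" should read "endianness-aware". The guest-side sample calls `strerror` without including `<string.h>`, and it writes a `uint32_t` into the data channel while the QEMU side reads it back with an 8-byte `ldq_p`, so the two halves of the example should agree on the width. As documentation, the text should also state the trust boundary it creates: `qemu_backdoor(uint64_t cmd, void *data)` is invoked with a guest-chosen `cmd` and guest-written `data`, so the user-provided callbacks must treat both as untrusted input and bound every access to the `data_size` handed to `qemu_backdoor_init`; the 'softmmu' example runs the guest program under `sudo`, and it would help to say explicitly whether unprivileged guest code can reach the MMIO device or whether only privileged guest code is expected to trigger the host-side callbacks.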