Comment by my123
4 hours ago
> HCR_EL2.HCD
That's not ideal because of:
> Any resulting exception is taken to the Exception level at which the HVC instruction is executed.
instead of trapping to the hypervisor
> I've looked at how different hypervisors/VMMs handle this and, if this makes that patch set any less hacky, Virtualization.framework, QNX Hypervisor, and (I think) VMware all decode and emulate those instructions in software. Virtualization.framework is a remarkable spaghetti in this regard :)
And so does Hyper-V.
> It's not macOS triggering this in isolation either
There are some nightmare cases that SEPOS specifically triggers, such as doing isv=0 accesses to GICR... when using the Apple vGIC handling _that_ becomes truly bizarre.
> Simply ignoring the instruction, though, is not enough
Yeah that's not a great idea
> instead of trapping to the hypervisor
My bad! I mean, ehh, I guess you could maintain a breakpoint in the guest kernel's exception vector table or have QEMU inject its own "zero-level exception handler" whose only purpose would be to capture those HVCs, but that's not as straightforward as I originally thought. And since those PAC calls are expected to set a few Apple-specific registers anyway, using the entitlement or skipping Hypervisor.framework and talking straight to the kernel seem like the only viable options when macOS is the guest.
> There are some nightmare cases that SEPOS specifically triggers, such as doing isv=0 accesses to GICR... when using the Apple vGIC handling _that_ becomes truly bizarre.
Interesting! Are there any resources out there about virtualizing sepOS?
Not much public yet about VRE virtualisation (which includes SEP) at this point.
> whose only purpose would be to capture those HVCs
Quite expensive, because you get to trap ~all EL0 -> EL1 priv transitions through the virtualisation infrastructure, as the sync handler has a lot going through it.
Only if you used a breakpoint or something similar. I believe a "shadow" exception vector like that can run entirely in the guest context with the guest not even being aware of this (MRS is generally always trapped so you can return the address of the real one while still taking exceptions to the injected one).
Figuring out where to put it and how to keep it mapped is another problem, though!
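The thread turns on three kinds of EL2 exits a VMM that "decodes and emulates in software" has to tell apart: an HVC (which, with HCR_EL2.HCD set, never reaches EL2 at all), a trapped MSR/MRS whose ISS identifies the register (the case behind the "return the address of the real one" shadow-vector trick), and a data abort whose ISV bit is clear, where the syndrome carries no register/size information and the instruction itself must be fetched and decoded. The block below is an added example, not code from the thread, from QEMU, or from any hypervisor it mentions. The bit positions are the ESR_EL2 and HCR_EL2 encodings from the Arm Architecture Reference Manual; the sample syndrome words are constructed, and the "hide the shadow VBAR_EL1" policy is an illustration of the idea in the last comment that assumes the hypervisor has already arranged for that MRS to trap.

```c
/* Added example: classifying ESR_EL2 syndromes the way a software-emulating
 * VMM must. Field offsets follow the Arm ARM; the policy per class is this
 * example's own, not any named hypervisor's. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define HCR_EL2_HCD   (1ULL << 29)   /* HVC instruction disable */
#define HCR_EL2_TIDCP (1ULL << 20)   /* trap IMPLEMENTATION DEFINED sysregs */

#define ESR_EC(esr)  (((esr) >> 26) & 0x3fu)
#define ESR_ISS(esr) ((esr) & 0x1ffffffu)

enum { EC_HVC64 = 0x16, EC_SYSREG = 0x18, EC_DABT_LOW = 0x24 };

/* With HCD set, HVC at EL1 is UNDEFINED and the exception is taken at EL1,
 * so the hypervisor never sees it; only HCD==0 routes it to EL2. */
static bool hvc_reaches_el2(uint64_t hcr_el2)
{
    return (hcr_el2 & HCR_EL2_HCD) == 0;
}

/* Constructed syndrome word: EC, IL=1 (32-bit instruction), ISS. */
static uint32_t make_esr(unsigned ec, uint32_t iss)
{
    return ((uint32_t)ec << 26) | (1u << 25) | (iss & 0x1ffffffu);
}

static unsigned hvc_imm16(uint32_t esr_el2) { return ESR_ISS(esr_el2) & 0xffffu; }

struct sysreg_access {
    unsigned op0, op1, crn, crm, op2, rt;
    bool is_read;            /* Direction bit: 1 = MRS (read), 0 = MSR (write) */
};

/* EC 0x18 ISS layout: Op0[21:20] Op2[19:17] Op1[16:14] CRn[13:10] Rt[9:5] CRm[4:1] Dir[0] */
static struct sysreg_access decode_sysreg_iss(uint32_t iss)
{
    struct sysreg_access a = {
        .op0 = (iss >> 20) & 0x3, .op2 = (iss >> 17) & 0x7,
        .op1 = (iss >> 14) & 0x7, .crn = (iss >> 10) & 0xf,
        .rt  = (iss >> 5) & 0x1f, .crm = (iss >> 1) & 0xf,
        .is_read = (iss & 1) != 0,
    };
    return a;
}

/* VBAR_EL1 is encoded S3_0_C12_C0_0. */
static bool is_vbar_el1(const struct sysreg_access *a)
{
    return a->op0 == 3 && a->op1 == 0 && a->crn == 12 && a->crm == 0 && a->op2 == 0;
}

struct mmio_access { bool valid; unsigned size_bytes; unsigned rt; bool is_write; };

/* EC 0x24 ISS layout: ISV[24] SAS[23:22] SRT[20:16] WnR[6]; SAS/SRT only valid if ISV=1. */
static struct mmio_access decode_dabt_iss(uint32_t iss)
{
    struct mmio_access m = {0};
    m.valid = ((iss >> 24) & 1) != 0;
    if (m.valid) {
        m.size_bytes = 1u << ((iss >> 22) & 3);
        m.rt = (iss >> 16) & 0x1f;
        m.is_write = ((iss >> 6) & 1) != 0;
    }
    return m;
}

enum exit_action {
    ACT_EMULATE_HVC,        /* dispatch on imm16 */
    ACT_EMULATE_SYSREG,     /* op0..op2 name the register; emulate it */
    ACT_HIDE_SHADOW_VBAR,   /* guest reads VBAR_EL1: return the real vector base, not the shadow */
    ACT_MMIO_FROM_SYNDROME, /* ISV=1: size, register and direction come from the ISS */
    ACT_MMIO_DECODE_INSN,   /* ISV=0: fetch the faulting instruction and decode it yourself */
    ACT_UNHANDLED,
};

static enum exit_action classify_exit(uint32_t esr_el2, bool shadow_vbar_installed)
{
    uint32_t iss = ESR_ISS(esr_el2);
    switch (ESR_EC(esr_el2)) {
    case EC_HVC64:
        return ACT_EMULATE_HVC;
    case EC_SYSREG: {
        struct sysreg_access a = decode_sysreg_iss(iss);
        if (shadow_vbar_installed && a.is_read && is_vbar_el1(&a))
            return ACT_HIDE_SHADOW_VBAR;
        return ACT_EMULATE_SYSREG;
    }
    case EC_DABT_LOW:
        return decode_dabt_iss(iss).valid ? ACT_MMIO_FROM_SYNDROME : ACT_MMIO_DECODE_INSN;
    default:
        return ACT_UNHANDLED;
    }
}

int main(void)
{
    /* Constructed syndromes: HVC #0x1234; MRS x3, VBAR_EL1; two data aborts. */
    printf("HVC reaches EL2 with HCD set: %d\n", hvc_reaches_el2(HCR_EL2_HCD));
    printf("HVC imm16: 0x%x\n", hvc_imm16(make_esr(EC_HVC64, 0x1234)));
    printf("MRS VBAR_EL1 under shadow: %d\n", classify_exit(make_esr(EC_SYSREG, 0x303061), true));
    printf("ISV=0 abort: %d, ISV=1 abort: %d\n",
           classify_exit(make_esr(EC_DABT_LOW, 0x47), false),
           classify_exit(make_esr(EC_DABT_LOW, 0x1850047), false));
    return 0;
}
```

The ISV=0 branch is the expensive one the thread is describing: the VMM has to read the guest's instruction at ELR_EL2 and decode the load/store itself to find the register and access size, which is why "simply ignoring the instruction" is not an option either.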