amd64: add exception stack at top of scratch memory

A separate exception stack is needed in preparation for moving
management of the main guest stack into the guest.

Signed-off-by: Lucy Menon <168595099+syntactically@users.noreply.github.com>

Author: syntactically

src/hyperlight_guest/src/arch/amd64/prim_alloc.rs

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
  */
 
+use hyperlight_common::flatbuffer_wrappers::guest_error::ErrorCode;
+
 // There are no notable architecture-specific safety considerations
 // here, and the general conditions are documented in the
 // architecture-independent re-export in prim_alloc.rs
@@ -29,8 +31,18 @@ pub unsafe fn alloc_phys_pages(n: u64) -> u64 {
             x = inout(reg) x
         );
     }
-    if x.checked_add(nbytes).is_none() {
-        panic!("Out of physical memory!")
+    // Set aside two pages at the top of the scratch region for the
+    // exception stack, shared state, etc
+    let max_avail = hyperlight_common::layout::MAX_GPA - hyperlight_common::vmem::PAGE_SIZE * 2;
+    if x.checked_add(nbytes)
+        .is_none_or(|xx| xx >= max_avail as u64)
+    {
+        unsafe {
+            crate::exit::abort_with_code_and_message(
+                &[ErrorCode::MallocFailed as u8],
+                c"Out of physical memory".as_ptr(),
+            )
+        }
     }
     x
 }

src/hyperlight_guest_bin/src/arch/amd64/init.rs

@@ -18,25 +18,42 @@ use core::arch::asm;
 use core::mem;
 
 use super::exception::entry::init_idt;
-use super::machine::{GDT, GdtEntry, GdtPointer, ProcCtrl};
+use super::machine::{GDT, GdtEntry, GdtPointer, ProcCtrl, TSS};
 
+/// See AMD64 Architecture Programmer's Manual, Volume 2: System Programming
+///     Section 4: Segmented Virtual Memory
+///         §4.6: Descriptor Tables
+/// for the functions of the GDT.
+///
+/// Hyperlight's GDT consists of:
+/// - A null first entry, which is architecturally required
+/// - A single code segment descriptor, used for all code accesses
+/// - A single data segment descriptor, used for all data accesses
+/// - A TSS System descriptor that outlines the location of the TSS
+///   (see [`init_tss`], below)
 #[repr(C)]
 struct HyperlightGDT {
     null: GdtEntry,
     kernel_code: GdtEntry,
     kernel_data: GdtEntry,
+    tss: [GdtEntry; 2],
 }
 const _: () = assert!(mem::size_of::<HyperlightGDT>() == mem::size_of::<GDT>());
 const _: () = assert!(mem::offset_of!(HyperlightGDT, null) == 0x00);
 const _: () = assert!(mem::offset_of!(HyperlightGDT, kernel_code) == 0x08);
 const _: () = assert!(mem::offset_of!(HyperlightGDT, kernel_data) == 0x10);
+const _: () = assert!(mem::offset_of!(HyperlightGDT, tss) == 0x18);
 
 unsafe fn init_gdt(pc: *mut ProcCtrl) {
     unsafe {
         let gdt_ptr = &raw mut (*pc).gdt as *mut HyperlightGDT;
         (&raw mut (*gdt_ptr).null).write_volatile(GdtEntry::new(0, 0, 0, 0));
         (&raw mut (*gdt_ptr).kernel_code).write_volatile(GdtEntry::new(0, 0, 0x9A, 0xA));
         (&raw mut (*gdt_ptr).kernel_data).write_volatile(GdtEntry::new(0, 0, 0x92, 0xC));
+        (&raw mut (*gdt_ptr).tss).write_volatile(GdtEntry::tss(
+            &raw mut (*pc).tss as u64,
+            mem::size_of::<TSS>() as u32,
+        ));
         let gdtr = GdtPointer {
             limit: (core::mem::size_of::<[GdtEntry; 5]>() - 1) as u16,
             base: gdt_ptr as u64,
@@ -62,13 +79,39 @@ unsafe fn init_gdt(pc: *mut ProcCtrl) {
     }
 }
 
+/// Hyperlight's TSS contains only a single IST entry, which is used
+/// to set up the stack switch to the exception stack whenever we take
+/// an exception (including page faults, which are important, since
+/// the fault might be due to needing to grow the stack!)
+///
+/// This function sets up the TSS and then points the processor at the
+/// system segment descriptor, initialized in [`init_gdt`] above,
+/// which describes the location of the TSS.
+unsafe fn init_tss(pc: *mut ProcCtrl) {
+    unsafe {
+        let tss_ptr = &raw mut (*pc).tss;
+        // copy byte by byte to avoid alignment issues
+        let ist1_ptr = &raw mut (*tss_ptr).ist1 as *mut [u8; 8];
+        let exn_stack = hyperlight_common::layout::MAX_GVA as u64
+            - hyperlight_common::layout::SCRATCH_TOP_EXN_STACK_OFFSET
+            + 1;
+        ist1_ptr.write_volatile(exn_stack.to_ne_bytes());
+        asm!(
+            "ltr ax",
+            in("ax") core::mem::offset_of!(HyperlightGDT, tss),
+            options(nostack, preserves_flags)
+        );
+    }
+}
+
 /// Machine-specific initialisation; calls [`crate::generic_init`]
 /// once stack, CoW, etc have been set up.
 #[unsafe(no_mangle)]
 pub extern "C" fn entrypoint(peb_address: u64, seed: u64, ops: u64, max_log_level: u64) {
     unsafe {
         let pc = ProcCtrl::init();
         init_gdt(pc);
+        init_tss(pc);
         init_idt(pc);
         call_generic_init(peb_address, seed, ops, max_log_level);
     }

src/hyperlight_guest_bin/src/arch/amd64/machine.rs

@@ -55,6 +55,40 @@ impl GdtEntry {
             access,
         }
     }
+
+    /// Create a new entry that describes the Task State Segment
+    /// (TSS).
+    ///
+    /// The segment descriptor for the TSS needs to be wider than
+    /// other segments, because its base address is actually used &
+    /// must therefore be able to encode an entire 64-bit VA.  Because
+    /// of this, it uses two adjacent descriptor entries.
+    ///
+    /// See AMD64 Architecture Programmer's Manual, Volume 2: System Programming
+    ///     Section 4: Segmented Virtual Memory
+    ///         §4.8: Long-Mod Segment Descriptors
+    ///             §4.8.3: System Descriptors
+    /// for details of the layout
+    pub const fn tss(base: u64, limit: u32) -> [Self; 2] {
+        [
+            Self {
+                limit_low: (limit & 0xffff) as u16,
+                base_low: (base & 0xffff) as u16,
+                base_middle: ((base >> 16) & 0xff) as u8,
+                access: 0x89,
+                flags_limit: ((limit >> 16) & 0x0f) as u8,
+                base_high: ((base >> 24) & 0xff) as u8,
+            },
+            Self {
+                limit_low: ((base >> 32) & 0xffff) as u16,
+                base_low: ((base >> 48) & 0xffff) as u16,
+                base_middle: 0,
+                access: 0,
+                flags_limit: 0,
+                base_high: 0,
+            },
+        ]
+    }
 }
 
 /// GDTR (GDT pointer)
@@ -68,6 +102,32 @@ pub(super) struct GdtPointer {
     pub(super) base: u64,
 }
 
+/// Task State Segment
+///
+/// See AMD64 Architecture Programmer's Manual, Volume 2: System Programming
+///     Section 12: Task Management
+///         §12.2: Task-Management Resources
+///             §12.2.5: 64-bit Task State Segment
+#[allow(clippy::upper_case_acronyms)]
+#[repr(C, packed)]
+pub(super) struct TSS {
+    _rsvd0: [u8; 4],
+    _rsp0: u64,
+    _rsp1: u64,
+    _rsp2: u64,
+    _rsvd1: [u8; 8],
+    pub(super) ist1: u64,
+    _ist2: u64,
+    _ist3: u64,
+    _ist4: u64,
+    _ist5: u64,
+    _ist6: u64,
+    _ist7: u64,
+    _rsvd2: [u8; 8],
+}
+const _: () = assert!(mem::size_of::<TSS>() == 0x64);
+const _: () = assert!(mem::offset_of!(TSS, ist1) == 0x24);
+
 /// An entry in the Interrupt Descriptor Table (IDT)
 /// For reference, see page 7-20 Vol. 3A of Intel 64 and IA-32
 /// Architectures Software Developer's Manual, figure 7-8
@@ -97,7 +157,7 @@ impl IdtEntry {
         Self {
             offset_low: (handler & 0xFFFF) as u16,
             selector: 0x08, // Kernel Code Segment
-            interrupt_stack_table_offset: 0,
+            interrupt_stack_table_offset: 1,
             type_attr: 0x8E,
             // 0x8E = 10001110b
             // 1 00 0 1101
@@ -121,14 +181,15 @@ pub(super) struct IdtPointer {
 const _: () = assert!(mem::size_of::<IdtPointer>() == 10);
 
 #[allow(clippy::upper_case_acronyms)]
-pub(super) type GDT = [GdtEntry; 3];
+pub(super) type GDT = [GdtEntry; 5];
 #[allow(clippy::upper_case_acronyms)]
 #[repr(align(0x1000))]
 pub(super) struct IDT {
     pub(super) entries: [IdtEntry; 256],
 }
 const _: () = assert!(mem::size_of::<IDT>() == 0x1000);
 
+const PADDING_BEFORE_TSS: usize = 64 - mem::size_of::<GDT>();
 /// A single structure containing all of the processor control
 /// structures that we use during early initialization, making it easy
 /// to keep them in an early-allocated physical page.  Field alignment
@@ -138,11 +199,14 @@ const _: () = assert!(mem::size_of::<IDT>() == 0x1000);
 #[repr(C, align(0x1000))]
 pub(super) struct ProcCtrl {
     pub(super) gdt: GDT,
+    _pad: mem::MaybeUninit<[u8; PADDING_BEFORE_TSS]>,
+    pub(super) tss: TSS,
     pub(super) idt: IDT,
 }
 const _: () = assert!(mem::size_of::<ProcCtrl>() == 0x2000);
 const _: () = assert!(mem::size_of::<ProcCtrl>() <= PAGE_SIZE * 2);
 const _: () = assert!(mem::offset_of!(ProcCtrl, gdt) == 0);
+const _: () = assert!(mem::offset_of!(ProcCtrl, tss) == 64);
 const _: () = assert!(mem::offset_of!(ProcCtrl, idt) == 0x1000);
 
 impl ProcCtrl {
@@ -162,6 +226,7 @@ impl ProcCtrl {
             );
             let ptr = ptr as *mut Self;
             (&raw mut (*ptr).gdt).write_bytes(0u8, 1);
+            (&raw mut (*ptr).tss).write_bytes(0u8, 1);
             (&raw mut (*ptr).idt).write_bytes(0u8, 1);
             ptr
         }

typos.toml

@@ -11,3 +11,5 @@ mmaped="mmapped"
 fpr="fpr"
 # consts is a module name in stdlib
 consts="consts"
+# ist is an acronym for Interrupt Stack Table, not a missspelling of its
+ist="ist"