From patchwork Tue Aug 6 09:28:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zero Tang X-Patchwork-Id: 1969397 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=CE39AAeX; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WdSfl4mp9z1yYD for ; Tue, 6 Aug 2024 19:28:47 +1000 (AEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sbGUS-0002vG-JD; Tue, 06 Aug 2024 05:28:24 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sbGUQ-0002mU-Ea for qemu-devel@nongnu.org; Tue, 06 Aug 2024 05:28:22 -0400 Received: from mail-ed1-x535.google.com ([2a00:1450:4864:20::535]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1sbGUM-0002T6-U1 for qemu-devel@nongnu.org; Tue, 06 Aug 2024 05:28:22 -0400 Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-5b8c2a6135eso982388a12.0 for ; Tue, 06 Aug 2024 02:28:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722936496; x=1723541296; darn=nongnu.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=KAlhIHX6tS4E1n4BogBiXgp4i+6SzrRiVFW1tB1ecR0=; b=CE39AAeX+lEuuC2VT3omRDM/YG3od8c9V7I3ckuttbXAAdrsHRAiTgfMCSPJW8lQPI MUTjrHZ6SOLtq/tTIMjqBKgrQrze6KILEEQD1bbp+A7CCEURcaKqhdRQ9CS9EeiVQ1qJ avsGwxFvtbZe+8xaELpysYIR7VgRvIbr1x63wCiA6AYt8diIPDIyXcu5AXbgcXbcx0GD YQerR63raMKByoAUoxNllxGAiaNeHFznlZV2YXrk6xRW1kHecxenadjmxsyl66MTdmp0 QR6pASHZbFM9luPuSrpBXwSHwfC+yJPmLXJDgDwQ/i4LkYxdg5IZYeeKVjTuBUPHftn1 ellA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722936496; x=1723541296; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=KAlhIHX6tS4E1n4BogBiXgp4i+6SzrRiVFW1tB1ecR0=; b=JqNAsjFQ+3pMuppxw32RqhdqzLL9UNDYQiujIlP8mC5FLPUyq8FseB02zb93pNjYYk NnQjbzYWAbryEsLaTxA3LVcgD3hz2iA62SFb6wPUTiVURTdfIxqPBoOrqhebQ1GKkJHV CEHUiXszgoWGYKv1l6ZsJjy9VYu/tYWDLfoxS4xRNrGq6j6Jb9jrEAlL7bcalSAgQ+qM tYaVODBZ+q6So2Cov7PB1cfSje/aQdg1NHzou73qKnASnUNfb34Vus9XkWjfnN9EmKEC KIFStejYTdh3bbFpYe6zJmmRcZ1SYHUg//EqmKROwDVsVK9YcSHR0Cbc6X1hVakebbaF yBTw== X-Gm-Message-State: AOJu0Yzq0ewvUUIfDkzmNo0iZDV8jHSVv9WWEdkxMh502fI2BHcfCLqz XZeBvn7X7PSS0D0Ezus9uK3Ro5pmmAmHtCe+DvtoWnLuNoQjaxQc9lF1SxBXbK720H52qBYfaVJ QSM/v38UZ3btd2Gee9h1UV4oYp/on9oSK X-Google-Smtp-Source: AGHT+IHpLQblTzwQrlDpXGleJA25LxgnRTK3Gx/eitUUKelSpvnEy97AUXoLzlPSuTHckbp1x6YOm8lA4iZYblldhKM= X-Received: by 2002:a05:6402:655:b0:5b9:fe2f:48e4 with SMTP id 4fb4d7f45d1cf-5b9fe2f490dmr8321295a12.6.1722936495326; Tue, 06 Aug 2024 02:28:15 -0700 (PDT) MIME-Version: 1.0 From: Zero Tang Date: Tue, 6 Aug 2024 17:28:01 +0800 Message-ID: Subject: [PATCH] hw/misc: Add a virtual PCILeech device To: qemu-devel@nongnu.org Cc: mst@redhat.com, marcel.apfelbaum@gmail.com Received-SPF: pass client-ip=2a00:1450:4864:20::535; envelope-from=zero.tangptr@gmail.com; helo=mail-ed1-x535.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org This virtual PCILeech device aims to help security researchers attack the guest via DMA and test their IOMMU defenses. This device is intended to support any systems with PCI, but I am only able to test x86-based guests. For what PCILeech is, check PCILeech GitHub repository: https://github.com/ufrisk/pcileech The QEMU-PCILeech plugin is currently awaiting merging: https://github.com/ufrisk/LeechCore-plugins/pull/10 This is my first time contributing to QEMU and I am sorry that I forgot to include a "[PATCH]" prefix in the title from my previous email and that I didn't cc to relevant maintainers. If needed, add my name and contact info into the maintainer's list. Signed-off-by: Zero Tang --- hw/misc/Kconfig | 5 ++++ hw/misc/meson.build | 1 + hw/misc/pcileech.c | 291 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 297 insertions(+) +{ + static InterfaceInfo interfaces[] = { + {INTERFACE_CONVENTIONAL_PCI_DEVICE}, + {}, + }; + static const TypeInfo leech_info = { + .name = TYPE_PCILEECH_DEVICE, + .parent = TYPE_PCI_DEVICE, + .instance_size = sizeof(PciLeechState), + .instance_init = pci_leech_instance_init, + .class_init = pci_leech_class_init, + .interfaces = interfaces, + }; + type_register_static(&leech_info); +} + +type_init(pci_leech_register_types) diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig index 1e08785b83..6c3ea7bf74 100644 --- a/hw/misc/Kconfig +++ b/hw/misc/Kconfig @@ -30,6 +30,11 @@ config EDU default y if TEST_DEVICES depends on PCI && MSI_NONBROKEN +config PCILEECH + bool + default y + depends on PCI + config PCA9552 bool depends on I2C diff --git a/hw/misc/meson.build b/hw/misc/meson.build index 2ca8717be2..e79931b9a6 100644 --- a/hw/misc/meson.build +++ b/hw/misc/meson.build @@ -1,5 +1,6 @@ system_ss.add(when: 'CONFIG_APPLESMC', if_true: files('applesmc.c')) system_ss.add(when: 'CONFIG_EDU', if_true: files('edu.c')) +system_ss.add(when: 'CONFIG_PCILEECH', if_true: files('pcileech.c')) system_ss.add(when: 'CONFIG_FW_CFG_DMA', if_true: files('vmcoreinfo.c')) system_ss.add(when: 'CONFIG_ISA_DEBUG', if_true: files('debugexit.c')) system_ss.add(when: 'CONFIG_ISA_TESTDEV', if_true: files('pc-testdev.c')) diff --git a/hw/misc/pcileech.c b/hw/misc/pcileech.c new file mode 100644 index 0000000000..252a570161 --- /dev/null +++ b/hw/misc/pcileech.c @@ -0,0 +1,291 @@ +/* + * QEMU Virtual PCILeech Device + * + * Copyright (c) 2024 Zero Tang + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "qemu/osdep.h" +#include "qemu/units.h" +#include "hw/pci/pci.h" +#include "hw/hw.h" +#include "hw/pci/msi.h" +#include "qemu/timer.h" +#include "hw/qdev-properties.h" +#include "hw/qdev-properties-system.h" +#include "qom/object.h" +#include "qemu/main-loop.h" /* iothread mutex */ +#include "qemu/module.h" +#include "qapi/visitor.h" + +#define TYPE_PCILEECH_DEVICE "pcileech" + +struct LeechRequestHeader { + uint8_t endianness; /* 0 - Little, 1 - Big */ + uint8_t command; /* 0 - Read, 1 - Write */ + uint8_t reserved[6]; + /* Variable Endianness */ + uint64_t address; + uint64_t length; +}; + +struct LeechResponseHeader { + uint8_t endianness; /* 0 - Little, 1 - Big */ + uint8_t reserved[3]; + MemTxResult result; + uint64_t length; /* Indicates length of data followed by header */ +}; + +/* Verify the header length */ +static_assert(sizeof(struct LeechRequestHeader) == 24); +static_assert(sizeof(struct LeechResponseHeader) == 16); + +struct PciLeechState { + /* Internal State */ + PCIDevice device; + QemuThread thread; + QemuMutex mutex; + bool endianness; + bool stopping; + /* Communication */ + char *host; + uint16_t port; + int sockfd; +}; + +typedef struct LeechRequestHeader LeechRequestHeader; +typedef struct PciLeechState PciLeechState; + +DECLARE_INSTANCE_CHECKER(PciLeechState, PCILEECH, TYPE_PCILEECH_DEVICE) + +static void pci_leech_process_write_request(PciLeechState *state, + LeechRequestHeader *request, + int incoming) +{ + char buff[1024]; + for (uint64_t i = 0; i < request->length; i += sizeof(buff)) { + struct LeechResponseHeader response = { 0 }; + char* response_buffer = (char *)&response; + const uint64_t writelen = (request->length - i) <= sizeof(buff) ? + (request->length - i) : sizeof(buff); + ssize_t recvlen = 0, sendlen = 0; + while (recvlen < writelen) { + recvlen += recv(incoming, &buff[recvlen], writelen - recvlen, 0); + } + response.endianness = state->endianness; + response.result = pci_dma_write(&state->device, request->address + i, + buff, writelen); + if (response.result) { + printf("PCILeech: Address 0x%lX Write Error! MemTxResult: 0x%X\n", + request->address + i, response.result); + } + response.length = 0; + while (sendlen < sizeof(struct LeechResponseHeader)) { + sendlen += send(incoming, &response_buffer[sendlen], + sizeof(struct LeechResponseHeader) - sendlen, 0); + } + } +} + +static void pci_leech_process_read_request(PciLeechState *state, + LeechRequestHeader *request, + int incoming) +{ + char buff[1024]; + for (uint64_t i = 0; i < request->length; i += sizeof(buff)) { + struct LeechResponseHeader response = { 0 }; + char* response_buffer = (char *)&response; + const uint64_t readlen = (request->length - i) <= sizeof(buff) ? + (request->length - i) : sizeof(buff); + ssize_t sendlen = 0; + response.endianness = state->endianness; + response.result = pci_dma_read(&state->device, request->address + i, + buff, readlen); + if (response.result) { + printf("PCILeech: Address 0x%lX Read Error! MemTxResult: 0x%X\n", + request->address + i, response.result); + } + response.length = (request->endianness != state->endianness) ? + bswap64(readlen) : readlen; + while (sendlen < sizeof(struct LeechResponseHeader)) { + sendlen += send(incoming, &response_buffer[sendlen], + sizeof(struct LeechResponseHeader) - sendlen, 0); + } + sendlen = 0; + while (sendlen < readlen) { + sendlen += send(incoming, &buff[sendlen], readlen - sendlen, 0); + } + } +} + +static void *pci_leech_worker_thread(void *opaque) +{ + PciLeechState *state = PCILEECH(opaque); + while (1) { + LeechRequestHeader request; + char *request_buffer = (char *)&request; + ssize_t received = 0; + int incoming; + struct sockaddr address; + socklen_t addrlen; + /* Check if we are stopping. */ + qemu_mutex_lock(&state->mutex); + if (state->stopping) { + qemu_mutex_unlock(&state->mutex); + break; + } + qemu_mutex_unlock(&state->mutex); + /* Accept PCILeech requests. */ + /* Use HTTP1.0-like protocol for simplicity. */ + incoming = accept(state->sockfd, &address, &addrlen); + if (incoming < 0) { + puts("WARNING: Failed to accept socket for PCILeech! Skipping " + "Request...\n"); + continue; + } + /* Get PCILeech requests. */ + while (received < sizeof(LeechRequestHeader)) { + received += recv(incoming, &request_buffer[received], + sizeof(LeechRequestHeader) - received, 0); + } + /* Swap endianness. */ + if (request.endianness != state->endianness) { + request.address = bswap64(request.address); + request.length = bswap64(request.length); + } + /* Process PCILeech requests. */ + qemu_mutex_lock(&state->mutex); + if (request.command) { + pci_leech_process_write_request(state, &request, incoming); + } else { + pci_leech_process_read_request(state, &request, incoming); + } + qemu_mutex_unlock(&state->mutex); + close(incoming); + } + return NULL; +} + +static void pci_leech_realize(PCIDevice *pdev, Error **errp) +{ + PciLeechState *state = PCILEECH(pdev); + struct sockaddr_in sock_addr; + char host_ip[16]; + struct hostent *he = gethostbyname(state->host); + if (he == NULL) { + puts("gethostbyname failed!"); + exit(EXIT_FAILURE); + } + /* Initialize the socket for PCILeech. */ + state->sockfd = socket(AF_INET, SOCK_STREAM, 0); + if (state->sockfd < 0) { + puts("Failed to initialize socket for PCILeech!"); + exit(EXIT_FAILURE); + } + sock_addr.sin_family = AF_INET; + sock_addr.sin_addr = *(struct in_addr *)he->h_addr; + sock_addr.sin_port = htons(state->port); + inet_ntop(AF_INET, &sock_addr.sin_addr, host_ip, sizeof(host_ip)); + if (bind(state->sockfd, (struct sockaddr *)&sock_addr, sizeof(sock_addr)) + < 0) { + puts("Failed to bind socket for PCILeech!"); + close(state->sockfd); + exit(EXIT_FAILURE); + } + if (listen(state->sockfd, 10) < 0) { + puts("Failed to listen to socket for PCILeech!"); + close(state->sockfd); + exit(EXIT_FAILURE); + } + printf("INFO: PCILeech is listening on %s:%u...\n", host_ip, state->port); + /* Initialize the thread for PCILeech. */ + qemu_mutex_init(&state->mutex); + qemu_thread_create(&state->thread, "pcileech", pci_leech_worker_thread, + state, QEMU_THREAD_JOINABLE); +} + +static void pci_leech_finalize(PCIDevice *pdev) +{ + PciLeechState *state = PCILEECH(pdev); + puts("Stopping PCILeech Worker..."); + qemu_mutex_lock(&state->mutex); + state->stopping = true; + qemu_mutex_unlock(&state->mutex); + close(state->sockfd); + qemu_thread_join(&state->thread); + qemu_mutex_destroy(&state->mutex); +} + +char pci_leech_default_host[] = "0.0.0.0"; + +static void pci_leech_instance_init(Object *obj) +{ + int x = 1; + char* y = (char *)&x; + PciLeechState *state = PCILEECH(obj); + /* QEMU's String-Property can't specify default value. */ + /* So we have to set the default on our own. */ + if (state->host == NULL) { + state->host = pci_leech_default_host; + } + /* Save Our Endianness. */ + state->endianness = (*y == 0); +} + +static Property leech_properties[] = { + DEFINE_PROP_UINT16("port", PciLeechState, port, 6789), + DEFINE_PROP_STRING("host", PciLeechState, host), + DEFINE_PROP_END_OF_LIST(), +}; + +static void pci_leech_class_init(ObjectClass *class, void *data) +{ + DeviceClass *dc = DEVICE_CLASS(class); + PCIDeviceClass *k = PCI_DEVICE_CLASS(class); + k->realize = pci_leech_realize; + k->exit = pci_leech_finalize; + /* Change the Vendor/Device ID to your favor. */ + /* These are the default values from PCILeech-FPGA. */ + k->vendor_id = PCI_VENDOR_ID_XILINX; + k->device_id = 0x0666; + k->revision = 0; + k->class_id = PCI_CLASS_NETWORK_ETHERNET; + device_class_set_props(dc, leech_properties); + set_bit(DEVICE_CATEGORY_MISC, dc->categories); +} + +static void pci_leech_register_types(void)