Add translated embedder syscall hook #69
8d14f8a to 388b41f
ba57d4e to a9ff5d7
jserv left a comment:
Check https://cbea.ms/git-commit/ carefully and enforce the rules for informative git commit messages.
You MUST address the motivations and considerations.
a9ff5d7 to 645a6e4
645a6e4 to 18ae471
18ae471 to 262954b
jserv left a comment:
Hook itself is correct and the memory-safety story checks out (guest_read_small honors MEM_PERM_EL1_ONLY via gva_translate_perm, so a guest pointing X1 into shim_data or the PT pool gets -EFAULT, not data exfiltration). Three P2s should land before this does, and one open question gates the whole premise.
P2 -- the PR's stated use case is Rosetta-translated x86_64 guests, but it's not verified that Apple's Rosetta forwards an unknown syscall number (999) through to elfuse's HVC #5 dispatch instead of returning ENOSYS at the translation layer. Without an empirical demonstration (graphics-bridge round-trip from an actual x86_64 guest), the PR may only work as a native-aarch64 hook.
P2 -- `make ELFUSE_NR_EMBEDDER_HVC6=` breaks the build (empty override defeats `?=`, CFLAGS gets `-DELFUSE_NR_EMBEDDER_HVC6=`, then `if (nr == )` won't compile). See inline.
P2 -- native aarch64 guests can also reach the embedder handler via `svc #0; x8=999`. Intentional per the description ("share the same dispatch logic") but worth either gating on `g->is_rosetta` or documenting so embedders validate `call_nr` against an allowlist.
P2 -- no test. Hook lands on the hot path of every syscall dispatch; the success, EFAULT, and absent-handler paths all need coverage.
P3 (procedural) -- branch is 3 commits behind main (a00cc3d, 9aa54a3, 7acfe17 all touch src/syscall/syscall.c); rebase before merge so the conflict review is honest.
```makefile
# Private pseudo-syscall number used by translated guests to invoke the
# embedder HVC 6 hook. This is not a Linux syscall number.
ELFUSE_NR_EMBEDDER_HVC6 ?= 999
```
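Review bot: the comment states this is not a Linux syscall number, but nothing in these lines ties the 999 default to the generated syscall table, so that property rests entirely on the C-side collision check the description mentions; reference that check here (or derive the default from the table size) so a future table that grows past 999 fails where the number is chosen rather than in a distant translation unit.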
`make ELFUSE_NR_EMBEDDER_HVC6=` lets an empty value override `?=`, then CFLAGS picks up `-DELFUSE_NR_EMBEDDER_HVC6=` and the C hook becomes `if (nr == )` -- syntax error. Either skip the -D when the value is empty, or guard the C side with a numeric check:

```c
#if defined(ELFUSE_NR_EMBEDDER_HVC6) && (ELFUSE_NR_EMBEDDER_HVC6 + 0 > 0)
```
Make sure `make ELFUSE_NR_EMBEDDER_HVC6=` will disable this variable.
Translated x86_64 guests cannot issue the AArch64 HVC instruction used by the existing embedder extension ABI. This prevents those guests from using embedder-provided services such as the graphics bridge. Add a private elfuse pseudo-syscall as the translated guest counterpart to HVC 6. The syscall keeps the existing hvc6_handler ABI instead of adding a second embedder callback path, so native and translated guests can share the same dispatch logic. The pseudo-syscall is enabled through the build system and is gated on g->is_rosetta so native AArch64 guests cannot reach the embedder hook through SVC. The selected number is required to remain outside syscall_table; the build fails if it would collide with the generated Linux syscall table.
262954b to 9e70e83
Translated x86_64 guests cannot issue the AArch64 HVC instruction used by the existing embedder extension ABI. This prevents those guests from using embedder-provided services such as the graphics bridge.
Add a private elfuse pseudo-syscall as the translated guest counterpart to HVC 6. The syscall keeps the existing hvc6_handler ABI instead of adding a second embedder callback path, so native and translated guests can share the same dispatch logic.
Use syscall number 999 as an internal ABI value between the translated guest shim and elfuse. This is not a Linux syscall number. It is chosen outside the current generic Linux syscall range to avoid colliding with normal guest syscalls, but it is not reserved by Linux and must remain private to elfuse.
If no embedder handler is registered, dispatch falls back to normal syscall handling.
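A hypothetical C sketch of the dispatch the description lays out, added here as an example and not elfuse's own code: the `g->is_rosetta` gate, the fallback to normal syscall handling when no handler is registered, a guard that survives an empty `ELFUSE_NR_EMBEDDER_HVC6` override, and a compile-time collision check against the syscall table. `struct guest`, `is_rosetta`, `hvc6_handler` and `syscall_table` follow the names in the PR text; the table size, the stub syscall entry and `demo_dispatch` are assumptions constructed for this example.

```c
/* Hypothetical sketch of the pseudo-syscall hook described above; not elfuse's
 * code. guest, is_rosetta, hvc6_handler and syscall_table follow the PR text;
 * the table size, stub syscall and demo helpers are constructed for this example. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#ifndef ELFUSE_NR_EMBEDDER_HVC6
#define ELFUSE_NR_EMBEDDER_HVC6 999
#endif
/* "+ 0" keeps an empty override (make ELFUSE_NR_EMBEDDER_HVC6=) a valid
 * expression: it expands to "(+ 0 > 0)", i.e. false, which disables the hook. */
#define EMBEDDER_HOOK_ENABLED (ELFUSE_NR_EMBEDDER_HVC6 + 0 > 0)
#define SYSCALL_TABLE_SIZE 451  /* constructed stand-in for the generated table */
#if EMBEDDER_HOOK_ENABLED && (ELFUSE_NR_EMBEDDER_HVC6 + 0 < SYSCALL_TABLE_SIZE)
#error "ELFUSE_NR_EMBEDDER_HVC6 collides with the Linux syscall table"
#endif

struct guest {
    int is_rosetta;   /* set for Rosetta-translated x86_64 guests */
    uint64_t x[31];   /* AArch64 x0..x30; the syscall number travels in x8 */
};
typedef long (*syscall_fn)(struct guest *g);
static long sys_getpid_stub(struct guest *g) { (void)g; return 4242; }
static syscall_fn syscall_table[SYSCALL_TABLE_SIZE] = { [172] = sys_getpid_stub };
static syscall_fn hvc6_handler;   /* registered by the embedder; NULL if none */

long syscall_dispatch(struct guest *g)
{
    uint64_t nr = g->x[8];
#if EMBEDDER_HOOK_ENABLED
    /* Translated guests only, and only with a registered handler; native guests
     * and the absent-handler case fall through to normal syscall handling. */
    if (nr == ELFUSE_NR_EMBEDDER_HVC6 && g->is_rosetta && hvc6_handler)
        return hvc6_handler(g);
#endif
    if (nr >= SYSCALL_TABLE_SIZE || !syscall_table[nr])
        return -ENOSYS;
    return syscall_table[nr](g);
}
/* Demo embedder handler: echo x1 so a caller can tell the hook ran. */
static long demo_hvc6(struct guest *g) { return (long)g->x[1]; }
/* Run one dispatch for the given guest flavour, number and handler state. */
long demo_dispatch(int is_rosetta, uint64_t nr, int with_handler)
{
    struct guest g = { .is_rosetta = is_rosetta };
    g.x[8] = nr; g.x[1] = 77;
    hvc6_handler = with_handler ? demo_hvc6 : NULL;
    return syscall_dispatch(&g);
}
```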
Summary by cubic
- Adds a private elfuse pseudo-syscall for translated x86_64 guests to call the embedder ABI equivalent of AArch64 HVC 6.
- Keeps the existing hvc6_handler so native and translated guests share one dispatch path.
- ELFUSE_NR_EMBEDDER_HVC6 (999) via build flag; compile-time check ensures it sits outside the Linux syscall_table.
- Gated on g->is_rosetta so native AArch64 cannot reach the hook via SVC.
Written for commit 9e70e83.