Difference between revisions of "Power ISA/Privilege States"

From RCS Wiki
Jump to navigation Jump to search
(→‎Ultravisor State: rewriting for the present, additional information)
 
(12 intermediate revisions by 6 users not shown)
Line 3: Line 3:
 
=== Ultravisor State ===
 
=== Ultravisor State ===
  
At the moment very little information exists about the Ultravisor State. It is not mentioned in Power ISA version 2.07 documents at all, and version 3.0B only mentions it as a possible privilege of instructions. There is no official documentation of a ''UV'' - ''Ultravisor State'' [[Machine State Register]] bit, although some source code does reference its existence.<ref>https://patchwork.ozlabs.org/patch/719952/</ref>
+
The Ultravisor State is a part of the IBM Protected Execution Facility (PEF) which enables support for Secure Virtual Machines (SVMs). It was first made available on POWER9 Nimbus chips with DD2.3 stepping. Like with Hypervisor State, Ultravisor State made use of a MSR bit previously marked as reserved.
  
Skiboot documentation mentions this as one of "the four rings".<ref>[https://open-power.github.io/skiboot/doc/xive.html#i-device-tree-updates P9 XIVE Exploitation > I - Device-tree updates] "reg property contains the addresses & sizes for the register ranges corresponding respectively to the 4 rings: Ultravisor level, Hypervisor level, Guest OS level, User level"</ref>
+
It is not mentioned in Power ISA version 2.07 documents at all, and version 3.0B only mentions it as a possible privilege level of instructions. Prior to release of Nimbus chips with DD2.3 stepping there already was source code available which referenced the existence of an ''Ultravisor State'' [[Power ISA/Machine State Register|Machine State Register]] bit.<ref>https://patchwork.ozlabs.org/patch/719952/</ref> It will probably be part of future revisions of the Power ISA.
  
A report from IBM for the Air Force Research Laboratory indicates than Ultravisor State was tested in a modified [[POWER8|POWER8]] processor simulation.<ref>[[File:AFRL-RI-RS-TR-2017-021.pdf|HARDWARE SUPPORT FOR MALWARE DEFENSE AND END-TO-END TRUST]]. IBM. 2017-02</ref>
+
==== Timeline ====
 +
 
 +
On March 22, 2018 IBM published an article about Protected Computing using the Ultravisor state at https://developer.ibm.com/articles/l-support-protected-computing/
 +
 
 +
In October 2018, IBM gave a [https://www.youtube.com/watch?v=9ixMd9wwRrs talk about Ultravisor/Protected Execution Facility] at the Linux Security Summit.
 +
 
 +
A report from IBM for the Air Force Research Laboratory indicates that the Ultravisor State was already tested in a modified [[POWER8|POWER8]] processor simulation.<ref>[[File:AFRL-RI-RS-TR-2017-021.pdf|HARDWARE SUPPORT FOR MALWARE DEFENSE AND END-TO-END TRUST]]. IBM. 2017-02</ref>
  
 
==== POWER9 ====
 
==== POWER9 ====
  
IBM has confirmed to Raptor in direct messaging that the ultravisor state does not exist in POWER9, despite some material continuing to reference it.  This information was also made public on Twitter.<ref>Lynn, Justin.[https://twitter.com/justinrwlynn/status/956772078702571520 tweet]</ref>
+
IBM has confirmed to Raptor in direct messaging that the ultravisor state does not exist in POWER9, despite some material continuing to reference it.  This information was also made public on Twitter.<ref>Lynn, Justin. [https://twitter.com/justinrwlynn/status/956772078702571520 tweet]</ref>
  
 
=== Hypervisor State ===
 
=== Hypervisor State ===
Line 74: Line 80:
 
|an instruction that can be executed only in ultravisor state
 
|an instruction that can be executed only in ultravisor state
 
|}
 
|}
 +
 +
== Ultravisor-related Patents, Patent Applications and Official Documentation ==
 +
 +
* [http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220190034666%22.PGNR.&OS=DN/20190034666&RS=DN/20190034666 US Patent Application 20190034666 -  HARDWARE BASED ISOLATION FOR SECURE EXECUTION OF VIRTUAL MACHINES] - Local Full-Text PDF w/ Illustrations: [[File:US020190034666A120190131-HARDWARE-BASED-ISOLATION-FOR-SECURE-EXECUTION-OF-VIRTUAL-MACHINES.pdf]]
 +
* [https://github.com/open-power/hostboot/search?q=secure+memory+facility&unscoped_q=secure+memory+facility Hostboot Bootloader - Secure Memory Facility/Ultravisor Configuration References]
  
 
== References ==
 
== References ==

Latest revision as of 20:09, 4 May 2020

States

Ultravisor State

The Ultravisor State is a part of the IBM Protected Execution Facility (PEF) which enables support for Secure Virtual Machines (SVMs). It was first made available on POWER9 Nimbus chips with DD2.3 stepping. Like with Hypervisor State, Ultravisor State made use of a MSR bit previously marked as reserved.

It is not mentioned in Power ISA version 2.07 documents at all, and version 3.0B only mentions it as a possible privilege level of instructions. Prior to release of Nimbus chips with DD2.3 stepping there already was source code available which referenced the existence of an Ultravisor State Machine State Register bit.[1] It will probably be part of future revisions of the Power ISA.

Timeline

On March 22, 2018 IBM published an article about Protected Computing using the Ultravisor state at https://developer.ibm.com/articles/l-support-protected-computing/

In October 2018, IBM gave a talk about Ultravisor/Protected Execution Facility at the Linux Security Summit.

A report from IBM for the Air Force Research Laboratory indicates that the Ultravisor State was already tested in a modified POWER8 processor simulation.[2]

POWER9

IBM has confirmed to Raptor in direct messaging that the ultravisor state does not exist in POWER9, despite some material continuing to reference it. This information was also made public on Twitter.[3]

Hypervisor State

Hypervisor State is indicated by the HV (bit 3) of the Machine State Register, and is normally used by a hypervisor. An operating system running without a hypervisor can run in Hypervisor State, with its userland in Problem State and avoid using Privileged State altogether.

Hypervisor State was introduced in POWER4, although for some time it was not included in documentation, appearing only as a reserved bit in the Machine State Register.[4]

Privileged State

Privileged State, also called Supervisor Mode, is normally used by an operating system running on top of a hypervisor.

Problem State

Problem State, also called User Mode, is indicated by the PR (bit 49) of the Machine State Register.

Instruction Classification

Privilege Classification of Instructions in Power ISA
Code 2.07 3.0B Description
P Yes Yes a privileged instruction.
O Yes Yes an instruction that is treated as privileged or nonprivileged (or hypervisor, for mtspr), depend-

ing on the SPR or PMR number.

PI No Yes an instruction that is illegal in privileged state.
H Yes Yes an instruction that can be executed only in hypervisor state
PH Yes No a hypervisor privileged instruction if Category Embedded.Hypervisor is implemented; otherwise

denotes a privileged instruction.

M Yes No an instruction that is treated as privileged or nonprivileged, depending on the value of the UCLE

bit in the MSR

U No Yes an instruction that can be executed only in ultravisor state

Ultravisor-related Patents, Patent Applications and Official Documentation

References

  1. https://patchwork.ozlabs.org/patch/719952/
  2. File:AFRL-RI-RS-TR-2017-021.pdf. IBM. 2017-02
  3. Lynn, Justin. tweet
  4. Kerr, Jeremy. OpenPOWER: building an open-source software stack from bare metal (video). Linux.conf.au 2015
Retrieved from "https://wiki.raptorcs.com/w/index.php?title=Power_ISA/Privilege_States&oldid=3222"