refactoring

Signed-off-by: Wojciech Ozga <woz@zurich.ibm.com>

security-monitor/src/confidential_flow/finite_state_machine.rs

@@ -2,7 +2,7 @@
 // SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
 // SPDX-License-Identifier: Apache-2.0
 use crate::confidential_flow::handlers::attestation::RetrieveSecretRequest;
-use crate::confidential_flow::handlers::delegate::{DelegateToConfidentialVm, TimeRequest};
+use crate::confidential_flow::handlers::delegate::DelegateToConfidentialVm;
 use crate::confidential_flow::handlers::interrupts::{AllowExternalInterrupt, ExposeEnabledInterrupts, HandleInterrupt};
 use crate::confidential_flow::handlers::mmio::{
     AddMmioRegion, MmioLoadRequest, MmioLoadResponse, MmioStoreRequest, MmioStoreResponse, RemoveMmioRegion,
@@ -17,7 +17,7 @@ use crate::confidential_flow::handlers::symmetrical_multiprocessing::{
     Ipi, NoOperation, RemoteFenceI, RemoteSfenceVma, RemoteSfenceVmaAsid, SbiHsmHartStart, SbiHsmHartStatus, SbiHsmHartStop,
     SbiHsmHartSuspend,
 };
-use crate::confidential_flow::handlers::time::SetTimer;
+use crate::confidential_flow::handlers::time::{ReadTime, SetTimer};
 use crate::confidential_flow::handlers::virtual_instructions::VirtualInstruction;
 use crate::confidential_flow::{ApplyToConfidentialHart, DeclassifyToConfidentialVm};
 use crate::core::architecture::riscv::sbi::BaseExtension::*;
@@ -31,7 +31,7 @@ use crate::core::architecture::riscv::sbi::TimeExtension::*;
 use crate::core::architecture::sbi::CovgExtension;
 use crate::core::architecture::sbi::SbiExtension::Time;
 use crate::core::architecture::TrapCause::*;
-use crate::core::architecture::{GeneralPurposeRegister, HartLifecycleState, TrapCause};
+use crate::core::architecture::{HartLifecycleState, TrapCause};
 use crate::core::control_data::{
     ConfidentialHart, ConfidentialHartRemoteCommand, ConfidentialVm, ConfidentialVmId, ControlDataStorage, HardwareHart, HypervisorHart,
     ResumableOperation,
@@ -114,7 +114,7 @@ impl<'a> ConfidentialFlow<'a> {
             VsEcall(Covg(UnshareMemory)) => UnsharePageRequest::from_confidential_hart(flow.confidential_hart()).handle(flow),
             VsEcall(Covg(RetrieveSecret)) => RetrieveSecretRequest::from_confidential_hart(flow.confidential_hart()).handle(flow),
             VsEcall(Covg(Debug)) => DebugRequest::from_confidential_hart(flow.confidential_hart()).handle(flow),
-            VsEcall(Covg(CovgExtension::Time)) => TimeRequest::from_confidential_hart(flow.confidential_hart()).handle(flow),
+            VsEcall(Covg(CovgExtension::Time)) => ReadTime::from_confidential_hart(flow.confidential_hart()).handle(flow),
             VsEcall(Time(SetTimer)) => SetTimer::from_confidential_hart(flow.confidential_hart()).handle(flow),
             VsEcall(_) => InvalidCall::from_confidential_hart(flow.confidential_hart()).handle(flow),
             GuestLoadPageFault => MmioLoadRequest::from_confidential_hart(flow.confidential_hart()).handle(flow),

security-monitor/src/confidential_flow/handlers/delegate/mod.rs

@@ -1,16 +1,11 @@
 // SPDX-FileCopyrightText: 2023 IBM Corporation
 // SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
 // SPDX-License-Identifier: Apache-2.0
-use crate::confidential_flow::handlers::sbi::SbiResponse;
 use crate::confidential_flow::{ApplyToConfidentialHart, ConfidentialFlow};
 use crate::core::architecture::specification::CAUSE_ILLEGAL_INSTRUCTION;
 use crate::core::architecture::GeneralPurposeRegister;
 use crate::core::control_data::ConfidentialHart;
-use crate::error::Error;
-
-pub use time::TimeRequest;
-
-mod time;
+use crate::core::timer_controller::TimerController;
 
 pub struct DelegateToConfidentialVm {
     mstatus: usize,
@@ -19,6 +14,7 @@ pub struct DelegateToConfidentialVm {
     mtval: usize,
     vstvec: usize,
     vsstatus: usize,
+    htimedelta: usize,
     inst: usize,
     inst_len: usize,
 }
@@ -32,7 +28,8 @@ impl DelegateToConfidentialVm {
         let vstvec = confidential_hart.csrs().vstvec.read();
         let vsstatus = confidential_hart.csrs().vsstatus.read();
         let (inst, inst_len) = crate::confidential_flow::handlers::mmio::read_trapped_instruction(confidential_hart);
-        Self { mstatus, mcause, mepc, mtval, vstvec, vsstatus, inst, inst_len }
+        let htimedelta = confidential_hart.csrs().htimedelta;
+        Self { mstatus, mcause, mepc, mtval, vstvec, vsstatus, htimedelta, inst, inst_len }
     }
 
     pub fn handle(self, confidential_flow: ConfidentialFlow) -> ! {
@@ -96,7 +93,7 @@ impl DelegateToConfidentialVm {
         use crate::core::architecture::CSR;
 
         if csr == CSR_TIME.into() {
-            return (unsafe { (0x200BFF8 as *const u64).read_volatile() }) as usize;
+            return TimerController::read_virt_time(self.htimedelta);
         } else if csr == CSR_CYCLE.into() {
             return CSR.mcycle.read();
         } else if csr == CSR_INSTRET.into() {
@@ -109,9 +106,9 @@ impl DelegateToConfidentialVm {
 
     pub fn apply_to_confidential_hart(&self, confidential_hart: &mut ConfidentialHart) {
         use crate::core::architecture::specification::CSR_MSTATUS_MPP;
-        let SR_SPP_MASK = 0x00000100;
-        let SR_SIE = 0x00000002;
-        let SR_SPIE = 0x00000020;
+        const SR_SPP_MASK: usize = 0x00000100;
+        const SR_SIE: usize = 0x00000002;
+        const SR_SPIE: usize = 0x00000020;
 
         let mut new_vsstatus = self.vsstatus;
         new_vsstatus &= !SR_SPP_MASK;
@@ -135,7 +132,7 @@ impl DelegateToConfidentialVm {
         confidential_hart.csrs_mut().vstval.write(self.mtval);
         confidential_hart.csrs_mut().vsepc.write(self.mepc);
         /* Set Guest privilege mode to supervisor */
-        confidential_hart.csrs_mut().mstatus.enable_bits_on_saved_value((1 << CSR_MSTATUS_MPP));
+        confidential_hart.csrs_mut().mstatus.enable_bits_on_saved_value(1 << CSR_MSTATUS_MPP);
 
         confidential_hart.csrs_mut().mepc.save_value_in_main_memory(self.vstvec);
     }

security-monitor/src/confidential_flow/handlers/interrupts/allow_external_interrupt.rs

@@ -18,7 +18,7 @@ impl AllowExternalInterrupt {
     }
 
     pub fn handle(self, confidential_flow: ConfidentialFlow) -> ! {
-        debug!("enable ext interrupts");
+        debug!("Enable external interrupts: {:x}", self.interrupt_id);
         match ControlDataStorage::try_confidential_vm(confidential_flow.confidential_vm_id(), |mut confidential_vm| {
             Ok(confidential_vm.allow_external_interrupt(self.interrupt_id))
         }) {

security-monitor/src/confidential_flow/handlers/interrupts/expose_enabled_interrupts.rs

@@ -11,7 +11,7 @@ pub struct ExposeEnabledInterrupts {
 
 impl ExposeEnabledInterrupts {
     pub fn from_confidential_hart(confidential_hart: &ConfidentialHart) -> Self {
-        let htimedelta = confidential_hart.csrs().htimedelta.read();
+        let htimedelta = confidential_hart.csrs().htimedelta;
         Self {
             vsie: confidential_hart.csrs().vsie.read(),
             vstimecmp: confidential_hart.csrs().vstimecmp.and_then(|v| Some(v.wrapping_add(htimedelta))).unwrap_or(usize::MAX),

security-monitor/src/confidential_flow/handlers/sbi/debug_request.rs

@@ -1,36 +1,35 @@
 // SPDX-FileCopyrightText: 2023 IBM Corporation
 // SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
 // SPDX-License-Identifier: Apache-2.0
-use crate::confidential_flow::handlers::sbi::{SbiRequest, SbiResponse};
+use crate::confidential_flow::handlers::sbi::SbiRequest;
 use crate::confidential_flow::{ApplyToConfidentialHart, ConfidentialFlow};
-use crate::core::architecture::riscv::specification::CAUSE_VIRTUAL_SUPERVISOR_ECALL;
 use crate::core::architecture::sbi::CovgExtension;
 use crate::core::architecture::GeneralPurposeRegister;
-use crate::core::control_data::{ConfidentialHart, HypervisorHart, ResumableOperation};
+use crate::core::control_data::{ConfidentialHart, ResumableOperation};
 use crate::non_confidential_flow::DeclassifyToHypervisor;
 
 pub struct DebugRequest {
     a0: usize,
     a1: usize,
-    a2: usize,
-    a3: usize,
 }
 
 impl DebugRequest {
     pub fn from_confidential_hart(confidential_hart: &ConfidentialHart) -> Self {
-        let a0 = confidential_hart.gprs().read(GeneralPurposeRegister::a0);
-        let a1 = confidential_hart.gprs().read(GeneralPurposeRegister::a1);
-        let a2 = confidential_hart.gprs().read(GeneralPurposeRegister::a2);
-        let a3 = confidential_hart.gprs().read(GeneralPurposeRegister::a3);
-        Self { a0, a1, a2, a3 }
+        Self {
+            a0: confidential_hart.gprs().read(GeneralPurposeRegister::a0),
+            a1: confidential_hart.gprs().read(GeneralPurposeRegister::a1),
+        }
     }
 
     pub fn handle(self, confidential_flow: ConfidentialFlow) -> ! {
-        let r = SbiRequest::new(CovgExtension::EXTID, CovgExtension::SBI_EXT_COVG_DEBUG, self.a0, self.a1);
-
         confidential_flow
             .set_resumable_operation(ResumableOperation::SbiRequest())
             .into_non_confidential_flow()
-            .declassify_and_exit_to_hypervisor(DeclassifyToHypervisor::SbiRequest(r));
+            .declassify_and_exit_to_hypervisor(DeclassifyToHypervisor::SbiRequest(SbiRequest::new(
+                CovgExtension::EXTID,
+                CovgExtension::SBI_EXT_COVG_DEBUG,
+                self.a0,
+                self.a1,
+            )));
     }
 }

security-monitor/src/confidential_flow/handlers/time/mod.rs

@@ -1,26 +1,5 @@
-// SPDX-FileCopyrightText: 2023 IBM Corporation
-// SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
-// SPDX-License-Identifier: Apache-2.0
-use crate::confidential_flow::handlers::sbi::SbiResponse;
-use crate::confidential_flow::{ApplyToConfidentialHart, ConfidentialFlow};
-use crate::core::architecture::riscv::specification::WFI_INSTRUCTION;
-use crate::core::architecture::GeneralPurposeRegister;
-use crate::core::control_data::ConfidentialHart;
-use crate::core::timer_controller::TimerController;
-use crate::non_confidential_flow::DeclassifyToHypervisor;
+pub use read_time::ReadTime;
+pub use set_timer::SetTimer;
 
-/// Handles virtual instruction trap that occured during execution of the confidential hart.
-pub struct SetTimer {
-    ncycle: usize,
-}
-
-impl SetTimer {
-    pub fn from_confidential_hart(confidential_hart: &ConfidentialHart) -> Self {
-        Self { ncycle: confidential_hart.gprs().read(GeneralPurposeRegister::a0) }
-    }
-
-    pub fn handle(self, mut confidential_flow: ConfidentialFlow) -> ! {
-        TimerController::new(&mut confidential_flow).set_next_event_for_vs_mode(self.ncycle);
-        confidential_flow.apply_and_exit_to_confidential_hart(ApplyToConfidentialHart::SbiResponse(SbiResponse::success()))
-    }
-}
+mod read_time;
+mod set_timer;

security-monitor/src/confidential_flow/handlers/delegate/time.rs → security-monitor/src/confidential_flow/handlers/time/read_time.rs

@@ -3,20 +3,21 @@
 // SPDX-License-Identifier: Apache-2.0
 use crate::confidential_flow::handlers::sbi::SbiResponse;
 use crate::confidential_flow::{ApplyToConfidentialHart, ConfidentialFlow};
-use crate::core::architecture::{GeneralPurposeRegister, CSR};
 use crate::core::control_data::ConfidentialHart;
-use crate::error::Error;
+use crate::core::timer_controller::TimerController;
 
-pub struct TimeRequest {}
+pub struct ReadTime {
+    htimedelta: usize,
+}
 
-impl TimeRequest {
+impl ReadTime {
     pub fn from_confidential_hart(confidential_hart: &ConfidentialHart) -> Self {
-        Self {}
+        Self { htimedelta: confidential_hart.csrs().htimedelta }
     }
 
     pub fn handle(self, confidential_flow: ConfidentialFlow) -> ! {
-        let addr = 0x200BFF8;
-        let time = unsafe { (addr as *const u64).read_volatile() } as usize;
-        confidential_flow.apply_and_exit_to_confidential_hart(ApplyToConfidentialHart::SbiResponse(SbiResponse::success_with_code(time)))
+        confidential_flow.apply_and_exit_to_confidential_hart(ApplyToConfidentialHart::SbiResponse(SbiResponse::success_with_code(
+            TimerController::read_virt_time(self.htimedelta),
+        )))
     }
 }

security-monitor/src/confidential_flow/handlers/time/set_timer.rs

@@ -0,0 +1,24 @@
+// SPDX-FileCopyrightText: 2023 IBM Corporation
+// SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
+// SPDX-License-Identifier: Apache-2.0
+use crate::confidential_flow::handlers::sbi::SbiResponse;
+use crate::confidential_flow::{ApplyToConfidentialHart, ConfidentialFlow};
+use crate::core::architecture::GeneralPurposeRegister;
+use crate::core::control_data::ConfidentialHart;
+use crate::core::timer_controller::TimerController;
+
+/// Handles virtual instruction trap that occured during execution of the confidential hart.
+pub struct SetTimer {
+    ncycle: usize,
+}
+
+impl SetTimer {
+    pub fn from_confidential_hart(confidential_hart: &ConfidentialHart) -> Self {
+        Self { ncycle: confidential_hart.gprs().read(GeneralPurposeRegister::a0) }
+    }
+
+    pub fn handle(self, mut confidential_flow: ConfidentialFlow) -> ! {
+        TimerController::new(&mut confidential_flow).set_next_event_for_vs_mode(self.ncycle);
+        confidential_flow.apply_and_exit_to_confidential_hart(ApplyToConfidentialHart::SbiResponse(SbiResponse::success()))
+    }
+}

security-monitor/src/confidential_flow/handlers/virtual_instructions/mod.rs

@@ -4,7 +4,6 @@
 use crate::confidential_flow::{ApplyToConfidentialHart, ConfidentialFlow};
 use crate::core::architecture::riscv::specification::WFI_INSTRUCTION;
 use crate::core::control_data::{ConfidentialHart, HypervisorHart};
-use crate::non_confidential_flow::DeclassifyToHypervisor;
 
 /// Handles virtual instruction trap that occured during execution of the confidential hart.
 pub struct VirtualInstruction {
@@ -23,15 +22,7 @@ impl VirtualInstruction {
     pub fn handle(self, mut confidential_flow: ConfidentialFlow) -> ! {
         confidential_flow.confidential_hart_mut().csrs_mut().mepc.add(self.instruction_length);
 
-        // use crate::confidential_flow::handlers::sbi::SbiRequest;
-        // use crate::core::architecture::sbi::CovgExtension;
-        // use crate::non_confidential_flow::DeclassifyToHypervisor;
-
-        // let r = SbiRequest::new(CovgExtension::EXTID, CovgExtension::SBI_EXT_COVG_ALLOW_EXT_INTERRUPT, usize::MAX, 0);
-        // confidential_flow.into_non_confidential_flow().declassify_and_exit_to_hypervisor(DeclassifyToHypervisor::SbiRequest(r))
-
         let transformation = if self.instruction == WFI_INSTRUCTION {
-            // debug!("wfi");
             ApplyToConfidentialHart::VirtualInstruction(self)
         } else {
             // TODO: add support for some CSR manipulation

security-monitor/src/core/architecture/riscv/control_status_registers.rs

@@ -64,7 +64,7 @@ pub struct ControlStatusRegisters {
     pub hgatp: ReadWriteRiscvCsr<CSR_HGATP>,
     // HS-mode Debug
     // pub hcontext: ReadWriteRiscvCsr<CSR_HCONTEXT>,
-    pub htimedelta: ReadWriteRiscvCsr<CSR_HTIMEDELTA>,
+    pub htimedelta: usize,
     // VS-mode
     pub vsstatus: ReadWriteRiscvCsr<CSR_VSSTATUS>,
     pub vsie: ReadWriteRiscvCsr<CSR_VSIE>,
@@ -135,7 +135,7 @@ impl ControlStatusRegisters {
             // henvcfg: ReadWriteRiscvCsr::new(),
             hgatp: ReadWriteRiscvCsr::new(),
             // hcontext: ReadWriteRiscvCsr::new(),
-            htimedelta: ReadWriteRiscvCsr::new(),
+            htimedelta: 0,
             // VS-mode
             vsstatus: ReadWriteRiscvCsr::new(),
             vsie: ReadWriteRiscvCsr::new(),
@@ -207,7 +207,7 @@ impl ControlStatusRegisters {
         self.hgatp.save_in_main_memory();
         // DEBUG extension should never be present due to security concerns.
         // self.hcontext.save_in_main_memory();
-        self.htimedelta.save_in_main_memory();
+        // self.htimedelta.save_in_main_memory();
         // VS-mode
         self.vsstatus.save_in_main_memory();
         self.vsie.save_in_main_memory();
@@ -271,7 +271,7 @@ impl ControlStatusRegisters {
         self.hgatp.restore_from_main_memory();
         // DEBUG extension should never be present due to security concerns.
         // self.hcontext.restore_from_main_memory();
-        self.htimedelta.restore_from_main_memory();
+        // self.htimedelta.restore_from_main_memory();
         // VS-mode
         self.vsstatus.restore_from_main_memory();
         self.vsie.restore_from_main_memory();

security-monitor/src/core/control_data/confidential_hart.rs

@@ -99,7 +99,7 @@ impl ConfidentialHart {
         confidential_hart_state.csrs_mut().hie.save_value_in_main_memory(Self::INTERRUPT_DELEGATION);
         // Allow only hypervisor's timer interrupts to preemt confidential VM's execution
         confidential_hart_state.csrs_mut().mie.save_value_in_main_memory(MIE_MTIP_MASK | MIE_MSIP_MASK | MIE_MEIP_MASK);
-        confidential_hart_state.csrs_mut().htimedelta.save_value_in_main_memory(htimedelta);
+        confidential_hart_state.csrs_mut().htimedelta = htimedelta;
         // Setup the M-mode trap handler to the security monitor's entry point
         confidential_hart_state.csrs_mut().mtvec.save_value_in_main_memory(enter_from_confidential_hart_asm as usize);
 

security-monitor/src/core/timer_controller/mod.rs

@@ -13,18 +13,22 @@ pub struct TimerController<'a, 'b> {
 
 impl<'a, 'b> TimerController<'a, 'b> {
     pub fn new(confidential_flow: &'a mut ConfidentialFlow<'b>) -> Self {
-        confidential_flow.swap_mscratch();
-        let current_time = (unsafe { sbi_timer_value() }) as usize;
-        confidential_flow.swap_mscratch();
+        Self { current_time: TimerController::read_time(), confidential_flow }
+    }
+
+    pub fn read_time() -> usize {
+        unsafe { (0x200BFF8 as *const usize).read_volatile() }
+    }
 
-        Self { current_time, confidential_flow }
+    pub fn read_virt_time(htimedelta: usize) -> usize {
+        TimerController::read_time().wrapping_add(htimedelta)
     }
 
     pub fn set_next_event_for_vs_mode(&mut self, next_event: usize) {
         if next_event >= usize::MAX - 1 {
             self.confidential_flow.confidential_hart_mut().csrs_mut().vstimecmp = None;
         } else {
-            let htimedelta = self.confidential_flow.confidential_hart_mut().csrs_mut().htimedelta.read();
+            let htimedelta = self.confidential_flow.confidential_hart_mut().csrs_mut().htimedelta;
             let next_event = (next_event as isize).wrapping_sub(htimedelta as isize) as usize;
             self.confidential_flow.confidential_hart_mut().csrs_mut().vstimecmp = Some(next_event);
             if self.vs_timer_interrupted() {

security-monitor/src/debug.rs

@@ -103,7 +103,7 @@ pub fn __print_hart_state(state: &HartArchitecturalState) {
     debug!("hgeip = {:16x}", state.csrs().hgeip.read());
     debug!("hgatp = {:16x}", state.csrs().hgatp.read());
     // debug!("hcontext = {:16x}", state.csrs().hcontext.read());
-    debug!("htimedelta = {:16x}", state.csrs().htimedelta.read());
+    // debug!("htimedelta = {:16x}", state.csrs().htimedelta.read());
     debug!("vsstatus = {:16x}", state.csrs().vsstatus.read());
     debug!("vsie = {:16x}", state.csrs().vsie.read());
     debug!("vsip = {:16x}", state.csrs().vsip.read());

security-monitor/src/non_confidential_flow/finite_state_machine.rs

@@ -8,7 +8,7 @@ use crate::core::architecture::riscv::sbi::NaclExtension::*;
 use crate::core::architecture::riscv::sbi::NaclSharedMemory;
 use crate::core::architecture::riscv::sbi::SbiExtension::*;
 use crate::core::architecture::TrapCause::*;
-use crate::core::architecture::{GeneralPurposeRegister, TrapCause};
+use crate::core::architecture::{TrapCause};
 use crate::core::control_data::{ConfidentialVmId, HardwareHart, HypervisorHart};
 use crate::error::Error;
 use crate::non_confidential_flow::handlers::cove_host_extension::{