More cleanup.

Rename shellcode_hypervisor to shellcode_hv and kernel_code to boot_linux.

shellcode_hv/Makefile

@@ -0,0 +1,39 @@
+ifndef PS5_PAYLOAD_SDK
+    PS5_PAYLOAD_SDK = /opt/ps5-payload-sdk/
+endif
+
+# 1. Variables
+ifeq ($(shell uname -m),aarch64)
+CC      = x86_64-linux-gnu-gcc
+LD      = x86_64-linux-gnu-ld
+OBJCOPY = x86_64-linux-gnu-objcopy
+else
+CC      = gcc
+LD      = ld
+OBJCOPY = objcopy
+endif
+CFLAGS  = -O2 -fno-stack-protector -ffreestanding -nostdlib -fcf-protection=none -m64 -I$(PS5_PAYLOAD_SDK)/target/include
+LDFLAGS = -T linker.ld
+TARGET  = shellcode_hv.elf
+TEXT_BIN = shellcode_hv.bin
+dump = shellcode_hv.h
+
+SRC = main.c utils.c boot_linux.c
+OBJ = $(SRC:.c=.o)
+
+all: $(dump)
+
+$(TARGET): $(OBJ)
+	$(CC) $(CFLAGS) $(LDFLAGS) $(OBJ) -o $(TARGET)
+
+%.o: %.c
+	$(CC) $(CFLAGS) -c $< -o $@
+
+$(TEXT_BIN): $(TARGET)
+	$(OBJCOPY) -O binary -j .shell_code $(TARGET) $(TEXT_BIN)
+
+clean:
+	rm -f $(OBJ) $(TARGET) $(TEXT_BIN) $(dump)
+
+$(dump): $(TEXT_BIN)
+	xxd -i $(TEXT_BIN) > $(dump)

shellcode_hv/boot_linux.c

@@ -0,0 +1,167 @@
+#include "boot_linux.h"
+#include "../include/config.h"
+#include "../include/linux.h"
+#include "utils.h"
+#include <stddef.h>
+#include <stdint.h>
+
+static struct linux_info info;
+
+static volatile int exited_cpus = 0;
+
+static void configure_vram(uint64_t fb_start, uint64_t vram_start,
+                           uint64_t vram_size) {
+  uint64_t vram_end = vram_start + vram_size - 1;
+  uint64_t fb_top = fb_start + vram_size - 1;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + RCC_CONFIG_MEMSIZE) = vram_size >> 20;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_FB_OFFSET) = vram_start >> 24;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_LOCAL_HBM_ADDRESS_START) =
+      vram_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_LOCAL_HBM_ADDRESS_END) =
+      vram_end >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_FB_LOCATION_BASE) = fb_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + GCMC_VM_FB_LOCATION_TOP) = fb_top >> 24;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_FB_OFFSET) = vram_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_LOCAL_HBM_ADDRESS_START) =
+      vram_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_LOCAL_HBM_ADDRESS_END) =
+      vram_end >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_FB_LOCATION_BASE) = fb_start >> 24;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMMC_VM_FB_LOCATION_TOP) = fb_top >> 24;
+
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMHUBBUB_WHITELIST_BASE_ADDR_0) =
+      vram_start >> 12;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + MMHUBBUB_WHITELIST_TOP_ADDR_0) =
+      vram_end >> 12;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + DCHUBBUB_WHITELIST_BASE_ADDR_0) =
+      vram_start >> 12;
+  *(uint32_t *)(AMDGPU_MMIO_BASE + DCHUBBUB_WHITELIST_TOP_ADDR_0) =
+      vram_end >> 12;
+}
+
+static void append_e820_table(struct boot_params *bp, uint64_t start,
+                              uint64_t end, uint32_t type) {
+  uint8_t idx = bp->e820_entries;
+  bp->e820_table[idx].addr = start;
+  bp->e820_table[idx].size = end - start;
+  bp->e820_table[idx].type = type;
+  bp->e820_entries++;
+}
+
+static void e820_memory_setup(struct boot_params *bp) {
+  append_e820_table(bp, 0x000000000, 0x000001000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x000001000, 0x000070000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x000070000, 0x0000a0000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x0000a0000, 0x0000c0000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x0000c0000, 0x000100000, E820_TYPE_RESERVED); // VBIOS
+  append_e820_table(bp, 0x000100000, 0x03fffc000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x03fffc000, 0x040000000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x040000000, 0x060000000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x060000000, 0x060800000, E820_TYPE_RESERVED); // MP4
+  append_e820_table(bp, 0x060800000, 0x060c00000, E820_TYPE_RESERVED); // VCN FW
+  append_e820_table(bp, 0x060c00000, 0x062800000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x062800000, 0x064800000, E820_TYPE_RESERVED); // HV
+  append_e820_table(bp, 0x064800000, 0x064829000, E820_TYPE_RESERVED); // MP3
+  append_e820_table(bp, 0x064829000, 0x07f9d0000, E820_TYPE_RAM);
+  append_e820_table(bp, 0x07f9d0000, 0x07fd5f000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x07fd5f000, 0x07fd63000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x07fd63000, 0x07fd67000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x07fd67000, 0x07fd6f000, E820_TYPE_NVS);
+  append_e820_table(bp, 0x07fd6f000, 0x07fd8f000, E820_TYPE_ACPI);
+  append_e820_table(bp, 0x07fd8f000, 0x07fd90000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x07fd90000, 0x080000000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x080000000, 0x0c4400000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x0d0000000, 0x0e0700000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x0f0000000, 0x0f8000000, E820_TYPE_RESERVED);
+  append_e820_table(bp, 0x100000000, VRAM_BASE, E820_TYPE_RAM);
+  append_e820_table(bp, VRAM_BASE, 0x470000000, E820_TYPE_RESERVED); // VRAM
+
+  // DevKits have 32GB
+  if (info.kit_type != KIT_DEVKIT) {
+    append_e820_table(bp, 0x470000000, 0x47f300000, E820_TYPE_RAM);
+    append_e820_table(bp, 0x47f300000, 0x480000000, E820_TYPE_RESERVED);
+  } else {
+    append_e820_table(bp, 0x470000000, 0x87f300000, E820_TYPE_RAM);
+    append_e820_table(bp, 0x87f300000, 0x880000000, E820_TYPE_RESERVED);
+  }
+}
+
+void boot_linux(void) {
+  uintptr_t kernel_pa = 0x100000;
+  uintptr_t setup_pa = 0x10000;
+  uintptr_t cmdline_pa = 0x20000;
+
+  struct boot_params *bzimage_bp = (struct boot_params *)info.bzimage;
+
+  struct boot_params *bp = (struct boot_params *)setup_pa;
+  struct setup_header *shdr = &bp->hdr;
+
+  memset(bp, 0, sizeof(struct boot_params));
+
+  memcpy(shdr, &bzimage_bp->hdr, sizeof(struct setup_header));
+
+  e820_memory_setup(bp);
+
+  shdr->hardware_subarch = X86_SUBARCH_PS5;
+  shdr->type_of_loader = 0xff;
+  shdr->cmd_line_ptr = cmdline_pa;
+  shdr->ramdisk_image = info.initrd & 0xffffffff;
+  shdr->ramdisk_size = info.initrd_size & 0xffffffff;
+  bp->ext_ramdisk_image = info.initrd >> 32;
+  bp->ext_ramdisk_size = info.initrd_size >> 32;
+  bp->acpi_rsdp_addr = ACPI_RSDP_ADDRESS;
+
+  strcpy((char *)cmdline_pa, info.cmdline);
+
+  size_t setup_size = (shdr->setup_sects + 1) * 512;
+  size_t kernel_size = shdr->syssize * 16;
+
+  memcpy((void *)kernel_pa, (void *)(info.bzimage + setup_size), kernel_size);
+
+  void (*startup_64)(uint64_t physaddr, struct boot_params *bp) =
+      (void *)(kernel_pa + 0x200);
+  startup_64(kernel_pa, bp);
+}
+
+void entry(void) {
+  disable_intr();
+
+  // Set global interrupt flag.
+  __asm__ volatile("stgi\n");
+
+  // Clear SVM flag.
+  wrmsr(MSR_EFER, rdmsr(MSR_EFER) & ~EFER_SVM);
+
+  // Disable INIT redirection.
+  wrmsr(MSR_VM_CR, rdmsr(MSR_VM_CR) & ~VM_CR_R_INIT);
+
+  // Clean up mtrr.
+  wrmsr(MSR_MTRR4kBase + 0, 0);
+  wrmsr(MSR_MTRR4kBase + 1, 0);
+  wrmsr(MSR_MTRRVarBase + 7 * 2 + 1, 0);
+
+  atomic_add_32(&exited_cpus, 1);
+
+  while (atomic_cmpset_32(&exited_cpus, MAXCPU, MAXCPU) == 0)
+    ;
+
+  if (get_cpu() != 0) {
+    while (1) {
+      halt();
+    }
+  }
+
+  // Disable IOMMU.
+  *(volatile uint64_t *)(AMDIOMMU_MMIO_BASE + AMDIOMMU_CTRL) &= ~1;
+
+  memcpy(&info, (void *)(cave_linux_info), sizeof(struct linux_info));
+
+  configure_vram(FB_BASE, VRAM_BASE, info.vram_size);
+
+  printf("[*] Booting Linux in bare metal...\n");
+  boot_linux();
+}

shellcode_hv/boot_linux.h

@@ -0,0 +1,48 @@
+
+#define MSR_EFER 0xc0000080
+#define EFER_SVM (1ULL << 12) // Bit 12: Secure Virtual Machine Enable
+
+// // Virtual Machine Control Register (VM_CR)
+#define MSR_VM_CR 0xc0010114
+#define VM_CR_R_INIT (1ULL << 1) // Bit 1: Intercept INIT
+
+// // MTRRs (Memory Type Range Registers)
+#define MSR_MTRR4kBase 0x00000268
+#define MSR_MTRRVarBase 0x00000200
+
+#define VRAM_BASE (0x470000000 - info.vram_size)
+
+#define FB_BASE 0xf400000000
+
+#define ACPI_RSDP_ADDRESS 0x7fd8e014
+
+#define AMDGPU_MMIO_BASE 0xe0600000
+
+#define RCC_CONFIG_MEMSIZE 0x378c
+
+#define GCMC_VM_FB_OFFSET 0xa5ac
+#define GCMC_VM_LOCAL_HBM_ADDRESS_START 0xa5d4
+#define GCMC_VM_LOCAL_HBM_ADDRESS_END 0xa5d8
+#define GCMC_VM_FB_LOCATION_BASE 0xa600
+#define GCMC_VM_FB_LOCATION_TOP 0xa604
+
+#define MMMC_VM_FB_OFFSET 0x6a15c
+#define MMMC_VM_LOCAL_HBM_ADDRESS_START 0x6a184
+#define MMMC_VM_LOCAL_HBM_ADDRESS_END 0x6a188
+#define MMMC_VM_FB_LOCATION_BASE 0x6a1b0
+#define MMMC_VM_FB_LOCATION_TOP 0x6a1b4
+
+#define MMHUBBUB_WHITELIST_BASE_ADDR_0 0x24850
+#define MMHUBBUB_WHITELIST_TOP_ADDR_0 0x24854
+#define DCHUBBUB_WHITELIST_BASE_ADDR_0 0x24878
+#define DCHUBBUB_WHITELIST_TOP_ADDR_0 0x2487c
+
+#define AMDIOMMU_MMIO_BASE 0xfdd80000
+#define AMDIOMMU_CTRL 0x18
+
+#define MAXCPU 16
+
+void entry(void);
+void boot_linux(void);
+
+enum kit_type { KIT_RETAIL, KIT_TESTKIT, KIT_DEVKIT };

shellcode_hv/linker.ld

@@ -0,0 +1,18 @@
+/* linker.ld */
+ENTRY(main)
+
+SECTIONS
+{
+    . = 0x1000; /* 0x1000 to avoid warnings from linker */
+    /* Place our custom header first */
+    .shell_code :
+    {
+        *(.entry_point)
+        *(.text)
+        *(.text.*)
+        *(.data*)
+        *(.rodata*)
+        *(.bss)
+        *(.bss.*)
+    }
+}

shellcode_hv/main.c

@@ -0,0 +1,32 @@
+#include "main.h"
+#include "../include/config.h"
+#include "boot_linux.h"
+#include "utils.h"
+#include <stdint.h>
+
+__attribute__((section(".entry_point"), naked)) uint32_t main(void) {
+  // We enter this function after CR3 was updated to 1:1 mapping
+  // We need to point RSP/RBP to a good known valid address
+  uint32_t ebax, ebx, ecx, edx;
+  uint32_t cpu_id;
+
+  __asm__ volatile("cpuid"
+                   : "=a"(ebax), "=b"(ebx), "=c"(ecx), "=d"(edx)
+                   : "a"(1));
+
+  cpu_id = (ebx >> 24) & 0xFF;
+
+  // We point to a location after the main linux boot code
+  // Each CPU should have a different location
+  uintptr_t new_rsp =
+      (uintptr_t)hv_base_rsp + ((uint64_t)(cpu_id)*hv_stack_size);
+
+  // WARNING: This invalidates current local variables
+  __asm__ volatile("movq %0, %%rsp \n\t"
+                   "movq %%rsp, %%rbp \n\t"
+                   :
+                   : "r"(new_rsp)
+                   : "rbp", "memory");
+
+  entry();
+}

shellcode_hv/main.h

@@ -0,0 +1,3 @@
+#include "shellcode_hv_args.h"
+#include <stdarg.h>
+#include <stdint.h>

shellcode_hv/shellcode_hv_args.h

@@ -0,0 +1,9 @@
+// This file is shared between kernel shellcode and hypervisor shellcode
+
+#include <stdint.h>
+
+typedef struct {
+  uint64_t bzimage_pa;    // Already relocated by Kernel shellcode
+  uint64_t initrd_pa;     // Already relocated by Kernel shellcode
+  uint64_t linux_info_pa; // Already relocated by Kernel shellcode
+} shellcode_hv_args;

shellcode_hv/utils.c

@@ -0,0 +1,113 @@
+#include "utils.h"
+#include "shellcode_hv_args.h"
+#include <cpuid.h>
+
+extern shellcode_hv_args args;
+
+__attribute__((noinline, optimize("O0"))) uint32_t putc_uart(uint8_t tx_byte) {
+  volatile uint32_t *uart_tx = (volatile uint32_t *)0xc1010104ULL;
+  volatile uint32_t *uart_busy = (volatile uint32_t *)0xc101010cULL;
+  uint64_t timeout = 0xFFFFFFFF;
+  do {
+    timeout--;
+    if (timeout == 0)
+      break;
+  } while (((*uart_busy) & 0x20) == 0);
+
+  if (timeout == 0)
+    return -1;
+
+  *uart_tx = (uint32_t)tx_byte & 0xFF;
+  return 0;
+}
+
+// Variable for val to hex
+uint8_t hex_val[17];
+
+__attribute__((noinline, optimize("O0"))) uint8_t *
+u64_to_hex_custom(uint64_t val, uint8_t *dest) {
+  const uint8_t hex_chars[] = "0123456789abcdef";
+  dest[16] = '\0';
+
+  for (int i = 15; i >= 0; i--) {
+    dest[i] = hex_chars[val & 0xf];
+    val >>= 4;
+  }
+  return dest;
+}
+
+__attribute__((noinline, optimize("O0"))) int printf(const uint8_t *msg) {
+  uint32_t max = 255;
+  int ret = 0;
+
+  for (int i = 0; i < 255; i++) {
+    if (msg[i] == '\0') {
+      break;
+    }
+    if (msg[i] == '\n') {
+      putc_uart('\r');
+    }
+    ret = putc_uart(msg[i]);
+  }
+
+  return ret;
+}
+
+__attribute__((noinline, optimize("O0"))) void memcpy(void *dest, void *src,
+                                                      uint64_t len) {
+  uint8_t *d = (uint8_t *)dest;
+  const uint8_t *s = (const uint8_t *)src;
+  for (uint64_t i = 0; i < len; i++) {
+    d[i] = s[i];
+  }
+}
+
+__attribute__((noinline, optimize("O0"))) char *strcpy(char *dest,
+                                                       const char *src) {
+  char *d = dest;
+  while ((*d++ = *src++)) {
+  }
+  return dest;
+}
+
+__attribute__((noinline, optimize("O0"))) void *memset(void *s, int c,
+                                                       uint64_t n) {
+  unsigned char *p = (unsigned char *)s;
+  while (n--) {
+    *p++ = (unsigned char)c;
+  }
+  return s;
+}
+
+void disable_intr(void) { __asm__ __volatile__("cli" : : : "memory"); }
+
+void halt(void) { __asm__ __volatile__("hlt"); }
+
+uint64_t rdmsr(uint32_t msr) {
+  uint32_t low, high;
+  __asm__ __volatile__("rdmsr" : "=a"(low), "=d"(high) : "c"(msr));
+  return ((uint64_t)high << 32) | low;
+}
+
+void wrmsr(uint32_t msr, uint64_t val) {
+  uint32_t low = val & 0xFFFFFFFF;
+  uint32_t high = val >> 32;
+  __asm__ __volatile__("wrmsr" : : "a"(low), "d"(high), "c"(msr));
+}
+
+// Map FreeBSD atomic_add_32 to GCC builtin
+void atomic_add_32(volatile uint32_t *p, uint32_t v) {
+  __sync_fetch_and_add(p, v);
+}
+
+// Map FreeBSD atomic_cmpset_32 to GCC builtin
+int atomic_cmpset_32(volatile uint32_t *dst, uint32_t exp, uint32_t src) {
+  return __sync_bool_compare_and_swap(dst, exp, src);
+}
+
+uint8_t get_cpu(void) {
+  uint32_t eax, ebx, ecx, edx;
+  __get_cpuid(1, &eax, &ebx, &ecx, &edx);
+  uint8_t cpu_id = (ebx >> 24) & 0xFF;
+  return cpu_id;
+}

shellcode_hv/utils.h

@@ -0,0 +1,28 @@
+#ifndef UTILS_H
+#define UTILS_H
+
+#include <stdint.h>
+
+uint32_t putc_uart(uint8_t tx_byte);
+int printf(const uint8_t *msg);
+uint8_t *u64_to_hex_custom(uint64_t val, uint8_t *dest);
+
+extern uint8_t hex_val[17];
+
+inline int print_val64(uint64_t val) {
+  return printf(u64_to_hex_custom(val, hex_val));
+}
+
+void memcpy(void *dest, void *src, uint64_t len);
+char *strcpy(char *dest, const char *src);
+void *memset(void *s, int c, uint64_t n);
+
+void disable_intr(void);
+void halt(void);
+uint64_t rdmsr(uint32_t msr);
+void wrmsr(uint32_t msr, uint64_t val);
+void atomic_add_32(volatile uint32_t *p, uint32_t v);
+int atomic_cmpset_32(volatile uint32_t *dst, uint32_t exp, uint32_t src);
+uint8_t get_cpu(void);
+
+#endif