diff --git a/shellcode_kernel/main.c b/shellcode_kernel/main.c
index 327e70e..c975056 100644
--- a/shellcode_kernel/main.c
+++ b/shellcode_kernel/main.c
@@ -50,17 +50,7 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
 iommu_cb2_pa, iommu_cb3_pa, iommu_eb_pa, (uint64_t)&unk, &n_devices);
 if (ret != 0) {
- putc_uart(args_ptr->dmap_base, 'I');
- putc_uart(args_ptr->dmap_base, 'O');
- putc_uart(args_ptr->dmap_base, 'M');
- putc_uart(args_ptr->dmap_base, 'M');
- putc_uart(args_ptr->dmap_base, 'U');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 's');
- putc_uart(args_ptr->dmap_base, 'b');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 'X');
- putc_uart(args_ptr->dmap_base, '\n');
+ puts_uart(args_ptr->dmap_base, (char[]){"IOMMU sb X\n"});
 goto out;
 }
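Review bot: Each new `puts_uart` call passes a `char` array to a `const uint8_t *` parameter, so this hunk and the three later main.c hunks (`IOMMU sb OK`/`TMR X`/`TMR OK`/`VMCB OK`, `Back from HV`, `IOMMU sb NO OK`) mix pointer signedness, which GCC reports under -Wpointer-sign and which hides any later, real type mismatch in the same warning noise. The compound literal looks intended to keep the bytes in a stack array rather than a .rodata section that shellcode would have to relocate — that is an inference, the hunk does not say so — and that property survives when the literal is written in the parameter's own type: `puts_uart(args_ptr->dmap_base, (uint8_t[]){"IOMMU sb X\n"});`. The enclosing `main` starts and ends outside the hunk.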
@@ -68,50 +58,20 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
 ret = ((uint64_t(*)(void))args_ptr->fun_hv_iommu_wait_completion)();
 if (ret == 0) {
- putc_uart(args_ptr->dmap_base, 'I');
- putc_uart(args_ptr->dmap_base, 'O');
- putc_uart(args_ptr->dmap_base, 'M');
- putc_uart(args_ptr->dmap_base, 'M');
- putc_uart(args_ptr->dmap_base, 'U');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 's');
- putc_uart(args_ptr->dmap_base, 'b');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 'O');
- putc_uart(args_ptr->dmap_base, 'K');
- putc_uart(args_ptr->dmap_base, '\n');
+ puts_uart(args_ptr->dmap_base, (char[]){"IOMMU sb OK\n"});
 // Allow R/W on HV and Kernel area
 if (tmr_disable(args_ptr->dmap_base)) {
- putc_uart(args_ptr->dmap_base, 'T');
- putc_uart(args_ptr->dmap_base, 'M');
- putc_uart(args_ptr->dmap_base, 'R');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 'X');
- putc_uart(args_ptr->dmap_base, '\n');
-
+ puts_uart(args_ptr->dmap_base, (char[]){"TMR X\n"});
 goto out;
 }
- putc_uart(args_ptr->dmap_base, 'T');
- putc_uart(args_ptr->dmap_base, 'M');
- putc_uart(args_ptr->dmap_base, 'R');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 'O');
- putc_uart(args_ptr->dmap_base, 'K');
- putc_uart(args_ptr->dmap_base, '\n');
+ puts_uart(args_ptr->dmap_base, (char[]){"TMR OK\n"});
 // Patch HV
 patch_vmcb(args_ptr);
- putc_uart(args_ptr->dmap_base, 'V');
- putc_uart(args_ptr->dmap_base, 'M');
- putc_uart(args_ptr->dmap_base, 'C');
- putc_uart(args_ptr->dmap_base, 'B');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 'O');
- putc_uart(args_ptr->dmap_base, 'K');
- putc_uart(args_ptr->dmap_base, '\n');
+ puts_uart(args_ptr->dmap_base, (char[]){"VMCB OK\n"});
 // Re-do this to force a VMEXIT without HV injecting faults
 ((uint64_t(*)(uint64_t, uint64_t, uint64_t, uint64_t,
@@ -119,19 +79,7 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
 iommu_cb2_pa, iommu_cb3_pa, iommu_eb_pa, (uint64_t)&unk, &n_devices);
 ((uint64_t(*)(void))args_ptr->fun_hv_iommu_wait_completion)();
- putc_uart(args_ptr->dmap_base, 'B');
- putc_uart(args_ptr->dmap_base, 'a');
- putc_uart(args_ptr->dmap_base, 'c');
- putc_uart(args_ptr->dmap_base, 'k');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 'f');
- putc_uart(args_ptr->dmap_base, 'r');
- putc_uart(args_ptr->dmap_base, 'o');
- putc_uart(args_ptr->dmap_base, 'm');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 'H');
- putc_uart(args_ptr->dmap_base, 'V');
- putc_uart(args_ptr->dmap_base, '\n');
+ puts_uart(args_ptr->dmap_base, (char[]){"Back from HV\n"});
 // We can now initiate the global args variable and use it, as NPTs are
 // disabled
@@ -154,21 +102,7 @@ __attribute__((section(".entry_point"))) uint32_t main(uint64_t add1,
 printf("We shouldn't be here :(\n");
 } else {
- putc_uart(args_ptr->dmap_base, 'I');
- putc_uart(args_ptr->dmap_base, 'O');
- putc_uart(args_ptr->dmap_base, 'M');
- putc_uart(args_ptr->dmap_base, 'M');
- putc_uart(args_ptr->dmap_base, 'U');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 's');
- putc_uart(args_ptr->dmap_base, 'b');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 'N');
- putc_uart(args_ptr->dmap_base, 'O');
- putc_uart(args_ptr->dmap_base, ' ');
- putc_uart(args_ptr->dmap_base, 'O');
- putc_uart(args_ptr->dmap_base, 'K');
- putc_uart(args_ptr->dmap_base, '\n');
+ puts_uart(args_ptr->dmap_base, (char[]){"IOMMU sb NO OK\n"});
 }
 out:
@@ -202,9 +136,8 @@ iommu_submit_cmd(volatile shellcode_kernel_args *args_ptr, uint64_t *cmd) {
 cmd_buffer[1] = cmd[1];
 __asm__ volatile("" : : : "memory"); // Prevent reordering
- *((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_TAIL / 8) =
- next_tail; // Indicate the IOMMU that there is a CMD - Downscale the size
- // of the ptr
+ // Indicate the IOMMU that there is a CMD - Downscale the size of the ptr
+ *((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_TAIL / 8) = next_tail;
 // Wait CMD processing completion - Head will be the Tail
 while (*((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_HEAD / 8) !=
diff --git a/shellcode_kernel/utils.c b/shellcode_kernel/utils.c
index 7e71399..0c9c90e 100644
--- a/shellcode_kernel/utils.c
+++ b/shellcode_kernel/utils.c
@@ -74,3 +74,20 @@ __attribute__((noinline, optimize("O0"))) uint32_t putc_uart(uint64_t dmap,
 *uart_tx = (uint32_t)tx_byte & 0xFF;
 return 0;
 }
+
+__attribute__((noinline, optimize("O0"))) int puts_uart(uint64_t dmap, const uint8_t *msg) {
+ uint32_t max = 255;
+ int ret = 0;
+
+ for (int i = 0; i < 255; i++) {
+ if (msg[i] == '\0') {
+ break;
+ }
+ if (msg[i] == '\n') {
+ putc_uart(dmap, '\r');
+ }
+ ret = putc_uart(dmap, msg[i]);
+ }
+
+ return ret;
+}
diff --git a/shellcode_kernel/utils.h b/shellcode_kernel/utils.h
index 41171db..7ab3c4c 100644
--- a/shellcode_kernel/utils.h
+++ b/shellcode_kernel/utils.h
@@ -39,5 +39,6 @@ uint64_t read_cr3(void);
 uint64_t va_to_pa_kernel(uint64_t va);
 uint64_t va_to_pa_custom(uint64_t va, uint64_t cr3_custom);
 uint32_t putc_uart(uint64_t dmap, uint8_t tx_byte);
+int puts_uart(uint64_t dmap, const uint8_t *msg);
 #endif
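Review bot: In the new `puts_uart` in utils.c, `max` is set to 255 and never read while the `for` bound repeats the literal, so the cap and the variable can silently diverge; fold the terminator test into the loop and use the named bound, `for (uint32_t i = 0; i < max && msg[i] != '\0'; i++) {`, and drop the separate `if (msg[i] == '\0') break;`. `ret` carries only the status of the last `putc_uart` call, and the return of the injected `putc_uart(dmap, '\r')` is discarded, so if `putc_uart` can report a non-zero result on some path (only its `return 0` is visible here) an early failure is lost — keeping the first non-zero status would be the safer contract. A message of 255 or more bytes is truncated without any indication; since every current caller passes a short literal that is fine, but it deserves a one-line comment on the function so the next caller knows the limit.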
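Review bot: The new `puts_uart` prototype in utils.h is all a caller sees, and it says nothing about the 255-byte cap or the `'\n'` to `"\r\n"` translation that the utils.c implementation performs, both of which change what ends up on the wire. Add a comment above the declaration along the lines of `/* Write NUL-terminated msg (at most 255 bytes) to the UART at dmap, sending "\r\n" for each '\n'; returns the status of the last putc_uart call. */`, matching whatever doc style the neighbouring declarations use.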
@@ -202,9 +136,8 @@ iommu_submit_cmd(volatile shellcode_kernel_args *args_ptr, uint64_t *cmd) { cmd_buffer[1] = cmd[1]; __asm__ volatile("" : : : "memory"); // Prevent reordering - *((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_TAIL / 8) = - next_tail; // Indicate the IOMMU that there is a CMD - Downscale the size - // of the ptr + // Indicate the IOMMU that there is a CMD - Downscale the size of the ptr + *((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_TAIL / 8) = next_tail; // Wait CMD processing completion - Head will be the Tail while (*((uint64_t *)args_ptr->iommu_mmio_va + IOMMU_MMIO_CB_HEAD / 8) != diff --git a/shellcode_kernel/utils.c b/shellcode_kernel/utils.c index 7e71399..0c9c90e 100644 --- a/shellcode_kernel/utils.c +++ b/shellcode_kernel/utils.c @@ -74,3 +74,20 @@ __attribute__((noinline, optimize("O0"))) uint32_t putc_uart(uint64_t dmap, *uart_tx = (uint32_t)tx_byte & 0xFF; return 0; } + +__attribute__((noinline, optimize("O0"))) int puts_uart(uint64_t dmap, const uint8_t *msg) { + uint32_t max = 255; + int ret = 0; + + for (int i = 0; i < 255; i++) { + if (msg[i] == '\0') { + break; + } + if (msg[i] == '\n') { + putc_uart(dmap, '\r'); + } + ret = putc_uart(dmap, msg[i]); + } + + return ret; +} diff --git a/shellcode_kernel/utils.h b/shellcode_kernel/utils.h index 41171db..7ab3c4c 100644 --- a/shellcode_kernel/utils.h +++ b/shellcode_kernel/utils.h @@ -39,5 +39,6 @@ uint64_t read_cr3(void); uint64_t va_to_pa_kernel(uint64_t va); uint64_t va_to_pa_custom(uint64_t va, uint64_t cr3_custom); uint32_t putc_uart(uint64_t dmap, uint8_t tx_byte); +int puts_uart(uint64_t dmap, const uint8_t *msg); #endif