cachepc

Prime+Probe cache-based side-channel attack on AMD SEV-SNP protected virtual machines
git clone https://git.sinitax.com/sinitax/cachepc

commit 1fe8249bbc782d28185e0e893504e8ac3a1fcaec
parent 0dc0595ee1d84bc77cb431b2417223f3b4a5bd57
Author: Louis Burda <quent.burda@gmail.com>
Date:   Mon, 23 Jan 2023 22:24:55 +0100

Move kvm to guest process and add ipc for synchronization

Diffstat:
MMakefile | 14++++++++++----
Mtest/kvm-eviction.c | 47-----------------------------------------------
Mtest/kvm-pagestep.c | 593++++++++++++-------------------------------------------------------------------
Atest/kvm-pagestep_guest.S | 19+++++++++++++++++++
Mtest/kvm-step.c | 116+++++++++++++++++++++++++------------------------------------------------------
Mtest/kvm.c | 57+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mtest/kvm.h | 6++++++
Mtest/util.c | 88+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mtest/util.h | 16++++++++++++++++
9 files changed, 317 insertions(+), 639 deletions(-)

diff --git a/Makefile b/Makefile @@ -6,7 +6,7 @@ JOBS ?= $(CORES) PWD := $(shell pwd) BINS = test/eviction test/kvm-eviction -BINS += test/kvm-step #test/kvm-execstep +BINS += test/kvm-step test/kvm-pagestep # BINS += test/qemu-eviction_guest test/qemu-eviction_host # BINS += test/qemu-aes_guest test/qemu-aes_host BINS += util/debug util/reset @@ -15,6 +15,8 @@ CFLAGS = -I . -I linux/usr/include CFLAGS += -g -Wunused-variable -Wunknown-pragmas -Wunused-function CFLAGS += -fsanitize=address +LDLIBS = -lpthread + CACHEPC_UAPI = cachepc/uapi.h cachepc/const.h all: build $(BINS) @@ -56,14 +58,18 @@ prep: util/%: util/%.c $(CACHEPC_UAPI) test/eviction: test/eviction.c test/util.c $(CACHEPC_UAPI) - $(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) + $(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) $(LDLIBS) test/kvm-eviction: test/kvm-eviction.c test/kvm-eviction_guest.S test/util.c \ test/util.h test/kvm.c test/kvm.h test/kvm-eviction.h $(CACHEPC_UAPI) - $(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) + $(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) $(LDLIBS) test/kvm-step: test/kvm-step.c test/kvm-step_guest.S \ test/util.c test/util.h test/kvm.c test/kvm.h $(CACHEPC_UAPI) - $(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) + $(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) $(LDLIBS) + +test/kvm-pagestep: test/kvm-pagestep.c test/kvm-pagestep_guest.S \ + test/util.c test/util.h test/kvm.c test/kvm.h $(CACHEPC_UAPI) + $(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) $(LDLIBS) .PHONY: all clean host build load prep diff --git a/test/kvm-eviction.c b/test/kvm-eviction.c 
@@ -23,53 +23,6 @@ extern uint8_t guest_with_stop[]; extern uint8_t guest_without_start[]; extern uint8_t guest_without_stop[]; -static const char *vmtype; - -uint64_t -vm_get_rip(struct kvm *kvm) -{ - struct kvm_regs regs; - uint64_t rip; - int ret; - - if (!strcmp(vmtype, "sev-snp")) { - rip = snp_dbg_decrypt_rip(kvm->vmfd); - } else if (!strcmp(vmtype, "sev-es")) { - rip = sev_dbg_decrypt_rip(kvm->vmfd); - } else { - ret = ioctl(kvm->vcpufd, KVM_GET_REGS, &regs); - if (ret == -1) err(1, "KVM_GET_REGS"); - rip = regs.rip; - } - - return rip; -} - -void -vm_init(struct kvm *kvm, void *code_start, void *code_end) -{ - size_t ramsize; - - ramsize = L1_SIZE; - if (!strcmp(vmtype, "kvm")) { - kvm_init(kvm, ramsize, code_start, code_end); - } else if (!strcmp(vmtype, "sev")) { - sev_kvm_init(kvm, ramsize, code_start, code_end); - } else if (!strcmp(vmtype, "sev-es")) { - sev_es_kvm_init(kvm, ramsize, code_start, code_end); - } else if (!strcmp(vmtype, "sev-snp")) { - sev_snp_kvm_init(kvm, ramsize, code_start, code_end); - } else { - errx(1, "invalid version"); - } -} - -void -vm_deinit(struct kvm *kvm) -{ - kvm_deinit(kvm); -} - void collect(struct kvm *kvm, uint8_t *counts) { diff --git a/test/kvm-pagestep.c b/test/kvm-pagestep.c 
@@ -1,515 +1,81 @@ -#define _GNU_SOURCE - +#include "test/kvm-eviction.h" +#include "test/kvm.h" +#include "test/util.h" #include "cachepc/uapi.h" -#include <linux/psp-sev.h> -#include <linux/kvm.h> -#include <sys/syscall.h> -#include <sys/ioctl.h> -#include <sys/user.h> -#include <sys/wait.h> #include <sys/ioctl.h> #include <sys/mman.h> -#include <sys/stat.h> -#include <sys/types.h> #include <unistd.h> #include <signal.h> -#include <dirent.h> -#include <assert.h> +#include <fcntl.h> #include <errno.h> #include <err.h> -#include <fcntl.h> -#include <sched.h> #include <string.h> #include <stdbool.h> -#include <stdlib.h> -#include <stdint.h> #include <stdio.h> -#include <stdarg.h> - -#define ARRLEN(x) (sizeof(x) / sizeof((x)[0])) -#define MIN(a,b) ((a) > (b) ? (b) : (a)) +#include <stdlib.h> #define TARGET_CORE 2 #define SECONDARY_CORE 3 -#define TARGET_SET 15 - -struct kvm { - int vmfd, vcpufd; - void *mem; - size_t memsize; - struct kvm_run *run; -}; - -/* start and end for guest assembly */ -extern uint8_t __start_guest_with[]; -extern uint8_t __stop_guest_with[]; - -/* ioctl dev fds */ -static int kvm_dev, sev_dev, kvm_dev; -static int faultcnt; - -enum { - GSTATE_INIT, - GSTATE_LAUNCH, - GSTATE_RUNNING, -}; - -const char *sev_fwerr_strs[] = { - [0x00] = "Success", - [0x01] = "Platform state is invalid", - [0x02] = "Guest state is invalid", - [0x03] = "Platform configuration is invalid", - [0x04] = "Buffer too small", - [0x05] = "Platform is already owned", - [0x06] = "Certificate is invalid", - [0x07] = "Request not allowed by policy", - [0x08] = "Guest is inactive", - [0x09] = "Invalid address", - [0x0A] = "Bad signature", - [0x0B] = "Bad measurement", - [0x0C] = "Asid is already owned", - [0x0D] = "Invalid ASID", - [0x0E] = "WBINVD is required", - [0x0F] = "DF_FLUSH is required", - [0x10] = "Guest handle is invalid", - [0x11] = "Invalid command", - [0x12] = "Guest is active", - [0x13] = "Hardware error", - [0x14] = "Hardware unsafe", - [0x15] = "Feature not 
supported", - [0x16] = "Invalid parameter", - [0x17] = "Out of resources", - [0x18] = "Integrity checks failed", - [0x19] = "RMP page size is incorrect", - [0x1A] = "RMP page state is incorrect", -}; - -const char *sev_gstate_strs[] = { - "INIT", - "LAUNCH", - "RUNNING", -}; - -void -hexdump(void *data, int len) -{ - int i; - - for (i = 0; i < len; i++) { - if (i % 16 == 0 && i) - printf("\n"); - printf("%02X ", *(uint8_t *)(data + i)); - } - printf("\n"); -} - -__attribute__((section("guest_with"))) void -vm_guest_with(void) -{ - asm volatile ("mov %rbp, %rsp; pop %rbp; \ - movq $4096, %rcx; movq $0, %rdx; cmp %rcx, %rdx; \ - cmovne %rdx, %rcx; jmp *%rcx"); -} - -bool -pin_process(pid_t pid, int cpu, bool assert) -{ - cpu_set_t cpuset; - int ret; - - CPU_ZERO(&cpuset); - CPU_SET(cpu, &cpuset); - ret = sched_setaffinity(pid, sizeof(cpu_set_t), &cpuset); - if (ret < 0) { - if (assert) err(1, "sched_setaffinity"); - return false; - } - - return true; -} - -int -read_stat_core(pid_t pid) -{ - char path[256]; - char line[2048]; - FILE *file; - char *p; - int i, cpu; - - snprintf(path, sizeof(path), "/proc/%u/stat", pid); - file = fopen(path, "r"); - if (!file) return -1; - - if (!fgets(line, sizeof(line), file)) - err(1, "read stat"); - - p = line; - for (i = 0; i < 38 && (p = strchr(p, ' ')); i++) - p += 1; - - if (!p) errx(1, "stat format"); - cpu = atoi(p); - - fclose(file); - - return cpu; -} - -const char * -sev_fwerr_str(int code) -{ - if (code < 0 || code >= ARRLEN(sev_fwerr_strs)) { - warnx("Unknown firmware error %i", code); - return "Unknown error"; - } - - return sev_fwerr_strs[code]; -} - -const char * -sev_gstate_str(int code) -{ - if (code < 0 || code >= ARRLEN(sev_gstate_strs)) { - warnx("Unknown guest state %i", code); - return "Unknown gstate"; - } - - return sev_gstate_strs[code]; -} - -int -sev_ioctl(int vmfd, int cmd, void *data, int *error) -{ - struct kvm_sev_cmd input; - int ret; - - memset(&input, 0, sizeof(input)); - input.id = cmd; - 
input.sev_fd = sev_dev; - input.data = (uintptr_t) data; - - ret = ioctl(vmfd, KVM_MEMORY_ENCRYPT_OP, &input); - if (error) *error = input.error; - - return ret; -} - -uint8_t -snp_guest_state(int vmfd) -{ - struct kvm_sev_guest_status status; - int ret, fwerr; - - assert(false); /* ioctl not implemented yet */ - - ret = sev_ioctl(vmfd, KVM_SEV_GUEST_STATUS, &status, &fwerr); - if (ret < 0) errx(1, "KVM_SEV_GUEST_STATUS: (%s) %s", - strerror(errno), sev_fwerr_str(fwerr)); - - return status.state; -} - -void -snp_dbg_decrypt(int vmfd, void *dst, void *src, size_t size) -{ - struct kvm_sev_dbg enc; - int ret, fwerr; - - // assert(false); /* ioctl not implemented yet */ - - memset(&enc, 0, sizeof(struct kvm_sev_dbg)); - enc.src_uaddr = (uintptr_t) src; - enc.dst_uaddr = (uintptr_t) dst; - enc.len = size; - - ret = sev_ioctl(vmfd, KVM_SEV_DBG_DECRYPT, &enc, &fwerr); - if (ret < 0) errx(1, "KVM_SEV_DBG_DECRYPT: (%s) %s", - strerror(errno), sev_fwerr_str(fwerr)); -} +extern uint8_t guest_start[]; +extern uint8_t guest_stop[]; uint64_t -snp_dbg_decrypt_rip(int vmfd) -{ - uint8_t vmsa[PAGE_SIZE]; - uint64_t rip; - - memset(vmsa, 0, PAGE_SIZE); - snp_dbg_decrypt(vmfd, vmsa, CPC_VMSA_MAGIC_ADDR, PAGE_SIZE); - - rip = *(uint64_t *)(vmsa + 0x178); - - return rip; -} - -void -sev_snp_kvm_init(struct kvm *kvm, size_t ramsize, void *code_start, void *code_stop) -{ - // REF: https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf - struct kvm_sev_snp_launch_update update; - struct kvm_sev_snp_launch_start start; - struct kvm_sev_snp_launch_finish finish; - struct kvm_snp_init init; - struct kvm_userspace_memory_region region; - struct kvm_enc_region enc_region; - struct kvm_regs regs; - struct kvm_sregs sregs; - int ret, fwerr; - - /* Create a kvm instance */ - kvm->vmfd = ioctl(kvm_dev, KVM_CREATE_VM, 0); - if (kvm->vmfd < 0) err(1, "KVM_CREATE_VM"); - - /* Allocate guest memory */ - kvm->memsize = ramsize; - kvm->mem = mmap(NULL, kvm->memsize, PROT_READ | 
PROT_WRITE, - MAP_SHARED | MAP_ANONYMOUS, -1, 0); - if (!kvm->mem) err(1, "Allocating guest memory"); - assert(code_stop - code_start <= kvm->memsize); - - /* Fill memory with nops and put jump code a bit from start - * such that we access multiple different pages while running */ - memset(kvm->mem, 0x90, kvm->memsize); - memcpy(kvm->mem + L1_SIZE, // - (code_stop - code_start), - code_start, code_stop - code_start); - - /* Map it into the vm */ - memset(&region, 0, sizeof(region)); - region.slot = 0; - region.memory_size = kvm->memsize; - region.guest_phys_addr = 0; - region.userspace_addr = (uintptr_t) kvm->mem; - ret = ioctl(kvm->vmfd, KVM_SET_USER_MEMORY_REGION, &region); - if (ret < 0) err(1, "KVM_SET_USER_MEMORY_REGION"); - - /* Enable SEV for vm */ - memset(&init, 0, sizeof(init)); - ret = sev_ioctl(kvm->vmfd, KVM_SEV_SNP_INIT, &init, &fwerr); - if (ret < 0) errx(1, "KVM_SEV_SNP_INIT: (%s) %s", - strerror(errno), sev_fwerr_str(fwerr)); - - /* Register memory region */ - memset(&enc_region, 0, sizeof(enc_region)); - enc_region.addr = (uintptr_t) kvm->mem; - enc_region.size = kvm->memsize; - ret = ioctl(kvm->vmfd, KVM_MEMORY_ENCRYPT_REG_REGION, &enc_region); - if (ret < 0) err(1, "KVM_MEMORY_ENCRYPT_REG_REGION"); - - /* Create virtual cpu */ - kvm->vcpufd = ioctl(kvm->vmfd, KVM_CREATE_VCPU, 0); - if (kvm->vcpufd < 0) err(1, "KVM_CREATE_VCPU"); - - /* Map the shared kvm_run structure and following data */ - ret = ioctl(kvm_dev, KVM_GET_VCPU_MMAP_SIZE, NULL); - if (ret < 0) err(1, "KVM_GET_VCPU_MMAP_SIZE"); - if (ret < sizeof(struct kvm_run)) - errx(1, "KVM_GET_VCPU_MMAP_SIZE too small"); - kvm->run = mmap(NULL, ret, PROT_READ | PROT_WRITE, - MAP_SHARED, kvm->vcpufd, 0); - if (!kvm->run) err(1, "mmap vcpu"); - - /* Initialize segment regs */ - memset(&sregs, 0, sizeof(sregs)); - ret = ioctl(kvm->vcpufd, KVM_GET_SREGS, &sregs); - if (ret < 0) err(1, "KVM_GET_SREGS"); - sregs.cs.base = 0; - sregs.cs.selector = 0; - ret = ioctl(kvm->vcpufd, KVM_SET_SREGS, &sregs); 
- if (ret < 0) err(1, "KVM_SET_SREGS"); - - /* Initialize rest of registers */ - memset(&regs, 0, sizeof(regs)); - regs.rip = 0; - regs.rsp = kvm->memsize - L1_SETS * L1_LINESIZE - 8; - regs.rbp = kvm->memsize - L1_SETS * L1_LINESIZE - 8; - ret = ioctl(kvm->vcpufd, KVM_SET_REGS, &regs); - if (ret < 0) err(1, "KVM_SET_REGS"); - - /* Generate encryption keys and set policy */ - memset(&start, 0, sizeof(start)); - start.policy = 1 << 17; /* must be set */ - start.policy |= 1 << 19; /* allow debug */ - start.policy |= 1 << 16; /* allow simultaneous multi-threading */ - ret = sev_ioctl(kvm->vmfd, KVM_SEV_SNP_LAUNCH_START, &start, &fwerr); - if (ret < 0) errx(1, "KVM_SEV_SNP_LAUNCH_START: (%s) %s", - strerror(errno), sev_fwerr_str(fwerr)); - - /* Prepare the vm memory */ - memset(&update, 0, sizeof(update)); - update.uaddr = (uintptr_t) kvm->mem; - update.len = ramsize; - update.start_gfn = 0; - update.page_type = KVM_SEV_SNP_PAGE_TYPE_NORMAL; - ret = sev_ioctl(kvm->vmfd, KVM_SEV_SNP_LAUNCH_UPDATE, &update, &fwerr); - if (ret < 0) errx(1, "KVM_SEV_SNP_LAUNCH_UPDATE: (%s) %s", - strerror(errno), sev_fwerr_str(fwerr)); - - /* Finalize launch process */ - memset(&finish, 0, sizeof(finish)); - ret = sev_ioctl(kvm->vmfd, KVM_SEV_SNP_LAUNCH_FINISH, &finish, &fwerr); - if (ret < 0) errx(1, "KVM_SEV_SNP_LAUNCH_FINISH: (%s) %s", - strerror(errno), sev_fwerr_str(fwerr)); -} - -void -sev_snp_kvm_deinit(struct kvm *kvm) -{ - close(kvm->vmfd); - close(kvm->vcpufd); - munmap(kvm->mem, kvm->memsize); -} - -uint8_t * -read_counts() -{ - uint8_t *counts; - int i, ret; - - counts = malloc(L1_SETS * sizeof(uint8_t)); - if (!counts) err(1, "malloc"); - - ret = ioctl(kvm_dev, KVM_CPC_READ_COUNTS, counts); - if (ret) err(1, "ioctl READ_COUNTS"); - - for (i = 0; i < L1_SETS; i++) { - if (counts[i] > 8) - errx(1, "Invalid counts set %i", i); - } - - return counts; -} - -void -print_counts(uint8_t *counts) -{ - int i; - - for (i = 0; i < 64; i++) { - if (i % 16 == 0 && i) - printf("\n"); - if 
(counts[i] == 1) - printf("\x1b[38;5;88m"); - else if (counts[i] > 1) - printf("\x1b[38;5;196m"); - printf("%2i ", i); - if (counts[i] > 0) - printf("\x1b[0m"); - } - printf("\n"); -} - - - -void -runonce(struct kvm *kvm) -{ - int ret; - - ret = ioctl(kvm->vcpufd, KVM_RUN, NULL); - if (ret < 0) err(1, "KVM_RUN"); -} - -int monitor(struct kvm *kvm, bool baseline) { struct cpc_event event; uint8_t counts[64]; - int ret, i; + int ret; /* Get page fault info */ ret = ioctl(kvm_dev, KVM_CPC_POLL_EVENT, &event); - if (ret) { - if (errno == EAGAIN) - return 0; - warn("ioctl POLL_EVENT"); - return 1; - } - - if (event.type == CPC_EVENT_TRACK_STEP) { - ret = ioctl(kvm_dev, KVM_CPC_READ_COUNTS, counts); - if (ret) err(1, "ioctl READ_COUNTS"); - - if (!baseline) { - printf("Event: cnt:%llu rip:%lu, inst:%llu data:%llu retired:%llu\n", - event.step.fault_count, - 0, // snp_dbg_decrypt_rip(kvm->vmfd), - event.step.fault_gfns[0], - event.step.fault_gfns[1], - event.step.retinst); - print_counts(counts); - printf("\n"); - } + if (ret && errno == EAGAIN) return 0; + if (ret) err(1, "ioctl KVM_CPC_POLL_EVENT"); - for (i = 0; i < 64; i++) { - if (counts[i] > 8) { - warnx("Invalid count for set %i (%llu)", - i, counts[i]); - } - } + if (event.type != CPC_EVENT_TRACK_STEP) + errx(1, "unexpected event type %i", event.type); - if (baseline) faultcnt++; - } else if (event.type == CPC_EVENT_TRACK_PAGE) { - printf("Event: inst page from:%llu to:%llu rip:%lu\n\n", - event.page.inst_gfn_prev, event.page.inst_gfn, - 0); //snp_dbg_decrypt_rip(kvm->vmfd)); + ret = ioctl(kvm_dev, KVM_CPC_READ_COUNTS, counts); + if (ret) err(1, "ioctl KVM_CPC_READ_COUNTS"); - if (!baseline) faultcnt++; - } + printf("Event: rip:%llu cnt:%llu inst:%llu data:%llu ret:%llu\n", + vm_get_rip(kvm), event.step.fault_count, + event.step.fault_gfns[0], event.step.fault_gfns[1], + event.step.retinst); + print_counts(counts); + printf("\n"); ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id); - if (ret) err(1, "ioctl 
ACK_EVENT"); + if (ret) err(1, "ioctl KVM_CPC_ACK_EVENT"); - return 0; + return 1; } int main(int argc, const char **argv) { - struct kvm kvm_with_access; - uint64_t track_mode; + struct kvm kvm; + uint8_t baseline[L1_SETS]; + struct cpc_event event; + uint64_t eventcnt; pid_t ppid, pid; uint32_t arg; - struct cpc_event event; - uint8_t baseline[64]; - int ret, i; + int ret; + + parse_vmtype(argc, argv); setvbuf(stdout, NULL, _IONBF, 0); pin_process(0, TARGET_CORE, true); - sev_dev = open("/dev/sev", O_RDWR | O_CLOEXEC); - if (sev_dev < 0) err(1, "open /dev/sev"); - - kvm_dev = open("/dev/kvm", O_RDWR | O_CLOEXEC); - if (kvm_dev < 0) err(1, "open /dev/kvm"); + kvm_setup_init(); - /* ensure we have the stable version of the api */ - ret = ioctl(kvm_dev, KVM_GET_API_VERSION, NULL); - if (ret < 0) err(1, "KVM_GET_API_VERSION"); - if (ret != 12) errx(1, "KVM_GET_API_VERSION %d, expected 12", ret); - - sev_snp_kvm_init(&kvm_with_access, L1_SIZE * 2, - __start_guest_with, __stop_guest_with); + vm_init(&kvm, guest_start, guest_stop); /* reset kernel module state */ ret = ioctl(kvm_dev, KVM_CPC_RESET, NULL); - if (ret) err(1, "ioctl RESET_TRACKING"); - - /* Do data access stepping */ - arg = CPC_TRACK_STUB; - ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg); - if (ret) err(1, "ioctl TRACK_MODE"); - - /* Init page tracking */ - track_mode = KVM_PAGE_TRACK_EXEC; - ret = ioctl(kvm_dev, KVM_CPC_TRACK_ALL, &track_mode); - if (ret) err(1, "ioctl TRACK_ALL"); - - arg = true; - ret = ioctl(kvm_dev, KVM_CPC_MEASURE_BASELINE, &arg); - if (ret) err(1, "ioctl MEASURE_BASELINE"); + if (ret < 0) err(1, "ioctl KVM_CPC_RESET"); ppid = getpid(); if ((pid = fork())) { 
@@ -517,73 +83,84 @@ main(int argc, const char **argv) sleep(1); /* give time for child to pin other core */ - printf("VMRUN\n"); - runonce(&kvm_with_access); - printf("VMRUN DONE\n"); + printf("VM start\n"); + + do { + ret = ioctl(kvm.vcpufd, KVM_RUN, NULL); + if (ret < 0) err(1, "KVM_RUN"); + + if (kvm.run->exit_reason == KVM_EXIT_HLT) + printf("VM halt\n"); + } while (kvm.run->exit_reason == KVM_EXIT_HLT); + + printf("VM exit\n"); } else { pin_process(0, SECONDARY_CORE, true); - printf("PINNED\n"); - faultcnt = 0; - while (faultcnt < 300) { - if (monitor(&kvm_with_access, true)) break; + /* capture baseline by just letting it fault over and over */ + arg = CPC_TRACK_EXEC; + ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg); + if (ret) err(1, "ioctl KVM_CPC_TRACK_MODE"); + + printf("Monitor ready\n"); + + /* run vm while baseline is calculated */ + eventcnt = 0; + while (eventcnt < 50) { + eventcnt += monitor(&kvm, true); } - do { + ret = ioctl(kvm_dev, KVM_CPC_VM_REQ_PAUSE); + if (ret) err(1, "ioctl KVM_CPC_VM_REQ_PAUSE"); + + while (1) { ret = ioctl(kvm_dev, KVM_CPC_POLL_EVENT, &event); - if (ret && errno != EAGAIN) - err(1, "ioctl POLL_EVENT"); - } while (ret && errno == EAGAIN); + if (ret && errno == EAGAIN) continue; + if (ret) err(1, "ioctl KVM_CPC_POLL_EVENT"); + + if (event.type == CPC_EVENT_PAUSE) break; + + printf("Skipping non-pause event..\n"); + ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id); + if (ret) err(1, "ioctl KVM_CPC_ACK_EVENT"); + } arg = false; - ret = ioctl(kvm_dev, KVM_CPC_MEASURE_BASELINE, &arg); - if (ret) err(1, "ioctl MEASURE_BASELINE"); + ret = ioctl(kvm_dev, KVM_CPC_CALC_BASELINE, &arg); + if (ret) err(1, "ioctl KVM_CPC_CALC_BASELINE"); ret = ioctl(kvm_dev, KVM_CPC_READ_BASELINE, baseline); - if (ret) err(1, "ioctl READ_BASELINE"); + if (ret) err(1, "ioctl KVM_CPC_READ_BASELINE"); - printf("\n>>> BASELINE:\n"); + printf("\nBaseline:\n"); print_counts(baseline); printf("\n"); print_counts_raw(baseline); - printf("\n"); - - /* Check 
baseline for saturated sets */ - for (i = 0; i < 64; i++) { - if (baseline[i] >= 8) - warnx("!!! Baseline set %i full\n", i); - } + printf("\n\n"); arg = true; - ret = ioctl(kvm_dev, KVM_CPC_SUB_BASELINE, &arg); - if (ret) err(1, "ioctl SUB_BASELINE"); + ret = ioctl(kvm_dev, KVM_CPC_APPLY_BASELINE, &arg); + if (ret) err(1, "ioctl KMV_CPC_APPLY_BASELINE"); - ret = ioctl(kvm_dev, KVM_CPC_RESET_TRACKING, NULL); - if (ret) err(1, "ioctl RESET_TRACKING"); - - arg = CPC_TRACK_EXEC; + /* single step and log all accessed pages */ + arg = CPC_TRACK_FULL; ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg); - if (ret) err(1, "ioctl TRACK_MODE"); - - track_mode = KVM_PAGE_TRACK_EXEC; - ret = ioctl(kvm_dev, KVM_CPC_TRACK_ALL, &track_mode); - if (ret) err(1, "ioctl TRACK_ALL"); + if (ret) err(1, "ioctl KVM_CPC_TRACK_MODE"); ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id); - if (ret) err(1, "ioctl ACK_EVENT"); + if (ret) err(1, "ioctl KVM_CPC_ACK_EVENT"); - faultcnt = 0; - while (faultcnt < 20) { - if (monitor(&kvm_with_access, false)) break; + eventcnt = 0; + while (eventcnt < 50) { + eventcnt += monitor(&kvm, false); } - kill(ppid, SIGTERM); + kill(ppid, SIGINT); exit(0); } - sev_snp_kvm_deinit(&kvm_with_access); - - close(kvm_dev); - close(sev_dev); + vm_deinit(&kvm); + + kvm_setup_deinit(); } diff --git a/test/kvm-pagestep_guest.S b/test/kvm-pagestep_guest.S @@ -0,0 +1,19 @@ +#include "cachepc/const.h" + +#define TARGET_SET 15 + +.global guest_start +.global guest_stop + +.align(16) +.code16gcc + +guest_start: +.rept L1_SIZE + nop +.endr + + mov $0x00, %ax + jmp *%ax +guest_stop: + diff --git a/test/kvm-step.c b/test/kvm-step.c 
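Review bot: The error string for the KVM_CPC_APPLY_BASELINE ioctl is misspelled: `if (ret) err(1, "ioctl KMV_CPC_APPLY_BASELINE");` should read `if (ret) err(1, "ioctl KVM_CPC_APPLY_BASELINE");`, otherwise a search of the log for the ioctl name misses it. The pause-wait loop directly above it retries with `continue` on EAGAIN with no delay, so the monitor spins on SECONDARY_CORE until the pause event arrives; the old do/while had the same shape, but a short sleep or a blocking wait would avoid burning the core. Note also that the monitor child ends with `kill(ppid, SIGINT)`, so the VM process is normally terminated inside the KVM_RUN loop and the new `vm_deinit(&kvm); kvm_setup_deinit();` lines are only reached if the guest exits on its own.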
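Review bot: `#define TARGET_SET 15` in the new kvm-pagestep_guest.S is not referenced anywhere in the file (the complete 19-line file is in the hunk), so it is dead; either drop it or use it in the guest body. The guest body also has no comment on its intent; something like `/* L1_SIZE bytes of nops, then jump back to address 0 and run the sled again */` above `guest_start:` would tell the next reader what the page-stepping test expects to observe, with the exact page-access pattern confirmed against kvm-pagestep.c.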
@@ -1,33 +1,19 @@ -#define _GNU_SOURCE - +#include "test/kvm-eviction.h" #include "test/kvm.h" #include "test/util.h" #include "cachepc/uapi.h" -#include <linux/psp-sev.h> -#include <linux/kvm.h> -#include <sys/syscall.h> -#include <sys/ioctl.h> -#include <sys/user.h> -#include <sys/wait.h> #include <sys/ioctl.h> #include <sys/mman.h> -#include <sys/stat.h> -#include <sys/types.h> -#include <unistd.h> #include <signal.h> -#include <dirent.h> -#include <assert.h> +#include <unistd.h> +#include <fcntl.h> #include <errno.h> #include <err.h> -#include <fcntl.h> -#include <sched.h> #include <string.h> #include <stdbool.h> -#include <stdlib.h> -#include <stdint.h> #include <stdio.h> -#include <stdarg.h> +#include <stdlib.h> #define TARGET_CORE 2 #define SECONDARY_CORE 3 @@ -35,52 +21,7 @@ extern uint8_t guest_start[]; extern uint8_t guest_stop[]; -static const char *vmtype; - -uint64_t -vm_get_rip(struct kvm *kvm) -{ - struct kvm_regs regs; - uint64_t rip; - int ret; - - if (!strcmp(vmtype, "sev-snp")) { - rip = snp_dbg_decrypt_rip(kvm->vmfd); - } else if (!strcmp(vmtype, "sev-es")) { - rip = sev_dbg_decrypt_rip(kvm->vmfd); - } else { - ret = ioctl(kvm_dev, KVM_CPC_GET_REGS, &regs); - if (ret == -1) err(1, "KVM_CPC_GET_REGS"); - rip = regs.rip; - } - - return rip; -} - -void -vm_init(struct kvm *kvm, void *code_start, void *code_end) -{ - size_t ramsize; - - ramsize = L1_SIZE * 2; - if (!strcmp(vmtype, "kvm")) { - kvm_init(kvm, ramsize, code_start, code_end); - } else if (!strcmp(vmtype, "sev")) { - sev_kvm_init(kvm, ramsize, code_start, code_end); - } else if (!strcmp(vmtype, "sev-es")) { - sev_es_kvm_init(kvm, ramsize, code_start, code_end); - } else if (!strcmp(vmtype, "sev-snp")) { - sev_snp_kvm_init(kvm, ramsize, code_start, code_end); - } else { - errx(1, "invalid version"); - } -} - -void -vm_deinit(struct kvm *kvm) -{ - kvm_deinit(kvm); -} +static int child; uint64_t monitor(struct kvm *kvm, bool baseline) 
@@ -113,14 +54,20 @@ monitor(struct kvm *kvm, bool baseline) return 1; } +void +kill_child(void) +{ + kill(child, SIGKILL); +} + int main(int argc, const char **argv) { + struct ipc *ipc; struct kvm kvm; uint8_t baseline[L1_SETS]; struct cpc_event event; uint64_t eventcnt; - pid_t ppid, pid; uint32_t arg; int ret; @@ -133,21 +80,24 @@ main(int argc, const char **argv) setvbuf(stdout, NULL, _IONBF, 0); - pin_process(0, TARGET_CORE, true); - kvm_setup_init(); - vm_init(&kvm, guest_start, guest_stop); + ipc = ipc_alloc(); + + child = fork(); + if (child < 0) err(1, "fork"); + + if (child == 0) { + pin_process(0, TARGET_CORE, true); - /* reset kernel module state */ - ret = ioctl(kvm_dev, KVM_CPC_RESET, NULL); - if (ret < 0) err(1, "ioctl KVM_CPC_RESET"); + vm_init(&kvm, guest_start, guest_stop); - ppid = getpid(); - if ((pid = fork())) { - if (pid < 0) err(1, "fork"); + /* reset kernel module state */ + ret = ioctl(kvm_dev, KVM_CPC_RESET, NULL); + if (ret < 0) err(1, "ioctl KVM_CPC_RESET"); - sleep(1); /* give time for child to pin other core */ + ipc_signal_parent(ipc); + ipc_wait_parent(ipc); printf("VM start\n"); @@ -160,9 +110,17 @@ main(int argc, const char **argv) } while (kvm.run->exit_reason == KVM_EXIT_HLT); printf("VM exit\n"); + + vm_deinit(&kvm); } else { pin_process(0, SECONDARY_CORE, true); + atexit(kill_child); + + ipc_wait_child(ipc); + + printf("Monitor start\n"); + /* capture baseline by just letting it fault over and over */ arg = CPC_TRACK_FAULT_NO_RUN; ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg); @@ -173,14 +131,13 @@ main(int argc, const char **argv) ret = ioctl(kvm_dev, KVM_CPC_CALC_BASELINE, &arg); if (ret) err(1, "ioctl KVM_CPC_CALC_BASELINE"); - printf("Monitor ready\n"); + ipc_signal_child(ipc); /* run vm while baseline is calculated */ eventcnt = 0; while (eventcnt < 50) { eventcnt += monitor(&kvm, true); } - printf("Baseline done\n"); ret = ioctl(kvm_dev, KVM_CPC_VM_REQ_PAUSE); if (ret) err(1, "ioctl KVM_CPC_VM_REQ_PAUSE"); 
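Review bot: In the @@ -133 hunk `vm_init(&kvm, guest_start, guest_stop)` now runs only in the child after `fork()`, but the parent branch (the @@ -160 and @@ -173 hunks) still calls `monitor(&kvm, …)` with its own copy of `struct kvm kvm`, which in the parent is never initialised. monitor's body is outside these hunks, but if it prints the rip via vm_get_rip() as the kvm-pagestep.c copy in this commit does, the sev-es and sev-snp branches of vm_get_rip() in test/kvm.c read `kvm->vmfd` and would hand an indeterminate fd to the debug-decrypt path. At minimum zero the struct, `struct kvm kvm = {0};`, and either publish the vmfd to the monitor through the shared ipc mapping or confine vm_get_rip() to the VM process. `child` should also be declared `pid_t`, the type `fork()` returns and `kill()` takes, rather than `int`.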
@@ -227,11 +184,10 @@ main(int argc, const char **argv)
 eventcnt += monitor(&kvm, false);
 }
- kill(ppid, SIGINT);
- exit(0);
+ printf("Monitor exit\n");
 }
- vm_deinit(&kvm);
+ ipc_free(ipc);
 kvm_setup_deinit();
 }
diff --git a/test/kvm.c b/test/kvm.c
@@ -29,6 +29,7 @@
 #include <stdlib.h>
 int kvm_dev, sev_dev;
+const char *vmtype;
 const char *sev_fwerr_strs[] = {
 [0x00] = "Success",
@@ -466,6 +467,62 @@ kvm_deinit(struct kvm *kvm)
 }
 void
+parse_vmtype(int argc, const char **argv)
+{
+ vmtype = "kvm";
+ if (argc > 1) vmtype = argv[1];
+ if (strcmp(vmtype, "kvm") && strcmp(vmtype, "sev")
+ && strcmp(vmtype, "sev-es")
+ && strcmp(vmtype, "sev-snp"))
+ errx(1, "invalid vm mode: %s", vmtype);
+}
+
+uint64_t
+vm_get_rip(struct kvm *kvm)
+{
+ struct kvm_regs regs;
+ uint64_t rip;
+ int ret;
+
+ if (!strcmp(vmtype, "sev-snp")) {
+ rip = snp_dbg_decrypt_rip(kvm->vmfd);
+ } else if (!strcmp(vmtype, "sev-es")) {
+ rip = sev_dbg_decrypt_rip(kvm->vmfd);
+ } else {
+ ret = ioctl(kvm_dev, KVM_CPC_GET_REGS, &regs);
+ if (ret == -1) err(1, "KVM_CPC_GET_REGS");
+ rip = regs.rip;
+ }
+
+ return rip;
+}
+
+void
+vm_init(struct kvm *kvm, void *code_start, void *code_end)
+{
+ size_t ramsize;
+
+ ramsize = L1_SIZE * 2;
+ if (!strcmp(vmtype, "kvm")) {
+ kvm_init(kvm, ramsize, code_start, code_end);
+ } else if (!strcmp(vmtype, "sev")) {
+ sev_kvm_init(kvm, ramsize, code_start, code_end);
+ } else if (!strcmp(vmtype, "sev-es")) {
+ sev_es_kvm_init(kvm, ramsize, code_start, code_end);
+ } else if (!strcmp(vmtype, "sev-snp")) {
+ sev_snp_kvm_init(kvm, ramsize, code_start, code_end);
+ } else {
+ errx(1, "invalid version");
+ }
+}
+
+void
+vm_deinit(struct kvm *kvm)
+{
+ kvm_deinit(kvm);
+}
+
+void
 kvm_setup_init(void)
 {
 int ret;
diff --git a/test/kvm.h b/test/kvm.h
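Review bot: After `printf("Monitor exit\n")` the parent falls through to `ipc_free(ipc)` and `kvm_setup_deinit()` and returns, at which point the `atexit(kill_child)` handler registered in the @@ -160 hunk SIGKILLs the VM child without ever reaping it, so the child's `vm_deinit(&kvm)` path is skipped and its exit status is never collected. A `waitpid(child, NULL, 0)` before returning (after a SIGTERM rather than SIGKILL, if the VM loop is expected to still be running) would let the child tear down cleanly and avoid the orphan. `ipc_free()` is also reached by both processes, and it reads and clears `ipc->init` without taking `ipc->lock`, so the second process to get there depends on timing rather than on the mutex.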
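Review bot: Consolidating vm_init() into test/kvm.c hard-codes `ramsize = L1_SIZE * 2`, but the copy deleted from test/kvm-eviction.c in this commit used `ramsize = L1_SIZE`, so kvm-eviction's guest now gets twice the RAM and a different stack position than before; likewise the deleted kvm-eviction vm_get_rip() issued `KVM_GET_REGS` on `kvm->vcpufd` while the shared one issues `KVM_CPC_GET_REGS` on `kvm_dev`. If both changes are intended, say so in a comment on vm_init, `/* every test now gets L1_SIZE * 2; kvm-eviction previously used L1_SIZE */`; if not, give vm_init a ramsize parameter. The trailing `errx(1, "invalid version")` in vm_init is unreachable once parse_vmtype() has validated `vmtype`, which is fine as a guard, but its message should match parse_vmtype's `invalid vm mode: %s` so a user sees one vocabulary.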
@@ -43,8 +43,14 @@ void sev_snp_kvm_init(struct kvm *kvm, size_t ramsize, void *code_start, void *code_stop); void kvm_deinit(struct kvm *kvm); +void parse_vmtype(int argc, const char **argv); +uint64_t vm_get_rip(struct kvm *kvm); +void vm_init(struct kvm *kvm, void *code_start, void *code_end); +void vm_deinit(struct kvm *kvm); + void kvm_setup_init(void); void kvm_setup_deinit(void); extern int kvm_dev, sev_dev; +extern const char *vmtype; diff --git a/test/util.c b/test/util.c @@ -2,6 +2,8 @@ #include "test/util.h" +#include <pthread.h> +#include <sys/mman.h> #include <err.h> #include <sched.h> #include <string.h> 
@@ -104,3 +106,89 @@ print_counts_raw(uint8_t *counts)
 }
 printf("\n");
 }
+
+struct ipc *
+ipc_alloc(void)
+{
+ pthread_mutexattr_t mutex_attr;
+ pthread_condattr_t cond_attr;
+ struct ipc *ipc;
+
+ pthread_condattr_init(&cond_attr);
+ pthread_condattr_setpshared(&cond_attr, PTHREAD_PROCESS_SHARED);
+
+ pthread_mutexattr_init(&mutex_attr);
+ pthread_mutexattr_setpshared(&mutex_attr, PTHREAD_PROCESS_SHARED);
+
+ ipc = mmap(NULL, sizeof(struct ipc), PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ if (ipc == MAP_FAILED) err(1, "mmap");
+
+ pthread_mutex_init(&ipc->lock, &mutex_attr);
+
+ pthread_cond_init(&ipc->sig_parent, &cond_attr);
+ ipc->has_sig_parent = false;
+
+ pthread_cond_init(&ipc->sig_child, &cond_attr);
+ ipc->has_sig_child = false;
+
+ ipc->init = true;
+
+ return ipc;
+}
+
+void
+ipc_free(struct ipc *ipc)
+{
+ if (ipc->init) {
+ pthread_mutex_destroy(&ipc->lock);
+ pthread_cond_destroy(&ipc->sig_parent);
+ pthread_cond_destroy(&ipc->sig_child);
+ ipc->init = false;
+ }
+ munmap(ipc, sizeof(ipc));
+}
+
+void
+ipc_signal_parent(struct ipc *ipc)
+{
+ if (!ipc->init) errx(1, "ipc deinit");
+ pthread_mutex_lock(&ipc->lock);
+ if (!ipc->has_sig_child)
+ pthread_cond_signal(&ipc->sig_child);
+ ipc->has_sig_child = true;
+ pthread_mutex_unlock(&ipc->lock);
+}
+
+void
+ipc_wait_child(struct ipc *ipc)
+{
+ if (!ipc->init) errx(1, "ipc deinit");
+ pthread_mutex_lock(&ipc->lock);
+ while (!ipc->has_sig_child)
+ pthread_cond_wait(&ipc->sig_child, &ipc->lock);
+ ipc->has_sig_child = false;
+ pthread_mutex_unlock(&ipc->lock);
+}
+
+void
+ipc_signal_child(struct ipc *ipc)
+{
+ if (!ipc->init) errx(1, "ipc deinit");
+ pthread_mutex_lock(&ipc->lock);
+ if (!ipc->has_sig_parent)
+ pthread_cond_signal(&ipc->sig_parent);
+ ipc->has_sig_parent = true;
+ pthread_mutex_unlock(&ipc->lock);
+}
+
+void
+ipc_wait_parent(struct ipc *ipc)
+{
+ if (!ipc->init) errx(1, "ipc deinit");
+ pthread_mutex_lock(&ipc->lock);
+ while (!ipc->has_sig_parent)
+ pthread_cond_wait(&ipc->sig_parent, &ipc->lock);
+ ipc->has_sig_parent = false;
+ pthread_mutex_unlock(&ipc->lock);
+}
diff --git a/test/util.h b/test/util.h
@@ -7,6 +7,15 @@
 #define ARRLEN(x) (sizeof(x) / sizeof((x)[0]))
 #define MIN(a,b) ((a) > (b) ? (b) : (a))
+struct ipc {
+ pthread_mutex_t lock;
+ pthread_cond_t sig_parent;
+ bool has_sig_parent;
+ pthread_cond_t sig_child;
+ bool has_sig_child;
+ bool init;
+};
+
 void hexdump(void *data, int len);
 bool pin_process(pid_t pid, int cpu, bool assert);
@@ -15,3 +24,10 @@
 int read_stat_core(pid_t pid);
 void print_counts(uint8_t *counts);
 void print_counts_raw(uint8_t *counts);
+
+struct ipc *ipc_alloc(void);
+void ipc_free(struct ipc *ipc);
+void ipc_signal_child(struct ipc *ipc);
+void ipc_wait_child(struct ipc *ipc);
+void ipc_signal_parent(struct ipc *ipc);
+void ipc_wait_parent(struct ipc *ipc);
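Review bot: `munmap(ipc, sizeof(ipc))` in ipc_free() passes the size of the pointer, not of the mapping that ipc_alloc() created with `sizeof(struct ipc)`; it only happens to work because munmap rounds the length up to a page, so write `munmap(ipc, sizeof(*ipc));`. The `pthread_mutexattr_t`/`pthread_condattr_t` objects in ipc_alloc() are never destroyed, and none of the `pthread_*_init`/`*_setpshared` calls have their return values checked, so on a libc where PTHREAD_PROCESS_SHARED is unsupported the mutex would silently be process-private and the two processes could hang in ipc_wait_*. The `if (!ipc->init)` guard in the four signal/wait helpers reads `init`, and ipc_free() writes it, outside `ipc->lock`; since kvm-step.c's main lets both processes reach ipc_free(), that check is a data race rather than a guarantee and should move under the lock.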