cachepc

Prime+Probe cache-based side-channel attack on AMD SEV-SNP protected virtual machines
git clone https://git.sinitax.com/sinitax/cachepc
Log | Files | Refs | Submodules | README | sfeed.txt
commit 5e21196a9c7ee8eee921d74f6b5eef2f1980ec97
parent cb7c6b3d6767335d13892451c141cfb717807712
Author: Louis Burda <quent.burda@gmail.com>
Date:   Thu, 26 Jan 2023 04:24:19 +0100

Basic qemu eviction test with signalled stepping and added rip syscall

Diffstat:

MMakefile | 27++++++++++++++++-----------


Mcachepc/cachepc.c | 11++++++++---


Mcachepc/cachepc.h | 3+++


Mcachepc/event.c | 2+-


Mcachepc/kvm.c | 113+++++++++++++++++++++++++++++++------------------------------------------------


Acachepc/svm.c | 22++++++++++++++++++++++


Mcachepc/uapi.h | 30+++++++++++++++++++-----------


Mtest/kvm-eviction.c | 10++++++----


Rtest/guest.lds -> test/kvm-guest.lds | 0


Mtest/kvm-pagestep.c | 12++++++------


Mtest/kvm-step.c | 43++++++++++++++++++-------------------------


Mtest/kvm.c | 103++++++++++++++++---------------------------------------------------------------


Mtest/kvm.h | 8+++-----


Mtest/qemu-eviction.c | 396+++++++++++++++++++------------------------------------------------------------


Mtest/qemu-eviction_guest.c | 6++++--


Mtest/util.c | 39++++++++++++++++++++++++++++++++++++++-


Mtest/util.h | 1+


17 files changed, 303 insertions(+), 523 deletions(-)

diff --git a/Makefile b/Makefile
@@ -9,13 +9,15 @@ BINS = test/eviction test/kvm-eviction
 BINS += test/kvm-eviction-with_guest test/kvm-eviction-without_guest
 BINS += test/kvm-step test/kvm-step_guest
 BINS += test/kvm-pagestep test/kvm-pagestep_guest
-# BINS += test/qemu-eviction_guest test/qemu-eviction
+BINS += test/qemu-eviction test/qemu-eviction_guest
 # BINS += test/qemu-aes_guest test/qemu-aes
 BINS += util/debug util/reset
 
 CFLAGS = -I . -I linux/usr/include
 CFLAGS += -g -Wunused-variable -Wunknown-pragmas -Wunused-function
-CFLAGS += -fsanitize=address
+
+HOST_CFLAGS = $(CFLAGS) -fsanitize=address
+GUEST_CFLAGS = $(CFLAGS) -static
 
 LDLIBS = -lpthread
 
@@ -67,19 +69,22 @@ test/%.o: test/%.c
 test/%.o: test/%.S
 	$(CC) -c -o $@ $^ $(CFLAGS)
 
-test/%_guest: test/%_guest.o test/guest.lds
-	$(LD) -Ttest/guest.lds -o $@ $<
-
-test/eviction: test/eviction.c test/util.c $(TEST_SRCS)
+test/%: test/%.c $(TEST_SRCS)
 	$(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) $(LDLIBS)
 
+test/kvm-%_guest: test/kvm-%_guest.o test/guest.lds
+	$(LD) -Ttest/kvm-guest.lds -o $@ $<
+
+test/kvm-%: test/kvm-%.c $(TEST_SRCS)
+	$(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(HOST_CFLAGS) $(LDLIBS)
+
 test/kvm-eviction: test/kvm-eviction.c test/kvm-eviction.h $(TEST_SRCS)
-	$(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) $(LDLIBS)
+	$(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(HOST_CFLAGS) $(LDLIBS)
 
-test/kvm-step: test/kvm-step.c $(TEST_SRCS)
-	$(CC) -o $@  $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) $(LDLIBS)
+test/qemu-%: test/qemu-%.c $(TEST_SRCS)
+	$(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(HOST_CFLAGS) $(LDLIBS)
 
-test/kvm-pagestep: test/kvm-pagestep.c $(TEST_SRCS)
-	$(CC) -o $@  $(filter %.c,$^) $(filter %.S,$^) $(CFLAGS) $(LDLIBS)
+test/qemu-%_guest: test/qemu-%_guest.c
+	$(CC) -o $@ $(filter %.c,$^) $(filter %.S,$^) $(GUEST_CFLAGS) $(LDLIBS)
 
 .PHONY: all clean host build load prep
diff --git a/cachepc/cachepc.c b/cachepc/cachepc.c
@@ -161,9 +161,10 @@ cachepc_save_msrmts(struct cacheline *head)
 	do {
 		if (cl->first) {
 			BUG_ON(cl->cache_set >= L1_SETS);
-			if (cl->count > L1_ASSOC)
+			if (cl->count > L1_ASSOC) {
 				CPC_ERR("Read count %llu for set %u line %u",
 					cl->count, cl->cache_set, cl->cache_line);
+			}
 			cachepc_msrmts[cl->cache_set] = cl->count;
 		} else {
 			BUG_ON(cl->count != 0);
@@ -182,8 +183,12 @@ cachepc_save_msrmts(struct cacheline *head)
 
 	if (cachepc_baseline_active) {
 		for (i = 0; i < L1_SETS; i++) {
-			if (!cachepc_baseline_active)
-				WARN_ON(cachepc_msrmts[i] < cachepc_baseline[i]);
+			if (cachepc_msrmts[i] < cachepc_baseline[i]) {
+				CPC_ERR("Count (%u) under baseline (%u) "
+					"for set %u line %u",
+					cachepc_msrmts[i], cachepc_baseline[i],
+					cl->cache_set, cl->cache_line);
+			}
 			cachepc_msrmts[i] -= cachepc_baseline[i];
 		}
 	}
diff --git a/cachepc/cachepc.h b/cachepc/cachepc.h
@@ -78,6 +78,8 @@ extern bool cachepc_baseline_active;
 
 extern bool cachepc_pause_vm;
 
+extern bool cachepc_prime_probe;
+
 extern bool cachepc_singlestep;
 extern bool cachepc_singlestep_reset;
 extern bool cachepc_long_step;
@@ -97,6 +99,7 @@ extern uint64_t cachepc_rip_prev;
 extern bool cachepc_rip_prev_set;
 
 extern struct cpc_track_exec cachepc_track_exec;
+extern bool cachepc_track_signalled_enable;
 
 extern struct list_head cachepc_faults;
 
diff --git a/cachepc/event.c b/cachepc/event.c
@@ -80,7 +80,7 @@ cachepc_send_guest_event(uint64_t type, uint64_t val)
 {
 	struct cpc_event event;
 
-	event.type = CPC_EVENT_CPUID;
+	event.type = CPC_EVENT_GUEST;
 	event.guest.type = type;
 	event.guest.val = val;
 
diff --git a/cachepc/kvm.c b/cachepc/kvm.c
@@ -34,6 +34,9 @@ EXPORT_SYMBOL(cachepc_baseline_active);
 bool cachepc_pause_vm = false;
 EXPORT_SYMBOL(cachepc_pause_vm);
 
+bool cachepc_prime_probe = false;
+EXPORT_SYMBOL(cachepc_prime_probe);
+
 uint64_t cachepc_retinst = 0;
 uint64_t cachepc_retinst_prev = 0;
 EXPORT_SYMBOL(cachepc_retinst);
@@ -69,7 +72,9 @@ LIST_HEAD(cachepc_faults);
 EXPORT_SYMBOL(cachepc_faults);
 
 struct cpc_track_exec cachepc_track_exec;
+bool cachepc_track_signalled_enable;
 EXPORT_SYMBOL(cachepc_track_exec);
+EXPORT_SYMBOL(cachepc_track_signalled_enable);
 
 struct cacheline *cachepc_ds_ul = NULL;
 struct cacheline *cachepc_ds = NULL;
@@ -89,11 +94,14 @@ static noinline void cachepc_stream_hwpf_test(void);
 void cachepc_single_eviction_test_asm(void *ptr);
 static noinline void cachepc_single_eviction_test(void *p);
 
+static void cachepc_kvm_pmc_setup(void *p);
 static void cachepc_kvm_system_setup(void);
 
 static int cachepc_kvm_reset_ioctl(void __user *arg_user);
 static int cachepc_kvm_debug_ioctl(void __user *arg_user);
 
+static int cachepc_kvm_memory_encrypt_op_ioctl(void __user *arg_user);
+
 static int cachepc_kvm_test_eviction_ioctl(void __user *arg_user);
 
 static int cachepc_kvm_read_counts_ioctl(void __user *arg_user);
@@ -215,6 +223,18 @@ cachepc_single_eviction_test(void *p)
 }
 
 void
+cachepc_kvm_pmc_setup(void *p)
+{
+	/* L1 misses in host kernel */
+	cachepc_init_pmc(CPC_L1MISS_PMC, 0x64, 0xD8,
+		PMC_HOST, PMC_KERNEL);
+
+	/* retired instructions in guest */
+	cachepc_init_pmc(CPC_RETINST_PMC, 0xC0, 0x00,
+		PMC_GUEST, PMC_KERNEL | PMC_USER);
+}
+
+void
 cachepc_kvm_system_setup(void)
 {
 	/* NOTE: since most of these MSRs are poorly documented and some
@@ -247,23 +267,11 @@ cachepc_kvm_system_setup(void)
 int
 cachepc_kvm_reset_ioctl(void __user *arg_user)
 {
-	int cpu;
-
-	cpu = get_cpu();
-	if (cpu != CPC_ISOLCPU) {
-		put_cpu();
-		return -EFAULT;
-	}
-
-	/* L1 misses in host kernel */
-	cachepc_init_pmc(CPC_L1MISS_PMC, 0x64, 0xD8,
-		PMC_HOST, PMC_KERNEL);
-
-	/* retired instructions in guest */
-	cachepc_init_pmc(CPC_RETINST_PMC, 0xC0, 0x00,
-		PMC_GUEST, PMC_KERNEL | PMC_USER);
+	int ret;
 
-	put_cpu();
+	ret = smp_call_function_single(CPC_ISOLCPU,
+		cachepc_kvm_pmc_setup, NULL, true);
+	if (ret) return -EFAULT;
 
 	cachepc_events_reset();
 
@@ -300,51 +308,11 @@ cachepc_kvm_debug_ioctl(void __user *arg_user)
 }
 
 int
-cachepc_kvm_get_regs_ioctl(void __user *arg_user)
+cachepc_kvm_memory_encrypt_op_ioctl(void __user *arg_user)
 {
-	struct kvm_regs *regs;
-	struct kvm_vcpu *vcpu;
-
-	if (!arg_user) return -EINVAL;
+	if (!arg_user || !main_vm) return -EFAULT;
 
-	if (!main_vm || xa_empty(&main_vm->vcpu_array))
-		return -EFAULT;
-
-	vcpu = xa_load(&main_vm->vcpu_array, 0);
-
-	regs = kzalloc(sizeof(struct kvm_regs), GFP_KERNEL_ACCOUNT);
-	if (!regs) return -ENOMEM;
-
-	regs->rax = kvm_rax_read(vcpu);
-	regs->rbx = kvm_rbx_read(vcpu);
-	regs->rcx = kvm_rcx_read(vcpu);
-	regs->rdx = kvm_rdx_read(vcpu);
-	regs->rsi = kvm_rsi_read(vcpu);
-	regs->rdi = kvm_rdi_read(vcpu);
-	regs->rsp = kvm_rsp_read(vcpu);
-	regs->rbp = kvm_rbp_read(vcpu);
-#ifdef CONFIG_X86_64
-	regs->r8 = kvm_r8_read(vcpu);
-	regs->r9 = kvm_r9_read(vcpu);
-	regs->r10 = kvm_r10_read(vcpu);
-	regs->r11 = kvm_r11_read(vcpu);
-	regs->r12 = kvm_r12_read(vcpu);
-	regs->r13 = kvm_r13_read(vcpu);
-	regs->r14 = kvm_r14_read(vcpu);
-	regs->r15 = kvm_r15_read(vcpu);
-#endif
-
-	regs->rip = kvm_rip_read(vcpu);
-	regs->rflags = kvm_get_rflags(vcpu);
-
-	if (copy_to_user(arg_user, regs, sizeof(struct kvm_regs))) {
-		kfree(regs);
-		return -EFAULT;
-	}
-
-	kfree(regs);
-
-	return 0;
+	return static_call(kvm_x86_mem_enc_ioctl)(main_vm, arg_user);
 }
 
 int
@@ -459,8 +427,6 @@ cachepc_kvm_reset_tracking_ioctl(void __user *arg_user)
 	cachepc_track_start_gfn = 0;
 	cachepc_track_end_gfn = 0;
 
-	memset(&cachepc_track_exec, 0, sizeof(cachepc_track_exec));
-
 	cachepc_singlestep = false;
 	cachepc_singlestep_reset = false;
 
@@ -495,21 +461,32 @@ cachepc_kvm_track_mode_ioctl(void __user *arg_user)
 	cachepc_untrack_all(vcpu, KVM_PAGE_TRACK_WRITE);
 
 	cachepc_apic_oneshot = false;
+	cachepc_prime_probe = false;
 	cachepc_singlestep = false;
 	cachepc_singlestep_reset = false;
 	cachepc_long_step = false;
 
 	switch (mode) {
-	case CPC_TRACK_FULL:
+	case CPC_TRACK_FAULT_NO_RUN:
+		cachepc_prime_probe = true;
 		cachepc_track_all(vcpu, KVM_PAGE_TRACK_ACCESS);
-		cachepc_singlestep_reset = true;
 		break;
-	case CPC_TRACK_EXEC:
+	case CPC_TRACK_EXIT_EVICTIONS:
+		cachepc_prime_probe = true;
+		cachepc_long_step = true;
+		break;
+	case CPC_TRACK_PAGES:
+		memset(&cachepc_track_exec, 0, sizeof(cachepc_track_exec));
 		cachepc_track_all(vcpu, KVM_PAGE_TRACK_EXEC);
 		cachepc_singlestep_reset = true;
 		break;
-	case CPC_TRACK_FAULT_NO_RUN:
+	case CPC_TRACK_STEPS:
+		cachepc_prime_probe = true;
 		cachepc_track_all(vcpu, KVM_PAGE_TRACK_ACCESS);
+		cachepc_singlestep_reset = true;
+		break;
+	case CPC_TRACK_STEPS_SIGNALLED:
+		cachepc_track_signalled_enable = false;
 		break;
 	case CPC_TRACK_NONE:
 		break;
@@ -603,8 +580,8 @@ cachepc_kvm_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
 		return cachepc_kvm_reset_ioctl(arg_user);
 	case KVM_CPC_DEBUG:
 		return cachepc_kvm_debug_ioctl(arg_user);
-	case KVM_CPC_GET_REGS:
-		return cachepc_kvm_get_regs_ioctl(arg_user);
+	case KVM_CPC_MEMORY_ENCRYPT_OP:
+		return cachepc_kvm_memory_encrypt_op_ioctl(arg_user);
 	case KVM_CPC_TEST_EVICTION:
 		return cachepc_kvm_test_eviction_ioctl(arg_user);
 	case KVM_CPC_READ_COUNTS:
@@ -688,8 +665,6 @@ cachepc_kvm_init(void)
 	cachepc_apic_oneshot = false;
 	cachepc_apic_timer = 0;
 
-	memset(&cachepc_track_exec, 0, sizeof(cachepc_track_exec));
-
 	INIT_LIST_HEAD(&cachepc_faults);
 
 	cachepc_msrmts = kzalloc(L1_SETS, GFP_KERNEL);
diff --git a/cachepc/svm.c b/cachepc/svm.c
@@ -0,0 +1,22 @@
+
+
+int
+cachepc_kvm_get_rip_ioctl(void __user *arg_user)
+{
+	struct kvm_regs *regs;
+	struct kvm_vcpu *vcpu;
+
+	if (!arg_user) return -EINVAL;
+
+	if (!main_vm || xa_empty(&main_vm->vcpu_array))
+		return -EFAULT;
+
+	vcpu = xa_load(&main_vm->vcpu_array, 0);
+
+	if (sev_es_guest(vcpu)) {
+
+	}
+	kvm_rip_read(vcpu);
+
+	return 0;
+}
diff --git a/cachepc/uapi.h b/cachepc/uapi.h
@@ -7,15 +7,14 @@
 #include <linux/ioctl.h>
 
 #define CPC_DO_VMMCALL(action, type, val) \
-	asm volatile("vmmcall" : : "a" (KVM_HC_CPC_VMMCALL_ ## action), \
-		"b"(type), "c" (val) : "rdx")
+	asm volatile("vmmcall" : : "a" (action), "b"(type), "c" (val) : "rdx")
 
 #define KVM_CPC_RESET _IOWR(KVMIO, 0x20, __u32)
 #define KVM_CPC_DEBUG _IOW(KVMIO, 0x21, __u32)
 
-#define KVM_CPC_GET_REGS _IOW(KVMIO, 0x22, __u32)
+#define KVM_CPC_MEMORY_ENCRYPT_OP _IOWR(KVMIO, 0x22, struct kvm_sev_cmd)
 
-#define KVM_CPC_TEST_EVICTION _IOWR(KVMIO, 0x23, __u32)
+#define KVM_CPC_TEST_EVICTION _IOWR(KVMIO, 0x24, __u32)
 
 #define KVM_CPC_READ_COUNTS _IOR(KVMIO, 0x25, __u64)
 
@@ -26,9 +25,6 @@
 
 #define KVM_CPC_LONG_STEP _IO(KVMIO, 0x2A)
 
-#define KVM_CPC_VMSA_READ _IOR(KVMIO, 0x2C, __u64)
-#define KVM_CPC_SVME_READ _IOR(KVMIO, 0x2D, __u32)
-
 #define KVM_CPC_TRACK_MODE _IOWR(KVMIO, 0x40, __u32)
 #define KVM_CPC_RESET_TRACKING _IO(KVMIO, 0x44)
 
@@ -37,12 +33,14 @@
 
 #define KVM_CPC_VM_REQ_PAUSE _IO(KVMIO, 0x50)
 
+#define KVM_SEV_CACHEPC 0xd0
+
 enum {
 	CPC_EVENT_NONE,
 	CPC_EVENT_TRACK_STEP,
 	CPC_EVENT_TRACK_PAGE,
 	CPC_EVENT_PAUSE,
-	CPC_EVENT_CPUID,
+	CPC_EVENT_GUEST,
 };
 
 enum {
@@ -53,9 +51,14 @@ enum {
 enum {
 	CPC_TRACK_NONE,
 	CPC_TRACK_FAULT_NO_RUN,
-	CPC_TRACK_EXEC,
-	CPC_TRACK_FULL,
-	CPC_TRACK_AUTO_FULL,
+	CPC_TRACK_EXIT_EVICTIONS,
+	CPC_TRACK_PAGES,
+	CPC_TRACK_STEPS,
+	CPC_TRACK_STEPS_SIGNALLED,
+};
+
+enum {
+	SEV_CPC_GET_RIP
 };
 
 struct cpc_track_config {
@@ -92,3 +95,8 @@ struct cpc_event {
 		struct cpc_guest_event guest;
 	};
 };
+
+struct cpc_sev_cmd {
+	__u32 id;
+	__u64 data;
+};
diff --git a/test/kvm-eviction.c b/test/kvm-eviction.c
@@ -28,10 +28,10 @@ collect(struct kvm *kvm, uint8_t *counts)
 
 	if (kvm->run->exit_reason == KVM_EXIT_MMIO) {
 		errx(1, "KVM died from OOB access! rip:%lu addr:%lu",
-			vm_get_rip(kvm), kvm->run->mmio.phys_addr);
+			vm_get_rip(), kvm->run->mmio.phys_addr);
 	} else if (kvm->run->exit_reason != KVM_EXIT_HLT) {
 		errx(1, "KVM died! rip:%lu code:%i",
-			vm_get_rip(kvm), kvm->run->exit_reason);
+			vm_get_rip(), kvm->run->exit_reason);
 	}
 
 	ret = ioctl(kvm_dev, KVM_CPC_READ_COUNTS, counts);
@@ -45,6 +45,7 @@ main(int argc, const char **argv)
 	struct guest guests[2];
 	uint8_t counts[2][SAMPLE_COUNT][L1_SETS];
 	uint8_t baseline[L1_SETS];
+	uint32_t arg;
 	int i, k, ret;
 
 	vmtype = "kvm";
@@ -72,8 +73,9 @@ main(int argc, const char **argv)
 	ret = ioctl(kvm_dev, KVM_CPC_RESET);
 	if (ret == -1) err(1, "KVM_CPC_RESET");
 
-	ret = ioctl(kvm_dev, KVM_CPC_LONG_STEP);
-	if (ret == -1) err(1, "KVM_CPC_LONG_STEP");
+	arg = CPC_TRACK_EXIT_EVICTIONS;
+	ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg);
+	if (ret == -1) err(1, "KVM_CPC_TRACK_MODE");
 
 	/* resolve page faults in advance (code only covers 1 page)..
 	 * we want the read counts to apply between KVM_RUN and KVM_EXIT_HLT,
diff --git a/test/guest.lds b/test/kvm-guest.lds
diff --git a/test/kvm-pagestep.c b/test/kvm-pagestep.c
@@ -29,18 +29,18 @@ monitor(struct kvm *kvm, bool baseline)
 	/* Get page fault info */
 	ret = ioctl(kvm_dev, KVM_CPC_POLL_EVENT, &event);
 	if (ret && errno == EAGAIN) return 0;
-	if (ret) err(1, "ioctl KVM_CPC_POLL_EVENT");
+	if (ret) err(1, "KVM_CPC_POLL_EVENT");
 
 	if (event.type != CPC_EVENT_TRACK_PAGE)
 		errx(1, "unexpected event type %i", event.type);
 
 	printf("Event: rip:%08llx prev:%llu next:%llu ret:%llu\n",
-		vm_get_rip(kvm), event.page.inst_gfn_prev,
+		vm_get_rip(), event.page.inst_gfn_prev,
 		event.page.inst_gfn, event.page.retinst);
 	printf("\n");
 
 	ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id);
-	if (ret) err(1, "ioctl KVM_CPC_ACK_EVENT");
+	if (ret) err(1, "KVM_CPC_ACK_EVENT");
 
 	return 1;
 }
@@ -86,7 +86,7 @@ main(int argc, const char **argv)
 
 		/* reset kernel module state */
 		ret = ioctl(kvm_dev, KVM_CPC_RESET, NULL);
-		if (ret < 0) err(1, "ioctl KVM_CPC_RESET");
+		if (ret < 0) err(1, "KVM_CPC_RESET");
 
 		ipc_signal_parent(ipc);
 		ipc_wait_parent(ipc);
@@ -113,9 +113,9 @@ main(int argc, const char **argv)
 
 		printf("Monitor start\n");
 
-		arg = CPC_TRACK_EXEC;
+		arg = CPC_TRACK_PAGES;
 		ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg);
-		if (ret) err(1, "ioctl KVM_CPC_TRACK_MODE");
+		if (ret) err(1, "KVM_CPC_TRACK_MODE");
 
 		ipc_signal_child(ipc);
 
diff --git a/test/kvm-step.c b/test/kvm-step.c
@@ -24,22 +24,21 @@ static struct cpc_event event;
 uint64_t
 monitor(struct kvm *kvm, bool baseline)
 {
-	uint8_t counts[64];
+	uint8_t counts[L1_SETS];
 	int ret;
 
-	/* Get page fault info */
 	ret = ioctl(kvm_dev, KVM_CPC_POLL_EVENT, &event);
 	if (ret && errno == EAGAIN) return 0;
-	if (ret) err(1, "ioctl KVM_CPC_POLL_EVENT");
+	if (ret) err(1, "KVM_CPC_POLL_EVENT");
 
 	if (event.type != CPC_EVENT_TRACK_STEP)
 		errx(1, "unexpected event type %i", event.type);
 
 	ret = ioctl(kvm_dev, KVM_CPC_READ_COUNTS, counts);
-	if (ret) err(1, "ioctl KVM_CPC_READ_COUNTS");
+	if (ret) err(1, "KVM_CPC_READ_COUNTS");
 
 	printf("Event: rip:%llu cnt:%llu inst:%llu data:%llu ret:%llu\n",
-		vm_get_rip(kvm), event.step.fault_count,
+		vm_get_rip(), event.step.fault_count,
 		event.step.fault_gfns[0], event.step.fault_gfns[1],
 		event.step.retinst);
 	print_counts(counts);
@@ -48,7 +47,7 @@ monitor(struct kvm *kvm, bool baseline)
 	printf("\n");
 
 	ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id);
-	if (ret) err(1, "ioctl KVM_CPC_ACK_EVENT");
+	if (ret) err(1, "KVM_CPC_ACK_EVENT");
 
 	return 1;
 }
@@ -96,7 +95,7 @@ main(int argc, const char **argv)
 
 		/* reset kernel module state */
 		ret = ioctl(kvm_dev, KVM_CPC_RESET, NULL);
-		if (ret < 0) err(1, "ioctl KVM_CPC_RESET");
+		if (ret < 0) err(1, "KVM_CPC_RESET");
 
 		ipc_signal_parent(ipc);
 		ipc_wait_parent(ipc);
@@ -123,15 +122,14 @@ main(int argc, const char **argv)
 
 		printf("Monitor start\n");
 
-		/* capture baseline by just letting it fault over and over */
-		arg = CPC_TRACK_FAULT_NO_RUN;
+		/* single step and log all accessed pages */
+		arg = CPC_TRACK_STEPS;
 		ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg);
-		if (ret) err(1, "ioctl KVM_CPC_TRACK_MODE");
+		if (ret) err(1, "KVM_CPC_TRACK_MODE");
 
-		/* calculate baseline while running vm */
 		arg = true;
 		ret = ioctl(kvm_dev, KVM_CPC_CALC_BASELINE, &arg);
-		if (ret) err(1, "ioctl KVM_CPC_CALC_BASELINE");
+		if (ret) err(1, "KVM_CPC_CALC_BASELINE");
 
 		ipc_signal_child(ipc);
 
@@ -141,30 +139,30 @@ main(int argc, const char **argv)
 			eventcnt += monitor(&kvm, true);
 		}
 
-		printf("Req pause\n");
+		printf("Monitor req pause\n");
 		ret = ioctl(kvm_dev, KVM_CPC_VM_REQ_PAUSE);
-		if (ret) err(1, "ioctl KVM_CPC_VM_REQ_PAUSE");
+		if (ret) err(1, "KVM_CPC_VM_REQ_PAUSE");
 
 		while (1) {
 			printf("Monitor Polling\n");
 			ret = ioctl(kvm_dev, KVM_CPC_POLL_EVENT, &event);
 			if (ret && errno == EAGAIN) continue;
-			if (ret) err(1, "ioctl KVM_CPC_POLL_EVENT");
+			if (ret) err(1, "KVM_CPC_POLL_EVENT");
 			printf("Monitor Event\n");
 
 			if (event.type == CPC_EVENT_PAUSE) break;
 
 			printf("Skipping non-pause event..\n");
 			ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id);
-			if (ret) err(1, "ioctl KVM_CPC_ACK_EVENT");
+			if (ret) err(1, "KVM_CPC_ACK_EVENT");
 		}
 
 		arg = false;
 		ret = ioctl(kvm_dev, KVM_CPC_CALC_BASELINE, &arg);
-		if (ret) err(1, "ioctl KVM_CPC_CALC_BASELINE");
+		if (ret) err(1, "KVM_CPC_CALC_BASELINE");
 
 		ret = ioctl(kvm_dev, KVM_CPC_READ_BASELINE, baseline);
-		if (ret) err(1, "ioctl KVM_CPC_READ_BASELINE");
+		if (ret) err(1, "KVM_CPC_READ_BASELINE");
 
 		printf("\nBaseline:\n");
 		print_counts(baseline);
@@ -174,15 +172,10 @@ main(int argc, const char **argv)
 
 		arg = true;
 		ret = ioctl(kvm_dev, KVM_CPC_APPLY_BASELINE, &arg);
-		if (ret) err(1, "ioctl KMV_CPC_APPLY_BASELINE");
-
-		/* single step and log all accessed pages */
-		arg = CPC_TRACK_FULL;
-		ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg);
-		if (ret) err(1, "ioctl KVM_CPC_TRACK_MODE");
+		if (ret) err(1, "KMV_CPC_APPLY_BASELINE");
 
 		ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id);
-		if (ret) err(1, "ioctl KVM_CPC_ACK_EVENT");
+		if (ret) err(1, "KVM_CPC_ACK_EVENT");
 
 		eventcnt = 0;
 		while (eventcnt < 50) {
diff --git a/test/kvm.c b/test/kvm.c
@@ -100,8 +100,13 @@ sev_ioctl(int vmfd, int cmd, void *data, int *error)
 	input.sev_fd = sev_dev;
 	input.data = (uintptr_t) data;
 
-	ret = ioctl(vmfd, KVM_MEMORY_ENCRYPT_OP, &input);
-	if (error) *error = input.error;
+	if (vmfd == MAIN_VMFD) {
+		ret = ioctl(kvm_dev, KVM_CPC_MEMORY_ENCRYPT_OP, &input);
+		if (error) *error = input.error;
+	} else {
+		ret = ioctl(vmfd, KVM_MEMORY_ENCRYPT_OP, &input);
+		if (error) *error = input.error;
+	}
 
 	return ret;
 }
@@ -144,66 +149,6 @@ sev_guest_state(int vmfd, uint32_t handle)
 }
 
 void
-sev_dbg_decrypt(int vmfd, void *src, void *dst, size_t size)
-{
-	struct kvm_sev_dbg enc;
-	int ret, fwerr;
-
-	enc.src_uaddr = (uintptr_t) src;
-	enc.dst_uaddr = (uintptr_t) dst;
-	enc.len = size;
-	ret = sev_ioctl(vmfd, KVM_SEV_DBG_DECRYPT, &enc, &fwerr);
-	if (ret == -1) errx(1, "KVM_SEV_DBG_DECRYPT: (%s) %s",
-		strerror(errno), sev_fwerr_str(fwerr));
-}
-
-uint64_t
-sev_dbg_decrypt_rip(int vmfd)
-{
-	uint8_t vmsa[PAGE_SIZE];
-	uint64_t rip;
-
-	memset(vmsa, 0, PAGE_SIZE);
-	sev_dbg_decrypt(vmfd, vmsa, CPC_VMSA_MAGIC_ADDR, PAGE_SIZE);
-
-	rip = *(uint64_t *)(vmsa + 0x178);
-
-	return rip;
-}
-
-void
-snp_dbg_decrypt(int vmfd, void *src, void *dst, size_t size)
-{
-	struct kvm_sev_dbg enc;
-	int ret, fwerr;
-
-	assert(src == CPC_VMSA_MAGIC_ADDR);
-
-	memset(&enc, 0, sizeof(struct kvm_sev_dbg));
-	enc.src_uaddr = (uintptr_t) src;
-	enc.dst_uaddr = (uintptr_t) dst;
-	enc.len = size;
-
-	ret = sev_ioctl(vmfd, KVM_SEV_DBG_DECRYPT, &enc, &fwerr);
-	if (ret < 0) errx(1, "KVM_SEV_DBG_DECRYPT: (%s) %s",
-		strerror(errno), sev_fwerr_str(fwerr));
-}
-
-uint64_t
-snp_dbg_decrypt_rip(int vmfd)
-{
-	uint8_t vmsa[PAGE_SIZE];
-	uint64_t rip;
-
-	memset(vmsa, 0, PAGE_SIZE);
-	snp_dbg_decrypt(vmfd, CPC_VMSA_MAGIC_ADDR, vmsa, PAGE_SIZE);
-
-	rip = *(uint64_t *)(vmsa + 0x178);
-
-	return rip;
-}
-
-void
 guest_init(struct guest *guest, const char *filename)
 {
 	FILE *f;
@@ -487,6 +432,20 @@ kvm_deinit(struct kvm *kvm)
 	munmap(kvm->run, kvm->runsize);
 }
 
+uint64_t
+vm_get_rip(void)
+{
+	struct cpc_sev_cmd cmd;
+	int ret, fwerr;
+
+	cmd.id = SEV_CPC_GET_RIP;
+	ret = sev_ioctl(MAIN_VMFD, KVM_SEV_CACHEPC, &cmd, &fwerr);
+	if (ret == -1) errx(1, "KVM_SEV_CACHEPC: (%s) %s",
+		strerror(errno), sev_fwerr_str(fwerr));
+
+	return cmd.data;
+}
+
 void
 parse_vmtype(int argc, const char **argv)
 {
@@ -498,26 +457,6 @@ parse_vmtype(int argc, const char **argv)
 		errx(1, "invalid vm mode: %s", vmtype);
 }
 
-uint64_t
-vm_get_rip(struct kvm *kvm)
-{
-	struct kvm_regs regs;
-	uint64_t rip;
-	int ret;
-
-	if (!strcmp(vmtype, "sev-snp")) {
-		rip = snp_dbg_decrypt_rip(kvm->vmfd);
-	} else if (!strcmp(vmtype, "sev-es")) {
-		rip = sev_dbg_decrypt_rip(kvm->vmfd);
-	} else {
-		ret = ioctl(kvm_dev, KVM_CPC_GET_REGS, &regs);
-		if (ret == -1) err(1, "KVM_CPC_GET_REGS");
-		rip = regs.rip;
-	}
-
-	return rip;
-}
-
 void
 vm_init(struct kvm *kvm, struct guest *guest)
 {
diff --git a/test/kvm.h b/test/kvm.h
@@ -5,6 +5,8 @@
 #include <stdint.h>
 #include <stdlib.h>
 
+#define MAIN_VMFD -0x42
+
 enum { WITH, WITHOUT };
 
 enum {
@@ -36,10 +38,6 @@ const char *sev_gstate_str(int code);
 int sev_ioctl(int vmfd, int cmd, void *data, int *error);
 void sev_get_measure(int vmfd);
 uint8_t sev_guest_state(int vmfd, uint32_t handle);
-void sev_dbg_decrypt(int vmfd, void *src, void *dst, size_t size);
-uint64_t sev_dbg_decrypt_rip(int vmfd);
-void snp_dbg_decrypt(int vmfd, void *src, void *dst, size_t size);
-uint64_t snp_dbg_decrypt_rip(int vmfd);
 
 void guest_init(struct guest *guest, const char *filename);
 void guest_deinit(struct guest *guest);
@@ -50,8 +48,8 @@ void sev_es_kvm_init(struct kvm *kvm, struct guest *guest);
 void sev_snp_kvm_init(struct kvm *kvm, struct guest *guest);
 void kvm_deinit(struct kvm *kvm);
 
+uint64_t vm_get_rip(void);
 void parse_vmtype(int argc, const char **argv);
-uint64_t vm_get_rip(struct kvm *kvm);
 void vm_init(struct kvm *kvm, struct guest *guest);
 void vm_deinit(struct kvm *kvm);
 
diff --git a/test/qemu-eviction.c b/test/qemu-eviction.c
@@ -1,361 +1,151 @@
-#define _GNU_SOURCE
-
+#include "test/kvm-eviction.h"
+#include "test/kvm.h"
+#include "test/util.h"
 #include "cachepc/uapi.h"
 
-#include <linux/psp-sev.h>
-#include <linux/kvm.h>
-#include <sys/syscall.h>
-#include <sys/ioctl.h>
-#include <sys/user.h>
-#include <sys/wait.h>
 #include <sys/ioctl.h>
 #include <sys/mman.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
 #include <signal.h>
-#include <dirent.h>
-#include <assert.h>
+#include <unistd.h>
+#include <fcntl.h>
 #include <errno.h>
 #include <err.h>
-#include <fcntl.h>
-#include <sched.h>
-#include <dirent.h>
 #include <string.h>
 #include <stdbool.h>
-#include <stdlib.h>
-#include <stdint.h>
 #include <stdio.h>
-#include <stdarg.h>
-
-#define ARRLEN(x) (sizeof(x) / sizeof((x)[0]))
-#define MIN(a,b) ((a) > (b) ? (b) : (a))
+#include <stdlib.h>
 
 #define TARGET_CORE 2
 #define SECONDARY_CORE 3
 
-#define TARGET_SET 15
-
-/* ioctl dev fds */
-static int kvm_dev;
-static int faultcnt;
-
-void
-hexdump(void *data, int len)
-{
-	int i;
-
-	for (i = 0; i < len; i++) {
-		if (i % 16 == 0 && i)
-			printf("\n");
-		printf("%02X ", *(uint8_t *)(data + i));
-	}
-	printf("\n");
-}
-
-bool
-pin_process(pid_t pid, int cpu, bool assert)
-{
-	cpu_set_t cpuset;
-	int ret;
-
-	CPU_ZERO(&cpuset);
-	CPU_SET(cpu, &cpuset);
-	ret = sched_setaffinity(pid, sizeof(cpu_set_t), &cpuset);
-	if (ret < 0) {
-		if (assert) err(1, "sched_setaffinity");
-		return false;
-	}
-
-	return true;
-}
-
-cpc_msrmt_t *
-read_counts()
-{
-	cpc_msrmt_t *counts;
-	int i, ret;
-
-	counts = malloc(L1_SETS * sizeof(cpc_msrmt_t));
-	if (!counts) err(1, "malloc");
-
-	ret = ioctl(kvm_dev, KVM_CPC_READ_COUNTS, counts);
-	if (ret) err(1, "ioctl READ_COUNTS");
-
-	for (i = 0; i < L1_SETS; i++) {
-		if (counts[i] > 8)
-			errx(1, "Invalid counts set %i", i);
-	}	
-
-	return counts;
-}
-
-void
-print_counts(cpc_msrmt_t *counts)
-{
-	int i;
-
-	for (i = 0; i < 64; i++) {
-		if (i % 16 == 0 && i)
-			printf("\n");
-		if (counts[i] == 1)
-			printf("\x1b[38;5;88m");
-		else if (counts[i] > 1)
-			printf("\x1b[38;5;196m");
-		printf("%2i ", i);
-		if (counts[i] > 0)
-			printf("\x1b[0m");
-	}
-	printf("\n");
-}
-
-void
-print_counts_raw(cpc_msrmt_t *counts)
-{
-	int i;
-
-	for (i = 0; i < 64; i++) {
-		if (i % 16 == 0 && i)
-			printf("\n");
-		if (counts[i] == 1)
-			printf("\x1b[38;5;88m");
-		else if (counts[i] > 1)
-			printf("\x1b[38;5;196m");
-		printf("%02X ", (uint8_t) counts[i]);
-		if (counts[i] > 0)
-			printf("\x1b[0m");
-	}
-	printf("\n");
-}
+static struct cpc_event event;
 
 int
 monitor(bool baseline)
 {
-	struct cpc_event event;
-	cpc_msrmt_t counts[64];
-	uint64_t inst_fault_gfn;
-	uint64_t read_fault_gfn;
-	uint64_t arg;
-	int ret, i;
-
-	/* Get page fault info */
-	ret = ioctl(kvm_dev, KVM_CPC_POLL_EVENT, &event);
-	if (ret) {
-		if (errno == EAGAIN)
-			return 0;
-		perror("ioctl POLL_EVENT");
-		return 1;
-	}
-
-	if (event.type == CPC_EVENT_CPUID) {
-		printf("CPUID EVENT\n");
-		if (event.guest.type == CPC_GUEST_START_TRACK) {
-			ret = ioctl(kvm_dev, KVM_CPC_TRACK_EXEC_CUR, &inst_fault_gfn);
-			if (ret) err(1, "ioctl TRACK_EXEC_CUR");
-
-			printf("CPUID INST PAGE: %lu\n", inst_fault_gfn);
-
-			arg = inst_fault_gfn;
-			ret = ioctl(kvm_dev, KVM_CPC_TRACK_RANGE_START, &arg);
-			if (ret) err(1, "ioctl TRACK_RANGE_START");
-
-			arg = inst_fault_gfn+8;
-			ret = ioctl(kvm_dev, KVM_CPC_TRACK_RANGE_END, &arg);
-			if (ret) err(1, "ioctl TRACK_RANGE_END");
-		} else if (event.guest.type == CPC_GUEST_STOP_TRACK) {
-			arg = 0;
-			ret = ioctl(kvm_dev, KVM_CPC_TRACK_RANGE_START, &arg);
-			if (ret) err(1, "ioctl TRACK_RANGE_START");
-
-			arg = 0;
-			ret = ioctl(kvm_dev, KVM_CPC_TRACK_RANGE_END, &arg);
-			if (ret) err(1, "ioctl TRACK_RANGE_END");
-		}
-
-		faultcnt++;
-	} else if (event.type == CPC_EVENT_TRACK_STEP) {
-		printf("STEP EVENT\n");
+	uint8_t counts[L1_SETS];
+	int ret;
 
+	ret = ioctl(kvm_dev, KVM_CPC_POLL_EVENT, &event);
+	if (ret && errno == EAGAIN) return 0;
+	if (ret) err(1, "KVM_CPC_POLL_EVENT");
+
+	switch (event.type) {
+	case CPC_EVENT_GUEST:
+		if (event.guest.type == CPC_GUEST_STOP_TRACK)
+			return 2;
+		break;
+	case CPC_EVENT_TRACK_STEP:
 		ret = ioctl(kvm_dev, KVM_CPC_READ_COUNTS, counts);
-		if (ret) err(1, "ioctl READ_COUNTS");
-
-		inst_fault_gfn = 0;
-		read_fault_gfn = 0;
-		for (i = 0; i < event.step.fault_count; i++) {
-			if ((event.step.fault_errs[i] & 0b11111) == 0b10100)
-				inst_fault_gfn = event.step.fault_gfns[i];
-			else if ((event.step.fault_errs[i] & 0b00110) == 0b00100)
-				read_fault_gfn = event.step.fault_gfns[i];
-		}
-
-		if (!baseline) {
-			printf("Event: cnt:%llu inst:%lu data:%lu retired:%llu\n",
-				event.step.fault_count, inst_fault_gfn,
-				read_fault_gfn, event.step.retinst);
-			print_counts(counts);
-			printf("\n");
-		}
-
-		for (i = 0; i < 64; i++) {
-			if (counts[i] > 8) {
-				warnx("Invalid count for set %i (%llu)",
-					i, counts[i]);
-				counts[i] = 8;
-			}
-		}
-
-		if (baseline) faultcnt++;
-	} else if (event.type == CPC_EVENT_TRACK_PAGE) {
-		printf("PAGE EVENT\n");
-
-		printf("Event: prev:%llu new:%llu retired:%llu\n",
-			event.page.inst_gfn_prev, event.page.inst_gfn,
-		       	event.page.retinst);
+		if (ret) err(1, "KVM_CPC_READ_COUNTS");
+
+		printf("Event: rip:%016llx cnt:%llu "
+			"inst:%08llu data:%08llx ret:%llu\n",
+			vm_get_rip(), event.step.fault_count,
+			event.step.fault_gfns[0], event.step.fault_gfns[1],
+			event.step.retinst);
+		print_counts(counts);
+		printf("\n");
+		print_counts_raw(counts);
+		printf("\n");
+		break;
+	default:
+		errx(1, "unexpected event type %i", event.type);
 	}
 
 	ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id);
-	if (ret) err(1, "ioctl ACK_EVENT");
+	if (ret) err(1, "KVM_CPC_ACK_EVENT");
 
-	return 0;
+	return 1;
 }
 
-int
-pgrep(const char *bin)
+void
+reset(int sig)
 {
-	char path[PATH_MAX];
-	char buf[PATH_MAX];
-	char *cmp;
-	struct dirent *ent;
-	FILE *f;
-	DIR *dir;
-
-	dir = opendir("/proc");
-	if (!dir) err(1, "opendir");
-
-	while ((ent = readdir(dir))) {
-		snprintf(path, sizeof(path), "/proc/%s/cmdline", ent->d_name);
-		f = fopen(path, "rb");
-		if (!f) continue;
-		memset(buf, 0, sizeof(buf));
-		fread(buf, 1, sizeof(buf), f);
-		if ((cmp = strrchr(buf, '/')))
-			cmp += 1;
-		else
-			cmp = buf;
-		if (!strcmp(cmp, bin))
-			return atoi(ent->d_name);
-		fclose(f);
-	}
-
-	closedir(dir);
+	int ret;
 
-	return 0;
+	ret = ioctl(kvm_dev, KVM_CPC_RESET);
+	if (ret) err(1, "KVM_CPC_RESET");
 }
 
 int
 main(int argc, const char **argv)
 {
-	pid_t pid;
+	uint8_t baseline[L1_SETS];
+	uint32_t eventcnt;
 	uint32_t arg;
-	struct cpc_event event;
-	cpc_msrmt_t baseline[64];
-	int ret, i;
-
-	kvm_setup_init();
-
-	setvbuf(stdout, NULL, _IONBF, 0);
-
-	pid = pgrep("qemu-system-x86_64");
-	if (!pid) errx(1, "Failed to find qemu instance");
-	printf("PID %i\n", pid);
+	pid_t qemu;
+	int ret;
 
-	pin_process(pid, TARGET_CORE, true);
-	pin_process(0, TARGET_CORE, true);
+	qemu = pgrep("qemu-system-x86_64");
+	if (!qemu) errx(1, "pgrep failed");
 
-	/* Setup needed performance counters */
-	ret = ioctl(kvm_dev, KVM_CPC_SETUP_PMC, NULL);
-	if (ret < 0) err(1, "ioctl SETUP_PMC");
+	pin_process(0, SECONDARY_CORE, true);
 
-	/* Reset previous tracking */
-	ret = ioctl(kvm_dev, KVM_CPC_RESET_TRACKING, NULL);
-	if (ret) err(1, "ioctl RESET_TRACKING");
+	setvbuf(stdout, NULL, _IONBF, 0);
 
-	pin_process(0, SECONDARY_CORE, true);
-	printf("PINNED\n");
+	kvm_setup_init();
 
-	// arg = false;
-	// ret = ioctl(kvm_dev, KVM_CPC_SUB_BASELINE, &arg);
-	// if (ret) err(1, "ioctl SUB_BASELINE");
+	ret = ioctl(kvm_dev, KVM_CPC_RESET);
+	if (ret) err(1, "KVM_CPC_RESET");
 
-	// arg = true;
-	// ret = ioctl(kvm_dev, KVM_CPC_MEASURE_BASELINE, &arg);
-	// if (ret) err(1, "ioctl MEASURE_BASELINE");
+	arg = true;
+	ret = ioctl(kvm_dev, KVM_CPC_CALC_BASELINE, &arg);
+	if (ret) err(1, "KVM_CPC_CALC_BASELINE");
 
-	// arg = KVM_PAGE_TRACK_ACCESS;
-	// ret = ioctl(kvm_dev, KVM_CPC_TRACK_ALL, &arg);
-	// if (ret) err(1, "ioctl TRACK_ALL");
+	arg = CPC_TRACK_STEPS;
+	ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg);
+	if (ret) err(1, "KVM_CPC_RESET");
 
-	// arg = CPC_TRACK_DATA_ACCESS;
-	// ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg);
-	// if (ret) err(1, "ioctl TRACK_MODE");
+	eventcnt = 0;
+	while (eventcnt < 50) {
+		eventcnt += monitor(true);
+	}
 
-	// faultcnt = 0;
-	// while (faultcnt < 100) {
-	// 	if (monitor(true)) break;
-	// }
+	ret = ioctl(kvm_dev, KVM_CPC_VM_REQ_PAUSE);
+	if (ret) err(1, "KVM_CPC_VM_REQ_PAUSE");
 
-	// do {
-	// 	ret = ioctl(kvm_dev, KVM_CPC_POLL_EVENT, &event);
-	// 	if (ret && errno != EAGAIN)
-	// 		err(1, "ioctl POLL_EVENT");
-	// } while (ret && errno == EAGAIN);
+	while (1) {
+		ret = ioctl(kvm_dev, KVM_CPC_POLL_EVENT, &event);
+		if (ret && errno == EAGAIN) continue;
+		if (ret) err(1, "KVM_CPC_POLL_EVENT");
 
-	// arg = KVM_PAGE_TRACK_ACCESS;
-	// ret = ioctl(kvm_dev, KVM_CPC_UNTRACK_ALL, &arg);
-	// if (ret) err(1, "ioctl UNTRACK_ALL");
+		if (event.type == CPC_EVENT_PAUSE) break;
 
-	arg = CPC_TRACK_EXEC;
-	ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg);
-	if (ret) err(1, "ioctl TRACK_MODE");
+		ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id);
+		if (ret) err(1, "KVM_CPC_ACK_EVENT");
+	}
 
-	arg = KVM_PAGE_TRACK_EXEC;
-	ret = ioctl(kvm_dev, KVM_CPC_TRACK_ALL, &arg);
-	if (ret) err(1, "ioctl TRACK_ALL");
+	arg = false;
+	ret = ioctl(kvm_dev, KVM_CPC_CALC_BASELINE, &arg);
+	if (ret) err(1, "KVM_CPC_CALC_BASELINE");
 
-	// arg = false;
-	// ret = ioctl(kvm_dev, KVM_CPC_MEASURE_BASELINE, &arg);
-	// if (ret) err(1, "ioctl MEASURE_BASELINE");
+	arg = true;
+	ret = ioctl(kvm_dev, KVM_CPC_APPLY_BASELINE, &arg);
+	if (ret) err(1, "KVM_CPC_APPLY_BASELINE");
 
-	// ret = ioctl(kvm_dev, KVM_CPC_READ_BASELINE, baseline);
-	// if (ret) err(1, "ioctl READ_BASELINE");
+	ret = ioctl(kvm_dev, KVM_CPC_READ_BASELINE, baseline);
+	if (ret) err(1, "KVM_CPC_READ_BASELINE");
 
-	// printf("\n>>> BASELINE:\n");
-	// print_counts(baseline);
-	// printf("\n");
-	// print_counts_raw(baseline);
-	// printf("\n");
+	printf("\nBaseline:\n");
+	print_counts(baseline);
+	printf("\n");
+	print_counts_raw(baseline);
+	printf("\n\n");
 
-	// /* Check baseline for saturated sets */
-	// for (i = 0; i < 64; i++) {
-	// 	if (baseline[i] >= 8)
-	// 		errx(1, "!!! Baseline set %i full\n", i);
-	// }
+	arg = CPC_TRACK_STEPS_SIGNALLED;
+	ret = ioctl(kvm_dev, KVM_CPC_TRACK_MODE, &arg);
+	if (ret) err(1, "KVM_CPC_RESET");
 
-	// arg = true;
-	// ret = ioctl(kvm_dev, KVM_CPC_SUB_BASELINE, &arg);
-	// if (ret) err(1, "ioctl SUB_BASELINE");
+	ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id);
+	if (ret) err(1, "KVM_CPC_ACK_EVENT");
 
-	// ret = ioctl(kvm_dev, KVM_CPC_ACK_EVENT, &event.id);
-	// if (ret) err(1, "ioctl ACK_EVENT");
+	signal(SIGINT, reset);
 
-	faultcnt = 0;
-	while (faultcnt < 10) {
-		if (monitor(false)) break;
-	}
+	while (monitor(false) != 2);
 
-	arg = KVM_PAGE_TRACK_EXEC;
-	ret = ioctl(kvm_dev, KVM_CPC_UNTRACK_ALL, &arg);
-	if (ret) err(1, "ioctl UNTRACK_ALL");
+	ret = ioctl(kvm_dev, KVM_CPC_RESET);
+	if (ret) err(1, "KVM_CPC_RESET");
 
 	kvm_setup_deinit();
 }
diff --git a/test/qemu-eviction_guest.c b/test/qemu-eviction_guest.c
@@ -23,8 +23,10 @@ main(int argc, const char **argv)
 
 	while (1) {
 		printf("LOOP\n");
-		CPC_DO_VMMCALL(CPC_GUEST_START_TRACK, 0);
+		CPC_DO_VMMCALL(KVM_HC_CPC_VMMCALL_SIGNAL,
+			CPC_GUEST_START_TRACK, 0);
 		*(uint8_t *)(buf + L1_LINESIZE * 15) = 1;
-		CPC_DO_VMMCALL(CPC_GUEST_STOP_TRACK, 0);
+		CPC_DO_VMMCALL(KVM_HC_CPC_VMMCALL_SIGNAL,
+			CPC_GUEST_STOP_TRACK, 0);
 	}
 }
diff --git a/test/util.c b/test/util.c
@@ -2,8 +2,10 @@
 
 #include "test/util.h"
 
-#include <pthread.h>
+#include <sys/types.h>
 #include <sys/mman.h>
+#include <dirent.h>
+#include <pthread.h>
 #include <err.h>
 #include <sched.h>
 #include <string.h>
@@ -69,6 +71,41 @@ read_stat_core(pid_t pid)
 	return cpu;
 }
 
+pid_t
+pgrep(const char *bin)
+{
+	char path[PATH_MAX];
+	char buf[PATH_MAX];
+	struct dirent *ent;
+	char *cmp;
+	FILE *f;
+	DIR *dir;
+	pid_t pid;
+
+	dir = opendir("/proc");
+	if (!dir) err(1, "opendir");
+
+	pid = 0;
+	while (!pid && (ent = readdir(dir))) {
+		snprintf(path, sizeof(path), "/proc/%s/cmdline", ent->d_name);
+		f = fopen(path, "rb");
+		if (!f) continue;
+		memset(buf, 0, sizeof(buf));
+		fread(buf, 1, sizeof(buf), f);
+		if ((cmp = strrchr(buf, '/')))
+			cmp += 1;
+		else
+			cmp = buf;
+		if (!strcmp(cmp, bin))
+			pid = atoi(ent->d_name);
+		fclose(f);
+	}
+
+	closedir(dir);
+
+	return pid;
+}
+
 void
 print_counts(uint8_t *counts)
 {
diff --git a/test/util.h b/test/util.h
@@ -21,6 +21,7 @@ void hexdump(void *data, int len);
 bool pin_process(pid_t pid, int cpu, bool assert);
 
 int read_stat_core(pid_t pid);
+int pgrep(const char *cmd);
 
 void print_counts(uint8_t *counts);
 void print_counts_raw(uint8_t *counts);