The following series implements dynamic binary instrumentation upon QEMU.
It is based on the following prior sources:
- KVM Forum 2017 talk "Instrumenting, Introspection, and Debugging with QEMU"
  https://www.linux-kvm.org/images/3/3d/Introspect.pdf
- Discussion on Lluis Vilanova instrumentation patch series
  https://lists.gnu.org/archive/html/qemu-devel/2017-09/msg03357.html

There are many implementations of the instrumentation for QEMU.
We have our own attempt on github: https://github.com/ispras/qemu/tree/plugins
But this series differs from that approach and is intended to provide
a stable interface for adding and extending the QEMU binary analysis
functions.

We propose adding a new instrumentation API for QEMU which will include
the following parts:
- some translator modifications to enable instrumenting the instructions
  (and memory operations in the next version of the patches)
- dynamic binary instrumentation part (a sample which is currently
  submitted in this RFC series)
- subsystem for dynamically loaded plugins that interact with this API

The aim of the instrumentation is implementing different runtime tracers
that can track the executed instructions, memory and hardware operations.
The implementation should not incur too much overhead, to make memory
tracing as efficient as possible for this heavy task.

The plugins should not have too many dependencies on the QEMU core.
They should be built as separate projects using just a couple of the
headers. For the current patches the plugins should provide the following
callbacks:
- "needs" callback to check whether the specific instruction should be
  instrumented by this plugin
- "run" callback which is called before executing the instruction

Our instrumentation subsystem exploits the TCG helper mechanism to embed
callbacks into the translation blocks. These callbacks may be inserted
before the specific instructions.

The aim of submitting this series at that early stage is to get the
feedback which will guide the development process. We are faced with the
following questions:

1. Should every plugin have its own callback embedded into the TB (which
   will cause extra TB growth in case of multiple plugins), or should the
   instrumentation layer's callback invoke the plugins that wanted to
   instrument that specific instruction?
2. How should the plugins function? Will they work as binary dynamic
   libraries or as a script in some interpreted language?
3. Should the plugins reuse the QEMU configuration script results?
   Now there is no possibility of using platform-specific macros
   generated by QEMU configure.
4. Maybe the QEMU module infrastructure should be extended to support
   plugins too?
5. How may the GDB-related CPU inspection interface be used better?
   We should pass a register code to read the value. These codes are not
   described in any of the files. Maybe a function for accessing registers
   by name should be added?

v2 changes:
- added a subsystem for the plugins
- added QEMU side API for plugins
- added sample plugins for simple tracing

---

Pavel Dovgalyuk (7):
  tcg: add headers for non-target helpers
  Add plugin support
  plugins: provide helper functions for plugins
  tcg: add instrumenting module
  plugins: add plugin template
  plugin: add instruction execution logger
  plugins: add syscall logging plugin sample

 Makefile.target                   |    1
 accel/tcg/translator.c            |    5 +
 configure                         |   14 ++++
 include/exec/helper-register.h    |   53 +++++++++++++++
 include/qemu/instrument.h         |    7 ++
 include/qemu/plugins.h            |    8 ++
 plugins/exec-log/Makefile         |   19 +++++
 plugins/exec-log/exec-log.c       |   18 +++++
 plugins/helper.h                  |    1
 plugins/include/plugins.h         |   18 +++++
 plugins/plugins.c                 |  132 +++++++++++++++++++++++++++++++++++++
 plugins/qemulib.c                 |   31 +++++++++
 plugins/syscall-log/Makefile      |   19 +++++
 plugins/syscall-log/syscall-log.c |   44 ++++++++++++
 plugins/template/Makefile         |   19 +++++
 plugins/template/template.c       |   19 +++++
 qemu-options.hx                   |   10 +++
 tcg/tcg.c                         |   12 +++
 tcg/tcg.h                         |    3 +
 vl.c                              |    8 ++
 20 files changed, 440 insertions(+), 1 deletion(-)
 create mode 100644 include/exec/helper-register.h
 create mode 100644 include/qemu/instrument.h
 create mode 100644 include/qemu/plugins.h
 create mode 100644 plugins/exec-log/Makefile
 create mode 100644 plugins/exec-log/exec-log.c
 create mode 100644 plugins/helper.h
 create mode 100644 plugins/include/plugins.h
 create mode 100644 plugins/plugins.c
 create mode 100644 plugins/qemulib.c
 create mode 100644 plugins/syscall-log/Makefile
 create mode 100644 plugins/syscall-log/syscall-log.c
 create mode 100644 plugins/template/Makefile
 create mode 100644 plugins/template/template.c

-- 
Pavel Dovgalyuk
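As an added illustration of the "needs"/"run" callback design and of the dispatch alternative raised in question 1 (this is not code from the series or QEMU's plugin API): plugins are consulted once at translation time, only the interested ones are recorded per instruction, and a single dispatcher call stands in for the helper embedded in the TB. All names, the opcode values and the four-instruction sample block are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#define MAX_PLUGINS 4
#define OPC_SYSCALL 0x0f05u /* constructed opcode value for the sample block */

/* A plugin supplies the two callbacks the cover letter describes. */
typedef struct {
    bool (*needs)(uint64_t pc, uint32_t opcode); /* asked once, at translation time */
    void (*run)(uint64_t pc, uint32_t opcode);   /* called before each execution */
} Plugin;
/* Per-instruction record: only plugins that answered "needs" are kept. */
typedef struct { uint64_t pc; uint32_t opcode; const Plugin *subs[MAX_PLUGINS]; int nsub; } InsnSlot;
static const Plugin *registered[MAX_PLUGINS];
static int nregistered;

/* Translation-time filtering, paid once per translated instruction. */
static void translate_insn(InsnSlot *s, uint64_t pc, uint32_t opcode) {
    s->pc = pc; s->opcode = opcode; s->nsub = 0;
    for (int i = 0; i < nregistered; i++)
        if (registered[i]->needs(pc, opcode))
            s->subs[s->nsub++] = registered[i];
}
/* The one callback embedded in the TB; it fans out to interested plugins. */
static void instrument_dispatch(const InsnSlot *s) {
    for (int i = 0; i < s->nsub; i++)
        s->subs[i]->run(s->pc, s->opcode);
}

/* Sample plugins in the spirit of the exec-log and syscall-log samples. */
int exec_count, syscall_count;
static bool needs_all(uint64_t pc, uint32_t op) { (void)pc; (void)op; return true; }
static void log_exec(uint64_t pc, uint32_t op) { (void)pc; (void)op; exec_count++; }
static bool needs_syscall(uint64_t pc, uint32_t op) { (void)pc; return op == OPC_SYSCALL; }
static void log_syscall(uint64_t pc, uint32_t op) { (void)pc; (void)op; syscall_count++; }
static const Plugin exec_log = { needs_all, log_exec }, syscall_log = { needs_syscall, log_syscall };

/* Translate a constructed 4-instruction block once, execute it `reps` times.
 * Returns how many helper calls the block would carry if every plugin embedded
 * its own callback (the TB-growth alternative raised in question 1). */
int run_sample_block(int reps) {
    static const uint32_t code[4] = { 0x90, 0x89, OPC_SYSCALL, 0xc3 };
    InsnSlot tb[4]; int per_plugin_helpers = 0;
    nregistered = 0; exec_count = 0; syscall_count = 0;
    registered[nregistered++] = &exec_log;
    registered[nregistered++] = &syscall_log;
    for (int i = 0; i < 4; i++) {
        translate_insn(&tb[i], 0x1000 + 4 * i, code[i]);
        per_plugin_helpers += tb[i].nsub;
    }
    for (int r = 0; r < reps; r++)
        for (int i = 0; i < 4; i++)
            instrument_dispatch(&tb[i]); /* one helper call per instruction */
    return per_plugin_helpers;
}
```

With two plugins the per-plugin scheme would embed five helpers into this block while the dispatcher embeds four, and the instruction-level filtering still keeps syscall-log off the three non-syscall instructions at run time.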