The disclosed subject matter relates generally to interrupts and, more particularly, to controllably remapping selected interrupts.
Typical computer systems are generally comprised of a processor, memory and external or peripheral devices. Ordinarily, the processor is busy executing instructions retrieved from memory that are associated with an operating system and one or more application programs, such as a word processor, a graphics program, a game, or the like. However, execution of these application programs may be temporarily suspended to handle more urgent matters. For example, in some computer systems, the peripheral devices are configured to generate interrupt signals that are associated with a high priority concern, such as a hardware error, low-voltage or power-loss situation, a high-temperature situation, or the like. Owing to the urgency of this type of message, the processor promptly discontinues execution of the application program and begins to execute an interrupt handling routine that identifies a course of action to be taken by the processor in response to the particular type of interrupt.
Those skilled in the art will appreciate that if one or more of the peripheral devices generates a significant number of interrupts, the operation of the processor may be substantially engaged in executing the numerous interrupt handling routines, rather than executing the application programs. Such a condition may appear to the user as a slow and unresponsive application program.
In some instances, one or more peripheral devices may fail or otherwise begin to operate in an undesirable fashion in which numerous interrupts are generated. In other instances, an attack may occur in which the security of one or more peripheral devices is compromised and the devices are put into a mode of operation in which a rapid sequence of interrupts is generated to intentionally slow or substantially freeze the operation of the processor with respect to the application programs.
Interrupt messages are defined by the PCI-SIG PCI Express (PCIe) specification and the HyperTransport® specification as being in the form of a posted-write to a specific system address. There are several types of interrupts, which are encoded into a 3-bit field called the Delivery Mode field for PCIe MSI and the Message Type (MT) field for the HyperTransport® protocol. Interrupt types are defined for: fixed, Lowest Priority (LPr), system management interrupt (SMI), non-maskable interrupt (NMI), initialization interrupt (INIT), startup interrupt (Startup), external interrupt (ExtInt), and APIC EOI (end-of-interrupt). By definition, a peripheral device should not issue a Startup or an APIC EOI, and thus, these two types of interrupts are considered “reserved” when defining the types of interrupt messages that peripherals can generate. Each peripheral is programmed by BIOS and system software (hypervisor or operating system) with information necessary to generate correct interrupts. The specifications and implementations, however, do not restrict peripherals from forming any type of interrupt, including these reserved interrupts.
Message-signaled interrupts (which include all interrupt message types listed above) can be generated either by interrupt hardware on the peripheral or by memory accesses. An MSI is simply a posted-write to a special system memory address that is defined in the PCIe and HT specifications. Therefore, malicious or defective hardware or software (device/device driver) could cause a peripheral to attempt a “DMA operation” to the special memory addresses and cause an interrupt storm, or cause the peripheral interrupt registers to contain detrimental interrupt values. This could lead to denial-of-service as the processor spends excessive time handling spurious interrupts, especially in the case of falsely generated SMI requests.
Some systems, such as a virtualized system, allow a peripheral to be directly mapped (made directly accessible) to a guest Virtual Machine (VM). Thus, a guest VM can cause an interrupt storm that denies service to other guest VMs on the system, magnifying the impact of the attack.
Some systems contain control bits that allow system software to pass or block some of the interrupt types, but not all. In particular, SMI and the two reserved MT interrupts have no corresponding pass/block control mechanism. This means that interrupt storms caused by rogue guest VM device drivers are a threat because there is no hardware mechanism to throttle or stop the incoming interrupts. If an interrupt storm is created by a peripheral, the computing capacity of the system can be completely consumed processing the spurious interrupts, preventing forward progress on the primary computation duties of the system.
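The following added example (not part of the original disclosure) models, in software, a per-device filter that decodes a posted write as an MSI, applies a pass/block bit to every one of the eight 3-bit type encodings, and throttles a storm with a per-window budget. The address window and bit positions are assumptions taken from the x86 MSI message format, and the `msi_filter` structure and its field names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (x86 MSI format, not stated on this page): a posted write to
 * 0xFEE00000-0xFEEFFFFF is an interrupt message; data bits 10:8 hold the
 * 3-bit Delivery Mode (0 Fixed, 1 Lowest Priority, 2 SMI, 3 reserved,
 * 4 NMI, 5 INIT, 6 reserved, 7 ExtINT). */
#define MSI_WINDOW 0xFEE00000ull
#define MSI_MODE(data) (((data) >> 8) & 0x7u)

enum verdict { NOT_MSI, PASS, BLOCK_TYPE, BLOCK_STORM };

/* Hypothetical per-device filter state; not a real register layout. */
struct msi_filter {
    uint8_t  allow_mask;   /* bit n set => delivery mode n may pass */
    uint32_t budget;       /* interrupts accepted per window */
    uint64_t window_ticks; /* window length in caller-defined ticks */
    uint64_t window_start; /* tick at which the current window began */
    uint32_t seen;         /* interrupts accepted in this window */
};

/* Classify one posted write issued by the device at time `now`. */
enum verdict msi_check(struct msi_filter *f, uint64_t addr, uint32_t data,
                       uint64_t now)
{
    if ((addr & ~0xFFFFFull) != MSI_WINDOW)
        return NOT_MSI;                  /* ordinary DMA write */
    if (!(f->allow_mask & (1u << MSI_MODE(data))))
        return BLOCK_TYPE;               /* e.g. SMI or a reserved type */
    if (now - f->window_start >= f->window_ticks) {
        f->window_start = now;           /* start a new rate window */
        f->seen = 0;
    }
    if (f->seen >= f->budget)
        return BLOCK_STORM;              /* over budget: throttle */
    f->seen++;
    return PASS;
}

int main(void)
{
    /* Constructed sample: allow Fixed and Lowest Priority, 2 per 100 ticks. */
    struct msi_filter f = { 0x03, 2, 100, 0, 0 };
    printf("fixed: %d\n", msi_check(&f, 0xFEE00000ull, 0x0041, 0));
    printf("smi:   %d\n", msi_check(&f, 0xFEE00000ull, 0x0200, 1));
    printf("dma:   %d\n", msi_check(&f, 0x00100000ull, 0x0041, 2));
    return 0;
}
```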