1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
|
xen dump-core format
Written by Isaku Yamahata <yamahata at valinux co jp> Feb. 2007
Introduction
------------
With xm dump-core command, the guest domain's core can be created as a file.
Its format was changed to be based on ELF format because elf format is easily
extensible and handy. This document describes the new format.
In this document the new format is called new xen dump-core format,
xen dump-core format or simply dump-core format. The file of xen dump-core
format is called xen dump-core file or dump-core file.
The usual process core file includes program headers and no section header.
On the other hand the xen dump-core file includes no program headers and
some sections because of its peculiar requirements.
Reference
---------
For ELF format itself, see Tool Interface Standard(TIS) Executable and
Linking Format(ELF) Specification version 1.2.
For xen related structure, please see the xen header files.
Elf header
----------
The elf header members are set as follows
e_ident[EI_CLASS] = ELFCLASS64 = 2
e_ident[EI_OSABI] = ELFOSABI_SYSV = 0
e_type = ET_CORE = 4
ELFCLASS64 is always used independent of architecture.
e_ident[EI_DATA] is set as follows
For x86 PV domain case, it is set according to the guest configuration
(i.e. if guest is 32bit it is set to EM_386 even when the dom0 is 64 bit.)
For other domain case (x86 HVM domain case and ia64 domain case),
it is set according to the dumping system's architecture.
e_flags is set according to the dumping system's architecture.
Other members are set as usual.
Sections
--------
Currently the following sections are defined. Some sections are optional.
".note.Xen" section
name ".note.Xen"
type SHT_NOTE
description
This section is used as note section to store xen dump-core
file specific informations. The each detailed informations are
described in note section. This section must exist.
".xen_prstatus" section
name ".xen_prstatus"
type SHT_PROGBITS
structure array of vcpu_guest_context_t
description
This section stores the array of vcpu_guest_context_t
which is obtained by XEN_DOMCTL_getvcpucontext hypercall
when the xen dump-core file is created.
The size of array is stored in xch_nr_vcpus member of header
note descriptor in .note.Xen note section.
This section must exist.
".xen_shared_info" section
name ".xen_shared_info"
type SHT_PROGBITS
structure shared_info_t
description
This section stores the contents of shared info page
of a domain. This section is optional.
".xen_p2m" section
name ".xen_p2m"
type SHT_PROGBITS
structure array of struct xen_dumpcore_p2m
struct xen_dumpcore_p2m {
uint64_t pfn;
uint64_t gmfn;
};
description
This elements represents the frame number of the page
in .xen_pages section.
pfn: guest-specific pseudo-physical frame number
gmfn: machine physical frame number
The size of arrays is stored in xch_nr_pages member of header
note descriptor in .note.Xen note section.
The entries are stored in pfn-ascending order.
The value, {~(uint64_t)0, ~(uint64_t)0}, means invalid
(pfn, gmfn) and the corresponding page has zero. There might
exist invalid (pfn, gmfn)'s at the end part of this array.
This section must exist when the domain is non auto
translated physmap mode. Currently x86 paravirtualized domain.
".xen_pfn" section
name ".xen_pfn"
type SHT_PROGBITS
structure array of uint64_t
description
This elements represents the frame number of the page
in .xen_pages section.
The size of arrays is stored in xch_nr_pages member of header
note descriptor in .note.Xen note section.
The entries are stored in ascending order.
The value, ~(uint64_t)0, means invalid pfn and the
corresponding page has zero. There might exist invalid
pfn's at the end part of this array.
This section must exist when the domain is auto translated
physmap mode. Currently x86 full virtualized domain and
ia64 domain.
".xen_pages" section
name ".xen_pages"
type SHT_PROGBITS
structure array of page where page is page size byte array
description
This section includes the contents of pages.
The corresponding address is described in .xen_p2m section
or .xen_pfn section.
The page size is stored in xch_page_size member of header note
descriptor in .note.Xen section.
The array size is stored in xch_nr_pages member of header note
descriptor in .note.Xen section.
This section must exist.
".xen_ia64_mapped_regs" section
name ".xen_ia64_mapped_regs"
type SHT_PROGBITS
structure array of mapped_regs_t
description
This section stores the array of mapped_regs_t.
The size of array is stored in xch_nr_vcpus member of header
note descriptor in .note.Xen note section.
This section is ia64 specific and must exist for ia64 PV
domain.
This section must not exist for non-ia64 domain or ia64 HVM
domain.
note section
------------
The note types are defined in xen/include/public/elfnote.h.
The note descriptors are defined in tools/libxc/xc_core.h
Currently the following note informations are defined.
elf note section
"Xen" is used as elf note name in elf note info
namesz 4
name "Xen" (null-terminated)
Descriptors
none note descriptor
type XEN_ELFNOTE_DUMPCORE_NONE = 0x2000000
structure struct xen_dumpcore_elfnote_none_desc {
/* nothing is defined */
};
description
This note descriptor is defined to just indicate that this
file is xen dump-core format without any specific information.
This note information must exist.
header note descriptor
type XEN_ELFNOTE_DUMPCORE_HEADER = 0x2000001
structure struct xen_dumpcore_elfnote_header_desc {
uint64_t xch_magic;
uint64_t xch_nr_vcpus;
uint64_t xch_nr_pages;
uint64_t xch_page_size;
};
description
This note descriptor stores basic information of the domain.
xch_magic magic number
XC_CORE_MAGIC = 0xF00FEBED for paravirtualized domain
XC_CORE_MAGIC_HVM = 0xF00FEBEE for full virtualized domain
xch_nr_vcpus the number of vcpus
xch_nr_pages the number of pages
xch_page_size guest OS's page size
This note information must exist.
xen_version descriptor
type XEN_ELFNOTE_DUMPCORE_XEN_VERSION = 0x2000002
structure struct xen_dumpcore_elfnote_xen_version_desc {
uint64_t major_version;
uint64_t minor_version;
xen_extraversion_t extra_version;
xen_compile_info_t compile_info;
xen_capabilities_info_t capabilities;
xen_changeset_info_t changeset;
xen_platform_parameters_t platform_parameters;
uint64_t pagesize;
};
description
This note descriptor stores basic information about xen
hypervisor. The each members store the result of
__HYPERVISOR_xen_version hypercall.
major_version 16msb bit of the result of XENVER_version
minor_version 16lsb bit of the result of XENVER_version
uint64_t is used to make struct
xen_dumpcore_elfnote_xen_version_desc independent
on 32bit/64bit instead of uint32_t.
extra_version the result of XENVER_extraversion
compile_info the result of XENVER_compile_info
capabilities the result of XENVER_capabilities
changeset the result of XENVER_changeset
platform_parameters
the result of XENVER_platform_parameters
pagesize the result of XENVER_pagesize
This note information must exist.
format_version descriptor
type XEN_ELFNOTE_DUMPCORE_FORMAT_VERSION = 0x2000003
structure struct xen_dumpcore_elfnote_format_version_desc {
uint64_t version;
};
description
This note descriptor stores xen dump-core format version.
The 32msb bit is major version and the 32lsb bit is minor
version.
The minor version will be incremented when the format
is changed in compatible way. e.g. new sections, new note
descriptors are added.
the major version will be incremented when the format is
changed in incompatible way.
This note information must exit. Analysis tools should check
this format version.
This note information must exist.
Format version history
----------------------
Currently only (major, minor) = (0, 1) is used.
[When the format is changed, it would be described here.]
(0, 1) update
- .xen_p2m, .xen_pfn section
Invalid pfn/gmfn.
- .xen_p2m, .xen_pfn section
Arrays must be in pfn ascending order for efficient looking up.
- EI_CLASS member of elf header was changed to ELFCLASS64 independent of
architecture. This is mainly for x86_32pae.
The format version isn't bumped because analysis tools can distinguish it.
- .xen_ia64_mapped_regs section was made only for ia64 PV domain.
In case of IA64 HVM domain, this section doesn't exist.
- elf header e_ident[EI_DATA]
On x86 PV domain case, it is set according to the guest configuration.
I.e. 32-on-64 case, the file will be set EM_386 instead of EM_X86_64.
This is the same as 32-on-32 case, so there is no impact on analysis tools.
|