I have a number of questions about Intel PT (I have been trying to decode the manual, but it is very difficult). My questions are:
- I am trying to find out if Intel PT can be disabled or reconfigured from within an OS, or, more generally, from within the system it is providing a trace of.
- Does Intel PT generate events on writes to specific registers, such as CR3, IDTR, etc.?
- Can Intel PT write values back to the system, i.e. can an external debugging machine actively perform writes to registers, cache or memory?
Any help is much appreciated, thank you!!
I'm also currently figuring out how to use Intel PT. As far as I know:
- Yes. From section 36.2.5.2 of the Intel 64 and IA-32 Architectures Software Developer’s Manual:
  "IA32_RTIT_CTL, at address 570H, is the primary enable and control MSR for trace packet generation. Bit positions are listed in Table 36-5."
You can clear or set the IA32_RTIT_CTL MSR to disable or enable PT tracing. This can be done from within the system PT is providing a trace of. In fact, I don't think it can be done any other way.
- Yes. A Paging Information Packet (PIP) is created when modifications to the CR3 register happen. Not sure about IDTR and others, though. Furthermore, the CR3 register can be used for trace filtering.
- The whole idea behind Intel PT is packet encoding and decoding. When x event happens, y packet is generated. It's your job to "decode" this CPU-provided data and make some high-level sense out of it. Additionally, you can "encode" packets and feed them into the system doing the decoding. Again, decoder (and, optionally, encoder) functionality is your job. You can check out Intel's open-source decoder/encoder library reference implementation here. I'd recommend trying it out under Linux, with the latest stable kernel (4.1.3 as of this writing).
It's worth noting that PT stores its data where you tell it to, generally a reserved memory region, or a debugging port.
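A read-only check of the control MSR discussed in the answer above, as an added example that is not part of the original posts: it reads IA32_RTIT_CTL (570H) through the Linux msr driver and decodes a subset of its bits, so a monitoring agent can notice tracing being switched off or narrowed from inside the traced system. The function and struct names are hypothetical; the bit positions follow the SDM's IA32_RTIT_CTL layout, and `/dev/cpu/N/msr` assumes the msr module is loaded and the program runs as root.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define MSR_IA32_RTIT_CTL 0x570          /* address quoted from the SDM above */

/* Subset of IA32_RTIT_CTL bits (SDM layout). */
#define RTIT_TRACEEN   (1ULL << 0)       /* tracing enabled */
#define RTIT_OS        (1ULL << 2)       /* trace CPL 0 */
#define RTIT_USER      (1ULL << 3)       /* trace CPL > 0 */
#define RTIT_CR3FILTER (1ULL << 7)       /* trace only the matching CR3 */
#define RTIT_TOPA      (1ULL << 8)       /* output via Table of Physical Addresses */
#define RTIT_BRANCHEN  (1ULL << 13)      /* control-flow packets enabled */

/* Hypothetical helper type: decoded view of the control MSR. */
struct rtit_state { int enabled, ring0, ring3, cr3_filter, topa, branches; };

struct rtit_state rtit_decode(uint64_t v)
{
    struct rtit_state s;
    s.enabled    = (v & RTIT_TRACEEN)   != 0;
    s.ring0      = (v & RTIT_OS)        != 0;
    s.ring3      = (v & RTIT_USER)      != 0;
    s.cr3_filter = (v & RTIT_CR3FILTER) != 0;
    s.topa       = (v & RTIT_TOPA)      != 0;
    s.branches   = (v & RTIT_BRANCHEN)  != 0;
    return s;
}

/* Read the MSR on one logical CPU; returns 0 on success, -1 on any error
 * (no msr driver, no permission, or a CPU without Intel PT). */
int rtit_read(int cpu, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, MSR_IA32_RTIT_CTL, SEEK_SET) >= 0 &&
             read(fd, out, sizeof *out) == (ssize_t)sizeof *out;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    uint64_t v;
    if (rtit_read(0, &v) != 0) { perror("IA32_RTIT_CTL"); return 1; }
    struct rtit_state s = rtit_decode(v);
    printf("raw=%#llx enabled=%d ring0=%d ring3=%d cr3_filter=%d topa=%d branches=%d\n",
           (unsigned long long)v, s.enabled, s.ring0, s.ring3, s.cr3_filter, s.topa, s.branches);
    return 0;
}
```

The MSR is per logical CPU, so a complete check reads it on every CPU rather than only CPU 0.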
This is the patch that enables the use of Intel PT in 4.3:
https://lkml.org/lkml/2013/12/11/233
https://lkml.org/lkml/2015/9/24/181
https://lkml.org/lkml/2015/9/27/45
This is on the interaction of PT with other Intel features like LBT:
https://lkml.org/lkml/2014/7/31/572
Read the documentation at tools/perf/Documentation/intel-pt.txt on how to use it.
Andi Kleen from Intel is the originator of the patch for Skylakes/Broadwell (only these two processors and the Atom series support Intel PT), and he has the userspace tool for demonstrating its use for debugging:
https://github.com/andikleen/simple-pt
For more details please see:
https://tthtlc.wordpress.com/2016/01/26/intel-processor-trace-how-to-use-it/