In January 2017, results arrived. I was accepted at the LSE, a system laboratory in my school. We were 4, and had to find a new project to work on. One wanted to work on the linux kernel security, another on Valgrind, and then, there is me. I didn’t knew how to start, but I wanted to work on something related to GPUs.

My teacher arrived, and explained the current problem with Windows and QEMU: we don’t have any hardware acceleration. Might be useful to do something about it ! I was not ready…

The first step was to understand Linux graphic stack, and then find out how Windows could have done it. Finally, how we can bring this together using Virgl3D and VirtIO queues.

This article will try present you a rapid overview of the graphic stack on Linux. There already is some pretty good articles about the userland part, so I won’t focus on that, and put some links.

OpenGL 101

Let’s begin with a simple OpenGL application:

int main(int argc, char** argv)
{
    glutInit(&argc, argv);
    glutInitWindowSize(300, 300);
    glutCreateWindow("Hello world :D");

    glClear(GL_COLOR_BUFFER_BIT);
    glBegin(GL_TRIANGLE);
        glVertex3f(0.0, 0.0, 0.0);
        glVertex3f(0.5, 0.0, 0.0);
        glVertex3f(0.0, 0.5, 0.0);
    glEnd();
    glFlush();
    return 0;
}

This is a non working dummy sample, for the idea

As we can see, there is three main steps:

• Get a window
• Prepare our vertices, data…
• Render

But how can we do that ?

Linux graphic stack

Level 1: Userland, X and libGL

The first part of our code looked like this:

glutInit(&argc, argv);
glutInitDisplayMode(GLUT_SINGLE);
glutInitWindowSize(300, 300);
glutInitWindowPosition(100, 100);

But in fact, actions can be resumed to something like this:

CTX = glCreateContext()
CONNECTION = xcb_connect()
xcb_create_window(CONNECTION, PARAMS, SURFACE, WINDOW)

What ? a connection, a context ?

To manage our display, Linux can use several programs. A well known is the X server. Since it’s a real server, we have to connect to it first before being able to request anything. To ease our work, we will use the lib XCB. Once a window is created, any desktop manager compatible with X will be able to display it. For more informations about an OpenGL context -> Khronos wiki

Meet Mesa

Mesa is an implementation of OpenGL on Linux. Our entry point is libGL, just a dynamic library letting us interface with the openGL runtime. The idea is the following:

• libGL is used by an OpenGL application to interact with Mesa
• Generic OpenGL state tracker. Shaders are compiled to TGSI and optimized
• GPU layer : A translation layer specific to our graphic chipset

• libDRM and WinSys: an API specific to the kernel, used interface with the DRM

• OpenGL state tracker: from basic commands like GlBegin GlVertex3 and so on, Mesa will be able to generate real calls, to create command buffers, vertex buffers, etc… Shaders will be compiled into an intermediate representation: TGSI. A first batch of optimizations in done on this step.

• GPU layer: We now need to translate TGSI shaders to something our GPU can understand, real instructions. We will also shape our commands for a specific chipset.

• libDRM and WinSys: We send this data to the kernel, using this interface

With this architecture, if I want to add a support to my own graphic card, I will have to replace one part : the GPU layer

For more informations about Mesa and Gallium -> Wikipedia Another good article on the userland part -> Igalia blog

Welcome to KernelLand !

Meet the DRM

DRM: Direct Rendering Manager. This is more or less an IOCTL API composed of several modules. Each driver can add some specific entry points, but there is a common API designed to provide a minimal support. Two modules will be described: KMS and the infamous couple TTM & GEM.

Meet KMS

Remember the first step of our OpenGL application ? Ask for a window, getting a place to put some fancy pixels ? That’s the job of the KMS: Kernel Mode-setting.

A long time ago, we used UMS: user mode setting. The idea was to manage our hardware directly from userland. Problems: every application needed to support all the devices. It means a lot of code was written, again and again. And what if two applications wanted to access to the same resources ? So, KMS. But why ?

Framebuffer: a buffer in memory, designed to store pixels

The story begins with a plane. Picture it like a group of resources used to create a image. A plane can contains several framebuffers. A big one, to store the full picture, and maybe a small one, something like 64x64 for an hardware cursor ? These framebuffers can be mixed together on the hardware to generate a final framebuffer.

Now, we have a buffer storing our picture. We assigned it to a CRTC (Cathode Ray Tube Controller). A CRTC is directly linked to an ouput. It means if your card has two CRTCs, you can have two different output. Final step, printing something on the screen. A screen is connected using a standard port, HDMI, DVI, VGA… this means encoding our stream to a well defined protocol. That’s it, we have some pixels on our screen !

TTM & GEM

We can print some pixels, great ! But how can we do some fancy 3D stuff ? We have our GL calls going through some mumbo-jumbo stuff, and then what ? How can I actually write something on my GPU’s memory ?

There globally two kind of memory architecture: UMA and dedicated

• UMA for Unified Memory Access, is used by Intel Graphics, or on some Android devices. All your memory is accessible from one memory space.
• Dedicated memory: You can’t directly access your memory from the CPU.If you want to write it, you have to map a CPU addressable area, write your data, and then, use specific mechanisms to send it on the dedicated memory.

TTM and GEM are two different APIs designed to manage this. TTM is the old one, designed to covering every possible cases. The result is a big and complex interface no sane developer would use. Around 2008, GEM was introduced. A new and lighter API, designed to manage UMA architectures. Nowadays, GEM is often used as a frontend, but when dedicated memory management is needed, TTM is used as backend.

GEM for dummies

The main idea is to link a resource to a GEM handle. Now you only need to tell when a GEM is needed, and memory will be moved on and out our vram. But there is a small problem. To share resources, GEM uses global identifiers. A GEM is linked to a unique, global identifier. This means any program could ask for a specific GEM and get access to the resource… any.

Gladly, we have DMA-BUF. The idea is to link a buffer to a file descriptor. We add some functions to convert a local GEM identifier to a fd, and can safely share our resources.

I’ll stop here for now, but I invite you to check some articles on DMA (Direct memory access) and read this article about TTM & GEM

Writing an ICD is a problem in itself. Add to this Windows kernel interfaces, virtIO queues management, resources transfer between host and guest, and BOOM, you are lost. This brings us to our first step: something not efficient but simpler, API Forwarding.

Tasks

• Hook OpenGL calls
• Serialize function calls
• Send them to the miniport-driver, then the host
• De-serialize calls and execute them on the host.
• Send some data back to the guest

Realization

ICD

The ICD part (Userland) is pretty straightforward. Make your own opengl32.dll, serialize the calls. Now find a sweet function in gdi32.dll to throw your mumbo-jumbo on the kernel side. Fortunately, we have this:

NTSTATUS APIENTRY DxgkDdiEscape(
  _In_ const HANDLE         hAdapter,
  _In_ const DXGKARG_ESCAPE *pEscape
)
{ ... }

A beautiful function available on both DOD and full display driver. It takes a pointer on an userland buffer, and send it to our display driver. Wait… userland buffer, no check, kernel part ? Mmmmm…. What could go wrong ?

Kernel part

To initialize a display driver, you must call a function: DxgkInitialize This function will take a big structure, containing function pointers to your driver. For a display only driver, you will have a reduced set of function to implement. And for a full featured driver, well…

Anyway, now the game is to run the driver, and see where we crash. Sadly we cannot just hope to add some functions, and run only using the working DOD code base. Windows wants something more, and the game is to find what, Yay ! Since we have a working DOD driver, let’s find how we could trick.

ICD <=> Kernel communication

We can register two type of driver: a DOD driver using DxgkInitializeDisplayOnlyDriver and DxgkInitialize. Windows will then know which kind of features each driver can support (fine tune will be done using query callbacks). Both drivers can implement DxgkDdiEscape. Great, we will fool Windows and use this DOD as a fully featured 3D driver ! WRONG !

Setup of the ICD part, sending everything through our escape functions ? check. But return values seams off. After investigation, and any function taking a userland buffer, I came to a conclusion: OpenGL ICD part cannot communicate with a DOD driver. Windows knows we are display only, and fall-back our ICD calls on it’s own driver.

So now, what’s the plan ? Let’s put this problem aside, and try to focus on the real part: create proper commands for the host.

On my arrival at the lab, I started a little project: working on a display only driver for Windows. A good way to start learning what was hidden under the hood of an OpenGL application. Google Summer of Code 2017 arrived, and subject were published. Among these, QEMU’s ‘Windows Virgl driver’. Great ! Let’s apply !

Applications closed early April. I took a look at the already existing DOD driver (non official repo)

and also decided to learn a bit more about Vulkan. Results came, and I was selected, excellent !

Mission

The idea is to bring 3d acceleration on Windows guests running with QEMU. Using VirtIO devices and Virgl3d.

Context

On this stack, we can work on three parts: opengl32.dll, ICD and Miniport driver.

• OpenGL32.dll is just a dynamic library used to communicate with out runtime driver.
• ICD: this is the OpenGL implementation. This part is the equivalent of Mesa on Linux.
• Miniport-driver: this is the kernel driver. Hardware specific, we are going to do our hypercalls here.

Problems

• Windows is not open source. We have some basic ideas about D3DKrnl subsystem behaviour, but nothing is certain.
• To develop a complete OpenGL state tracker is a lot of work.
• Virgl3D takes some calls, and bytecode for shaders, re-translate it to GLSL, and call OpenGL again. Which means we will do the same work twice. Once on the host, once on the guest.

Vulkan is great, vulkan is love, vulkan is $(COMPLIMENT)

I heard a lot about this API, but never took some time to try it… So why not now ? The goal was to do a simple OBJ file viewer. Then, try to improve performances, and of course, since it’s Vulkan, go multithread! The API is pretty simple to use. We fill out some structs, and call a vkSomething function.

Some samples are available in the SDK, and of course, there is this Vulkan-tutorial website.

So commits after commits, the code grew, until the first “Hello, world !”: displaying a white triangle. 1000 lines of code vs 30, that’s quite steep. After some additional 7641 lines, here it us, a simple obj viewer!

GitHub link

But we are the May the 5th, and Google Summer of Code results are out! 🥳 Time to focus on the next big project: OpenGL driver for a Windows on QEMU VMs.

For my upcoming Vulkan project, I needed a model. So here it is ! R5D4, the unchosen droid from Star Wars.

Tools: 3ds Max, Substance Painter, Photoshop