bsod-fakedev

Tracing

  1. Set up VFIO device passthrough (bind the target PCI device to vfio-pci):
     # vfio/bind.sh
  2. Start QEMU with PCI passthrough and vfio tracing enabled:
     -device vfio-pci,host=01:00.0,x-no-mmap=true,x-no-kvm-intx=true,x-no-kvm-msi=true,x-no-kvm-msix=true -trace events=events

     x-no-mmap=true keeps the BARs from being mmap'ed into the guest, so every MMIO access traps into QEMU's region handlers and shows up in the trace; the x-no-kvm-intx/msi/msix options keep interrupt delivery in QEMU instead of the KVM fast path for the same reason. -trace events=events enables the trace events listed in the file named events.

     The vfio trace data is written to the trace.log file.
  3. Extract the pci-replay data from the trace with the scripts:
     $ convert-qemu-trace.py trace.log
     $ extract-ram-image.py <region> <start addr>
     $ extract-seq-data.py <region> <start addr>

     The scripts extract an initial RAM image for each memory region and the sequence of register values observed at each memory address.
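The following is an added example of the extraction step above, written for this page; it is not the repository's convert-qemu-trace.py, extract-ram-image.py or extract-seq-data.py. It assumes the trace lines have the shape QEMU's stdout trace backend gives the vfio_region_read and vfio_region_write events (a pid@sec.usec: prefix followed by the event's format string from hw/vfio/trace-events); the trace text itself is constructed, not a real capture. It reconstructs an initial image per region (the value each byte returned the first time it was read, before the guest ever wrote it) and the per-register sequence of values the device returned, which is exactly what a replay device needs to answer the guest's reads in order.

```python
#!/usr/bin/env python3
"""Turn QEMU vfio region traces into replay data: an initial image per BAR
and the ordered values each register returned. Added example, not the
repository's own scripts."""
import re

# Assumed line shape (QEMU stdout trace backend, hw/vfio/trace-events):
#   <pid>@<sec>.<usec>:vfio_region_write  (<bdf>:region<N>+0x<off>, 0x<data>, <size>)
#   <pid>@<sec>.<usec>:vfio_region_read  (<bdf>:region<N>+0x<off>, <size>) = 0x<data>
WRITE_RE = re.compile(
    r"vfio_region_write\s+\((?P<dev>\S+?):region(?P<region>\d+)\+0x(?P<off>[0-9a-fA-F]+),"
    r" 0x(?P<data>[0-9a-fA-F]+), (?P<size>\d+)\)")
READ_RE = re.compile(
    r"vfio_region_read\s+\((?P<dev>\S+?):region(?P<region>\d+)\+0x(?P<off>[0-9a-fA-F]+),"
    r" (?P<size>\d+)\) = 0x(?P<data>[0-9a-fA-F]+)")


def parse_trace(text):
    """Return (op, region, offset, size, data) tuples for every region access,
    in trace order. Lines for other events (interrupts, config space, ...) are
    skipped, so unrelated tracing noise does not break the extraction."""
    events = []
    for line in text.splitlines():
        op, m = "w", WRITE_RE.search(line)
        if m is None:
            op, m = "r", READ_RE.search(line)
        if m is None:
            continue
        events.append((op, int(m["region"]), int(m["off"], 16),
                       int(m["size"]), int(m["data"], 16)))
    return events


def initial_image(events, region, size):
    """Reconstruct the region's initial contents. Each byte takes the value the
    device returned on its first read; a byte the guest wrote before any read
    has an unknown pre-boot value and is left zero. Returns (image, known),
    where known[i] == 1 marks bytes actually observed. MMIO data is stored
    little-endian, matching how the guest sees the BAR."""
    image = bytearray(size)
    known = bytearray(size)    # 1 = observed before any write
    touched = bytearray(size)  # 1 = already read or written at least once
    for op, reg, off, n, data in events:
        if reg != region or off + n > size:
            continue
        if op == "r":
            for i, b in enumerate(data.to_bytes(n, "little")):
                if not touched[off + i]:
                    image[off + i] = b
                    known[off + i] = 1
        for i in range(n):
            touched[off + i] = 1
    return bytes(image), bytes(known)


def read_sequence(events, region, offset):
    """Values the device returned at (region, offset), in order: what a replay
    device hands back on the guest's 1st, 2nd, ... read of that register."""
    return [data for op, reg, off, _n, data in events
            if op == "r" and reg == region and off == offset]


def write_sequence(events, region, offset):
    """Values the guest wrote to (region, offset), in order; useful as the
    driver-side inputs when building a harness."""
    return [data for op, reg, off, _n, data in events
            if op == "w" and reg == region and off == offset]


# Constructed sample trace (not a real capture), in the assumed format above.
SAMPLE_TRACE = """\
4242@1700000000.000100:vfio_region_read  (0000:01:00.0:region0+0x0, 4) = 0x10de0000
4242@1700000000.000200:vfio_region_read  (0000:01:00.0:region0+0x4, 4) = 0x0
4242@1700000000.000300:vfio_region_write  (0000:01:00.0:region0+0x4, 0x1, 4)
4242@1700000000.000400:vfio_region_read  (0000:01:00.0:region0+0x4, 4) = 0x1
4242@1700000000.000500:vfio_region_read  (0000:01:00.0:region0+0x4, 4) = 0x3
4242@1700000000.000600:vfio_region_write  (0000:01:00.0:region1+0x10, 0xdeadbeef, 4)
4242@1700000000.000700:vfio_region_read  (0000:01:00.0:region1+0x10, 4) = 0xdeadbeef
4242@1700000000.000800:vfio_intx_interrupt  (0000:01:00.0) Pin A
"""

if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    img, known = initial_image(ev, region=0, size=16)
    print("region0 initial image:", img.hex(), "known mask:", known.hex())
    print("region0+0x4 reads:", [hex(v) for v in read_sequence(ev, 0, 0x4)])
    _img1, known1 = initial_image(ev, region=1, size=0x20)
    print("region1+0x10 observed before first write:", bool(known1[0x10]))
```

The `known` mask is the caveat worth keeping: a BAR offset the driver writes before it ever reads has no recoverable initial value, and a replay device that silently fills it with zero can diverge from the real hardware at exactly that register. Run the extraction on a trace that starts before the driver binds (at guest boot) so as many registers as possible are read before being written.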

For the initial analysis we used the record/replay functionality of PANDA for deterministic execution, together with some modifications and plugins that can be found here. This let us inspect and dump the data buffers exchanged with the device, which we then used for harnessing and as initial test cases.

Building

Create a model of the PCI device by implementing a QEMU device class similar to pci-nvidia.c. At a minimum, adjust the vendor/device IDs and the BAR layout (the number, size and type of the BARs) to match the traced device, since the guest driver will probe for exactly those. Then add the sources to the QEMU tree and build it.

PCI replay device

With the extracted data from the tracing process in place, start QEMU with the pci-replay device.