WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself

from [Li, Xin] [Permanent Link][Original]
To: Keir Fraser <keir.xen@xxxxxxxxx>, "Yang, Wei Y" <wei.y.yang@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself
From: "Li, Xin" <xin.li@xxxxxxxxx>
Date: Thu, 2 Jun 2011 06:52:38 +0800
Accept-language: zh-CN, en-US
Acceptlanguage: zh-CN, en-US
Cc:
Delivery-date: Thu, 02 Jun 2011 02:48:07 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CA0C630E.1B68C%keir.xen@xxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <FC2FB65B4D919844ADE4BE3C2BB739AD5AB18386@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <CA0C630E.1B68C%keir.xen@xxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcwgVcdx+MEnPLpEQiCW7V8mG/kTcwAB1C2gAATM9UkAATxcMAAJ1pbSAARKp9A=
Thread-topic: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself 
> >>> and kills a pv guest triggering SMEP fault.
> >>
> >> Should only occur when the guest kernel triggers the SMEP.
> >
> > According to code base size, it's much easier for malicious applications to
> > explore
> > security holes in kernel.  But unluckily SMEP doesn't apply to the ring 3
> > where
> > x86_64 pv kernel runs on.  It's wiser to use HVM :)
> 
> Yep, but 32-bit guests can still benefit.

Can we know a guest will be 32bit or 64bit before it boots?
Code will be like
        xc_pv_cpuid_policy()
        {
        case 7, 0:
            if ( 64 bit pv guest )
                 disallow smep;
        }
I don't know if we can distinguish that when creating guest.
Thanks!
-Xin

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] [Patch] Disallow SMEP for PV guest, Keir Fraser
Next by Date:  [Xen-devel] [PATCH 20 of 20] n2 MSR handling and capability exposure, Eddie Dong
Previous by Thread:  Re: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself, Keir Fraser
Next by Thread:  Re: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself, Keir Fraser
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy