WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself

from [Li, Xin] [Permanent Link][Original]
To: Keir Fraser <keir.xen@xxxxxxxxx>, "Yang, Wei Y" <wei.y.yang@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself
From: "Li, Xin" <xin.li@xxxxxxxxx>
Date: Thu, 2 Jun 2011 18:07:29 +0800
Accept-language: zh-CN, en-US
Acceptlanguage: zh-CN, en-US
Cc:
Delivery-date: Thu, 02 Jun 2011 03:12:27 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CA0CEB67.1B699%keir.xen@xxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <FC2FB65B4D919844ADE4BE3C2BB739AD5AB183C0@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <CA0CEB67.1B699%keir.xen@xxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcwgVcdx+MEnPLpEQiCW7V8mG/kTcwAB1C2gAATM9UkAATxcMAAJ1pbSAARKp9AAEAaZrAAA0DoQ
Thread-topic: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself 
> > I don't know if we can distinguish that when creating guest.
> 
> Of course you can. See the guest_64bit flag already used in
> xc_pv_cpuid_policy()!
> 
> However, given that the guest cannot influence whether SMEP is
> enabled/disabled, perhaps it makes sense to always hide the feature? Also we

SMEP can protect Xen hypervisor and 32bit guest kernel from application, but as
32bit guests run in ring 1, it still can exploit null pointer in Xen, although 
it's rare.

I vaguely remember Windows disallows execution from first page (or 4M?) of
virtual address space. Does Xen disallow PV guest kernel executing from there?

> should unconditionally be hiding the CPUID feature in any case when Xen does
> not support SMEP (because disabled on command line, or in the stable
> branches without the feature patch applied) as otherwise guest can detect
> the feature and will crash when it tries to enable the feature in CR4. This
> is why it's a bad idea that we blacklist CPUID features for PV guests rather
> than whitelist them. I will apply such a patch to all trees now.

You're right.  We will rebase the patch on your new code.
Thanks!
-Xin

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself, Li, Xin
Next by Date:  RE: [Xen-devel] RFC: Nested VMX patch series 00, Dong, Eddie
Previous by Thread:  Re: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself, Keir Fraser
Next by Thread:  RE: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself, Jan Beulich
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy