 Home |
Products |
Support |
Community |
News |
xen-devel
Re: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself
| To: | "Li, Xin" <xin.li@xxxxxxxxx>, "Yang, Wei Y" <wei.y.yang@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself |
| From: | Keir Fraser <keir.xen@xxxxxxxxx> |
| Date: | Wed, 01 Jun 2011 21:43:42 +0100 |
| Cc: | |
| Delivery-date: | Thu, 02 Jun 2011 03:28:34 -0700 |
| Dkim-signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:user-agent:date:subject:from:to:message-id :thread-topic:thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; bh=XmoGSKKQrIlpgW36jvw/4URhAk4+74KzRO9pC5yrEeU=; b=gQC02s+2Ptdk9GKq7+4qeGIYV9dklFgsbtHqeHRnrHn0dXJ8XXFJqZYBSNzE+9qdOX XW4sv1U0/fcMT9vPh2pK6hRa6Q8RQbm6Yg8mh8M91FWxqXRgSNAwFovpKVOKOBgrWeiy J6gmZJ47E1Xi807PCW6QVQWSgojtVKQxKo96A= |
| Domainkey-signature: | a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=user-agent:date:subject:from:to:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; b=JeuryyTisoLKM2kPPPMGtZ2AZ6XD9Ry0U8fXKD5DYMTlUhWLcPLYXivUEPqJ9klAuY 0RvMVisL4VfSooW4z10Cg75SyrulCdcaSXYh2cBkHPKqSLGA75y4m73zSWvSVC3DWKoo XlfHUum8M1ZhUUBRn153UFifYmyT1ON+onN/U= |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <FC2FB65B4D919844ADE4BE3C2BB739AD5AB18386@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> |
| List-help: | <mailto:xen-devel-request@lists.xensource.com?subject=help> |
| List-id: | Xen developer discussion <xen-devel.lists.xensource.com> |
| List-post: | <mailto:xen-devel@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe> |
| Sender: | xen-devel-bounces@xxxxxxxxxxxxxxxxxxx |
| Thread-index: | AcwgVcdx+MEnPLpEQiCW7V8mG/kTcwAB1C2gAATM9UkAATxcMAAJ1pbS |
| Thread-topic: | [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself |
| User-agent: | Microsoft-Entourage/12.29.0.110113 |
On 01/06/2011 17:15, "Li, Xin" <xin.li@xxxxxxxxx> wrote: >>> This patch enables SMEP in Xen to protect Xen hypervisor from executing pv >>> guest code, >> >> Well not really. In the case that *Xen* execution triggers SMEP, you should >> crash. > > You don't expect Xen can trigger SMEP? somehow I agree, but in case there is > any null pointer in Xen, an evil pv guest can easily get control of the > system. Of course. I don't disagree there can be bugs in Xen. :-) >> >>> and kills a pv guest triggering SMEP fault. >> >> Should only occur when the guest kernel triggers the SMEP. > > According to code base size, it's much easier for malicious applications to > explore > security holes in kernel. But unluckily SMEP doesn't apply to the ring 3 > where > x86_64 pv kernel runs on. It's wiser to use HVM :) Yep, but 32-bit guests can still benefit. >> Basically you need to pull your check out of spurious_page_fault() and into >> the two callers, because their responses should differ (one crashes the >> guest, the other crashes the hypervisor). >> Please define an enumeration for the return codes from spurious_pf, rather >> than using magic numbers. > > Will do. Thanks. - Keir _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel |
| Previous by Date: | RE: [Xen-devel] RFC: Nested VMX patch series 00, Dong, Eddie |
|---|---|
| Next by Date: | [Xen-devel] [Patch] libxl: fix wrong mask of function number, Zhang, Yang Z |
| Previous by Thread: | RE: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself, Li, Xin |
| Next by Thread: | RE: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself, Li, Xin |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
