[Xen-devel] Re: [PATCH v2] Enable SMEP CPU feature support for X

To:	"Li, Xin" <xin.li@xxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxxxx>
Subject:	[Xen-devel] Re: [PATCH v2] Enable SMEP CPU feature support for XEN hypervisor
From:	Keir Fraser <keir.xen@xxxxxxxxx>
Date:	Sun, 05 Jun 2011 16:10:17 +0100
Cc:	"xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date:	Sun, 05 Jun 2011 08:11:12 -0700
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:user-agent:date:subject:from:to:cc:message-id :thread-topic:thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; bh=UUTKIxs/SGwYKJYAVpRsipJTWHmSh1YLLVXF13uD7Qw=; b=qPeBfrUdrKpLEKpX8poQOlJBSN6qdQwPUt1GskwP2qfrnME895Z1G64kel50Ugvcql yTeFMn5Qm6ADjK+5hCtRKClbPMaKBPkXNSItqObSsMmT8EN6NhzZCiAYn4lOLOiy/Azg 03FG442zaiF3QuY2lnFj7akU9l/fs6/NRkdUk=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; b=hxDhbk0XmXWP1gbPVTfekJUKgZz/Aq8NdGIVYqt6o3dzRH7rYSXcevdiN0wG7r5HSt dKYt2ADl66xMKNhVIVHwPC/oJaVSO0Vjpvdmnvyoi960uxVsnHO+1m/kkpkLIP7Coh4E fimVaX4sDpR/BF2M0FJaUTqevjddjN5P2bqdE=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<FC2FB65B4D919844ADE4BE3C2BB739AD5AB9EE16@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index:	AcwjU0w8vlsr1zIxRuCnN1Lck9yOlQAB+c7AAA3egwg=
Thread-topic:	[PATCH v2] Enable SMEP CPU feature support for XEN hypervisor
User-agent:	Microsoft-Entourage/12.29.0.110113

On 05/06/2011 09:39, "Li, Xin" <xin.li@xxxxxxxxx> wrote:

>> I mean, I know we may as well just hide the feature from PV 64b guests
>> totally. That's obvious. Let's stop talking about PV 64b guests already! The
>> question is: what to do about PV 32b guests?
> 
>> Quite obviously we ought to allow 32-bit pv guests to control this for
>> themselves (and hence see the feature).
> 
> That needs
> 1) inject SMEP faults back to the 32-bit pv guest.
> 2) let the guest see SMEP thru CPUID and config it in CR4 (actually it's
> already set, but just to let guest see it).
> 
> Anything else?

I thought about this myself and realised that we can't let PV guests control
this feature if we want Xen to benefit from it. There's little point in a
feature to protect Xen from guests, if an untrusted guest can turn it off!

Hence I think we probably have to leave the feature always on for PV guests.
Unless we find some guests are incompatible with that.

 -- Keir

>> Besides that, assuming Xin verified it's working, your latest patch
>> looks great to me.
> 
> Yeah, verified, the system crashed from a SMEP fault from 64-bit pv kernel.
> Thanks!
> -Xin



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

WARNING - OLD ARCHIVES

xen-devel

[Xen-devel] Re: [PATCH v2] Enable SMEP CPU feature support for XEN hyper