[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [Patch] Disallow SMEP for PV guest

  • To: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, "Li, Xin" <xin.li@xxxxxxxxx>
  • From: Keir Fraser <keir.xen@xxxxxxxxx>
  • Date: Wed, 01 Jun 2011 21:41:39 +0100
  • Cc: "Yang, Wei Y" <wei.y.yang@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Keir Fraser <keir@xxxxxxx>
  • Delivery-date: Thu, 02 Jun 2011 02:47:09 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; b=gforRuL8Nm+tGAa0+mPZWyN+gf/9LhN5E+j9OqtIhdbH+I6YQ30z79kynHonGOlGZA 1IWR+KJrnjNgeO7bghenOOfseaaziheSbnE0NZvittXwSiNAThfVC5JQ8VXjpssveZP/ s59y59psWdBtttDgzsUjYBqbA84RfWbhkqzns=
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AcwgnE5ydNF5z5hw3U+1q1jSlo2HsQ==
  • Thread-topic: [Xen-devel] [Patch] Disallow SMEP for PV guest

On 01/06/2011 18:27, "Konrad Rzeszutek Wilk" <konrad.wilk@xxxxxxxxxx> wrote:

>> As it can't apply to ring 3, x86_64 pv guest kernel accessing user code won't
>> trigger instruction fetch page fault.  thus it makes no sense to use it here.
>> Definitely we should hide it from dom0 kernel.  The change should be in Xen
>> or pvops dom0?
> Ugh, if have a patch against the paravirt kernel that would only cover the 3.1
> kernel.
> So you could still run with the SMEP enabled with the older kernels. Sounds
> like
> a candidate for Xen hypervisor?

Definitely, it's a one liner to traps.c:pv_cpuid(). Given that the domU
patching is already done by the hypervisor (in libxc) obviously it should be
done by the hypervisor for dom0 also.

And the feature should be hidden in CR4, by the hypervisor also.

 -- Keir

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.