[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself

  • To: "Li, Xin" <xin.li@xxxxxxxxx>, "Yang, Wei Y" <wei.y.yang@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: Keir Fraser <keir.xen@xxxxxxxxx>
  • Date: Thu, 02 Jun 2011 07:25:27 +0100
  • Cc:
  • Delivery-date: Thu, 02 Jun 2011 03:41:52 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=user-agent:date:subject:from:to:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; b=U2bUWK+CTpJGx9ctH/5UNhicVJh6PrI3GyucFxwxSDbbSNoU8Ky6HtZOyJDMtGDND5 Bb1Cr/K3NJjNkn0XaS4T/V+gHn73vebMzukXv9yeeXCblCtueGZJ3p+7t8wkO3Y+GQe1 2VM2kXbU6bxdH21TlYHIIktXKHNOF/NPtWD0Q=
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AcwgVcdx+MEnPLpEQiCW7V8mG/kTcwAB1C2gAATM9UkAATxcMAAJ1pbSAARKp9AAEAaZrA==
  • Thread-topic: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself

On 01/06/2011 23:52, "Li, Xin" <xin.li@xxxxxxxxx> wrote:

>>>>> and kills a pv guest triggering SMEP fault.
>>>> Should only occur when the guest kernel triggers the SMEP.
>>> According to code base size, it's much easier for malicious applications to
>>> explore
>>> security holes in kernel.  But unluckily SMEP doesn't apply to the ring 3
>>> where
>>> x86_64 pv kernel runs on.  It's wiser to use HVM :)
>> Yep, but 32-bit guests can still benefit.
> Can we know a guest will be 32bit or 64bit before it boots?
> Code will be like
> xc_pv_cpuid_policy()
> {
>         case 7, 0:
>             if ( 64 bit pv guest )
>                  disallow smep;
> }
> I don't know if we can distinguish that when creating guest.

Of course you can. See the guest_64bit flag already used in

However, given that the guest cannot influence whether SMEP is
enabled/disabled, perhaps it makes sense to always hide the feature? Also we
should unconditionally be hiding the CPUID feature in any case when Xen does
not support SMEP (because disabled on command line, or in the stable
branches without the feature patch applied) as otherwise guest can detect
the feature and will crash when it tries to enable the feature in CR4. This
is why it's a bad idea that we blacklist CPUID features for PV guests rather
than whitelist them. I will apply such a patch to all trees now.

 -- Keir

> Thanks!
> -Xin

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.