[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] RE: [PATCH v2] Enable SMEP CPU feature support for XEN hypervisor
> > That needs > > 1) inject SMEP faults back to the 32-bit pv guest. > > 2) let the guest see SMEP thru CPUID and config it in CR4 (actually it's > > already set, but just to let guest see it). > > > > Anything else? > > I thought about this myself and realised that we can't let PV guests control > this feature if we want Xen to benefit from it. There's little point in a > feature to protect Xen from guests, if an untrusted guest can turn it off! > > Hence I think we probably have to leave the feature always on for PV guests. > Unless we find some guests are incompatible with that. As we talked, 64-bit pv kernel can't trigger SMEP faults. So we decided to not let it see this feature. Maybe it's okay to inject SMEP faults which are triggered from 32-bit pv kernel back to it even the guest is not aware of SMEP. We can refer to Linux SMEP patch, which just turns this feature on without touching any page table handling functions as SMEP handling actually can reuse NX handling code path. Ingo wanted to expose SMEP to KVM guest silently, but it is not architecturally right as it's required to flush TLB when CR4.SMEP is changed, or a kernel page is changed to user page. But luckily Linux doesn't have such cases thus doesn't need to flush TLB. Thanks! -Xin _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |