[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT



> From: Aravindh Puthiyaparambil [mailto:aravindp@xxxxxxxxx]
> Sent: Thursday, April 17, 2014 6:52 AM
> 
> The fix for XSA-60 disables EPT if PAT is not available. This patch
> adds a command line option called "ept_without_pat", that allows EPT to
> be enabled even when PAT is not present. This is to enable Xen to run as
> a nested guest with EPT on hypervisors that have nested EPT but not
> nested PAT.

would "force_ept" be a more extensible name? You can still take XSA-60
as an example of EPT being disabled. Doing so doesn't require introducing
more similar forms in the future, like ept_without_xxx, ept_without_yyy, ...

Thanks
Kevin

> 
> Signed-off-by: Aravindh Puthiyaparambil <aravindp@xxxxxxxxx>
> Cc: Jun Nakajima <jun.nakajima@xxxxxxxxx>
> Cc: Eddie Dong <eddie.dong@xxxxxxxxx>
> Cc: Kevin Tian <kevin.tian@xxxxxxxxx>
> 
> ---
> Changes from version 1:
> 1. Fix and update documentation with suggestion from Andrew Cooper.
> 2. Remove redundant assignment.
> 
>  docs/misc/xen-command-line.markdown | 14 ++++++++++++++
>  xen/arch/x86/hvm/vmx/vmx.c          |  5 ++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/docs/misc/xen-command-line.markdown
> b/docs/misc/xen-command-line.markdown
> index 87de2dc..138fee9 100644
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -523,6 +523,20 @@ Either force retrieval of monitor EDID information
> via VESA DDC, or
>  disable it (edid=no). This option should not normally be required
>  except for debugging purposes.
> 
> +### ept\_without\_pat (Intel)
> +> `= <boolean>`
> +
> +> Default: `false`
> +
> +Allow EPT to be enabled when PAT is not present.
> +
> +*Warning:*
> +Due to CVE-2013-2212, PAT is by default required as a prerequisite for
> +using EPT.  If you are not using PCI Passthrough, or trust the guest
> +administrator who would be using passthrough, then the PAT requirement
> +can be relaxed.  This option is useful for nested virtualisation cases
> +where the outer hypervisor does not expose PAT functionality to Xen.
> +
>  ### extra\_guest\_irqs
>  > `= [<domU number>][,<dom0 number>]`
> 
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index 180cf6c..fee81c9 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -58,6 +58,9 @@
>  #include <asm/hvm/nestedhvm.h>
>  #include <asm/event.h>
> 
> +static bool_t __initdata opt_ept_without_pat;
> +boolean_param("ept_without_pat", opt_ept_without_pat);
> +
>  enum handler_return { HNDL_done, HNDL_unhandled,
> HNDL_exception_raised };
> 
>  static void vmx_ctxt_switch_from(struct vcpu *v);
> @@ -1724,7 +1727,7 @@ const struct hvm_function_table * __init
> start_vmx(void)
>       * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security
> hole
>       * (refer to http://xenbits.xen.org/xsa/advisory-60.html).
>       */
> -    if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
> +    if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_ept_without_pat) )
>      {
>          vmx_function_table.hap_supported = 1;
> 
> --
> 1.8.3.2


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.