
[Xen-devel] [PATCH v2 0/7] x86: Enable Supervisor Mode Access Prevention (SMAP)



Supervisor Mode Access Prevention (SMAP) is a new security
feature disclosed by Intel. Please refer to the following
document:

http://software.intel.com/sites/default/files/319433-014.pdf

Every access to a linear address is either a supervisor-mode
access or a user-mode access. All accesses performed while the
current privilege level (CPL) is less than 3 are supervisor-mode
accesses. If CPL = 3, accesses are generally user-mode accesses.
However, some operations implicitly access system data structures,
and the resulting accesses to those data structures are supervisor-mode
accesses regardless of CPL. Examples of such implicit supervisor
accesses include the following: accesses to the global descriptor
table (GDT) or local descriptor table (LDT) to load a segment descriptor;
accesses to the interrupt descriptor table (IDT) when delivering an
interrupt or exception; and accesses to the task-state segment (TSS) as
part of a task switch or change of CPL.

If CR4.SMAP = 1, supervisor-mode data accesses are not allowed
to linear addresses that are accessible in user mode. If CPL < 3,
SMAP protections are disabled if EFLAGS.AC = 1. If CPL = 3, SMAP
applies to all supervisor-mode data accesses (these are implicit
supervisor accesses) regardless of the value of EFLAGS.AC.

Version 1:
  * Add two macros for STAC/CLAC instructions
  * Temporary disable SMAP to legally access user pages in kernel mode
  * Enable Supervisor Mode Access Prevention (SMAP) for Xen itself
  * Add SMAP support to HVM guest
  * Disable SMAP feature when guest is in non-paging mode

Version 2:
  * Change the definition of ASM_STAC/ASM_CLAC.
  * Clear AC bit at the beginning of exception, interrupt, hypercall.
  * Make construct_dom0() wrapped in a stac()/clac() part as a whole.
  * Reorder some patches in the series.
  * Combine some conditionals with SMEP.
  * Some minor changes: typo, etc.

Since the Linux kernel already supports SMAP, I tested this patch in both
EPT and shadow mode with a Linux guest, and they work well. I also
tested the failure case, in which I triggered an SMAP violation in
the guest kernel, and Linux successfully received the related page
fault.

Feng Wu (7):
  x86: Add support for STAC/CLAC instructions
  Clear AC bit in RFLAGS to protect Xen itself by SMAP
  x86: Temporary disable SMAP to legally access user pages in kernel
    mode
  VMX: Disable SMAP feature when guest is in non-paging mode
  x86: Enable Supervisor Mode Access Prevention (SMAP) for Xen
  x86/hvm: Add SMAP support to HVM guest
  x86/tools: Expose SMAP to HVM guests

 docs/misc/xen-command-line.markdown    |  7 +++++
 tools/libxc/xc_cpufeature.h            |  1 +
 tools/libxc/xc_cpuid_x86.c             |  1 +
 xen/arch/x86/domain_build.c            |  3 ++
 xen/arch/x86/hvm/hvm.c                 |  3 ++
 xen/arch/x86/hvm/vmx/vmx.c             |  9 ++++--
 xen/arch/x86/mm/guest_walk.c           | 37 ++++++++++++++++++-------
 xen/arch/x86/setup.c                   |  9 ++++++
 xen/arch/x86/traps.c                   | 50 ++++++++++++++++++++++++----------
 xen/arch/x86/usercopy.c                |  6 ++++
 xen/arch/x86/x86_64/asm-offsets.c      |  1 +
 xen/arch/x86/x86_64/compat/entry.S     |  3 ++
 xen/arch/x86/x86_64/entry.S            | 30 ++++++++++++++++++++
 xen/include/asm-x86/asm_defns.h        | 43 +++++++++++++++++++++++++++++
 xen/include/asm-x86/cpufeature.h       |  5 ++++
 xen/include/asm-x86/domain.h           |  6 ++--
 xen/include/asm-x86/hvm/hvm.h          | 12 ++++++++
 xen/include/asm-x86/uaccess.h          |  4 +++
 xen/include/asm-x86/x86_64/asm_defns.h |  1 +
 xen/include/asm-x86/x86_64/system.h    |  2 ++
 20 files changed, 204 insertions(+), 29 deletions(-)

-- 
1.8.3.1
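
The SMAP rule quoted in the cover letter, and the stac()/clac() and clear-AC-on-entry discipline listed in its changelog, as a small C model. This is an added example, not code from the patch series; `struct cpu_model` and all `model_*` and `smap_fault` names are hypothetical, and only the CR4.SMAP (bit 21) and EFLAGS.AC (bit 18) positions are architectural.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define X86_CR4_SMAP  (1u << 21)   /* CR4.SMAP */
#define X86_EFLAGS_AC (1u << 18)   /* EFLAGS.AC */

/* Hypothetical CPU state for this model; not a Xen structure. */
struct cpu_model { uint32_t cr4, eflags; unsigned cpl; };

/* STAC/CLAC set and clear EFLAGS.AC. */
static void model_stac(struct cpu_model *c) { c->eflags |= X86_EFLAGS_AC; }
static void model_clac(struct cpu_model *c) { c->eflags &= ~X86_EFLAGS_AC; }

/* True if a data access is blocked by SMAP, following the rule as worded
 * in the cover letter. implicit: GDT/LDT/IDT/TSS access; user_page: the
 * linear address is accessible in user mode. */
static bool smap_fault(const struct cpu_model *c, bool implicit, bool user_page)
{
    bool supervisor = implicit || c->cpl < 3;

    if (!(c->cr4 & X86_CR4_SMAP) || !supervisor || !user_page)
        return false;
    if (c->cpl < 3 && (c->eflags & X86_EFLAGS_AC))
        return false;              /* AC=1 lifts SMAP only when CPL < 3 */
    return true;                   /* includes implicit accesses at CPL 3 */
}

/* Models a usercopy helper: the access is legal only inside stac()/clac(). */
static bool model_copy_from_user(struct cpu_model *c)
{
    model_stac(c);
    bool ok = !smap_fault(c, false, true);
    model_clac(c);
    return ok;
}

/* Models exception/interrupt/hypercall entry: AC is cleared so a handler
 * that interrupts a stac() window does not inherit AC=1. */
static void model_entry(struct cpu_model *c) { c->cpl = 0; model_clac(c); }

int main(void)
{
    struct cpu_model c = { X86_CR4_SMAP, 0, 0 };   /* constructed sample state */
    printf("stray access faults:   %d\n", smap_fault(&c, false, true));
    printf("usercopy succeeds:     %d\n", model_copy_from_user(&c));
    model_stac(&c); model_entry(&c);
    printf("handler access faults: %d\n", smap_fault(&c, false, true));
    return 0;
}
```

The model does not restore the interrupted context's EFLAGS on return from `model_entry`; it only shows why the entry paths clear AC.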

