[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v6] xen/sm{e, a}p: allow disabling sm{e, a}p for Xen itself

>>> On 05.09.16 at 07:17, <he.chen@xxxxxxxxxxxxxxx> wrote:
> SMEP/SMAP is a security feature to prevent kernel executing/accessing
> user address involuntarily, any such behavior will lead to a page fault.
> 
> SMEP/SMAP is open (in CR4) for both Xen and HVM guest in earlier code.
> SMEP/SMAP bit set in Xen CR4 would enforce security checking for 32-bit
> PV guest which will suffer unknown SMEP/SMAP page fault when guest
> kernel attempt to access user address although SMEP/SMAP is close for
> PV guests.
> 
> This patch introduces a new boot option value "hvm" for "sm{e,a}p", it
> is going to diable SMEP/SMAP for Xen hypervisor while enable them for
> HVM. In this way, 32-bit PV guest will not suffer SMEP/SMAP security
> issue. Users can choose whether open SMEP/SMAP for Xen itself,
> especially when they are going to run 32-bit PV guests.
> 
> Signed-off-by: He Chen <he.chen@xxxxxxxxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

albeit one style issue still wasn't taken care of (I'll try to remember
to clean this up when committing):

> @@ -111,6 +103,62 @@ struct cpuinfo_x86 __read_mostly boot_cpu_data = { 0, 0, 
> 0, 0, -1 };
>  
>  unsigned long __read_mostly mmu_cr4_features = XEN_MINIMAL_CR4;
>  
> +/* smep: Enable/disable Supervisor Mode Execution Protection (default on). */
> +#define SMEP_HVM_ONLY (-1)
> +static s8 __initdata opt_smep = 1;
> +static void __init parse_smep_param(char *s)
> +{
> +    if ( !*s )
> +    {
> +        opt_smep = 1;
> +        return;
> +    }
> +
> +    switch ( parse_bool(s) )
> +    {
> +    case 0:
> +        opt_smep = 0;
> +        return;
> +    case 1:
> +        opt_smep = 1;
> +        return;
> +    }
> +
> +    if ( !strcmp(s, "hvm") )
> +    {
> +        opt_smep = SMEP_HVM_ONLY;
> +    }

You still left unnecessary braces here.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.