This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-devel] [Patch] Disallow SMEP for PV guest

To: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, "Li, Xin" <xin.li@xxxxxxxxx>
Subject: Re: [Xen-devel] [Patch] Disallow SMEP for PV guest
From: Keir Fraser <keir.xen@xxxxxxxxx>
Date: Wed, 01 Jun 2011 21:41:39 +0100
Cc: "Yang, Wei Y" <wei.y.yang@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Keir Fraser <keir@xxxxxxx>
Delivery-date: Thu, 02 Jun 2011 02:47:09 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:user-agent:date:subject:from:to:cc:message-id :thread-topic:thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; bh=sBFwZ2kmQGHkp/Kr/wLFXH3Y0rxyAkq+G97asQAbjsg=; b=DC262bNDpvPpYafbP74D0UnZN22U7LsQwUIKz5rk7lhT/ltOilf2M0aa7lAqzs5tTw DesXwIgOravLY+aymwwiK/WLW9hvyPHbp7WhX5lQCGlfM1X7EsHqK3G5PQ+28LrpDROs lwwzXTO2OV5jKInKSZQRloDuIxA6e4oTs5eyE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; b=gforRuL8Nm+tGAa0+mPZWyN+gf/9LhN5E+j9OqtIhdbH+I6YQ30z79kynHonGOlGZA 1IWR+KJrnjNgeO7bghenOOfseaaziheSbnE0NZvittXwSiNAThfVC5JQ8VXjpssveZP/ s59y59psWdBtttDgzsUjYBqbA84RfWbhkqzns=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20110601172725.GA11261@xxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcwgnE5ydNF5z5hw3U+1q1jSlo2HsQ==
Thread-topic: [Xen-devel] [Patch] Disallow SMEP for PV guest
User-agent: Microsoft-Entourage/
On 01/06/2011 18:27, "Konrad Rzeszutek Wilk" <konrad.wilk@xxxxxxxxxx> wrote:

>> As it can't apply to ring 3, x86_64 pv guest kernel accessing user code won't
>> trigger instruction fetch page fault.  thus it makes no sense to use it here.
>> Definitely we should hide it from dom0 kernel.  The change should be in Xen
>> or pvops dom0?
> Ugh, if have a patch against the paravirt kernel that would only cover the 3.1
> kernel.
> So you could still run with the SMEP enabled with the older kernels. Sounds
> like
> a candidate for Xen hypervisor?

Definitely, it's a one liner to traps.c:pv_cpuid(). Given that the domU
patching is already done by the hypervisor (in libxc) obviously it should be
done by the hypervisor for dom0 also.

And the feature should be hidden in CR4, by the hypervisor also.

 -- Keir

Xen-devel mailing list