This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] Re: [PATCH v2] Enable SMEP CPU feature support for XEN hyper

To: "Li, Xin" <xin.li@xxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxxxx>
Subject: [Xen-devel] Re: [PATCH v2] Enable SMEP CPU feature support for XEN hypervisor
From: Keir Fraser <keir.xen@xxxxxxxxx>
Date: Sun, 05 Jun 2011 16:10:17 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
On 05/06/2011 09:39, "Li, Xin" <xin.li@xxxxxxxxx> wrote:

>> I mean, I know we may as well just hide the feature from PV 64b guests
>> totally. That's obvious. Let's stop talking about PV 64b guests already! The
>> question is: what to do about PV 32b guests?
>> Quite obviously we ought to allow 32-bit pv guests to control this for
>> themselves (and hence see the feature).
> That needs
> 1) inject SMEP faults back to the 32-bit pv guest.
> 2) let the guest see SMEP thru CPUID and config it in CR4 (actually it's
> already set, but just to let guest see it).
> Anything else?

I thought about this myself and realised that we can't let PV guests control
this feature if we want Xen to benefit from it. There's little point in a
feature to protect Xen from guests, if an untrusted guest can turn it off!

Hence I think we probably have to leave the feature always on for PV guests.
Unless we find some guests are incompatible with that.

 -- Keir

>> Besides that, assuming Xin verified it's working, your latest patch
>> looks great to me.
> Yeah, verified, the system crashed from a SMEP fault from 64-bit pv kernel.
> Thanks!
> -Xin

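The always-on policy Keir describes, sketched as a CR4 write filter plus a CPUID filter; this is an added example, not code from the thread or from Xen. The struct and function names are hypothetical, and passing the CPUID bit through to 32-bit PV guests is an assumption, since the thread leaves that point open.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define X86_CR4_SMEP    (UINT64_C(1) << 20) /* CR4 bit 20 */
#define CPUID7_EBX_SMEP (UINT32_C(1) << 7)  /* CPUID.(EAX=7,ECX=0):EBX bit 7 */

/* Hypothetical per-vCPU state for this sketch; not Xen's structures. */
struct pv_vcpu {
    bool     is_64bit;  /* 64-bit PV guest */
    uint64_t guest_cr4; /* guest-owned CR4 bits as last written */
};

/* Real CR4 to load after a PV guest CR4 write: the guest never owns SMEP,
 * so the bit is dropped from its request and forced on if the host has it. */
uint64_t pv_cr4_write(struct pv_vcpu *v, uint64_t requested, bool host_has_smep)
{
    v->guest_cr4 = requested & ~X86_CR4_SMEP;
    return v->guest_cr4 | (host_has_smep ? X86_CR4_SMEP : 0);
}

/* True when a write left SMEP clear on a host that enforces it, i.e. the
 * request was overridden rather than honoured. */
bool pv_cr4_smep_clear_attempt(uint64_t requested, bool host_has_smep)
{
    return host_has_smep && !(requested & X86_CR4_SMEP);
}

/* CPUID leaf 7 EBX as shown to a PV guest: SMEP hidden from 64-bit guests.
 * Assumption: 32-bit PV guests see the host value unchanged. */
uint32_t pv_cpuid7_ebx(const struct pv_vcpu *v, uint32_t host_ebx)
{
    return v->is_64bit ? (host_ebx & ~CPUID7_EBX_SMEP) : host_ebx;
}

int main(void)
{
    struct pv_vcpu v = { .is_64bit = false, .guest_cr4 = 0 };
    uint64_t requested = UINT64_C(0x200); /* constructed: OSFXSR only, SMEP clear */
    printf("real cr4 = %#llx\n",
           (unsigned long long)pv_cr4_write(&v, requested, true));
    printf("clear attempt = %d\n", pv_cr4_smep_clear_attempt(requested, true));
    return 0;
}
```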