This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] [PATCH v2] add SMEP support to HVM guest

At 18:51 +0800 on 06 Jun (1307386302), Li, Xin wrote:
> > > -    if ( hvm_nx_enabled(current) )
> > > +    if ( hvm_nx_enabled(current) ||
> > > +         (!(pfec & PFEC_user_mode) && hvm_smep_enabled(current)) )
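
Review bot: The `!(pfec & PFEC_user_mode)` term on the second added line makes the result depend on the privilege level of the access. As the reply below states, this condition only decides whether the PFEC_insn_fetch bit is reported, and the I/D flag text quoted further down makes that bit depend on CR4.SMEP (or PAE plus NXE), not on privilege. Suggest reducing the condition to `hvm_nx_enabled(current) || hvm_smep_enabled(current)` and keeping the privilege test in the part of the walk that decides whether to fault.
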
> > 
> > Shouldn't that be
> > "if ( hvm_nx_enabled(current) || hvm_smep_enabled(current) )"?
> A smep fault happens when
> 1) current privilege level < 3

But this code is setting the PFEC_insn_fetch bit, not triggering a page
fault.   And the new PRM says (4.7): 

   I/D flag (bit 4).

   This flag is 1 if (1) the access causing the page-fault exception was
   an instruction fetch; and (2) either (a) CR4.SMEP = 1; or (b) both
   (i) CR4.PAE = 1 (either PAE paging or IA-32e paging is in use); and
   (ii) IA32_EFER.NXE = 1. Otherwise, the flag is 0. This flag describes
   the access causing the page-fault exception, not the access rights
   specified by paging.

> > There's no need to add SMEP-specific code at every level.  The existing
> > code already checks for flags that must be clear, so just arrange for
> > _PAGE_USER to be in both mflags and iflags whenever SMEP is enabled and
> > PFEC_user is clear.
> 2) user flags in all page table level entries are set instead of clear.

Oh I see - yes, this introduces a whole new kind of logic in pagetable
walks.  I've attached a version of your patch that I think will do the
right thing, and that's tidied up in a few other places.  Can you check
to see that it does what you need?



Tim Deegan <Tim.Deegan@xxxxxxxxxx>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)

Attachment: smep
Description: Text document
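
The two rules discussed in this message (when the I/D bit is reported, and when a SMEP fault is raised), as an added example that is not part of the thread or of the attached patch. The struct and function names are hypothetical, the page-table entries are constructed values, and only the present, U/S and SMEP checks are modelled (no NX or write checks).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Architectural bit positions; the macro names are this example's own. */
#define PTE_PRESENT  (1ull << 0)
#define PTE_USER     (1ull << 2)   /* U/S flag in a paging-structure entry */
#define PFEC_PRESENT (1u << 0)
#define PFEC_USER    (1u << 2)
#define PFEC_INSN    (1u << 4)     /* I/D flag */

/* Hypothetical container for the guest state the rules depend on. */
struct guest_mode {
    bool cr4_smep, cr4_pae, efer_nxe;
};

/* I/D flag rule as quoted from the PRM: it depends on the access type and
 * on SMEP or PAE+NXE being enabled, never on the privilege level. */
static bool report_insn_fetch(const struct guest_mode *m, bool is_fetch)
{
    return is_fetch && (m->cr4_smep || (m->cr4_pae && m->efer_nxe));
}

/* Model an instruction fetch through `levels` entries (top level first).
 * Returns true if the fetch faults and stores the error code in *pfec. */
static bool fetch_faults(const struct guest_mode *m, bool user_mode,
                         const uint64_t *entries, size_t levels,
                         uint32_t *pfec)
{
    bool all_user = true;

    *pfec = (user_mode ? PFEC_USER : 0) |
            (report_insn_fetch(m, true) ? PFEC_INSN : 0);
    for (size_t i = 0; i < levels; i++) {
        if (!(entries[i] & PTE_PRESENT))
            return true;             /* not-present fault, P bit stays 0 */
        all_user = all_user && (entries[i] & PTE_USER);
    }
    /* A user fetch needs U/S set at every level; with SMEP a supervisor
     * fetch faults in exactly that case (U/S set at every level). */
    if (user_mode ? !all_user : (m->cr4_smep && all_user)) {
        *pfec |= PFEC_PRESENT;
        return true;
    }
    return false;
}
```
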
