WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] RE: [PATCH v2] Enable SMEP CPU feature support for XEN hyper

To: Keir Fraser <keir@xxxxxxx>
Subject: [Xen-devel] RE: [PATCH v2] Enable SMEP CPU feature support for XEN hypervisor
From: "Li, Xin" <xin.li@xxxxxxxxx>
Date: Sat, 4 Jun 2011 02:49:11 +0800
Accept-language: zh-CN, en-US
Acceptlanguage: zh-CN, en-US
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Fri, 03 Jun 2011 11:50:00 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CA0ED720.2E458%keir@xxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <FC2FB65B4D919844ADE4BE3C2BB739AD5AB9ECA7@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <CA0ED720.2E458%keir@xxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Acwh9jTkNLQTp7L0Sd25RhWDyT37cgAHL4yJAACWZxA=
Thread-topic: [PATCH v2] Enable SMEP CPU feature support for XEN hypervisor
> > Intel new CPU supports SMEP (Supervisor Mode Execution Protection). SMEP
> > prevents software operating with CPL < 3 (supervisor mode) from fetching
> > instructions from any linear address with a valid translation for which the
> > U/S
> > flag (bit 2) is 1 in every paging-structure entry controlling the 
> > translation
> > for the linear address.
> >
> > This patch enables SMEP in Xen to protect Xen hypervisor from executing pv
> > guest
> > instructions, whose translation paging-structure entries' U/S flags are all
> > set.
> 
> Xin,
> 
> I have attached a modified version of your patch which I believe deals with
> a number of issues. I briefly outline the major ones here:
> 
> 1. The initialisation in cpu/common.c is misguided. Features like
> set_in_cr4(), setup_clear_cpu_cap(), and cpu_has_xxx, are designed to allow
> the feature initialisation to happen close in code to where the feature is
> used. Hence I have moved the initialisation into traps.c:trap_init().

It's the right way to move.

But trap_init() is called before Xen does leaf 7.0 detection, thus we also need 
to
add leaf 7.0 detection in early_cpu_detect to get 
boot_cpu_data.x86_capability[7]
initialized before trap_init().

> 2. I have renamed the command-line option to 'smep'. Boolean options can be
> inverted by prepending 'no-', or appending '={0,false,off,no}'. We don't
> generally encode the negative within the base option name string.
> 
Thanks for doing in this better way.

> 3. I have pushed interpretation of the pf_type enumeration out to the
> callers of spurious_page_fault(). This is because a SMEP fault while Xen is
> executing should *crash Xen*. So that's what I do. Further, when it is a

I'm still wondering is it overkill to kill Xen?  An evil guest can crash Xen?

> guest fault, we should domain_crash() not domain_crash_synchronous() (which
> is generally a more dangerous function for Xen's own health).
> 
> More generally, I wonder whether SMEP should be enabled only for guests
> (even PV guests) which detect it via CPUID and proactively enable it via
> their virtualised CR4? I mean, it is off in real hardware by default for a
> reason: backward compatibility. Furthermore, we only detect spurious page
> faults for buggy old PV guests, the rest will get the SMEP fault punted up
> to them, which seems odd if they don't understand SMEP. What do you think?

64bit pv guest can't use SMEP as the kernel code is user accessible.  Thus
when guest executes it won't trigger SMEP fault. only when Xen executes
it will. It's okay to crash Xen (or just the guest).

32bit pv guest should be able to make use of SMEP.  When it is from Xen,
we crash Xen.  When it's is from guest kernel executing user code, we
can inject to guest to let it kill the current process.  Of course such cases
the guest should be able to do SMEP handling.

We can't consistently handle it for 64bit and 32bit guest.

Thanks!
-Xin

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel