From: Marcelo Tosatti <mtosatti@redhat.com>
To: Feng Wu <feng.wu@intel.com>
Cc: pbonzini@redhat.com, gleb@redhat.com, hpa@zytor.com, kvm@vger.kernel.org
Subject: Re: [PATCH v4 0/4] KVM: enable Intel SMAP for KVM
Date: Thu, 10 Apr 2014 17:16:18 -0300 [thread overview]
Message-ID: <20140410201618.GC26092@amt.cnet> (raw)
In-Reply-To: <1396345596-25682-1-git-send-email-feng.wu@intel.com>
On Tue, Apr 01, 2014 at 05:46:32PM +0800, Feng Wu wrote:
> Supervisor Mode Access Prevention (SMAP) is a new security feature
> disclosed by Intel, please refer to the following document:
>
> http://software.intel.com/sites/default/files/319433-014.pdf
>
> Every access to a linear address is either a supervisor-mode access
> or a user-mode access. All accesses performed while the current
> privilege level (CPL) is less than 3 are supervisor-mode accesses.
> If CPL = 3, accesses are generally user-mode accesses. However, some
> operations implicitly access system data structures, and the resulting
> accesses to those data structures are supervisor-mode accesses regardless
> of CPL. Examples of such implicit supervisor accesses include the following:
> accesses to the global descriptor table (GDT) or local descriptor table
> (LDT) to load a segment descriptor; accesses to the interrupt descriptor
> table (IDT) when delivering an interrupt or exception; and accesses to the
> task-state segment (TSS) as part of a task switch or change of CPL.
>
> If CR4.SMAP = 1, supervisor-mode data accesses are not allowed to linear
> addresses that are accessible in user mode. If CPL < 3, SMAP protections
> are disabled if EFLAGS.AC = 1. If CPL = 3, SMAP applies to all supervisor-mode
> data accesses (these are implicit supervisor accesses) regardless of the
> value of EFLAGS.AC.
>
> This patchset pass-through SMAP feature to guests, and let guests
> benefit from it.
>
> Version 1:
> * Remove SMAP bit from CR4_RESERVED_BITS.
> * Add SMAP support when setting CR4
> * Disable SMAP for guests in EPT realmode and EPT unpaging mode
> * Expose SMAP feature to guest
>
> Version 2:
> * Change the logic of updating mmu permission bitmap for SMAP violation
> * Expose SMAP feature to guest in the last patch of this series.
>
> Version 3:
> * Changes in update_permission_bitmask().
> * Use a branchless way suggested by Paolo Bonzini to detect SMAP
> violation in permission_fault().
>
> Version 4:
> * Changes to some comments and code style.
>
> Feng Wu (4):
> KVM: Remove SMAP bit from CR4_RESERVED_BITS.
> KVM: Add SMAP support when setting CR4
> KVM: Disable SMAP for guests in EPT realmode and EPT unpaging mode
> KVM: expose SMAP feature to guest
>
> arch/x86/include/asm/kvm_host.h | 2 +-
> arch/x86/kvm/cpuid.c | 2 +-
> arch/x86/kvm/cpuid.h | 8 ++++++++
> arch/x86/kvm/mmu.c | 34 ++++++++++++++++++++++++++++---
> arch/x86/kvm/mmu.h | 44 +++++++++++++++++++++++++++++++++--------
> arch/x86/kvm/paging_tmpl.h | 2 +-
> arch/x86/kvm/vmx.c | 11 ++++++-----
> arch/x86/kvm/x86.c | 9 ++++++++-
> 8 files changed, 92 insertions(+), 20 deletions(-)
Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
prev parent reply other threads:[~2014-04-10 20:16 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-01 9:46 [PATCH v4 0/4] KVM: enable Intel SMAP for KVM Feng Wu
2014-04-01 9:46 ` [PATCH v4 1/4] KVM: Remove SMAP bit from CR4_RESERVED_BITS Feng Wu
2014-04-01 9:46 ` [PATCH v4 2/4] KVM: Add SMAP support when setting CR4 Feng Wu
2014-04-10 20:12 ` Marcelo Tosatti
2014-04-12 0:14 ` Paolo Bonzini
2014-04-01 9:46 ` [PATCH v4 3/4] KVM: Disable SMAP for guests in EPT realmode and EPT unpaging mode Feng Wu
2014-04-01 9:46 ` [PATCH v4 4/4] KVM: expose SMAP feature to guest Feng Wu
2014-04-03 16:46 ` [PATCH v4 0/4] KVM: enable Intel SMAP for KVM Paolo Bonzini
2014-04-04 2:22 ` Wu, Feng
2014-04-04 7:27 ` Paolo Bonzini
2014-04-08 1:06 ` Wu, Feng
2014-04-08 20:38 ` Paolo Bonzini
2014-04-10 20:01 ` Marcelo Tosatti
2014-04-12 0:16 ` Paolo Bonzini
2014-04-12 0:17 ` Paolo Bonzini
2014-04-13 21:57 ` Marcelo Tosatti
2014-04-13 22:48 ` H. Peter Anvin
2014-04-10 20:16 ` Marcelo Tosatti [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140410201618.GC26092@amt.cnet \
--to=mtosatti@redhat.com \
--cc=feng.wu@intel.com \
--cc=gleb@redhat.com \
--cc=hpa@zytor.com \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.