From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paolo Bonzini
Subject: Re: [PATCH 0/4] KVM: enable Intel SMAP for KVM
Date: Thu, 27 Mar 2014 12:50:05 +0100
Message-ID: <5334106D.9050904@redhat.com>
References: <1395923135-15329-1-git-send-email-feng.wu@intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
To: Feng Wu , gleb@redhat.com, hpa@zytor.com, kvm@vger.kernel.org
Return-path:
Received: from mail-ee0-f49.google.com ([74.125.83.49]:55783 "EHLO mail-ee0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751242AbaC0LuL (ORCPT ); Thu, 27 Mar 2014 07:50:11 -0400
Received: by mail-ee0-f49.google.com with SMTP id c41so2761068eek.8 for ; Thu, 27 Mar 2014 04:50:10 -0700 (PDT)
In-Reply-To: <1395923135-15329-1-git-send-email-feng.wu@intel.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 27/03/2014 13:25, Feng Wu wrote:
> Supervisor Mode Access Prevention (SMAP) is a new security feature
> disclosed by Intel, please refer to the following document:
>
> http://software.intel.com/sites/default/files/319433-014.pdf
>
> Every access to a linear address is either a supervisor-mode access
> or a user-mode access. All accesses performed while the current
> privilege level (CPL) is less than 3 are supervisor-mode accesses.
> If CPL = 3, accesses are generally user-mode accesses. However, some
> operations implicitly access system data structures, and the resulting
> accesses to those data structures are supervisor-mode accesses regardless
> of CPL. Examples of such implicit supervisor accesses include the following:
> accesses to the global descriptor table (GDT) or local descriptor table
> (LDT) to load a segment descriptor; accesses to the interrupt descriptor
> table (IDT) when delivering an interrupt or exception; and accesses to the
> task-state segment (TSS) as part of a task switch or change of CPL.
>
> If CR4.SMAP = 1, supervisor-mode data accesses are not allowed to linear
> addresses that are accessible in user mode. If CPL < 3, SMAP protections
> are disabled if EFLAGS.AC = 1. If CPL = 3, SMAP applies to all supervisor-mode
> data accesses (these are implicit supervisor accesses) regardless of the
> value of EFLAGS.AC.
>
> This patchset passes the SMAP feature through to guests, and lets guests
> benefit from it.

There is a problem in patch 3, to which I replied separately.

Also, patch 1 should be last in the series.

You also need a matching QEMU patch to enable SMAP on Haswell CPUs (do all Haswells have SMAP?), though only for a 2.1 or newer machine type. But this can be covered later.

Paolo
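The SMAP rules quoted in the cover letter above (CR4.SMAP, CPL, EFLAGS.AC, and implicit supervisor accesses at CPL = 3) reduce to a small decision procedure. The following is an added example that models those guest-visible semantics; it is not code from the patch series, from KVM, or from Paolo's reply. The struct fields and function names are this example's own assumptions, and `user_accessible` stands in for the page-walk result (the mapping is accessible in user mode) that real hardware or a software page walker would compute.

```c
#include <stdbool.h>
#include <stdio.h>

/* One linear-address data access, as seen by the SMAP check (model only). */
struct smap_access {
    unsigned cpl;             /* current privilege level, 0..3 */
    bool cr4_smap;            /* CR4.SMAP set in the (guest) control register */
    bool eflags_ac;           /* EFLAGS.AC set */
    bool user_accessible;     /* assumption: page-walk result, mapping accessible in user mode */
    bool implicit_supervisor; /* GDT/LDT/IDT/TSS access performed by the CPU itself */
};

/* Every access is supervisor-mode if CPL < 3, or if it is an implicit
 * system-structure access, regardless of CPL. */
bool smap_is_supervisor_access(const struct smap_access *a)
{
    return a->cpl < 3 || a->implicit_supervisor;
}

/* Returns true when SMAP forbids the access (a #PF would result). */
bool smap_blocks_access(const struct smap_access *a)
{
    if (!a->cr4_smap)
        return false;                    /* feature disabled: nothing to enforce */
    if (!smap_is_supervisor_access(a))
        return false;                    /* user-mode accesses are outside SMAP's scope */
    if (!a->user_accessible)
        return false;                    /* only user-accessible pages are protected */
    /* CPL < 3: EFLAGS.AC = 1 temporarily disables SMAP (the copy_from_user window).
     * CPL = 3: the access is an implicit supervisor access and AC is ignored. */
    if (a->cpl < 3 && a->eflags_ac)
        return false;
    return true;
}

/* Convenience wrapper so callers can express a case on one line. */
bool smap_check(unsigned cpl, bool cr4_smap, bool eflags_ac,
                bool user_accessible, bool implicit_supervisor)
{
    struct smap_access a = {
        .cpl = cpl, .cr4_smap = cr4_smap, .eflags_ac = eflags_ac,
        .user_accessible = user_accessible, .implicit_supervisor = implicit_supervisor,
    };
    return smap_blocks_access(&a);
}

int main(void)
{
    /* Constructed cases covering each clause of the quoted description. */
    struct { const char *name; unsigned cpl; bool smap, ac, user, implicit; } cases[] = {
        { "kernel touches user page, AC=0",           0, true,  false, true,  false },
        { "kernel touches user page, AC=1",           0, true,  true,  true,  false },
        { "kernel touches kernel page",               0, true,  false, false, false },
        { "SMAP off, kernel touches user page",       0, false, false, true,  false },
        { "user code touches its own page",           3, true,  false, true,  false },
        { "CPL=3 implicit GDT access in user page",   3, true,  true,  true,  true  },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool blocked = smap_check(cases[i].cpl, cases[i].smap, cases[i].ac,
                                  cases[i].user, cases[i].implicit);
        printf("%-42s -> %s\n", cases[i].name, blocked ? "blocked" : "allowed");
    }
    return 0;
}
```

The last case is the one that makes the CPL = 3 rule interesting for a hypervisor: a descriptor-table access from user mode is still a supervisor access, and EFLAGS.AC does not exempt it, so a guest kernel that points its GDT or IDT at user-accessible memory will fault once CR4.SMAP is exposed and set.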