From: Paolo Bonzini
Subject: Re: [PATCH 3/4] KVM: Add SMAP support when setting CR4
Date: Fri, 28 Mar 2014 15:09:30 +0100
Message-ID: <5335829A.1060702@redhat.com>
References: <1395923135-15329-1-git-send-email-feng.wu@intel.com> <1395923135-15329-4-git-send-email-feng.wu@intel.com> <53340FA5.1050905@redhat.com> <53351544.2060403@redhat.com>
To: "Wu, Feng", "Zhang, Yang Z", "gleb@redhat.com", "hpa@zytor.com", "kvm@vger.kernel.org"

On 28/03/2014 08:33, Wu, Feng wrote:
> In my understanding it is needed, from Intel SDM:
>
> "Every access to a linear address is either a supervisor-mode access
> or a user-mode access. All accesses performed while the current
> privilege level (CPL) is less than 3 are supervisor-mode accesses.
> If CPL = 3, accesses are generally user-mode accesses. However, some
> operations implicitly access system data structures, and the resulting
> accesses to those data structures are supervisor-mode accesses regardless
> of CPL. Examples of such implicit supervisor accesses include the following:
> accesses to the global descriptor table (GDT) or local descriptor table
> (LDT) to load a segment descriptor; accesses to the interrupt descriptor
> table (IDT) when delivering an interrupt or exception; and accesses to the
> task-state segment (TSS) as part of a task switch or change of CPL."
>
> From the above SDM, we can see supervisor-mode access can also
> happen when CPL equals 3.
>
> If CPL < 3, SMAP protections are disabled if EFLAGS.AC = 1. If CPL = 3,
> SMAP applies to all supervisor-mode data accesses (these are implicit
> supervisor accesses) regardless of the value of EFLAGS.AC.
>
> So when we check the value of EFLAGS.AC, we also need to check CPL, since the AC
> bit only takes effect when CPL < 3.
>
> U==1 means user-mode accesses are allowed, while !uf means it is a fault
> from supervisor-mode access. I think neither *u* nor *uf* can reflect the
> value of CPL.
>
> Correct me if I am wrong. Thanks a lot!

You're right!

Paolo
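The CPL/EFLAGS.AC rule Feng quotes from the SDM, written out as a stand-alone decision function so the four cases can be checked side by side. This is an added example, not code from the patch or from KVM: the struct and function names are this example's own, and it assumes the SDM behaviour that SMAP only concerns supervisor-mode data accesses to pages whose U/S bit is set (user-accessible pages).

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * One linear-address data access, described the way the quoted SDM text
 * characterises it. Hypothetical example type, not a KVM structure.
 */
struct smap_access {
    bool cr4_smap;             /* guest CR4.SMAP set */
    unsigned int cpl;          /* current privilege level, 0..3 */
    bool eflags_ac;            /* EFLAGS.AC */
    bool implicit_supervisor;  /* implicit GDT/LDT/IDT/TSS access */
    bool page_user;            /* U/S == 1 on every paging entry for the page */
};

/* Supervisor-mode access: CPL < 3, or an implicit system-structure access at CPL 3. */
static bool is_supervisor_access(const struct smap_access *a)
{
    return a->cpl < 3 || a->implicit_supervisor;
}

/*
 * Returns true when SMAP blocks the access, i.e. a page fault is due.
 * SMAP is only about supervisor-mode data accesses to user-accessible pages,
 * so everything else is not SMAP's concern and falls through to the
 * ordinary U/S and W/R permission checks.
 */
static bool smap_blocks_access(const struct smap_access *a)
{
    if (!a->cr4_smap || !a->page_user || !is_supervisor_access(a))
        return false;
    /* CPL < 3: EFLAGS.AC = 1 disables SMAP for the duration (stac/clac window). */
    if (a->cpl < 3)
        return !a->eflags_ac;
    /* CPL = 3: the only supervisor accesses are implicit ones, and AC is ignored. */
    return true;
}

/* Convenience wrapper so each case is a single call. */
static bool smap_check(bool cr4_smap, unsigned int cpl, bool eflags_ac,
                       bool implicit_supervisor, bool page_user)
{
    struct smap_access a = { cr4_smap, cpl, eflags_ac, implicit_supervisor, page_user };
    return smap_blocks_access(&a);
}

int main(void)
{
    /* Constructed cases; the comment on each line is the SDM rule it exercises. */
    printf("CPL0, AC=0, user page      -> %s\n", smap_check(true, 0, false, false, true) ? "fault" : "ok");
    printf("CPL0, AC=1, user page      -> %s\n", smap_check(true, 0, true, false, true) ? "fault" : "ok");
    printf("CPL3, AC=1, implicit, user -> %s\n", smap_check(true, 3, true, true, true) ? "fault" : "ok");
    printf("CPL3, AC=0, explicit, user -> %s\n", smap_check(true, 3, false, false, true) ? "fault" : "ok");
    printf("CPL0, AC=0, kernel page    -> %s\n", smap_check(true, 0, false, false, false) ? "fault" : "ok");
    return 0;
}
```

The third case is the one the thread is about: at CPL 3 an implicit supervisor access to a user page still faults even with EFLAGS.AC = 1, so a check that looks only at AC (or only at the U and uf bits of the walker) would wrongly let it through.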