Re: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in non-paging mode

Re: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in non-paging mode

[Andrew Cooper]

On 15/04/14 14:02, Feng Wu wrote:
> SMAP is disabled if CPU is in non-paging mode in hardware.
> However Xen always uses paging mode to emulate guest non-paging
> mode with HAP. To emulate this behavior, SMAP needs to be manually
> disabled when guest switches to non-paging mode.
>
> This logic is similiar with SMEP.
>
> Signed-off-by: Feng Wu <feng.wu@intel.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

> ---
>  xen/arch/x86/hvm/vmx/vmx.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index 94f3db2..79dd272 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -1310,12 +1310,12 @@ static void vmx_update_guest_cr(struct vcpu *v, unsigned int cr)
>          if ( !hvm_paging_enabled(v) )
>          {
>              /*
> -             * SMEP is disabled if CPU is in non-paging mode in hardware.
> +             * SMEP/SMAP is disabled if CPU is in non-paging mode in hardware.
>               * However Xen always uses paging mode to emulate guest non-paging
> -             * mode. To emulate this behavior, SMEP needs to be manually
> +             * mode. To emulate this behavior, SMEP/SMAP needs to be manually
>               * disabled when guest VCPU is in non-paging mode.
>               */
> -            v->arch.hvm_vcpu.hw_cr[4] &= ~X86_CR4_SMEP;
> +            v->arch.hvm_vcpu.hw_cr[4] &= ~(X86_CR4_SMEP | X86_CR4_SMAP);
>          }
>          __vmwrite(GUEST_CR4, v->arch.hvm_vcpu.hw_cr[4]);
>          break;

Re: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in non-paging mode

[Jan Beulich]

>>> On 15.04.14 at 15:02, <feng.wu@intel.com> wrote:
> SMAP is disabled if CPU is in non-paging mode in hardware.
> However Xen always uses paging mode to emulate guest non-paging
> mode with HAP. To emulate this behavior, SMAP needs to be manually
> disabled when guest switches to non-paging mode.
> 
> This logic is similiar with SMEP.

The change is certainly fine, but shouldn't this be done earlier in the
series (i.e. the patch moved up)?

Jan

[PATCH v1 5/6] VMX: Disable SMAP feature when guest is in non-paging mode

[Feng Wu]

SMAP is disabled if CPU is in non-paging mode in hardware.
However Xen always uses paging mode to emulate guest non-paging
mode with HAP. To emulate this behavior, SMAP needs to be manually
disabled when guest switches to non-paging mode.

This logic is similiar with SMEP.

Signed-off-by: Feng Wu <feng.wu@intel.com>
---
 xen/arch/x86/hvm/vmx/vmx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 94f3db2..79dd272 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -1310,12 +1310,12 @@ static void vmx_update_guest_cr(struct vcpu *v, unsigned int cr)
         if ( !hvm_paging_enabled(v) )
         {
             /*
-             * SMEP is disabled if CPU is in non-paging mode in hardware.
+             * SMEP/SMAP is disabled if CPU is in non-paging mode in hardware.
              * However Xen always uses paging mode to emulate guest non-paging
-             * mode. To emulate this behavior, SMEP needs to be manually
+             * mode. To emulate this behavior, SMEP/SMAP needs to be manually
              * disabled when guest VCPU is in non-paging mode.
              */
-            v->arch.hvm_vcpu.hw_cr[4] &= ~X86_CR4_SMEP;
+            v->arch.hvm_vcpu.hw_cr[4] &= ~(X86_CR4_SMEP | X86_CR4_SMAP);
         }
         __vmwrite(GUEST_CR4, v->arch.hvm_vcpu.hw_cr[4]);
         break;
-- 
1.8.3.1

Re: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in non-paging mode

[Wu, Feng]

> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: Tuesday, April 15, 2014 7:51 PM
> To: Wu, Feng
> Cc: Ian.Campbell@citrix.com; Dong, Eddie; Nakajima, Jun;
> xen-devel@lists.xen.org
> Subject: Re: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in
> non-paging mode
> 
> >>> On 15.04.14 at 15:02, <feng.wu@intel.com> wrote:
> > SMAP is disabled if CPU is in non-paging mode in hardware.
> > However Xen always uses paging mode to emulate guest non-paging
> > mode with HAP. To emulate this behavior, SMAP needs to be manually
> > disabled when guest switches to non-paging mode.
> >
> > This logic is similiar with SMEP.
> 
> The change is certainly fine, but shouldn't this be done earlier in the
> series (i.e. the patch moved up)?

Yes, maybe we should put it right before "v1-0004-x86-hvm-Add-SMAP-support-to-HVM-guest.patch",
since this changes is for HVM guest. what do you think of this? Thanks!


> 
> Jan

Thanks,
Feng

Re: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in non-paging mode

[Jan Beulich]

>>> On 16.04.14 at 04:07, <feng.wu@intel.com> wrote:

> 
>> -----Original Message-----
>> From: Jan Beulich [mailto:JBeulich@suse.com]
>> Sent: Tuesday, April 15, 2014 7:51 PM
>> To: Wu, Feng
>> Cc: Ian.Campbell@citrix.com; Dong, Eddie; Nakajima, Jun;
>> xen-devel@lists.xen.org 
>> Subject: Re: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in
>> non-paging mode
>> 
>> >>> On 15.04.14 at 15:02, <feng.wu@intel.com> wrote:
>> > SMAP is disabled if CPU is in non-paging mode in hardware.
>> > However Xen always uses paging mode to emulate guest non-paging
>> > mode with HAP. To emulate this behavior, SMAP needs to be manually
>> > disabled when guest switches to non-paging mode.
>> >
>> > This logic is similiar with SMEP.
>> 
>> The change is certainly fine, but shouldn't this be done earlier in the
>> series (i.e. the patch moved up)?
> 
> Yes, maybe we should put it right before 
> "v1-0004-x86-hvm-Add-SMAP-support-to-HVM-guest.patch",
> since this changes is for HVM guest. what do you think of this? Thanks!

The change here needs to be done prior (or along with) the feature
getting enabled for the host, whenever that is in the series.

Jan

Re: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in non-paging mode

[Wu, Feng]

> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: Wednesday, April 16, 2014 4:52 PM
> To: Wu, Feng
> Cc: Ian.Campbell@citrix.com; Dong, Eddie; Nakajima, Jun;
> xen-devel@lists.xen.org
> Subject: RE: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in
> non-paging mode
> 
> >>> On 16.04.14 at 04:07, <feng.wu@intel.com> wrote:
> 
> >
> >> -----Original Message-----
> >> From: Jan Beulich [mailto:JBeulich@suse.com]
> >> Sent: Tuesday, April 15, 2014 7:51 PM
> >> To: Wu, Feng
> >> Cc: Ian.Campbell@citrix.com; Dong, Eddie; Nakajima, Jun;
> >> xen-devel@lists.xen.org
> >> Subject: Re: [PATCH v1 5/6] VMX: Disable SMAP feature when guest is in
> >> non-paging mode
> >>
> >> >>> On 15.04.14 at 15:02, <feng.wu@intel.com> wrote:
> >> > SMAP is disabled if CPU is in non-paging mode in hardware.
> >> > However Xen always uses paging mode to emulate guest non-paging
> >> > mode with HAP. To emulate this behavior, SMAP needs to be manually
> >> > disabled when guest switches to non-paging mode.
> >> >
> >> > This logic is similiar with SMEP.
> >>
> >> The change is certainly fine, but shouldn't this be done earlier in the
> >> series (i.e. the patch moved up)?
> >
> > Yes, maybe we should put it right before
> > "v1-0004-x86-hvm-Add-SMAP-support-to-HVM-guest.patch",
> > since this changes is for HVM guest. what do you think of this? Thanks!
> 
> The change here needs to be done prior (or along with) the feature
> getting enabled for the host, whenever that is in the series.

Okay, will change the order in the next version.

> 
> Jan

Thanks,
Feng