* [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT
@ 2014-04-16 22:52 Aravindh Puthiyaparambil
  2014-04-16 23:04 ` Andrew Cooper
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Aravindh Puthiyaparambil @ 2014-04-16 22:52 UTC (permalink / raw)
  To: xen-devel; +Cc: Kevin Tian, Eddie Dong, Jun Nakajima

The fix for XSA-60 disables EPT if PAT is not available. This patch
adds a command line option called "ept_without_pat", that allows EPT to
be enabled even when PAT is not present. This is to enable Xen to run as
a nested guest with EPT on hypervisors that have nested EPT but not
nested PAT.

Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
Cc: Jun Nakajima <jun.nakajima@intel.com>
Cc: Eddie Dong <eddie.dong@intel.com>
Cc: Kevin Tian <kevin.tian@intel.com>

---
Changes from version 1:
1. Fix and update documentation with suggestion from Andrew Cooper.
2. Remove redundant assignment.

 docs/misc/xen-command-line.markdown | 14 ++++++++++++++
 xen/arch/x86/hvm/vmx/vmx.c          |  5 ++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 87de2dc..138fee9 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -523,6 +523,20 @@ Either force retrieval of monitor EDID information via VESA DDC, or
 disable it (edid=no). This option should not normally be required
 except for debugging purposes.
 
+### ept\_without\_pat (Intel)
+> `= <boolean>`
+
+> Default: `false`
+
+Allow EPT to be enabled when PAT is not present. 
+
+*Warning:*
+Due to CVE-2013-2212, PAT is by default required as a prerequisite for
+using EPT.  If you are not using PCI Passthrough, or trust the guest
+administrator who would be using passthrough, then the PAT requirement
+can be relaxed.  This option is useful for nested virtualisation cases
+where the outer hypervisor does not expose PAT functionality to Xen.
+
 ### extra\_guest\_irqs
 > `= [<domU number>][,<dom0 number>]`
 
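Review bot: The description line "Allow EPT to be enabled when PAT is not
present." is broader than what the code checks. The vmx.c hunk in this
patch gates on `cpu_has_vmx_pat`, so the text should name that VMX
capability rather than PAT in general. The same added line ends in
trailing whitespace. It would also help to state that the option has no
effect when `cpu_has_vmx_pat` is true, since the `||` in `start_vmx()`
only matters when the capability is missing.
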
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 180cf6c..fee81c9 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -58,6 +58,9 @@
 #include <asm/hvm/nestedhvm.h>
 #include <asm/event.h>
 
+static bool_t __initdata opt_ept_without_pat;
+boolean_param("ept_without_pat", opt_ept_without_pat);
+
 enum handler_return { HNDL_done, HNDL_unhandled, HNDL_exception_raised };
 
 static void vmx_ctxt_switch_from(struct vcpu *v);
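
Review bot: `opt_ept_without_pat` is declared without a comment, so
nothing at the declaration tells a reader that setting it bypasses the
XSA-60 check in `start_vmx()`. A one-line comment above
`boolean_param("ept_without_pat", opt_ept_without_pat);` pointing at that
check and at the advisory would keep the two sites connected. The
`__initdata` annotation is consistent with the only use shown, which is
inside the `__init` function `start_vmx()`.
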
@@ -1724,7 +1727,7 @@ const struct hvm_function_table * __init start_vmx(void)
      * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
      * (refer to http://xenbits.xen.org/xsa/advisory-60.html).
      */
-    if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
+    if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_ept_without_pat) )
     {
         vmx_function_table.hap_supported = 1;
 
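Review bot: The comment directly above the changed condition still reads
"Do not enable EPT when (!cpu_has_vmx_pat)", which is no longer accurate
once `opt_ept_without_pat` is set; it should mention the override. The
override path is also silent: when `cpu_has_vmx_ept && !cpu_has_vmx_pat`
and the option is given, consider logging a warning at boot so that the
relaxed XSA-60 mitigation is visible in the hypervisor log.
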
-- 
1.8.3.2


* Re: [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT
  2014-04-16 22:52 [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT Aravindh Puthiyaparambil
@ 2014-04-16 23:04 ` Andrew Cooper
  2014-04-17  7:32 ` Jan Beulich
  2014-04-17  8:31 ` Tian, Kevin
  2 siblings, 0 replies; 7+ messages in thread
From: Andrew Cooper @ 2014-04-16 23:04 UTC (permalink / raw)
  To: Aravindh Puthiyaparambil, xen-devel; +Cc: Kevin Tian, Eddie Dong, Jun Nakajima

On 16/04/2014 23:52, Aravindh Puthiyaparambil wrote:
> The fix for XSA-60 disables EPT if PAT is not available. This patch
> adds a command line option called "ept_without_pat", that allows EPT to
> be enabled even when PAT is not present. This is to enable Xen to run as
> a nested guest with EPT on hypervisors that have nested EPT but not
> nested PAT.
>
> Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
> Cc: Jun Nakajima <jun.nakajima@intel.com>
> Cc: Eddie Dong <eddie.dong@intel.com>
> Cc: Kevin Tian <kevin.tian@intel.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

>
> ---
> Changes from version 1:
> 1. Fix and update documentation with suggestion from Andrew Cooper.
> 2. Remove redundant assignment.
>
>  docs/misc/xen-command-line.markdown | 14 ++++++++++++++
>  xen/arch/x86/hvm/vmx/vmx.c          |  5 ++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
> index 87de2dc..138fee9 100644
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -523,6 +523,20 @@ Either force retrieval of monitor EDID information via VESA DDC, or
>  disable it (edid=no). This option should not normally be required
>  except for debugging purposes.
>  
> +### ept\_without\_pat (Intel)
> +> `= <boolean>`
> +
> +> Default: `false`
> +
> +Allow EPT to be enabled when PAT is not present. 
> +
> +*Warning:*
> +Due to CVE-2013-2212, PAT is by default required as a prerequisite for
> +using EPT.  If you are not using PCI Passthrough, or trust the guest
> +administrator who would be using passthrough, then the PAT requirement
> +can be relaxed.  This option is useful for nested virtualisation cases
> +where the outer hypervisor does not expose PAT functionality to Xen.
> +
>  ### extra\_guest\_irqs
>  > `= [<domU number>][,<dom0 number>]`
>  
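
Review bot: The warning paragraph cites CVE-2013-2212 while the code
comment in the vmx.c hunk cites XSA-60 by URL; naming both identifiers in
the documentation would let an administrator find the advisory from
either. The paragraph also says when the requirement "can be relaxed" but
not what is at risk if it is relaxed wrongly; one sentence summarising
the exposure would make the warning actionable.
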
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index 180cf6c..fee81c9 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -58,6 +58,9 @@
>  #include <asm/hvm/nestedhvm.h>
>  #include <asm/event.h>
>  
> +static bool_t __initdata opt_ept_without_pat;
> +boolean_param("ept_without_pat", opt_ept_without_pat);
> +
>  enum handler_return { HNDL_done, HNDL_unhandled, HNDL_exception_raised };
>  
>  static void vmx_ctxt_switch_from(struct vcpu *v);
> @@ -1724,7 +1727,7 @@ const struct hvm_function_table * __init start_vmx(void)
>       * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
>       * (refer to http://xenbits.xen.org/xsa/advisory-60.html).
>       */
> -    if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
> +    if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_ept_without_pat) )
>      {
>          vmx_function_table.hap_supported = 1;
>  
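
Review bot: The documentation in this patch calls the option acceptable
only "If you are not using PCI Passthrough, or trust the guest
administrator who would be using passthrough", but the changed condition
sets `hap_supported` unconditionally once the option is given, and
nothing visible here ties it to passthrough use. Either say in the code
comment that enforcement is left to the administrator, or consider
checking the flag where passthrough devices are assigned.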


* Re: [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT
  2014-04-16 22:52 [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT Aravindh Puthiyaparambil
  2014-04-16 23:04 ` Andrew Cooper
@ 2014-04-17  7:32 ` Jan Beulich
  2014-04-17 15:29   ` Aravindh Puthiyaparambil (aravindp)
  2014-04-17  8:31 ` Tian, Kevin
  2 siblings, 1 reply; 7+ messages in thread
From: Jan Beulich @ 2014-04-17  7:32 UTC (permalink / raw)
  To: Aravindh Puthiyaparambil; +Cc: xen-devel, Kevin Tian, Eddie Dong, Jun Nakajima

>>> On 17.04.14 at 00:52, <aravindp@cisco.com> wrote:
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -523,6 +523,20 @@ Either force retrieval of monitor EDID information via 
> VESA DDC, or
>  disable it (edid=no). This option should not normally be required
>  except for debugging purposes.
>  
> +### ept\_without\_pat (Intel)
> +> `= <boolean>`
> +
> +> Default: `false`
> +
> +Allow EPT to be enabled when PAT is not present. 

This is a little too broad and hence confusing statement: I'm pretty
certain PAT (the MSR) gets implemented/emulated by hypervisors.
What's needed here (and potentially missing in emulations) is the
VMX feature VM_ENTRY_LOAD_GUEST_PAT, and it should be said
so.

Jan


* Re: [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT
  2014-04-16 22:52 [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT Aravindh Puthiyaparambil
  2014-04-16 23:04 ` Andrew Cooper
  2014-04-17  7:32 ` Jan Beulich
@ 2014-04-17  8:31 ` Tian, Kevin
  2 siblings, 0 replies; 7+ messages in thread
From: Tian, Kevin @ 2014-04-17  8:31 UTC (permalink / raw)
  To: Aravindh Puthiyaparambil, xen-devel@lists.xenproject.org
  Cc: Dong, Eddie, Nakajima, Jun

> From: Aravindh Puthiyaparambil [mailto:aravindp@cisco.com]
> Sent: Thursday, April 17, 2014 6:52 AM
> 
> The fix for XSA-60 disables EPT if PAT is not available. This patch
> adds a command line option called "ept_without_pat", that allows EPT to
> be enabled even when PAT is not present. This is to enable Xen to run as
> a nested guest with EPT on hypervisors that have nested EPT but not
> nested PAT.

Would "force_ept" be a more extensible name? You can still take XSA-60
as an example of EPT being disabled. Doing so doesn't require introducing
more similar forms in the future, like ept_without_xxx, ept_without_yyy, ...

Thanks
Kevin

> 
> Signed-off-by: Aravindh Puthiyaparambil <aravindp@cisco.com>
> Cc: Jun Nakajima <jun.nakajima@intel.com>
> Cc: Eddie Dong <eddie.dong@intel.com>
> Cc: Kevin Tian <kevin.tian@intel.com>
> 
> ---
> Changes from version 1:
> 1. Fix and update documentation with suggestion from Andrew Cooper.
> 2. Remove redundant assignment.
> 
>  docs/misc/xen-command-line.markdown | 14 ++++++++++++++
>  xen/arch/x86/hvm/vmx/vmx.c          |  5 ++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/docs/misc/xen-command-line.markdown
> b/docs/misc/xen-command-line.markdown
> index 87de2dc..138fee9 100644
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -523,6 +523,20 @@ Either force retrieval of monitor EDID information
> via VESA DDC, or
>  disable it (edid=no). This option should not normally be required
>  except for debugging purposes.
> 
> +### ept\_without\_pat (Intel)
> +> `= <boolean>`
> +
> +> Default: `false`
> +
> +Allow EPT to be enabled when PAT is not present.
> +
> +*Warning:*
> +Due to CVE-2013-2212, PAT is by default required as a prerequisite for
> +using EPT.  If you are not using PCI Passthrough, or trust the guest
> +administrator who would be using passthrough, then the PAT requirement
> +can be relaxed.  This option is useful for nested virtualisation cases
> +where the outer hypervisor does not expose PAT functionality to Xen.
> +
>  ### extra\_guest\_irqs
>  > `= [<domU number>][,<dom0 number>]`
> 
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index 180cf6c..fee81c9 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -58,6 +58,9 @@
>  #include <asm/hvm/nestedhvm.h>
>  #include <asm/event.h>
> 
> +static bool_t __initdata opt_ept_without_pat;
> +boolean_param("ept_without_pat", opt_ept_without_pat);
> +
>  enum handler_return { HNDL_done, HNDL_unhandled,
> HNDL_exception_raised };
> 
>  static void vmx_ctxt_switch_from(struct vcpu *v);
> @@ -1724,7 +1727,7 @@ const struct hvm_function_table * __init
> start_vmx(void)
>       * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security
> hole
>       * (refer to http://xenbits.xen.org/xsa/advisory-60.html).
>       */
> -    if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
> +    if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_ept_without_pat) )
>      {
>          vmx_function_table.hap_supported = 1;
> 
> --
> 1.8.3.2


* Re: [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT
  2014-04-17  7:32 ` Jan Beulich
@ 2014-04-17 15:29   ` Aravindh Puthiyaparambil (aravindp)
  2014-04-17 15:40     ` Jan Beulich
  0 siblings, 1 reply; 7+ messages in thread
From: Aravindh Puthiyaparambil (aravindp) @ 2014-04-17 15:29 UTC (permalink / raw)
  To: Jan Beulich
  Cc: xen-devel@lists.xenproject.org, Kevin Tian, Eddie Dong,
	Jun Nakajima

>> --- a/docs/misc/xen-command-line.markdown
>> +++ b/docs/misc/xen-command-line.markdown
>> @@ -523,6 +523,20 @@ Either force retrieval of monitor EDID information
>via
>> VESA DDC, or
>>  disable it (edid=no). This option should not normally be required
>>  except for debugging purposes.
>>
>> +### ept\_without\_pat (Intel)
>> +> `= <boolean>`
>> +
>> +> Default: `false`
>> +
>> +Allow EPT to be enabled when PAT is not present.
>
>This is a little too broad and hence confusing statement: I'm pretty
>certain PAT (the MSR) gets implemented/emulated by hypervisors.
>What's needed here (and potentially missing in emulations) is the
>VMX feature VM_ENTRY_LOAD_GUEST_PAT, and it should be said
>so.

OK, I will update the description to reflect that. What should I call the option? ept_without_vmx_pat?

Thanks,
Aravindh


* Re: [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT
  2014-04-17 15:29   ` Aravindh Puthiyaparambil (aravindp)
@ 2014-04-17 15:40     ` Jan Beulich
  2014-04-17 15:44       ` Aravindh Puthiyaparambil (aravindp)
  0 siblings, 1 reply; 7+ messages in thread
From: Jan Beulich @ 2014-04-17 15:40 UTC (permalink / raw)
  To: Aravindh Puthiyaparambil (aravindp)
  Cc: xen-devel@lists.xenproject.org, Kevin Tian, Eddie Dong,
	Jun Nakajima

>>> On 17.04.14 at 17:29, <aravindp@cisco.com> wrote:
>> > --- a/docs/misc/xen-command-line.markdown
>>> +++ b/docs/misc/xen-command-line.markdown
>>> @@ -523,6 +523,20 @@ Either force retrieval of monitor EDID information
>>via
>>> VESA DDC, or
>>>  disable it (edid=no). This option should not normally be required
>>>  except for debugging purposes.
>>>
>>> +### ept\_without\_pat (Intel)
>>> +> `= <boolean>`
>>> +
>>> +> Default: `false`
>>> +
>>> +Allow EPT to be enabled when PAT is not present.
>>
>>This is a little too broad and hence confusing statement: I'm pretty
>>certain PAT (the MSR) gets implemented/emulated by hypervisors.
>>What's needed here (and potentially missing in emulations) is the
>>VMX feature VM_ENTRY_LOAD_GUEST_PAT, and it should be said
>>so.
> 
> OK, I will update the description to reflect that. What should I call the 
> option? ept_without_vmx_pat?

I think I like Kevin's suggestion, e.g. "force-ept".

Jan


* Re: [PATCH v2] x86/vmx: Add command line option to enable EPT without PAT
  2014-04-17 15:40     ` Jan Beulich
@ 2014-04-17 15:44       ` Aravindh Puthiyaparambil (aravindp)
  0 siblings, 0 replies; 7+ messages in thread
From: Aravindh Puthiyaparambil (aravindp) @ 2014-04-17 15:44 UTC (permalink / raw)
  To: Jan Beulich
  Cc: xen-devel@lists.xenproject.org, Kevin Tian, Eddie Dong,
	Jun Nakajima

>>>> +### ept\_without\_pat (Intel)
>>>> +> `= <boolean>`
>>>> +
>>>> +> Default: `false`
>>>> +
>>>> +Allow EPT to be enabled when PAT is not present.
>>>
>>>This is a little too broad and hence confusing statement: I'm pretty
>>>certain PAT (the MSR) gets implemented/emulated by hypervisors.
>>>What's needed here (and potentially missing in emulations) is the
>>>VMX feature VM_ENTRY_LOAD_GUEST_PAT, and it should be said
>>>so.
>>
>> OK, I will update the description to reflect that. What should I call the
>> option? ept_without_vmx_pat?
>
>I think I like Kevin's suggestion, e.g. "force-ept".

Sounds good. I will resubmit.

I guess in the future if we have more situations arising where we need to force ept, we could make "force_ept" into a bitmask to have some granularity in forcing EPT to be turned on.

Thanks,
Aravindh
