public inbox for kvm@vger.kernel.org
From: Richard Simpson <rs1002@huskydog.org.uk>
To: kvm@vger.kernel.org
Subject: Setting nx bit in virtual CPU
Date: Mon, 29 Mar 2010 23:16:12 +0100
Message-ID: <4BB126AC.8040401@huskydog.org.uk>

Hello,

Summary: How can I have a virtual CPU with the nx bit set whilst
enjoying KVM acceleration?

My Host - AMD Athlon(tm) 64 Processor 3200+ running Gentoo
My VM - KVM running hardened Gentoo
My KVM version - 0.12.3
My Task - Implement restricted secure VM to handle services exposed to
internet.
My Command - kvm -hda /dev/mapper/vols-andrew -kernel ./bzImage -append
root=/dev/hda2 -cpu host -runas xxx -net nic -net user -m 256 -k en-gb
-vnc :1 -monitor stdio

In order to maximise the security of my VM, I have enabled PaX which is
supposed to prevent various address space attacks.  Sadly, when I run
'paxtest' it reports that my VM is still vulnerable.  I have concluded
that the problem is most likely caused by the virtual CPU not having the
nx bit set.

Flags in virtual CPU: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr
pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall mmxext fxsr_opt
lm rep_good pni cx16 lahf_lm

Flags in host CPU: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt
rdtscp lm 3dnowext 3dnow rep_good nopl pni cx16 lahf_lm svm extapic
cr8_legacy

As you can see, despite using the '-cpu host' command, several host
flags, including nx, are missing in the VM.  Setting '-cpu host,+nx'
doesn't make any difference.

If, however, I remove the '-cpu host' option and add the '-no-kvm' option,
the virtual CPU has the nx flag and paxtest reports that my VM is
secure.  Of course the downside is that everything runs much slower.

Confusingly, the following page about tuning KVM
(http://www.linux-kvm.org/page/Tuning_KVM) lists the flags for the
default qemu64 cpu and nx is clearly included.  But, when I set '-cpu
qemu64' I get a model name of QEMU Virtual CPU, but no sign of an nx bit.

So, is there any way of having the nx bit and the benefits of KVM
acceleration?

Thank you.
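As an added example (not code from the post, nor from KVM or QEMU), the following C program reads CPUID leaf 0x80000001 from inside the guest and decodes it into the flag names the poster compared in /proc/cpuinfo. Linux derives the nx flag from bit 20 of EDX in that leaf, so this shows directly whether the hypervisor is advertising NX to the guest kernel, independent of what paxtest reports. It assumes a GCC/Clang toolchain with <cpuid.h> on x86; the decode table covers only the leaf-0x80000001 flags that appear in the two lists above.

```c
/*
 * Added example (not from the original mailing-list post): decode CPUID
 * leaf 0x80000001 into the flag names Linux prints in /proc/cpuinfo and
 * report whether "nx" (no-execute) is advertised to this (virtual) CPU.
 * Bit positions follow the CPUID specification for leaf 0x80000001.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang wrapper around the cpuid instruction */
#endif

/* Bit 20 of EDX in leaf 0x80000001 is the NX feature bit. */
#define EXT_EDX_NX (1u << 20)

struct bitname { int reg; int bit; const char *name; };  /* reg: 0 = EDX, 1 = ECX */

/* Subset of leaf 0x80000001 bits that occur in the post's host/guest flag lists. */
static const struct bitname ext_bits[] = {
    {0, 11, "syscall"}, {0, 20, "nx"},      {0, 22, "mmxext"},  {0, 25, "fxsr_opt"},
    {0, 27, "rdtscp"},  {0, 29, "lm"},      {0, 30, "3dnowext"}, {0, 31, "3dnow"},
    {1, 0, "lahf_lm"},  {1, 2, "svm"},      {1, 3, "extapic"},  {1, 4, "cr8_legacy"},
};

/* 1 if the NX bit is set in the given EDX value, else 0. */
int has_nx(uint32_t edx)
{
    return (edx & EXT_EDX_NX) != 0;
}

/* Write the space-separated names of the set bits into out (capacity n).
   Returns the number of flags written. */
int decode_ext_flags(uint32_t edx, uint32_t ecx, char *out, size_t n)
{
    size_t i, count = 0;
    out[0] = '\0';
    for (i = 0; i < sizeof ext_bits / sizeof ext_bits[0]; i++) {
        uint32_t reg = ext_bits[i].reg ? ecx : edx;
        if (reg & (1u << ext_bits[i].bit)) {
            if (count)
                strncat(out, " ", n - strlen(out) - 1);
            strncat(out, ext_bits[i].name, n - strlen(out) - 1);
            count++;
        }
    }
    return (int)count;
}

/* Query leaf 0x80000001 on the running CPU. Returns 0 if unavailable
   (non-x86 build, or the CPU does not implement the extended leaf). */
int query_ext_leaf(uint32_t *edx, uint32_t *ecx)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(0x80000001, &a, &b, &c, &d))
        return 0;
    *edx = d;
    *ecx = c;
    return 1;
#else
    (void)edx; (void)ecx;
    return 0;
#endif
}

int main(void)
{
    uint32_t edx, ecx;
    char buf[256];

    if (!query_ext_leaf(&edx, &ecx)) {
        puts("CPUID leaf 0x80000001 not available on this build/CPU");
        return 1;
    }
    decode_ext_flags(edx, ecx, buf, sizeof buf);
    printf("leaf 0x80000001 flags: %s\n", buf);
    printf("nx advertised: %s\n",
           has_nx(edx) ? "yes" : "no (guest kernel cannot mark pages non-executable)");
    return has_nx(edx) ? 0 : 2;
}
```

Run it once on the host and once inside the guest: with '-cpu host' the two outputs should agree; a guest that prints "nx advertised: no" has the problem described above regardless of what the kernel's flags line or paxtest says, and the exit status (2) makes the check usable from a script.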


Thread overview: 20+ messages
2010-03-29 22:16 Richard Simpson [this message]
2010-03-30  2:12 ` Setting nx bit in virtual CPU Chris Wright
2010-03-30 20:42   ` Richard Simpson
2010-04-01  8:43 ` Avi Kivity
2010-04-02 21:07   ` Richard Simpson
2010-04-05  8:27     ` Avi Kivity
2010-04-06 22:31       ` Richard Simpson
2010-04-07  5:39         ` Avi Kivity
2010-04-07 12:10           ` Richard Simpson
2010-04-07 12:23             ` Avi Kivity
2010-04-07 20:38               ` Richard Simpson
2010-04-07 20:48                 ` Avi Kivity
2010-04-07 23:13                   ` Richard Simpson
2010-04-08  7:23                     ` Avi Kivity
2010-04-08 23:55                       ` Richard Simpson
2010-04-10 19:34                         ` Avi Kivity
2010-04-08  8:52                   ` Andre Przywara
2010-04-08 21:23                     ` Richard Simpson
2010-04-09 23:45                       ` Andre Przywara
2010-04-12 21:15                         ` Richard Simpson
