From: Richard Simpson
Subject: Setting nx bit in virtual CPU
Date: Mon, 29 Mar 2010 23:16:12 +0100
Message-ID: <4BB126AC.8040401@huskydog.org.uk>
To: kvm@vger.kernel.org

Hello,

Summary: How can I have a virtual CPU with the nx bit set whilst enjoying KVM acceleration?

My Host - AMD Athlon(tm) 64 Processor 3200+ running Gentoo
My VM - KVM running hardened Gentoo
My KVM version - 0.12.3
My Task - Implement restricted secure VM to handle services exposed to internet.
My Command - kvm -hda /dev/mapper/vols-andrew -kernel ./bzImage -append root=/dev/hda2 -cpu host -runas xxx -net nic -net user -m 256 -k en-gb -vnc :1 -monitor stdio

In order to maximise the security of my VM, I have enabled PaX which is supposed to prevent various address space attacks. Sadly, when I run 'paxtest' it reports that my VM is still vulnerable. I have concluded that the problem is most likely caused by the virtual CPU not having the nx bit set.

Flags in virtual CPU:
fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall mmxext fxsr_opt lm rep_good pni cx16 lahf_lm

Flags in host CPU:
fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good nopl pni cx16 lahf_lm svm extapic cr8_legacy

As you can see, despite using the '-cpu host' command, several host flags, including nx, are missing in the VM. Setting '-cpu host,+nx' doesn't make any difference.

If, however, I remove the '-cpu host' option and add the '-no-kvm' option, the virtual CPU has the nx flag and paxtest reports that my VM is secure. Of course the downside is that everything runs much slower.

Confusingly, the following page about tuning KVM (http://www.linux-kvm.org/page/Tuning_KVM) lists the flags for the default qemu64 cpu and nx is clearly included. But, when I set '-cpu qemu64' I get a model name of QEMU Virtual CPU, but no sign of an nx bit.

So, is there any way of having the nx bit and the benefits of KVM acceleration?

Thank you.
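
The host/guest flag comparison described in the message above, done as a whole-word set difference. This is an added example, not part of the original post: the function names are made up for illustration and the two lists are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: compare host and guest CPU flag lists as whole words.
# Constructed sample input: both lists are copied from the message above.
HOST_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good nopl pni cx16 lahf_lm svm extapic cr8_legacy"
GUEST_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall mmxext fxsr_opt lm rep_good pni cx16 lahf_lm"

# Print the flags of the first CPU in a cpuinfo-format file
# (hypothetical helper; defaults to /proc/cpuinfo).
cpu_flags() {
    awk -F': ' '/^flags[ \t]*:/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Succeed if flag $1 is in list $2. Padding both sides with spaces forces a
# whole-word match, so "sse" does not match "sse2" and "3dnow" does not
# match "3dnowext".
has_flag() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the flags in list $1 that are absent from list $2, in $1's order.
missing_flags() {
    out=""
    for f in $1; do
        has_flag "$f" "$2" || out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# Classify flag $1 given host list $2 and guest list $3:
#   exposed     - the guest sees it
#   masked      - the host has it but the guest does not
#   unsupported - neither has it
flag_status() {
    if has_flag "$1" "$3"; then echo exposed
    elif has_flag "$1" "$2"; then echo masked
    else echo unsupported
    fi
}

echo "host-only flags: $(missing_flags "$HOST_FLAGS" "$GUEST_FLAGS")"
echo "nx in guest: $(flag_status nx "$HOST_FLAGS" "$GUEST_FLAGS")"
```

On live systems, run `cpu_flags` on the host and inside the guest and pass the two results to `missing_flags` in place of the embedded lists.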