From mboxrd@z Thu Jan 1 00:00:00 1970
From: Avi Kivity
Subject: Re: [PATCH v2] Enable CPU SMEP feature for KVM
Date: Sun, 22 May 2011 09:50:27 +0300
Message-ID: <4DD8B233.7010604@redhat.com>
References: <5D8008F58939784290FAB48F54975198419FB02D2B@shsmsx502.ccr.corp.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "kvm@vger.kernel.org"
To: "Yang, Wei Y"
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:62079 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751380Ab1EVGub (ORCPT ); Sun, 22 May 2011 02:50:31 -0400
In-Reply-To: <5D8008F58939784290FAB48F54975198419FB02D2B@shsmsx502.ccr.corp.intel.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 05/22/2011 08:23 AM, Yang, Wei Y wrote:
> This patch matches with "[PATCH v2] Enable CPU SMEP feature support for QEMU-KVM", no changes since v1.
>
> Enable newly documented SMEP (Supervisor Mode Execution Protection) CPU feature in KVM module.
>
> Intel new CPU supports SMEP (Supervisor Mode Execution Protection). SMEP prevents kernel from executing code in application. Updated Intel SDM describes this CPU feature. The document will be published soon.
>
> This patch is based on Fenghua's SMEP patch series, as referred by: https://lkml.org/lkml/2011/5/17/523
> This patch enables guests' usage of SMEP.
> Currently, we don't enable this feature for guests with shadow page tables.

Why not? I see nothing that conflicts with shadow.

Missing:
   update kvm_set_cr4() to reject SMEP if it's disabled in cpuid
   drop SMEP from cr4_guest_owned_bits if SMEP is disabled in cpuid
   update walk_addr_generic() to fault if SMEP is enabled and fetching from a user page

-- 
I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain.
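The three items listed as missing in the reply above, modelled as an added example that is not part of the original mail and is not KVM code. `struct guest`, `set_cr4()`, `guest_owned_cr4_bits()` and `walk_faults()` are hypothetical names; only the U/S bit and CR4.SMEP are modelled, so present, write and NX checks are left out.

```c
#include <stdbool.h>
#include <stdint.h>

#define X86_CR4_SMEP     (1u << 20) /* CR4 bit 20 */
#define CPUID_7_EBX_SMEP (1u << 7)  /* CPUID.(EAX=7,ECX=0):EBX bit 7 */
#define PTE_USER         (1u << 2)  /* U/S bit of a paging-structure entry */

/* Hypothetical guest state, reduced to what the three checks need. */
struct guest {
    uint32_t cpuid7_ebx; /* feature bits the guest's CPUID advertises */
    uint32_t cr4;
};

/* Item 1: reject a CR4 write that sets SMEP when the guest's CPUID does
 * not advertise it. Returns 1 (caller injects #GP) or 0 on success. */
int set_cr4(struct guest *g, uint32_t val)
{
    if ((val & X86_CR4_SMEP) && !(g->cpuid7_ebx & CPUID_7_EBX_SMEP))
        return 1;
    g->cr4 = val;
    return 0;
}

/* Item 2: a guest-owned CR4 bit is written without a VM exit, so the
 * check above never runs for it; keep SMEP trapped when it is hidden. */
uint32_t guest_owned_cr4_bits(const struct guest *g, uint32_t candidate)
{
    return (g->cpuid7_ebx & CPUID_7_EBX_SMEP) ? candidate
                                              : candidate & ~X86_CR4_SMEP;
}

/* Item 3: software page walk. A page is a user page only if U/S is set
 * at every level; a supervisor fetch from it faults when CR4.SMEP = 1. */
bool walk_faults(const struct guest *g, const uint32_t *ptes, int levels,
                 bool fetch, bool user_mode)
{
    uint32_t user = PTE_USER;
    for (int i = 0; i < levels; i++)
        user &= ptes[i];
    if (user_mode)
        return !user; /* user access to a supervisor page */
    return fetch && user && (g->cr4 & X86_CR4_SMEP);
}

int main(void)
{
    struct guest g = { CPUID_7_EBX_SMEP, 0 };
    uint32_t path[2] = { PTE_USER, PTE_USER }; /* constructed 2-level walk */
    return set_cr4(&g, X86_CR4_SMEP) || !walk_faults(&g, path, 2, true, false);
}
```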