From: Avi Kivity
Subject: Re: [PATCH v2] Enable CPU SMEP feature for KVM
Date: Sun, 22 May 2011 11:11:04 +0300
Message-ID: <4DD8C518.7010606@redhat.com>
References: <5D8008F58939784290FAB48F54975198419FB02D2B@shsmsx502.ccr.corp.intel.com>
 <4DD8B233.7010604@redhat.com>
 <5D8008F58939784290FAB48F54975198419FB02D33@shsmsx502.ccr.corp.intel.com>
In-Reply-To: <5D8008F58939784290FAB48F54975198419FB02D33@shsmsx502.ccr.corp.intel.com>
To: "Yang, Wei Y"
Cc: "kvm@vger.kernel.org", "Li, Xin", "Tian, Kevin", "Shan, Haitao"

On 05/22/2011 11:08 AM, Yang, Wei Y wrote:
> > This patch matches with "[PATCH v2] Enable CPU SMEP feature support for QEMU-KVM", no changes since v1.
> >
> > Enable newly documented SMEP (Supervisor Mode Execution Protection) CPU feature in KVM module.
> >
> > Intel new CPU supports SMEP (Supervisor Mode Execution Protection). SMEP prevents kernel from executing code in application. Updated Intel SDM describes this CPU feature. The document will be published soon.
> >
> > This patch is based on Fenghua's SMEP patch series, as referred by: https://lkml.org/lkml/2011/5/17/523
> > This patch enables guests' usage of SMEP.
> > Currently, we don't enable this feature for guests with shadow page tables.
>
> Why not? I see nothing that conflicts with shadow.
>
> We don't need to enable it for shadow page table, because shadow has mask against guest/shadow PTE, which may cause problem. Let's keep shadow as it is because it's already very complex. Assume SMEP machines should have EPT.
>

I don't understand why. Can you elaborate? Shadow implements the U bit, which is all that is needed by SMEP as far as I can tell.

> > update walk_addr_generic() to fault if SMEP is enabled and fetching
>
> Comments above.
>
> > from a user page
>

Needs to be done even from EPT, in case walk_addr_generic() is invoked by the emulator.

-- 
I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain.
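
The permission check discussed in this thread (fault when SMEP is enabled and a supervisor-mode fetch lands on a user page), as a stand-alone model. This is an added example, not KVM's walk_addr_generic() and not code from the thread; model_walk(), struct access and the sample table are hypothetical names. It assumes EFER.NXE = 0 and does not model write permission.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT   (1ull << 0)
#define PTE_USER      (1ull << 2)  /* U/S: 1 = user-accessible */
#define PFERR_PRESENT (1u << 0)    /* fault on a present translation */
#define PFERR_USER    (1u << 2)    /* access came from CPL 3 */
#define PFERR_FETCH   (1u << 4)    /* I/D: instruction fetch */

struct access { bool fetch, user_mode, cr4_smep; };
struct walk_result { bool fault; uint32_t error_code; };

/* ptes[] holds the entry used at each paging level, top level first.
 * Assumption: EFER.NXE = 0, so I/D is reported only when CR4.SMEP = 1. */
struct walk_result model_walk(const uint64_t *ptes, int levels, struct access a)
{
    struct walk_result r = { false, 0 };
    bool user_page = true;   /* user page only if U/S = 1 at every level */
    uint32_t base = (a.user_mode ? PFERR_USER : 0) |
                    ((a.fetch && a.cr4_smep) ? PFERR_FETCH : 0);

    for (int i = 0; i < levels; i++) {
        if (!(ptes[i] & PTE_PRESENT))
            return (struct walk_result){ true, base };  /* P = 0 */
        user_page = user_page && (ptes[i] & PTE_USER);
    }
    /* Classic U bit check: CPL 3 may not touch supervisor pages. */
    bool us_violation = a.user_mode && !user_page;
    /* SMEP: the same U bit, read the other way round for kernel fetches. */
    bool smep_violation = a.cr4_smep && a.fetch && !a.user_mode && user_page;

    if (us_violation || smep_violation)
        r = (struct walk_result){ true, base | PFERR_PRESENT };
    return r;
}

int main(void)
{
    /* Constructed 4-level walk: every entry present, writable, user. */
    const uint64_t user_map[4] = { 7, 7, 7, 7 };
    struct access kernel_fetch = { true, false, true };
    struct walk_result r = model_walk(user_map, 4, kernel_fetch);
    printf("fault=%d error_code=0x%x\n", r.fault, (unsigned)r.error_code);
    return 0;
}
```

The SMEP decision uses only the accumulated U bit, the access type and the privilege level, so a software walk made on behalf of an emulated instruction fetch has to apply it regardless of how the guest's memory is otherwise virtualized.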