From mboxrd@z Thu Jan 1 00:00:00 1970 From: Avi Kivity Subject: Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS Date: Wed, 01 Jun 2011 10:55:39 +0300 Message-ID: <4DE5F07B.3070008@redhat.com> References: <5D8008F58939784290FAB48F5497519844E92781DF@shsmsx502.ccr.corp.intel.com> <20110530074033.GB27557@elte.hu> <625BA99ED14B2D499DC4E29D8138F1505CA61C0F62@shsmsx502.ccr.corp.intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Ingo Molnar , "Yang, Wei Y" , Pekka Enberg , "kvm@vger.kernel.org" To: "Tian, Kevin" Return-path: Received: from mx1.redhat.com ([209.132.183.28]:21589 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755636Ab1FAHz5 (ORCPT ); Wed, 1 Jun 2011 03:55:57 -0400 In-Reply-To: <625BA99ED14B2D499DC4E29D8138F1505CA61C0F62@shsmsx502.ccr.corp.intel.com> Sender: kvm-owner@vger.kernel.org List-ID: On 06/01/2011 10:18 AM, Tian, Kevin wrote: > > From: Ingo Molnar > > Sent: Monday, May 30, 2011 3:41 PM > > > > > > * Yang, Wei Y wrote: > > > > > This patch removes SMEP bit from CR4_RESERVED_BITS. > > > > I'm wondering, what is the best-practice way for tools/kvm/ to set > > SMEP for the guest kernel automatically, even if the guest kernel > > itsef has not requested SMEP? > > > > enabling SMEP w/o guest's knowledge can be problematic if the guest > is doing U/S 0->1 bit change w/o TLB invalidation, which is a required > action to ensure SMEP protection working correctly. Linux versions > known so far don't have this behavior because TLB invalidation due to > P bit change covers U/S 0->1 change. But given that end users may > deploy various OS within the guest, to enable SMEP this way requires > solid understanding on internals of those OSes. Or else it's uncertain > whether SMEP protection fully works on such uncertain guests. That does reduce the attractiveness of the whole thing. -- I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain.