* [PATCH kvm-unit-tests v2] access: check SMEP on prefetch pte path
@ 2011-06-29 10:24 Yang, Wei
2011-07-01 8:05 ` Xiao Guangrong
0 siblings, 1 reply; 4+ messages in thread
From: Yang, Wei @ 2011-06-29 10:24 UTC (permalink / raw)
To: avi; +Cc: kvm, Yang, Wei
This patch adds SMEP to all test cases and checks SMEP on prefetch
pte path when cr0.wp=0.
changes since v1:
Add SMEP to all test cases and verify it before setting cr4
Signed-off-by: Yang, Wei <wei.y.yang@intel.com>
Signed-off-by: Shan, Haitao <haitao.shan@intel.com>
Signed-off-by: Li, Xin <xin.li@intel.com>
---
x86/access.c | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++--
x86/cstart64.S | 1 +
2 files changed, 106 insertions(+), 3 deletions(-)
diff --git a/x86/access.c b/x86/access.c
index 7c8b9a5..22e5988 100644
--- a/x86/access.c
+++ b/x86/access.c
@@ -27,6 +27,7 @@ typedef unsigned long pt_element_t;
#define PT_NX_MASK ((pt_element_t)1 << 63)
#define CR0_WP_MASK (1UL << 16)
+#define CR4_SMEP_MASK (1UL << 20)
#define PFERR_PRESENT_MASK (1U << 0)
#define PFERR_WRITE_MASK (1U << 1)
@@ -70,6 +71,7 @@ enum {
AC_CPU_EFER_NX,
AC_CPU_CR0_WP,
+ AC_CPU_CR4_SMEP,
NR_AC_FLAGS
};
@@ -96,6 +98,7 @@ const char *ac_names[] = {
[AC_ACCESS_TWICE] = "twice",
[AC_CPU_EFER_NX] = "efer.nx",
[AC_CPU_CR0_WP] = "cr0.wp",
+ [AC_CPU_CR4_SMEP] = "cr4.smep",
};
static inline void *va(pt_element_t phys)
@@ -130,6 +133,14 @@ typedef struct {
static void ac_test_show(ac_test_t *at);
+int write_cr4_checking(unsigned long val)
+{
+ asm volatile(ASM_TRY("1f")
+ "mov %0,%%cr4\n\t"
+ "1:": : "r" (val));
+ return exception_vector();
+}
+
void set_cr0_wp(int wp)
{
unsigned long cr0 = read_cr0();
@@ -140,6 +151,16 @@ void set_cr0_wp(int wp)
write_cr0(cr0);
}
+void set_cr4_smep(int smep)
+{
+ unsigned long cr4 = read_cr4();
+
+ cr4 &= ~CR4_SMEP_MASK;
+ if (smep)
+ cr4 |= CR4_SMEP_MASK;
+ write_cr4(cr4);
+}
+
void set_efer_nx(int nx)
{
unsigned long long efer;
@@ -187,7 +208,12 @@ int ac_test_bump_one(ac_test_t *at)
_Bool ac_test_legal(ac_test_t *at)
{
- if (at->flags[AC_ACCESS_FETCH] && at->flags[AC_ACCESS_WRITE])
+ /*
+ * Since we convert current page to kernel page when cr4.smep=1,
+ * we can't switch to user mode.
+ */
+ if ((at->flags[AC_ACCESS_FETCH] && at->flags[AC_ACCESS_WRITE]) ||
+ (at->flags[AC_ACCESS_USER] && at->flags[AC_CPU_CR4_SMEP]))
return false;
return true;
}
@@ -287,6 +313,9 @@ void ac_set_expected_status(ac_test_t *at)
if (at->flags[AC_PDE_PSE]) {
if (at->flags[AC_ACCESS_WRITE] && !at->expected_fault)
at->expected_pde |= PT_DIRTY_MASK;
+ if (at->flags[AC_ACCESS_FETCH] && at->flags[AC_PDE_USER]
+ && at->flags[AC_CPU_CR4_SMEP])
+ at->expected_fault = 1;
goto no_pte;
}
@@ -306,7 +335,11 @@ void ac_set_expected_status(ac_test_t *at)
&& (at->flags[AC_CPU_CR0_WP] || at->flags[AC_ACCESS_USER]))
at->expected_fault = 1;
- if (at->flags[AC_ACCESS_FETCH] && at->flags[AC_PTE_NX])
+ if (at->flags[AC_ACCESS_FETCH]
+ && (at->flags[AC_PTE_NX]
+ || (at->flags[AC_CPU_CR4_SMEP]
+ && at->flags[AC_PDE_USER]
+ && at->flags[AC_PTE_USER])))
at->expected_fault = 1;
if (at->expected_fault)
@@ -320,7 +353,7 @@ no_pte:
fault:
if (!at->expected_fault)
at->ignore_pde = 0;
- if (!at->flags[AC_CPU_EFER_NX])
+ if (!at->flags[AC_CPU_EFER_NX] && !at->flags[AC_CPU_CR4_SMEP])
at->expected_error &= ~PFERR_FETCH_MASK;
}
@@ -469,6 +502,14 @@ int ac_test_do_access(ac_test_t *at)
unsigned r = unique;
set_cr0_wp(at->flags[AC_CPU_CR0_WP]);
set_efer_nx(at->flags[AC_CPU_EFER_NX]);
+ if (at->flags[AC_CPU_CR4_SMEP] && !(cpuid(7).b & (1 << 7))) {
+ unsigned long cr4 = read_cr4();
+ if (write_cr4_checking(cr4 | CR4_SMEP_MASK) == GP_VECTOR)
+ goto done;
+ printf("Set SMEP in CR4 - expect #GP: FAIL!\n");
+ return 0;
+ }
+ set_cr4_smep(at->flags[AC_CPU_CR4_SMEP]);
if (at->flags[AC_ACCESS_TWICE]) {
asm volatile (
@@ -544,6 +585,7 @@ int ac_test_do_access(ac_test_t *at)
!pt_match(*at->pdep, at->expected_pde, at->ignore_pde),
"pde %x expected %x", *at->pdep, at->expected_pde);
+done:
if (success && verbose) {
printf("PASS\n");
}
@@ -645,6 +687,59 @@ err:
return 0;
}
+static int check_smep_on_prefetch_pte(ac_pool_t *pool)
+{
+ ac_test_t at1;
+ int err_prepare_notwp, err_smep_notwp;
+ extern u64 ptl2[];
+
+ ac_test_init(&at1, (void *)(0x123406001000));
+
+ at1.flags[AC_PDE_PRESENT] = 1;
+ at1.flags[AC_PTE_PRESENT] = 1;
+ at1.flags[AC_PDE_USER] = 1;
+ at1.flags[AC_PTE_USER] = 1;
+ at1.flags[AC_PDE_ACCESSED] = 1;
+ at1.flags[AC_PTE_ACCESSED] = 1;
+ at1.flags[AC_CPU_CR4_SMEP] = 1;
+ at1.flags[AC_CPU_CR0_WP] = 0;
+ at1.flags[AC_ACCESS_WRITE] = 1;
+ ac_test_setup_pte(&at1, pool);
+ ptl2[2] -= 0x4;
+
+ /*
+ * Here we write the ro user page when
+ * cr0.wp=0, then we execute it and SMEP
+ * fault should happen.
+ */
+ err_prepare_notwp = ac_test_do_access(&at1);
+ if (!err_prepare_notwp) {
+ printf("%s: SMEP prepare fail\n", __FUNCTION__);
+ goto clean_up;
+ }
+
+ at1.flags[AC_ACCESS_WRITE] = 0;
+ at1.flags[AC_ACCESS_FETCH] = 1;
+ ac_set_expected_status(&at1);
+ err_smep_notwp = ac_test_do_access(&at1);
+
+clean_up:
+ set_cr4_smep(0);
+ ptl2[2] += 0x4;
+
+ if (!err_prepare_notwp)
+ goto err;
+ if (!err_smep_notwp) {
+ printf("%s: check SMEP on prefetch pte path without wp"
+ "fail\n", __FUNCTION__);
+ goto err;
+ }
+ return 1;
+
+err:
+ return 0;
+}
+
int ac_test_exec(ac_test_t *at, ac_pool_t *pool)
{
int r;
@@ -662,6 +757,7 @@ const ac_test_fn ac_test_cases[] =
{
corrupt_hugepage_triger,
check_pfec_on_prefetch_pte,
+ check_smep_on_prefetch_pte
};
int ac_test_run(void)
@@ -669,16 +765,22 @@ int ac_test_run(void)
ac_test_t at;
ac_pool_t pool;
int i, tests, successes;
+ extern u64 ptl2[];
printf("run\n");
tests = successes = 0;
ac_env_int(&pool);
ac_test_init(&at, (void *)(0x123400000000 + 16 * smp_id()));
do {
+ if (at.flags[AC_CPU_CR4_SMEP] && (ptl2[2] & 0x4))
+ ptl2[2] -= 0x4;
++tests;
successes += ac_test_exec(&at, &pool);
} while (ac_test_bump(&at));
+ set_cr4_smep(0);
+ ptl2[2] += 0x4;
+
for (i = 0; i < ARRAY_SIZE(ac_test_cases); i++) {
++tests;
successes += ac_test_cases[i](&pool);
diff --git a/x86/cstart64.S b/x86/cstart64.S
index 71014d8..24df5f8 100644
--- a/x86/cstart64.S
+++ b/x86/cstart64.S
@@ -21,6 +21,7 @@ ring0stacktop:
.data
.align 4096
+.globl ptl2
ptl2:
i = 0
.rept 512 * 4
--
1.7.4.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH kvm-unit-tests v2] access: check SMEP on prefetch pte path
2011-06-29 10:24 [PATCH kvm-unit-tests v2] access: check SMEP on prefetch pte path Yang, Wei
@ 2011-07-01 8:05 ` Xiao Guangrong
2011-07-05 1:24 ` Yang, Wei Y
0 siblings, 1 reply; 4+ messages in thread
From: Xiao Guangrong @ 2011-07-01 8:05 UTC (permalink / raw)
To: Yang, Wei; +Cc: avi, kvm
On 06/29/2011 06:24 PM, Yang, Wei wrote:
> +
> + /*
> + * Here we write the ro user page when
> + * cr0.wp=0, then we execute it and SMEP
> + * fault should happen.
> + */
> + err_prepare_notwp = ac_test_do_access(&at1);
> + if (!err_prepare_notwp) {
> + printf("%s: SMEP prepare fail\n", __FUNCTION__);
> + goto clean_up;
> + }
> +
> + at1.flags[AC_ACCESS_WRITE] = 0;
> + at1.flags[AC_ACCESS_FETCH] = 1;
> + ac_set_expected_status(&at1);
> + err_smep_notwp = ac_test_do_access(&at1);
> +
The address is accessed in the fist test, it is really "prefetch"-ed
in the second test?
>
> int ac_test_run(void)
> @@ -669,16 +765,22 @@ int ac_test_run(void)
> ac_test_t at;
> ac_pool_t pool;
> int i, tests, successes;
> + extern u64 ptl2[];
>
> printf("run\n");
> tests = successes = 0;
> ac_env_int(&pool);
> ac_test_init(&at, (void *)(0x123400000000 + 16 * smp_id()));
> do {
> + if (at.flags[AC_CPU_CR4_SMEP] && (ptl2[2] & 0x4))
> + ptl2[2] -= 0x4;
It seems you just remove the "U/S" bit, but forget to recover it, it can
break the test if AC_ACCESS_USER && !SMEP
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: [PATCH kvm-unit-tests v2] access: check SMEP on prefetch pte path
2011-07-01 8:05 ` Xiao Guangrong
@ 2011-07-05 1:24 ` Yang, Wei Y
2011-07-05 5:49 ` Xiao Guangrong
0 siblings, 1 reply; 4+ messages in thread
From: Yang, Wei Y @ 2011-07-05 1:24 UTC (permalink / raw)
To: Xiao Guangrong; +Cc: avi@redhat.com, kvm@vger.kernel.org
> -----Original Message-----
> From: kvm-owner@vger.kernel.org [mailto:kvm-owner@vger.kernel.org] On
> Behalf Of Xiao Guangrong
> Sent: Friday, July 01, 2011 4:06 PM
> To: Yang, Wei Y
> Cc: avi@redhat.com; kvm@vger.kernel.org
> Subject: Re: [PATCH kvm-unit-tests v2] access: check SMEP on prefetch pte
> path
>
> On 06/29/2011 06:24 PM, Yang, Wei wrote:
>
> > +
> > + /*
> > + * Here we write the ro user page when
> > + * cr0.wp=0, then we execute it and SMEP
> > + * fault should happen.
> > + */
> > + err_prepare_notwp = ac_test_do_access(&at1);
> > + if (!err_prepare_notwp) {
> > + printf("%s: SMEP prepare fail\n", __FUNCTION__);
> > + goto clean_up;
> > + }
> > +
> > + at1.flags[AC_ACCESS_WRITE] = 0;
> > + at1.flags[AC_ACCESS_FETCH] = 1;
> > + ac_set_expected_status(&at1);
> > + err_smep_notwp = ac_test_do_access(&at1);
> > +
>
> The address is accessed in the fist test, it is really "prefetch"-ed
> in the second test?
What do you mean? Could you please elaborate it?
>
> >
> > int ac_test_run(void)
> > @@ -669,16 +765,22 @@ int ac_test_run(void)
> > ac_test_t at;
> > ac_pool_t pool;
> > int i, tests, successes;
> > + extern u64 ptl2[];
> >
> > printf("run\n");
> > tests = successes = 0;
> > ac_env_int(&pool);
> > ac_test_init(&at, (void *)(0x123400000000 + 16 * smp_id()));
> > do {
> > + if (at.flags[AC_CPU_CR4_SMEP] && (ptl2[2] & 0x4))
> > + ptl2[2] -= 0x4;
>
> It seems you just remove the "U/S" bit, but forget to recover it, it can
> break the test if AC_ACCESS_USER && !SMEP
Thanks. I'll correct it:)
>
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH kvm-unit-tests v2] access: check SMEP on prefetch pte path
2011-07-05 1:24 ` Yang, Wei Y
@ 2011-07-05 5:49 ` Xiao Guangrong
0 siblings, 0 replies; 4+ messages in thread
From: Xiao Guangrong @ 2011-07-05 5:49 UTC (permalink / raw)
To: Yang, Wei Y; +Cc: avi@redhat.com, kvm@vger.kernel.org
On 07/05/2011 09:24 AM, Yang, Wei Y wrote:
>
>
>> -----Original Message-----
>> From: kvm-owner@vger.kernel.org [mailto:kvm-owner@vger.kernel.org] On
>> Behalf Of Xiao Guangrong
>> Sent: Friday, July 01, 2011 4:06 PM
>> To: Yang, Wei Y
>> Cc: avi@redhat.com; kvm@vger.kernel.org
>> Subject: Re: [PATCH kvm-unit-tests v2] access: check SMEP on prefetch pte
>> path
>>
>> On 06/29/2011 06:24 PM, Yang, Wei wrote:
>>
>>> +
>>> + /*
>>> + * Here we write the ro user page when
>>> + * cr0.wp=0, then we execute it and SMEP
>>> + * fault should happen.
>>> + */
>>> + err_prepare_notwp = ac_test_do_access(&at1);
>>> + if (!err_prepare_notwp) {
>>> + printf("%s: SMEP prepare fail\n", __FUNCTION__);
>>> + goto clean_up;
>>> + }
>>> +
>>> + at1.flags[AC_ACCESS_WRITE] = 0;
>>> + at1.flags[AC_ACCESS_FETCH] = 1;
>>> + ac_set_expected_status(&at1);
>>> + err_smep_notwp = ac_test_do_access(&at1);
>>> +
>>
>> The address is accessed in the fist test, it is really "prefetch"-ed
>> in the second test?
>
> What do you mean? Could you please elaborate it?
The title and the test case is "prefetch pte", is it really "prefetch" in
your test case? :-)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-07-05 5:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-06-29 10:24 [PATCH kvm-unit-tests v2] access: check SMEP on prefetch pte path Yang, Wei
2011-07-01 8:05 ` Xiao Guangrong
2011-07-05 1:24 ` Yang, Wei Y
2011-07-05 5:49 ` Xiao Guangrong
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox