* [PATCH] solve SMAP/SMEP issues with 32-bit pv guests
@ 2016-08-09 9:13 He Chen
2016-08-09 9:13 ` [PATCH] xen: enable/disable SMAP/SMEP for Xen itself He Chen
2016-08-10 10:23 ` [PATCH] solve SMAP/SMEP issues with 32-bit pv guests George Dunlap
From: He Chen @ 2016-08-09 9:13 UTC (permalink / raw)
To: Jan Beulich, Andrew Cooper
Cc: Wu Feng, Wang Yong, Nakajima Jun, xen-devel@lists.xen.org
This patch is going to solve SMAP/SMEP issues with 32-bit pv guests by
adding new xen command line options "xen_smap" and "xen_smep".
For the details, please see: https://lists.xen.org/archives/html/xen-devel/2016-06/msg03441.html
I am sorry that I don't have a 32-bit PV environment to test this patch,
I would really appreciate it if someone could help verify this patch :)
He Chen (1):
xen: enable/disable SMAP/SMEP for Xen itself
docs/misc/xen-command-line.markdown | 14 ++++++++++++++
xen/arch/x86/setup.c | 12 ++++++++++--
2 files changed, 24 insertions(+), 2 deletions(-)
--
1.9.1
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
* [PATCH] xen: enable/disable SMAP/SMEP for Xen itself
2016-08-09 9:13 [PATCH] solve SMAP/SMEP issues with 32-bit pv guests He Chen
@ 2016-08-09 9:13 ` He Chen
2016-08-09 12:19 ` Jan Beulich
2016-08-10 10:23 ` [PATCH] solve SMAP/SMEP issues with 32-bit pv guests George Dunlap
From: He Chen @ 2016-08-09 9:13 UTC (permalink / raw)
To: Jan Beulich, Andrew Cooper
Cc: Wu Feng, Wang Yong, Nakajima Jun, xen-devel@lists.xen.org
SMAP/SMEP may affect the 32-bit pv guests.
Users can determine whether to turn SMAP/SMEP on for Xen hypervisor when
running 32-bit pv guests.
Signed-off-by: He Chen <he.chen@linux.intel.com>
---
docs/misc/xen-command-line.markdown | 14 ++++++++++++++
xen/arch/x86/setup.c | 12 ++++++++++--
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 3a250cb..a48c4aa 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -1434,6 +1434,13 @@ Set the serial transmit buffer size.
Flag to enable Supervisor Mode Execution Protection
+### xen_smep
+> `= <boolean>`
+
+> Default: `true`
+
+Flag to enable SMEP for Xen itself
+
### smap
> `= <boolean>`
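Review bot: The new `xen_smep` entry does not say how it relates to the `smep` option documented directly above it, nor what "for Xen itself" means for guests. Per the setup.c part of this patch, `smep=0` clears the CPU capability, so `xen_smep` has no effect in that case; the text should state that. It should also say that setting it to false leaves the hypervisor running without SMEP in CR4 and is intended for hosts running 32-bit PV guests.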
@@ -1441,6 +1448,13 @@ Flag to enable Supervisor Mode Execution Protection
Flag to enable Supervisor Mode Access Prevention
+### xen_smap
+> `= <boolean>`
+
+> Default: `true`
+
+Flag to enable SMAP for Xen itself
+
### snb\_igd\_quirk
> `= <boolean> | cap | <integer>`
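Review bot: `xen_smap` is inserted between `smap` and `snb_igd_quirk`, which breaks the alphabetical order the neighbouring entries follow; an option starting with `x` belongs further down the file. The one-line description "Flag to enable SMAP for Xen itself" should also state that `smap=0` overrides it and what protection is lost when it is set to false.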
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 217c775..84debc3 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -65,10 +65,18 @@ integer_param("maxcpus", max_cpus);
static bool_t __initdata opt_smep = 1;
boolean_param("smep", opt_smep);
+/* xen_smep: Enable/disable SMEP for Xen itself (default on). */
+static bool_t __initdata opt_xen_smep = 1;
+boolean_param("xen_smep", opt_xen_smep);
+
/* smap: Enable/disable Supervisor Mode Access Prevention (default on). */
static bool_t __initdata opt_smap = 1;
boolean_param("smap", opt_smap);
+/* xen_smap: Enable/disable SMAP for Xen itself (default on). */
+static bool_t __initdata opt_xen_smap = 1;
+boolean_param("xen_smap", opt_xen_smap);
+
unsigned long __read_mostly cr4_pv32_mask;
/* Boot dom0 in pvh mode */
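Review bot: `opt_xen_smep` and `opt_xen_smap` are declared `__initdata`, so they can only be read during boot. If any code that runs after init needs to know whether Xen itself uses SMEP/SMAP, the choice has to be kept in a non-init variable or be recoverable from `mmu_cr4_features`. The two new comments should also say that each option only has an effect while the corresponding `smep`/`smap` option is left on.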
@@ -1403,12 +1411,12 @@ void __init noreturn __start_xen(unsigned long mbi_p)
if ( !opt_smep )
setup_clear_cpu_cap(X86_FEATURE_SMEP);
- if ( cpu_has_smep )
+ if ( cpu_has_smep && opt_xen_smep )
set_in_cr4(X86_CR4_SMEP);
if ( !opt_smap )
setup_clear_cpu_cap(X86_FEATURE_SMAP);
- if ( cpu_has_smap )
+ if ( cpu_has_smap && opt_xen_smap )
set_in_cr4(X86_CR4_SMAP);
cr4_pv32_mask = mmu_cr4_features & XEN_CR4_PV32_BITS;
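Review bot: With `xen_smep=0` or `xen_smap=0` the feature flag stays set (only `!opt_smep` / `!opt_smap` clear it) while `set_in_cr4()` is skipped, so every other `cpu_has_smep` / `cpu_has_smap` test now sees a feature that is not enabled in Xen's CR4. The last context line changes meaning as well: `cr4_pv32_mask = mmu_cr4_features & XEN_CR4_PV32_BITS;` is now computed from a value that lacks the skipped bits. Please audit the remaining users of the feature flags and of `mmu_cr4_features`, and either adjust them in this patch or explain in the commit message why each is still correct.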
--
1.9.1
* Re: [PATCH] xen: enable/disable SMAP/SMEP for Xen itself
2016-08-09 9:13 ` [PATCH] xen: enable/disable SMAP/SMEP for Xen itself He Chen
@ 2016-08-09 12:19 ` Jan Beulich
From: Jan Beulich @ 2016-08-09 12:19 UTC (permalink / raw)
To: He Chen
Cc: Andrew Cooper, Wu Feng, Wang Yong, Nakajima Jun,
xen-devel@lists.xen.org
>>> On 09.08.16 at 11:13, <he.chen@linux.intel.com> wrote:
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -1434,6 +1434,13 @@ Set the serial transmit buffer size.
>
> Flag to enable Supervisor Mode Execution Protection
>
> +### xen_smep
> +> `= <boolean>`
> +
> +> Default: `true`
> +
> +Flag to enable SMEP for Xen itself
> +
> ### smap
> > `= <boolean>`
>
> @@ -1441,6 +1448,13 @@ Flag to enable Supervisor Mode Execution Protection
>
> Flag to enable Supervisor Mode Access Prevention
>
> +### xen_smap
> +> `= <boolean>`
> +
> +> Default: `true`
> +
> +Flag to enable SMAP for Xen itself
> +
> ### snb\_igd\_quirk
> > `= <boolean> | cap | <integer>`
>
If these were to stay, please obey the (mostly) alphabetical
sorting. But I'd much rather see the "smap=" and "smep="
options enhanced, e.g. with allowing "hvm" as a value alongside
the currently permitted boolean indicators.
> @@ -1403,12 +1411,12 @@ void __init noreturn __start_xen(unsigned long mbi_p)
>
> if ( !opt_smep )
> setup_clear_cpu_cap(X86_FEATURE_SMEP);
> - if ( cpu_has_smep )
> + if ( cpu_has_smep && opt_xen_smep )
> set_in_cr4(X86_CR4_SMEP);
>
> if ( !opt_smap )
> setup_clear_cpu_cap(X86_FEATURE_SMAP);
> - if ( cpu_has_smap )
> + if ( cpu_has_smap && opt_xen_smap )
> set_in_cr4(X86_CR4_SMAP);
>
> cr4_pv32_mask = mmu_cr4_features & XEN_CR4_PV32_BITS;
It's extremely hard to believe that this would be all it takes:
Already the two cpu_has_smap uses further down in this file
would need similar adjustment afaict. Furthermore
mmu_cr4_features (which now won't have the two flags set
if their use for Xen gets disabled) gets used, among other
places, in vmx.c. If indeed no other changes were necessary,
the minimum imo would be for you to justify this in the patch
description.
Jan
* Re: [PATCH] solve SMAP/SMEP issues with 32-bit pv guests
2016-08-09 9:13 [PATCH] solve SMAP/SMEP issues with 32-bit pv guests He Chen
2016-08-09 9:13 ` [PATCH] xen: enable/disable SMAP/SMEP for Xen itself He Chen
@ 2016-08-10 10:23 ` George Dunlap
From: George Dunlap @ 2016-08-10 10:23 UTC (permalink / raw)
To: He Chen
Cc: Wu Feng, Jan Beulich, Andrew Cooper, Wang Yong,
xen-devel@lists.xen.org, Nakajima Jun
On Tue, Aug 9, 2016 at 10:13 AM, He Chen <he.chen@linux.intel.com> wrote:
> This patch is going to solve SMAP/SMEP issues with 32-bit pv guests by
> adding new xen command line options "xen_smap" and "xen_smep".
>
> For the details, please see: https://lists.xen.org/archives/html/xen-devel/2016-06/msg03441.html
>
> I am sorry that I don't have a 32-bit PV environment to test this patch,
> I would really appreciate it if someone could help verify this patch :)
>
> He Chen (1):
> xen: enable/disable SMAP/SMEP for Xen itself
>
> docs/misc/xen-command-line.markdown | 14 ++++++++++++++
> xen/arch/x86/setup.c | 12 ++++++++++--
> 2 files changed, 24 insertions(+), 2 deletions(-)
>
> --
> 1.9.1
There doesn't seem to be any actual content here.
-George