[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v1 0/6] x86: Enable Supervisor Mode Execution Prevention (SMAP)



> -----Original Message-----
> From: Tian, Kevin
> Sent: Tuesday, April 15, 2014 1:31 PM
> To: Wu, Feng; JBeulich@xxxxxxxx; Ian.Campbell@xxxxxxxxxx;
> xen-devel@xxxxxxxxxxxxx
> Cc: Wu, Feng; Dong, Eddie; Nakajima, Jun
> Subject: RE: [Xen-devel] [PATCH v1 0/6] x86: Enable Supervisor Mode Execution
> Prevention (SMAP)
> 
> the title is incorrect: "Supervisor Mode Execution Prevention (SMAP)"

Will correct it now, sorry for that! Thanks, Kevin!

> 
> > From: Feng Wu
> > Sent: Tuesday, April 15, 2014 8:58 PM
> >
> > Supervisor Mode Access Prevention (SMAP) is a new security
> > feature disclosed by Intel, please refer to the following
> > document:
> >
> > http://software.intel.com/sites/default/files/319433-014.pdf
> >
> > Every access to a linear address is either a supervisor-mode
> > access or a user-mode access. All accesses performed while the
> > current privilege level (CPL) is less than 3 are supervisor-mode
> > accesses. If CPL = 3, accesses are generally user-mode accesses.
> > However, some operations implicitly access system data structures,
> > and the resulting accesses to those data structures are supervisor-mode
> > accesses regardless of CPL. Examples of such implicit supervisor
> > accesses include the following: accesses to the global descriptor
> > table (GDT) or local descriptor table (LDT) to load a segment descriptor;
> > accesses to the interrupt descriptor table (IDT) when delivering an
> > interrupt or exception; and accesses to the task-state segment (TSS) as
> > part of a task switch or change of CPL.
> >
> > If CR4.SMAP = 1, supervisor-mode data accesses are not allowed
> > to linear addresses that are accessible in user mode. If CPL < 3,
> > SMAP protections are disabled if EFLAGS.AC = 1. If CPL = 3, SMAP
> > applies to all supervisor-mode data accesses (these are implicit
> > supervisor accesses) regardless of the value of EFLAGS.AC.
> >
> > Version 1:
> >   * Add two macros for STAC/CLAC instructions
> >   * Temporary disable SMAP to legally access user pages in kernel mode
> >   * Enable Supervisor Mode Execution Prevention (SMAP) for Xen itself
> >   * Add SMAP support to HVM guest
> >   * Disable SMAP feature when guest is in non-paging mode
> >
> > Since Linux kernel has already supported SMAP, I tested this patch both
> > in EPT and shadow mode with Linux guest, they work well. And I also
> > tested the failure case, in which, I triggered an SMAP violation in
> > the guest kernel and Linux successfully received the related page
> > fault.
> >
> > Feng Wu (6):
> >   x86: Add support for STAC/CLAC instructions
> >   x86: Temporary disable SMAP to legally access user pages in kernel
> >     mode
> >   x86: Enable Supervisor Mode Execution Prevention (SMAP) for Xen
> >   x86/hvm: Add SMAP support to HVM guest
> >   VMX: Disable SMAP feature when guest is in non-paging mode
> >   x86/tools: Expose SMAP to HVM guests
> >
> >  tools/libxc/xc_cpufeature.h            |  1 +
> >  tools/libxc/xc_cpuid_x86.c             |  1 +
> >  xen/arch/x86/clear_page.S              |  3 ++
> >  xen/arch/x86/domain_build.c            | 16 ++++++++
> >  xen/arch/x86/hvm/hvm.c                 |  3 ++
> >  xen/arch/x86/hvm/vmx/vmx.c             |  6 +--
> >  xen/arch/x86/mm/guest_walk.c           | 27 +++++++++++--
> >  xen/arch/x86/setup.c                   |  9 +++++
> >  xen/arch/x86/traps.c                   | 34 +++++++++++++----
> >  xen/arch/x86/usercopy.c                |  6 +++
> >  xen/arch/x86/x86_64/asm-offsets.c      |  1 +
> >  xen/arch/x86/x86_64/compat/entry.S     |  2 +
> >  xen/arch/x86/x86_64/entry.S            |  4 ++
> >  xen/include/asm-x86/cpufeature.h       |  1 +
> >  xen/include/asm-x86/domain.h           |  6 ++-
> >  xen/include/asm-x86/hvm/hvm.h          | 13 +++++++
> >  xen/include/asm-x86/uaccess.h          |  4 ++
> >  xen/include/asm-x86/x86_64/asm_defns.h | 70
> > ++++++++++++++++++++++++++++++++++
> >  xen/include/asm-x86/x86_64/system.h    |  2 +
> >  19 files changed, 192 insertions(+), 17 deletions(-)
> >
> > --
> > 1.8.3.1
> >
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@xxxxxxxxxxxxx
> > http://lists.xen.org/xen-devel

Thanks,
Feng

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.