[Xen-devel] [PATCH] x86/vmx: Add command line option to enable EPT without PAT
The fix for XSA-60 disables EPT if PAT is not available. This patch adds a command line option called "ept_without_pat", that allows EPT to be enabled even when PAT is not present. This is to enable Xen to run as a nested guest with EPT on hypervisors that have nested EPT but not nested PAT. Signed-off-by: Aravindh Puthiyaparambil <aravindp@xxxxxxxxx> Cc: Jun Nakajima <jun.nakajima@xxxxxxxxx> Cc: Eddie Dong <eddie.dong@xxxxxxxxx> Cc: Kevin Tian <kevin.tian@xxxxxxxxx> --- docs/misc/xen-command-line.markdown | 11 +++++++++++ xen/arch/x86/hvm/vmx/vmx.c | 5 ++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 87de2dc..9dc501b 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -523,6 +523,17 @@ Either force retrieval of monitor EDID information via VESA DDC, or disable it (edid=no). This option should not normally be required except for debugging purposes. +### ept_without_pat +> `= <boolean>` + +Allow EPT to be enabled when PAT is not present. + +*Warning:* +This is an unsupported option and should be used only to allow Xen to run with +EPT as a nested guest on hypervisors that do not have nested PAT. + +> Default: `false` + ### extra\_guest\_irqs > `= [<domU number>][,<dom0 number>]` diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 180cf6c..a308a93 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -58,6 +58,9 @@ #include <asm/hvm/nestedhvm.h> #include <asm/event.h> +static bool_t __initdata opt_ept_without_pat= 0; +boolean_param("ept_without_pat", opt_ept_without_pat); + enum handler_return { HNDL_done, HNDL_unhandled, HNDL_exception_raised }; static void vmx_ctxt_switch_from(struct vcpu *v); 
@@ -1724,7 +1727,7 @@ const struct hvm_function_table * __init start_vmx(void) * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole * (refer to http://xenbits.xen.org/xsa/advisory-60.html). */ - if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) + if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_ept_without_pat) ) { vmx_function_table.hap_supported = 1; -- 1.8.3.2 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
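Review bot: In the docs/misc/xen-command-line.markdown hunk, the warning for ept_without_pat calls the option unsupported but does not say what it costs. According to the comment in start_vmx(), EPT is withheld when PAT is absent to prevent the XSA-60 security hole, so setting this option turns that protection off. The warning should say so and point to http://xenbits.xen.org/xsa/advisory-60.html. The heading is also inconsistent with its neighbour: the next entry escapes its underscores (`### extra\_guest\_irqs`), so the new one should read `### ept\_without\_pat`.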
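Review bot: Style point in the first xen/arch/x86/hvm/vmx/vmx.c hunk (@@ -58,6 +58,9 @@): `opt_ept_without_pat= 0;` is missing the space before `=`. The explicit `= 0` initialiser on a static variable is redundant and can be dropped, which removes the spacing problem as well.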
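Review bot: In the start_vmx() hunk (@@ -1724,7 +1727,7 @@), the comment left above the changed condition still reads "Do not enable EPT when (!cpu_has_vmx_pat)", which is no longer accurate once opt_ept_without_pat is set; the comment should describe the override. Nothing is logged when the override is what enables EPT (cpu_has_vmx_ept && !cpu_has_vmx_pat && opt_ept_without_pat), so the boot log of a host running without the XSA-60 safeguard looks the same as a normal one. A printk warning on that path would make the weakened configuration visible to whoever reviews the host.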