
Re: [Xen-devel] [PATCH] x86/vmx: Add command line option to enable EPT without PAT



>>  docs/misc/xen-command-line.markdown | 11 +++++++++++
>>  xen/arch/x86/hvm/vmx/vmx.c          |  5 ++++-
>>  2 files changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/docs/misc/xen-command-line.markdown
>> b/docs/misc/xen-command-line.markdown
>> index 87de2dc..9dc501b 100644
>> --- a/docs/misc/xen-command-line.markdown
>> +++ b/docs/misc/xen-command-line.markdown
>> @@ -523,6 +523,17 @@ Either force retrieval of monitor EDID
>> information via VESA DDC, or  disable it (edid=no). This option should
>> not normally be required  except for debugging purposes.
>>
>> +### ept_without_pat
>
>Need to escape underscores with a backslash so markdown doesn't try to
>italicise 'without'
>
>Also, this is an Intel-specific option so should be annotated.  See the
>documentation for 'vpid' as an example.
>
>> +> `= <boolean>`
>> +
>> +Allow EPT to be enabled when PAT is not present.
>> +
>> +*Warning:*
>> +This is an unsupported option and should be used only to allow Xen to
>> +run with EPT as a nested guest on hypervisors that do not have nested
>PAT.
>
>I would not necessarily describe it as an unsupported option.  The reason for
>the PAT requirement is because XSA-60 was a DoS attack with HVM guests
>switching CR0.CD in combination with PCIPassthrough.
>
>In the case that the administrator has weighed the risks, it need not be
>unsupported.  In an environment without PCIPassthrough then it should be
>unconditionally safe as flipping CR0.CD should turn into a noop, and the
>benefit is the addition of nested EPT.  As a result, I might word the paragraph
>a little more like this:
>
>*Warning:*
>Due to CVE-2013-2212, PAT is by default required as a prerequisite for using
>EPT.  If you are not using PCI Passthrough, or trust the guest administrator who
>would be using passthrough, then the PAT requirement can be relaxed.  This
>option is useful for nested virtualisation cases where the outer hypervisor
>does not expose PAT functionality to Xen.
>
>Or words to that effect, subject to taste.
>
>> +
>> +> Default: `false`
>
>Default statement should be ahead of the description.
>
>> +
>>  ### extra\_guest\_irqs
>>  > `= [<domU number>][,<dom0 number>]`
>>
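Review bot: the `+*Warning:*` paragraph (through the `+PAT.` line) should state the concrete risk the PAT prerequisite guards against rather than only calling the option unsupported: PAT is required because of XSA-60 / CVE-2013-2212, a denial of service triggered by an HVM guest switching CR0.CD in combination with PCI passthrough, so the text should say the option is only safe when no PCI passthrough is in use or the guest administrator using passthrough is trusted, and that it exists for nested virtualisation where the outer hypervisor does not expose PAT. The `+> Default: \`false\`` line should also move directly under the `+> \`= <boolean>\`` line, and the heading needs `ept\_without\_pat` with escaped underscores to match the neighbouring `### extra\_guest\_irqs` entry.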
>> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
>> index 180cf6c..a308a93 100644
>> --- a/xen/arch/x86/hvm/vmx/vmx.c
>> +++ b/xen/arch/x86/hvm/vmx/vmx.c
>> @@ -58,6 +58,9 @@
>>  #include <asm/hvm/nestedhvm.h>
>>  #include <asm/event.h>
>>
>> +static bool_t __initdata opt_ept_without_pat= 0;
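Review bot: `opt_ept_without_pat` is declared `__initdata`, so it must only be read during boot (for example from the VMX capability probing path that decides whether EPT may be enabled); any reference after init would touch memory that has already been released. The quoted excerpt shows only the declaration, so the option registration (presumably via `boolean_param`) and the site where the PAT check is relaxed are not visible here and should be reviewed together to confirm that, and a short comment on the declaration should say why PAT is otherwise required (XSA-60). Also, as already noted, the `= 0` initialiser on a static is redundant and the missing space before `=` should be fixed.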
>
>space before =, but the assignment of 0 is redundant and can be dropped.

Thanks for the feedback. I will send out a patch with the changes you asked for.

Thanks,
Aravindh

