
Re: [Xen-devel] [PATCH v4] x86/vmx: Add force-ept command line option



> From: Aravindh Puthiyaparambil [mailto:aravindp@xxxxxxxxx]
> Sent: Wednesday, April 23, 2014 12:36 AM
> 
> Add a "force-ept" command line option to allow EPT to be enabled when
> VMX feature VM_ENTRY_LOAD_GUEST_PAT is not present.
> 
> Due to CVE-2013-2212, this feature is required by default as a
> prerequisite for using EPT. If you are not using PCI Passthrough, or
> trust the guest administrator who would be using passthrough, then the
> requirement can be relaxed. This option is particularly useful for
> nested virtualization, to allow the L1 hypervisor to use EPT even if
> the L0 hypervisor does not provide VM_ENTRY_LOAD_GUEST_PAT.
> 
> Signed-off-by: Aravindh Puthiyaparambil <aravindp@xxxxxxxxx>
> Cc: Jun Nakajima <jun.nakajima@xxxxxxxxx>
> Cc: Eddie Dong <eddie.dong@xxxxxxxxx>
> Cc: Kevin Tian <kevin.tian@xxxxxxxxx>
> 

Acked-by: Kevin Tian <kevin.tian@xxxxxxxxx>

> ---
> Changes from version 3:
> Update commit and documentation description.
> 
> Changes from version 2:
> 1. Update commit and documentation description.
> 2. Rename command line option to "force-ept"
> 
> Changes from version 1:
> 1. Fix and update documentation with suggestion from Andrew Cooper.
> 2. Remove redundant assignment.
> ---
>  docs/misc/xen-command-line.markdown | 16 ++++++++++++++++
>  xen/arch/x86/hvm/vmx/vmx.c          |  5 ++++-
>  2 files changed, 20 insertions(+), 1 deletion(-)
> 
> diff --git a/docs/misc/xen-command-line.markdown
> b/docs/misc/xen-command-line.markdown
> index 87de2dc..e9e17c7 100644
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -545,6 +545,22 @@ versa.  For example to change dom0 without
> changing domU, use
> 
>  Specify the font size when using the VESA console driver.
> 
> +### force-ept (Intel)
> +> `= <boolean>`
> +
> +> Default: `false`
> +
> +Allow EPT to be enabled when VMX feature
> VM\_ENTRY\_LOAD\_GUEST\_PAT is not
> +present.
> +
> +*Warning:*
> +Due to CVE-2013-2212, VMX feature VM\_ENTRY\_LOAD\_GUEST\_PAT is by
> default
> +required as a prerequisite for using EPT.  If you are not using PCI
> Passthrough,
> +or trust the guest administrator who would be using passthrough, then the
> +requirement can be relaxed.  This option is particularly useful for nested
> +virtualization, to allow the L1 hypervisor to use EPT even if the L0 
> hypervisor
> +does not provide VM\_ENTRY\_LOAD\_GUEST\_PAT.
> +
>  ### gdb
>  > `= <baud>[/<clock_hz>][,DPS[,<io-base>[,<irq>[,<port-bdf>[,<bridge-bdf>]]]]
> | pci | amt ] `
> 
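Review bot: the docs entry cites CVE-2013-2212 while the comment in vmx.c (below) points at XSA-60 by URL; please add the XSA reference (http://xenbits.xen.org/xsa/advisory-60.html) to the `force-ept` entry so a reader of xen-command-line.markdown can find the advisory without grepping the source, and say plainly that setting the option disables the check introduced for that advisory, so PCI passthrough to an untrusted guest on such hardware is again exposed, rather than only that "the requirement can be relaxed".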
> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> index 180cf6c..4b3c899 100644
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -58,6 +58,9 @@
>  #include <asm/hvm/nestedhvm.h>
>  #include <asm/event.h>
> 
> +static bool_t __initdata opt_force_ept;
> +boolean_param("force-ept", opt_force_ept);
> +
>  enum handler_return { HNDL_done, HNDL_unhandled,
> HNDL_exception_raised };
> 
>  static void vmx_ctxt_switch_from(struct vcpu *v);
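Review bot: `opt_force_ept` is declared `__initdata`, so it is only valid until init memory is freed; that is correct here because its sole reader is `start_vmx()`, which is `__init`, but a future runtime reader (for example a nested-virt feature check) would read freed memory. A one-line comment next to the declaration recording that the variable must only be consulted from `__init` code would prevent that mistake.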
> @@ -1724,7 +1727,7 @@ const struct hvm_function_table * __init
> start_vmx(void)
>       * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security
> hole
>       * (refer to http://xenbits.xen.org/xsa/advisory-60.html).
>       */
> -    if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
> +    if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_force_ept) )
>      {
>          vmx_function_table.hap_supported = 1;
> 
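Review bot: the comment immediately above the changed condition still reads "Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole" without qualification, so it no longer matches the code; update it to mention the `force-ept` override. Since taking the override silently disables the XSA-60 mitigation, also consider logging when it actually takes effect, e.g. `if ( !cpu_has_vmx_pat && opt_force_ept ) printk(XENLOG_WARNING "VMX: force-ept set, enabling EPT without VM_ENTRY_LOAD_GUEST_PAT (XSA-60)\n");` so the administrator can see from the boot log that the relaxed mode is in use.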
> --
> 1.9.1


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

