[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 00/10] x86/hvm: pkeys, add memory protection-key support
On 16/11/15 10:31, Huaitong Han wrote: > The protection-key feature provides an additional mechanism by which IA-32e > paging controls access to usermode addresses. > > Hardware support for protection keys for user pages is enumerated with CPUID > feature flag CPUID.7.0.ECX[3]:PKU. Software support is CPUID.7.0.ECX[4]:OSPKE > with the setting of CR4.PKE(bit 22). > > When CR4.PKE = 1, every linear address is associated with the 4-bit protection > key located in bits 62:59 of the paging-structure entry that mapped the page > containing the linear address. The PKRU register determines, for each > protection key, whether user-mode addresses with that protection key may be > read or written. > > The PKRU register (protection key rights for user pages) is a 32-bit register > with the following format: for each i (0 â i â 15), PKRU[2i] is the > access-disable bit for protection key i (ADi); PKRU[2i+1] is the write-disable > bit for protection key i (WDi). > > Software can use the RDPKRU and WRPKRU instructions with ECX = 0 to read and > write PKRU. In addition, the PKRU register is XSAVE-managed state and can thus > be read and written by instructions in the XSAVE feature set. > > PFEC.PK (bit 5) is defined as protection key violations. > > The specification of Protection Keys can be found at SDM (4.6.2, volume 3) > http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf. Thankyou for this series. On the whole, it is fairly good. However, a couple of issues have surfaced. The use of the software-defined bits are an ABI with PV guests. (With many things from those days, nothing is actually written down about this ABI). As such, it does not appear to be safe to enable PKE in the context of an unaware PV guest. Furthermore, it is unclear (given the unwritten ABI) whether it is even safe to move _PAGE_GNTTAB out of the way, as this is visible to a PV guest. Finally, do you have some example usecases for PKE? As WRPKRU lacks a cpl check, any entity on the system can arbitrarily change the protection keys, meaning that it can't be used for any system level enforcement. I can't currently see a situation where it is actually a useful feature, but I presume there is one. ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |