Re: [Xen-devel] [PATCH] xen: enable/disable SMAP/SMEP for Xen itself



>>> On 09.08.16 at 11:13, <he.chen@xxxxxxxxxxxxxxx> wrote:
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -1434,6 +1434,13 @@ Set the serial transmit buffer size.
>  
>  Flag to enable Supervisor Mode Execution Protection
>  
> +### xen_smep
> +> `= <boolean>`
> +
> +> Default: `true`
> +
> +Flag to enable SMEP for Xen itself
> +
>  ### smap
>  > `= <boolean>`
>  
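
Review bot: the new `xen_smep` entry does not say how it relates to the existing `smep` option documented directly above it. Please extend the description to state what `xen_smep` does when `smep` is disabled, and what remains protected when only `xen_smep` is turned off, so an administrator can tell which of the two options to use.
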
> @@ -1441,6 +1448,13 @@ Flag to enable Supervisor Mode Execution Protection
>  
>  Flag to enable Supervisor Mode Access Prevention
>  
> +### xen_smap
> +> `= <boolean>`
> +
> +> Default: `true`
> +
> +Flag to enable SMAP for Xen itself
> +
>  ### snb\_igd\_quirk
>  > `= <boolean> | cap | <integer>`
>  
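
Review bot: the `### xen_smap` heading leaves its underscore unescaped, while the neighbouring `### snb\_igd\_quirk` heading in the context lines escapes each one. Write it as `### xen\_smap` (and `### xen\_smep` in the previous hunk) to match the convention the file already uses.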

If these were to stay, please obey the (mostly) alphabetical
sorting. But I'd much rather see the "smap=" and "smep="
options enhanced, e.g. with allowing "hvm" as a value alongside
the currently permitted boolean indicators.

> @@ -1403,12 +1411,12 @@ void __init noreturn __start_xen(unsigned long mbi_p)
>  
>      if ( !opt_smep )
>          setup_clear_cpu_cap(X86_FEATURE_SMEP);
> -    if ( cpu_has_smep )
> +    if ( cpu_has_smep && opt_xen_smep )
>          set_in_cr4(X86_CR4_SMEP);
>  
>      if ( !opt_smap )
>          setup_clear_cpu_cap(X86_FEATURE_SMAP);
> -    if ( cpu_has_smap )
> +    if ( cpu_has_smap && opt_xen_smap )
>          set_in_cr4(X86_CR4_SMAP);
>  
>      cr4_pv32_mask = mmu_cr4_features & XEN_CR4_PV32_BITS;
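
Review bot: in the two changed conditions, `opt_xen_smep` and `opt_xen_smap` only gate the `set_in_cr4()` calls, while the feature bits are still cleared solely under `!opt_smep` and `!opt_smap`. With one of the new options turned off, `cpu_has_smep` or `cpu_has_smap` stays true although this path no longer sets the CR4 bit, so later users of those predicates and the `cr4_pv32_mask` computed from `mmu_cr4_features` on the last context line need checking, with the outcome recorded in the commit message. A short comment above each condition explaining why the capability is kept while the CR4 bit is skipped would also help.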

It's extremely hard to believe that this would be all it takes:
Already the two cpu_has_smap uses further down in this file
would need similar adjustment afaict. Furthermore
mmu_cr4_features (which now won't have the two flags set
if their use for Xen gets disabled) gets used, among other
places, in vmx.c. If indeed no other changes were necessary,
the minimum imo would be for you to justify this in the patch
description.

Jan

