From mboxrd@z Thu Jan 1 00:00:00 1970 From: Aravindh Puthiyaparambil Subject: [PATCH] x86/vmx: Add command line option to enable EPT without PAT Date: Wed, 16 Apr 2014 14:15:15 -0700 Message-ID: <1397682915-9084-1-git-send-email-aravindp@cisco.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WaXB3-0007vt-Mh for xen-devel@lists.xenproject.org; Wed, 16 Apr 2014 21:15:29 +0000 List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xenproject.org Cc: Kevin Tian , Eddie Dong , Jun Nakajima List-Id: xen-devel@lists.xenproject.org The fix for XSA-60 disables EPT if PAT is not available. This patch adds a command line option called "ept_without_pat", that allows EPT to be enabled even when PAT is not present. This is to enable Xen to run as a nested guest with EPT on hypervisors that have nested EPT but not nested PAT. Signed-off-by: Aravindh Puthiyaparambil Cc: Jun Nakajima Cc: Eddie Dong Cc: Kevin Tian --- docs/misc/xen-command-line.markdown | 11 +++++++++++ xen/arch/x86/hvm/vmx/vmx.c | 5 ++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 87de2dc..9dc501b 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown 
@@ -523,6 +523,17 @@ Either force retrieval of monitor EDID information via VESA DDC, or disable it (edid=no). This option should not normally be required except for debugging purposes. +### ept_without_pat +> `= ` + +Allow EPT to be enabled when PAT is not present. + +*Warning:* +This is an unsupported option and should be used only to allow Xen to run with +EPT as a nested guest on hypervisors that do not have nested PAT. + +> Default: `false` + ### extra\_guest\_irqs > `= [][,]` diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 180cf6c..a308a93 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -58,6 +58,9 @@ #include #include +static bool_t __initdata opt_ept_without_pat= 0; +boolean_param("ept_without_pat", opt_ept_without_pat); + enum handler_return { HNDL_done, HNDL_unhandled, HNDL_exception_raised }; static void vmx_ctxt_switch_from(struct vcpu *v); @@ -1724,7 +1727,7 @@ const struct hvm_function_table * __init start_vmx(void) * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole * (refer to http://xenbits.xen.org/xsa/advisory-60.html). */ - if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) + if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_ept_without_pat) ) { vmx_function_table.hap_supported = 1; -- 1.8.3.2
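
Review bot: The *Warning:* text in the new `ept_without_pat` section of xen-command-line.markdown says the option is unsupported but never says what the administrator gives up by setting it. The commit message and the comment in start_vmx() both tie the PAT requirement to XSA-60, so the documentation should name XSA-60 and state that the option turns EPT back on in the configuration that fix disabled. Someone reading only the command line reference can then see that this is a security trade-off, not just a support-status note.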
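
Review bot: Style point in the first vmx.c hunk: `opt_ept_without_pat= 0;` is missing the space before `=`, and the explicit zero initialiser on a static is redundant. Suggest `static bool_t __initdata opt_ept_without_pat;`, which keeps the default of false that the documentation hunk states.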
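
Review bot: In the start_vmx() hunk, the comment directly above the changed condition still reads "Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole", which is no longer true once `opt_ept_without_pat` is set. Update the comment to mention the override. Since the new branch silently sets `hap_supported = 1` on a configuration the XSA-60 fix excluded, also consider logging a boot-time warning when `!cpu_has_vmx_pat && opt_ept_without_pat` holds, so the condition is visible in the hypervisor log and not only on the command line.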