From: Feng Wu
Subject: [PATCH v7 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)
Date: Thu, 8 May 2014 16:15:23 +0800
Message-ID: <1399536927-5411-1-git-send-email-feng.wu@intel.com>
To: xen-devel@lists.xen.org
Cc: kevin.tian@intel.com, Feng Wu, JBeulich@suse.com, andrew.cooper3@citrix.com, eddie.dong@intel.com, jun.nakajima@intel.com, ian.campbell@citrix.com
List-Id: xen-devel@lists.xenproject.org

Supervisor Mode Access Prevention (SMAP) is a new security feature disclosed by Intel; please refer to the following document:

http://software.intel.com/sites/default/files/319433-014.pdf

Every access to a linear address is either a supervisor-mode access or a user-mode access. All accesses performed while the current privilege level (CPL) is less than 3 are supervisor-mode accesses. If CPL = 3, accesses are generally user-mode accesses. However, some operations implicitly access system data structures, and the resulting accesses to those data structures are supervisor-mode accesses regardless of CPL. Examples of such implicit supervisor accesses include the following: accesses to the global descriptor table (GDT) or local descriptor table (LDT) to load a segment descriptor; accesses to the interrupt descriptor table (IDT) when delivering an interrupt or exception; and accesses to the task-state segment (TSS) as part of a task switch or change of CPL.

If CR4.SMAP = 1, supervisor-mode data accesses are not allowed to linear addresses that are accessible in user mode. If CPL < 3, SMAP protections are disabled if EFLAGS.AC = 1. If CPL = 3, SMAP applies to all supervisor-mode data accesses (these are implicit supervisor accesses) regardless of the value of EFLAGS.AC.
Version 1:
* Add two macros for STAC/CLAC instructions
* Temporary disable SMAP to legally access user pages in kernel mode
* Enable Supervisor Mode Access Prevention (SMAP) for Xen itself
* Add SMAP support to HVM guest
* Disable SMAP feature when guest is in non-paging mode

Version 2:
* Change the definition of ASM_STAC/ASM_CLAC.
* Clear AC bit at the beginning of exception, interrupt, hypercall.
* Make construct_dom0() wrapped in a stac()/clac() part as a whole.
* Reorder some patches in the series.
* Combine some conditionals with SMEP.
* Typo, etc.

Version 3:
* Clean-ups to ASM_STAC/ASM_CLAC
* Enable SMAP after constructing domain 0
* Move common_interrupt to entry.S
* Remove ASM_CLAC calls in some places where exception happens
* Correct the logic in hvm_vcpu_has_smep()/hvm_vcpu_has_smap()
* Make the output message more readable when SMAP violation happens
* Use hvm_get_segment_register() to get the guest SS in guest_walk_tables()
* Coding style changes, etc.

Version 4:
* Use common macro CPUINFO_features instead of CPUINFO86_ext_features in xen/arch/x86/boot/head.S
* Make ASM_STAC/ASM_CLAC common both in assembly and C code
* Merge xen/include/asm-x86/x86_64/asm_defns.h into xen/include/asm-x86/asm_defns.h
* Add a parameter to SAVE_ALL to include ASM_CLAC in it optionally
* Remove ASM_STAC/ASM_CLAC pair in compat_create_bounce_frame, since in this chunk of code, it only accesses the pv guest's kernel stack, which is in ring 1 for 32-bit pv guests.
* Call "setup_clear_cpu_cap(X86_FEATURE_SMAP)" before APs get brought up
* Coding style changes.

Version 5:
* Remove C version of CPUINFO_FEATURE_OFFSET.
* Implement clac()/stac() in C.
* Set the default value of the parameter to 1 for macro SAVE_ALL.
* Add const to the second parameter of __page_fault_type().
* Clear SMAP bit in CR4 before construct_dom0() and set the bit back after it.
* Coding style changes.

Version 6:
* Add memory clobbers for clac()/stac()
* Add ASM_CLAC at the beginning of ignore_int
* Some comment changes

Version 7:
Patch "x86: Clear AC bit in RFLAGS to protect Xen itself by SMAP"
* Remove ASM_CLAC for machine_check
* Add ASM_STAC/stac() for double_fault and fatal_trap()
* Set AC for MSR_SYSCALL_MASK after S3 resume
* Make SAVE_ALL parameter a tristate, allowing both CLAC and STAC to be done right there

Patch "x86: Temporary disable SMAP to legally access user pages in kernel mode"
* Remove the unnecessary trailing semicolon for macro __put_user_asm, __get_user_asm, and __cmpxchg_user.

Patch "x86: Enable Supervisor Mode Access Prevention (SMAP) for Xen"
* Change some comments

Patch "x86/hvm: Add SMAP support to HVM guest"
* Pass ecx explicitly to hvm_cpuid() for CPUID.0x7

Feng Wu (10):
  x86: define macros CPUINFO_features and CPUINFO_FEATURE_OFFSET
  x86: move common_interrupt to entry.S
  x86: merge stuff from asm-x86/x86_64/asm_defns.h to asm-x86/asm_defns.h
  x86: Add support for STAC/CLAC instructions
  x86: Clear AC bit in RFLAGS to protect Xen itself by SMAP
  x86: Temporary disable SMAP to legally access user pages in kernel mode
  VMX: Disable SMAP feature when guest is in non-paging mode
  x86: Enable Supervisor Mode Access Prevention (SMAP) for Xen
  x86/hvm: Add SMAP support to HVM guest
  x86/tools: Expose SMAP to HVM guests

 docs/misc/xen-command-line.markdown    |   7 +
 tools/libxc/xc_cpufeature.h            |   1 +
 tools/libxc/xc_cpuid_x86.c             |   1 +
 xen/arch/x86/acpi/suspend.c            |   2 +-
 xen/arch/x86/boot/head.S               |   3 +-
 xen/arch/x86/hvm/hvm.c                 |   3 +
 xen/arch/x86/hvm/vmx/vmx.c             |   6 +-
 xen/arch/x86/i8259.c                   |   2 -
 xen/arch/x86/mm/guest_walk.c           |  40 +++--
 xen/arch/x86/setup.c                   |  20 +++
 xen/arch/x86/traps.c                   |  76 ++++++++--
 xen/arch/x86/usercopy.c                |   6 +
 xen/arch/x86/x86_64/asm-offsets.c      |   2 +-
 xen/arch/x86/x86_64/compat/entry.S     |   3 +-
 xen/arch/x86/x86_64/entry.S            |  20 ++-
 xen/arch/x86/x86_64/traps.c            |   2 +-
 xen/include/asm-x86/asm_defns.h        | 263 ++++++++++++++++++++++++++++++++-
 xen/include/asm-x86/cpufeature.h       |   5 +
 xen/include/asm-x86/domain.h           |   6 +-
 xen/include/asm-x86/hvm/hvm.h          |  22 ++-
 xen/include/asm-x86/uaccess.h          |   8 +-
 xen/include/asm-x86/x86_64/asm_defns.h | 231 -----------------------------
 xen/include/asm-x86/x86_64/system.h    |   4 +-
 23 files changed, 455 insertions(+), 278 deletions(-)
 delete mode 100644 xen/include/asm-x86/x86_64/asm_defns.h

-- 
1.8.3.1
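The cover letter's SMAP rules are exactly what a hypervisor's software page walker (the guest_walk_tables() change in this series) has to reproduce when it walks guest page tables on the guest's behalf. The following is an added example, not code from the series or from Xen: a self-contained C model of that decision, generalized to an N-level walk where a linear address counts as user-accessible only if U/S is set at every level. The struct and function names are hypothetical; the bit positions follow the Intel SDM.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CR4_SMAP  (1ull << 21)   /* CR4.SMAP, Intel SDM bit position */
#define RFLAGS_AC (1ull << 18)   /* EFLAGS.AC / RFLAGS.AC */
#define PTE_US    (1ull << 2)    /* U/S bit in every paging-structure entry */

/* Hypothetical description of one guest memory access (not a Xen type). */
struct access {
    unsigned int cpl;   /* taken from SS.DPL, as the walker reads guest SS */
    bool implicit;      /* implicit supervisor access: GDT/LDT/IDT/TSS */
    bool insn_fetch;    /* instruction fetch: SMEP's concern, not SMAP's */
};

/* A linear address is user-accessible only if U/S is set at every level. */
static bool user_accessible(const uint64_t *levels, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!(levels[i] & PTE_US))
            return false;
    return true;
}

/* Returns true if SMAP must turn this access into a page fault. */
bool smap_faults(uint64_t cr4, uint64_t rflags, const struct access *a,
                 const uint64_t *levels, size_t n)
{
    /* CPL < 3 is always supervisor mode; CPL = 3 only for implicit accesses. */
    bool supervisor = a->cpl < 3 || a->implicit;
    if (!supervisor || a->insn_fetch || !(cr4 & CR4_SMAP))
        return false;
    if (!user_accessible(levels, n))
        return false;                       /* supervisor page: SMAP not involved */
    if (a->cpl < 3 && (rflags & RFLAGS_AC))
        return false;                       /* inside a stac()/clac() window */
    return true;                            /* CPL = 3 implicit access: AC ignored */
}

int main(void)
{
    uint64_t user_page[2] = { PTE_US, PTE_US };  /* constructed 2-level walk */
    struct access kern = { .cpl = 0 }, imp = { .cpl = 3, .implicit = true };
    printf("kernel, AC=0: %d\n", smap_faults(CR4_SMAP, 0, &kern, user_page, 2));
    printf("kernel, AC=1: %d\n", smap_faults(CR4_SMAP, RFLAGS_AC, &kern, user_page, 2));
    printf("implicit, AC=1: %d\n", smap_faults(CR4_SMAP, RFLAGS_AC, &imp, user_page, 2));
    return 0;
}
```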