[PATCH v4 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)

[PATCH v4 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)

[Feng Wu]

Supervisor Mode Access Prevention (SMAP) is a new security
feature disclosed by Intel, please refer to the following
document:

http://software.intel.com/sites/default/files/319433-014.pdf

Every access to a linear address is either a supervisor-mode
access or a user-mode access. All accesses performed while the
current privilege level (CPL) is less than 3 are supervisor-mode
accesses. If CPL = 3, accesses are generally user-mode accesses.
However, some operations implicitly access system data structures,
and the resulting accesses to those data structures are supervisor-mode
accesses regardless of CPL. Examples of such implicit supervisor
accesses include the following: accesses to the global descriptor
table (GDT) or local descriptor table (LDT) to load a segment descriptor;
accesses to the interrupt descriptor table (IDT) when delivering an
interrupt or exception; and accesses to the task-state segment (TSS) as
part of a task switch or change of CPL.

If CR4.SMAP = 1, supervisor-mode data accesses are not allowed
to linear addresses that are accessible in user mode. If CPL < 3,
SMAP protections are disabled if EFLAGS.AC = 1. If CPL = 3, SMAP
applies to all supervisor-mode data accesses (these are implicit
supervisor accesses) regardless of the value of EFLAGS.AC.

Version 1:
  * Add two macros for STAC/CLAC instructions
  * Temporary disable SMAP to legally access user pages in kernel mode
  * Enable Supervisor Mode Access Prevention (SMAP) for Xen itself
  * Add SMAP support to HVM guest
  * Disable SMAP feature when guest is in non-paging mode

Version 2:
  * Change the definition of ASM_STAC/ASM_CLAC.
  * Clear AC bit at the beginning of exception, interrup, hypercall.
  * Make construct_dom0() wrapped in a stac()/clac() part as a whole.
  * Reorder some patches in the series.
  * Combine some conditionals with SMEP.
  * Typo, etc. 

Version 3:
  * Clean-ups to ASM_STAC/ASM_CLAC
  * Enable SMAP after constructin domain 0
  * Move common_interrupt to entry.S
  * Remove ASM_CLAC calls in some places where exception happens
  * Correct the logic in hvm_vcpu_has_smep()/hvm_vcpu_has_smap() 
  * Make the output message more readable when SMAP violation happens
  * Use hvm_get_segment_register() to get the guest SS in guest_walk_tables()
  * Coding style changes, etc.

Version 4:
  * Use common macro CPUINFO_features instead of CPUINFO86_ext_features in xen/arch/x86/boot/head.S
  * Make ASM_STAC/ASM_CLAC common both in assembly and C code
  * Merge xen/include/asm-x86/x86_64/asm_defns.h into xen/include/asm-x86/asm_defns.h
  * Add a parameter to SAVE_ALL to include ASM_CALC in it optional
  * Remove ASM_STAC/ASM_CLAC pair in compat_create_bounce_frame, since in this chunk of code,
    it only accesses the pv guest's kernel stack, which is in ring 1 for 32-bit pv guests.
  * Call "setup_clear_cpu_cap(X86_FEATURE_SMAP)" before APs get brought up
  * Coding style changes.

Since Linux kernel has already supported SMAP, I tested this patch both
in EPT and shadow mode with Linux guest, they work well. And I also
tested the failure case, in which, I triggered an SMAP violation in
the guest kernel and Linux successfully received the related page
fault.

Feng Wu (10):
  x86: define macros CPUINFO_features and CPUINFO_FEATURE_OFFSET
  x86: move common_interrupt to entry.S
  x86: merge stuff from asm-x86/x86_64/asm_defns.h to
    asm-x86/asm_defns.h
  x86: Add support for STAC/CLAC instructions
  Clear AC bit in RFLAGS to protect Xen itself by SMAP
  x86: Temporary disable SMAP to legally access user pages in kernel
    mode
  VMX: Disable SMAP feature when guest is in non-paging mode
  x86: Enable Supervisor Mode Access Prevention (SMAP) for Xen
  x86/hvm: Add SMAP support to HVM guest
  x86/tools: Expose SMAP to HVM guests

 docs/misc/xen-command-line.markdown    |   7 +
 tools/libxc/xc_cpufeature.h            |   1 +
 tools/libxc/xc_cpuid_x86.c             |   1 +
 xen/arch/x86/boot/head.S               |   3 +-
 xen/arch/x86/hvm/hvm.c                 |   3 +
 xen/arch/x86/hvm/vmx/vmx.c             |   6 +-
 xen/arch/x86/i8259.c                   |   2 -
 xen/arch/x86/mm/guest_walk.c           |  40 +++--
 xen/arch/x86/setup.c                   |  14 ++
 xen/arch/x86/traps.c                   |  70 +++++++--
 xen/arch/x86/usercopy.c                |   6 +
 xen/arch/x86/x86_64/asm-offsets.c      |   2 +-
 xen/arch/x86/x86_64/compat/entry.S     |   1 +
 xen/arch/x86/x86_64/entry.S            |  19 ++-
 xen/arch/x86/x86_64/traps.c            |   2 +-
 xen/include/asm-x86/asm_defns.h        | 262 ++++++++++++++++++++++++++++++++-
 xen/include/asm-x86/cpufeature.h       |   5 +
 xen/include/asm-x86/domain.h           |   6 +-
 xen/include/asm-x86/hvm/hvm.h          |  16 ++
 xen/include/asm-x86/uaccess.h          |   4 +
 xen/include/asm-x86/x86_64/asm_defns.h | 231 -----------------------------
 xen/include/asm-x86/x86_64/system.h    |   2 +
 22 files changed, 432 insertions(+), 271 deletions(-)
 delete mode 100644 xen/include/asm-x86/x86_64/asm_defns.h

-- 
1.8.3.1

Re: [PATCH v4 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)

[Ian Campbell]

On Mon, 2014-05-05 at 16:18 +0800, Feng Wu wrote:

Please, again, fix your email setup to properly thread the series into a
single thread, not 11 separate threads.

Ian.

Re: [PATCH v4 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)

[Wu, Feng]

> -----Original Message-----
> From: xen-devel-bounces@lists.xen.org
> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Ian Campbell
> Sent: Tuesday, May 06, 2014 4:38 PM
> To: Wu, Feng
> Cc: Tian, Kevin; JBeulich@suse.com; andrew.cooper3@citrix.com; Dong, Eddie;
> xen-devel@lists.xen.org; Nakajima, Jun
> Subject: Re: [Xen-devel] [PATCH v4 00/10] x86: Enable Supervisor Mode Access
> Prevention (SMAP)
> 
> On Mon, 2014-05-05 at 16:18 +0800, Feng Wu wrote:
> 
> Please, again, fix your email setup to properly thread the series into a
> single thread, not 11 separate threads.
> 

Ian, I am not quite understand this, seems the format of my patch set is the same
as other people's. I remember you said " emails {1..6}/6 should be replies to 0/6. ", 
but I don't see patch set following this way in the mailing list. Do I understanding something
wrong?

> Ian.
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

Thanks,
Feng

Re: [PATCH v4 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)

[Hongyang Yang]

On 05/07/2014 09:14 AM, Wu, Feng wrote:
>
>> -----Original Message-----
>> From: xen-devel-bounces@lists.xen.org
>> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Ian Campbell
>> Sent: Tuesday, May 06, 2014 4:38 PM
>> To: Wu, Feng
>> Cc: Tian, Kevin; JBeulich@suse.com; andrew.cooper3@citrix.com; Dong, Eddie;
>> xen-devel@lists.xen.org; Nakajima, Jun
>> Subject: Re: [Xen-devel] [PATCH v4 00/10] x86: Enable Supervisor Mode Access
>> Prevention (SMAP)
>>
>> On Mon, 2014-05-05 at 16:18 +0800, Feng Wu wrote:
>>
>> Please, again, fix your email setup to properly thread the series into a
>> single thread, not 11 separate threads.
>>
> Ian, I am not quite understand this, seems the format of my patch set is the same
> as other people's. I remember you said " emails {1..6}/6 should be replies to 0/6. ",
> but I don't see patch set following this way in the mailing list. Do I understanding something
> wrong?

Hi, wu, you could take a look at git send-email command and use the
command to send your patchset. hope it will help.

>> Ian.
>>
>>
>> _______________________________________________
>> Xen-devel mailing list
>> Xen-devel@lists.xen.org
>> http://lists.xen.org/xen-devel
> Thanks,
> Feng
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
>

Re: [PATCH v4 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)

[Jan Beulich]

>>> On 07.05.14 at 03:14, <feng.wu@intel.com> wrote:
>> From: xen-devel-bounces@lists.xen.org 
>> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Ian Campbell
>> On Mon, 2014-05-05 at 16:18 +0800, Feng Wu wrote:
>> 
>> Please, again, fix your email setup to properly thread the series into a
>> single thread, not 11 separate threads.
>> 
> 
> Ian, I am not quite understand this, seems the format of my patch set is the 
> same
> as other people's. I remember you said " emails {1..6}/6 should be replies 
> to 0/6. ", 
> but I don't see patch set following this way in the mailing list.

This is the problem, but since it is being introduced by you (and not
the list server), it's also up to you to address it. Whether you use
git to get this done properly or some other approach is up to you.

Jan

Re: [PATCH v4 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)

[Wu, Feng]

> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: Wednesday, May 07, 2014 3:38 PM
> To: Wu, Feng
> Cc: andrew.cooper3@citrix.com; Ian Campbell; Dong, Eddie; Nakajima, Jun;
> Tian, Kevin; xen-devel@lists.xen.org
> Subject: RE: [Xen-devel] [PATCH v4 00/10] x86: Enable Supervisor Mode Access
> Prevention (SMAP)
> 
> >>> On 07.05.14 at 03:14, <feng.wu@intel.com> wrote:
> >> From: xen-devel-bounces@lists.xen.org
> >> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Ian Campbell
> >> On Mon, 2014-05-05 at 16:18 +0800, Feng Wu wrote:
> >>
> >> Please, again, fix your email setup to properly thread the series into a
> >> single thread, not 11 separate threads.
> >>
> >
> > Ian, I am not quite understand this, seems the format of my patch set is the
> > same
> > as other people's. I remember you said " emails {1..6}/6 should be replies
> > to 0/6. ",
> > but I don't see patch set following this way in the mailing list.
> 
> This is the problem, but since it is being introduced by you (and not
> the list server), it's also up to you to address it. Whether you use
> git to get this done properly or some other approach is up to you.

I was using git send-email to send the patch. I add some setting for git just now,
I think it should work now. Thanks!

> 
> Jan

Thanks,
Feng

Re: [PATCH v4 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)

[Konrad Rzeszutek Wilk]

On Wed, May 07, 2014 at 08:37:50AM +0100, Jan Beulich wrote:
> >>> On 07.05.14 at 03:14, <feng.wu@intel.com> wrote:
> >> From: xen-devel-bounces@lists.xen.org 
> >> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Ian Campbell
> >> On Mon, 2014-05-05 at 16:18 +0800, Feng Wu wrote:
> >> 
> >> Please, again, fix your email setup to properly thread the series into a
> >> single thread, not 11 separate threads.
> >> 
> > 
> > Ian, I am not quite understand this, seems the format of my patch set is the 
> > same
> > as other people's. I remember you said " emails {1..6}/6 should be replies 
> > to 0/6. ", 
> > but I don't see patch set following this way in the mailing list.
> 
> This is the problem, but since it is being introduced by you (and not
> the list server), it's also up to you to address it. Whether you use
> git to get this done properly or some other approach is up to you.

How do you use 'git send-email'? Are you using any specific over-rides 
or just the default parameters? Anything in your .gitconfig?

FYI, this is what I have:

[user]
        name = Konrad Rzeszutek Wilk
        email = konrad.wilk@oracle.com
        signingkey = F1DB09BF

[color]
        branch = true
        diff = true
        grep = 1
[merge]
        summary = true
        tool = kdiff3
        conflictstyle = diff3

[rerere]
        enabled = 1

[sendemail]
            smtpserver     = mail.kernel.org
            smtpserverport = 587
            smtpencryption = tls
            from           = konrad@kernel.org
            smtpuser       = konrad
            smtppass       = HAHAHAHAHA

[external]
    diff = kdiff3

And when I send patches out I do:

git format-patch origin/staging..
git send-email --to "linux-kernel@vger.kernel.org" --to "xen-devel@lists.xensource.com" --cc "Konrad Rzeszutek Wilk <konrad@kernel.org>"  --annotate --compose --subject "[PATCH vX] blah *.patch



> 
> Jan
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

Re: [PATCH v4 00/10] x86: Enable Supervisor Mode Access Prevention (SMAP)

[Wu, Feng]

> -----Original Message-----
> From: Konrad Rzeszutek Wilk [mailto:konrad.wilk@oracle.com]
> Sent: Wednesday, May 07, 2014 9:11 PM
> To: Jan Beulich
> Cc: Wu, Feng; Tian, Kevin; Ian Campbell; andrew.cooper3@citrix.com; Dong,
> Eddie; xen-devel@lists.xen.org; Nakajima, Jun
> Subject: Re: [Xen-devel] [PATCH v4 00/10] x86: Enable Supervisor Mode Access
> Prevention (SMAP)
> 
> On Wed, May 07, 2014 at 08:37:50AM +0100, Jan Beulich wrote:
> > >>> On 07.05.14 at 03:14, <feng.wu@intel.com> wrote:
> > >> From: xen-devel-bounces@lists.xen.org
> > >> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Ian Campbell
> > >> On Mon, 2014-05-05 at 16:18 +0800, Feng Wu wrote:
> > >>
> > >> Please, again, fix your email setup to properly thread the series into a
> > >> single thread, not 11 separate threads.
> > >>
> > >
> > > Ian, I am not quite understand this, seems the format of my patch set is the
> > > same
> > > as other people's. I remember you said " emails {1..6}/6 should be replies
> > > to 0/6. ",
> > > but I don't see patch set following this way in the mailing list.
> >
> > This is the problem, but since it is being introduced by you (and not
> > the list server), it's also up to you to address it. Whether you use
> > git to get this done properly or some other approach is up to you.
> 
> How do you use 'git send-email'? Are you using any specific over-rides
> or just the default parameters? Anything in your .gitconfig?
> 
> FYI, this is what I have:
> 
> [user]
>         name = Konrad Rzeszutek Wilk
>         email = konrad.wilk@oracle.com
>         signingkey = F1DB09BF
> 
> [color]
>         branch = true
>         diff = true
>         grep = 1
> [merge]
>         summary = true
>         tool = kdiff3
>         conflictstyle = diff3
> 
> [rerere]
>         enabled = 1
> 
> [sendemail]
>             smtpserver     = mail.kernel.org
>             smtpserverport = 587
>             smtpencryption = tls
>             from           = konrad@kernel.org
>             smtpuser       = konrad
>             smtppass       = HAHAHAHAHA
> 
> [external]
>     diff = kdiff3
> 
> And when I send patches out I do:
> 
> git format-patch origin/staging..
> git send-email --to "linux-kernel@vger.kernel.org" --to
> "xen-devel@lists.xensource.com" --cc "Konrad Rzeszutek Wilk
> <konrad@kernel.org>"  --annotate --compose --subject "[PATCH vX] blah
> *.patch
> 
> 

Thanks for the sharing, that should be very helpful! I use the default setting for "git send-email" for v1 to v5. For v6 I got
another .gitconfig like this:

[user]
        name = Feng Wu
        email = feng.wu@intel.com

[sendemail]
        smtpserver = smtp.intel.com
        smtpport = 25
        confirm = auto
        thread = yes
        chainreplyto = no
        from = "Feng Wu <feng.wu@intel.com>"

After using this .gitconfig, the patches is threaded.

> 
> >
> > Jan
> >
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xen.org
> > http://lists.xen.org/xen-devel

Thanks,
Feng