From: Avi Kivity
Subject: Re: [Patch v5 0/4] Enable SMEP feature support for kvm
Date: Mon, 30 May 2011 13:00:03 +0300
Message-ID: <4DE36AA3.3020704@redhat.com>
References: <5D8008F58939784290FAB48F5497519844E92781DD@shsmsx502.ccr.corp.intel.com> <4DE35ACB.9000503@redhat.com> <625BA99ED14B2D499DC4E29D8138F1505CA61C0506@shsmsx502.ccr.corp.intel.com> <4DE35FC5.5030804@redhat.com> <625BA99ED14B2D499DC4E29D8138F1505CA61C051C@shsmsx502.ccr.corp.intel.com>
In-Reply-To: <625BA99ED14B2D499DC4E29D8138F1505CA61C051C@shsmsx502.ccr.corp.intel.com>
To: "Tian, Kevin"
Cc: "Yang, Wei Y", "kvm@vger.kernel.org"

On 05/30/2011 12:18 PM, Tian, Kevin wrote:
> > From: Avi Kivity [mailto:avi@redhat.com]
> > Sent: Monday, May 30, 2011 5:14 PM
> >
> > On 05/30/2011 12:08 PM, Tian, Kevin wrote:
> > > > From: Avi Kivity
> > > > Sent: Monday, May 30, 2011 4:52 PM
> > > >
> > > > On 05/30/2011 06:01 AM, Yang, Wei Y wrote:
> > > > > This patchset enables a new CPU feature SMEP (Supervisor Mode Execution
> > > > > Protection) in KVM. SMEP prevents kernel from executing code in application.
> > > > > Updated Intel SDM describes this CPU feature. The document will be
> > > > > published soon.
> > > > >
> > > > > This patchset is based on Fenghua's SMEP patch series, as referred by:
> > > > > https://lkml.org/lkml/2011/5/17/523
> > > >
> > > > Looks good. I'll post the cr0.wp=0 fixup soon.
> > > >
> > >
> > > what's your planned fix? through NX bit? :-)
> >
> > Yes.
> >
> > > btw, why is current scheme used to emulate cr0.wp=0 case instead of simply
> > > emulating it?
> >
> > How would you simply emulate it?
> >
> > We have to force cr0.wp=1, otherwise we cannot write-protect guest page
> > tables. Once we do that, we have to set U=1 to allow user reads or U=0
> > to allow kernel writes.
> >
>
> I mean using instruction emulation instead of changing permission to re-execute
> faulting instruction. Or is current KVM instruction emulator not complete enough
> to handle various memory access instructions (just designed for page table access
> and real mode instructions?)?

I think by now it's complete enough (it wasn't when the shadow mmu was written). But emulation will be slow if the guest writes a lot of data to the page.

-- 
error compiling committee.c: too many arguments to function
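The trade-off Avi describes (the shadow always runs with CR0.WP=1, so a read-only guest page can be mapped either U=1 for user reads or U=0/W=1 for kernel writes, never both, and each mismatch costs a fault, a permission flip and a re-execution) modelled as an added example. This is constructed illustration code, not KVM's own code: `faults()` encodes the x86 paging rules, `count_flips()` replays a constructed access sequence, and the names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the cr0.wp=0 shadow-paging scheme; not KVM code.
 * x86 rules: user mode can never touch a U=0 page and never write a W=0
 * page; supervisor mode may write a W=0 page only when CR0.WP=0. */
struct pte    { bool user, writable; };
struct access { bool user, write; };

static bool faults(struct pte p, bool cr0_wp, struct access a)
{
    if (a.user)
        return !p.user || (a.write && !p.writable);
    return a.write && !p.writable && cr0_wp;
}

/* The two shadow PTEs KVM can pick for a read-only guest page while the
 * shadow keeps WP=1: mirror the guest (user reads work, kernel writes
 * fault) or U=0/W=1 (kernel writes work, every user access faults). */
static struct pte shadow_for_user(struct pte g) { return g; }
static struct pte shadow_for_kernel(void)       { return (struct pte){ false, true }; }

/* Replay a guest access sequence against a guest page mapped U=1,W=0 and
 * return the number of permission flips (fault + flip + re-execute);
 * *injected counts faults the guest would have taken anyway. */
int count_flips(const struct access *seq, size_t n, bool guest_wp, int *injected)
{
    const struct pte guest = { .user = true, .writable = false };
    struct pte shadow = shadow_for_user(guest);
    int flips = 0;
    *injected = 0;
    for (size_t i = 0; i < n; i++) {
        if (!faults(shadow, true, seq[i]))       /* shadow always has WP=1 */
            continue;
        if (faults(guest, guest_wp, seq[i])) {   /* real guest #PF: forward it */
            (*injected)++;
            continue;
        }
        /* spurious fault caused only by the forced WP=1: flip and re-execute */
        shadow = seq[i].user ? shadow_for_user(guest) : shadow_for_kernel();
        flips++;
    }
    return flips;
}

/* Constructed sequence: kernel writes interleaved with user accesses. */
static const struct access demo_seq[] = { {0,1}, {0,1}, {1,0}, {0,1}, {1,1} };
int demo_flips(bool guest_wp, int *injected)
{
    return count_flips(demo_seq, 5, guest_wp, injected);
}

int main(void)
{
    int inj;
    int flips = demo_flips(false, &inj);
    printf("guest cr0.wp=0: flips=%d injected=%d\n", flips, inj); /* flips=3 injected=1 */
    return 0;
}
```

With guest cr0.wp=1 the same sequence causes no flips at all, because every kernel write to the read-only page is a fault the guest itself expects and is simply injected.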