* [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
@ 2011-05-30  3:01 Yang, Wei Y
  2011-05-30  7:40 ` Ingo Molnar
  0 siblings, 1 reply; 12+ messages in thread
From: Yang, Wei Y @ 2011-05-30  3:01 UTC (permalink / raw)
  To: Avi Kivity; +Cc: kvm


This patch removes SMEP bit from CR4_RESERVED_BITS.

 Signed-off-by: Yang, Wei <wei.y.yang@intel.com>
 Signed-off-by: Shan, Haitao <haitao.shan@intel.com>
 Signed-off-by: Li, Xin <xin.li@intel.com>
---
 arch/x86/include/asm/kvm_host.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index d2ac8e2..4e63432 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -48,7 +48,7 @@
 	(~(unsigned long)(X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE\
 			  | X86_CR4_PSE | X86_CR4_PAE | X86_CR4_MCE     \
 			  | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR  \
-			  | X86_CR4_OSXSAVE \
+			  | X86_CR4_OSXSAVE | X86_CR4_SMEP              \
 			  | X86_CR4_OSXMMEXCPT | X86_CR4_VMXE))

 #define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR)
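Review bot: dropping X86_CR4_SMEP from the reserved mask means the reserved-bit test alone no longer rejects CR4.SMEP, so after this hunk any guest cr4 write can set the bit regardless of whether the guest's CPUID advertises SMEP or the host CPU has it; the commit message should say where in this 4-patch series the cr4 write path gains the matching guest-CPUID check (or that check should be part of this patch), so the intermediate tree is not left accepting a bit the virtual CPU does not expose. The one-line description could also say why the bit is being unreserved rather than only restating the subject.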
--
1.7.4.1



* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-05-30  3:01 [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS Yang, Wei Y
@ 2011-05-30  7:40 ` Ingo Molnar
  2011-05-30  7:49   ` Avi Kivity
  2011-06-01  7:18   ` Tian, Kevin
  0 siblings, 2 replies; 12+ messages in thread
From: Ingo Molnar @ 2011-05-30  7:40 UTC (permalink / raw)
  To: Yang, Wei Y, Pekka Enberg; +Cc: Avi Kivity, kvm


* Yang, Wei Y <wei.y.yang@intel.com> wrote:

> This patch removes SMEP bit from CR4_RESERVED_BITS.

I'm wondering, what is the best-practice way for tools/kvm/ to set 
SMEP for the guest kernel automatically, even if the guest kernel 
itself has not requested SMEP?

The portion i'm worried about are old KVM versions that have the SMEP 
bit in CR4_RESERVED_BITS and reject it. So we cannot just 
unilaterally add SMEP to every cr4 write of the guest. Is there a way 
to query whether the host KVM version supports SMEP setting in cr4?

That way tools/kvm/ could add the SMEP bit if the host CPU has it in 
/proc/cpuinfo and if KVM supports it.

( With a --no-smep kind of command line option to opt out of this 
  automatic protection, to test it, and for the unlikely case that
  SMEP causes problems. )

Thanks,

	Ingo


* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-05-30  7:40 ` Ingo Molnar
@ 2011-05-30  7:49   ` Avi Kivity
  2011-05-30  8:05     ` Ingo Molnar
  2011-06-01  7:18   ` Tian, Kevin
  1 sibling, 1 reply; 12+ messages in thread
From: Avi Kivity @ 2011-05-30  7:49 UTC (permalink / raw)
  To: Ingo Molnar; +Cc: Yang, Wei Y, Pekka Enberg, kvm

On 05/30/2011 10:40 AM, Ingo Molnar wrote:
> * Yang, Wei Y<wei.y.yang@intel.com>  wrote:
>
> >  This patch removes SMEP bit from CR4_RESERVED_BITS.
>
> I'm wondering, what is the best-practice way for tools/kvm/ to set
> SMEP for the guest kernel automatically, even if the guest kernel
> itself has not requested SMEP?
>
> The portion i'm worried about are old KVM versions that have the SMEP
> bit in CR4_RESERVED_BITS and reject it. So we cannot just
> unilaterally add SMEP to every cr4 write of the guest.

tools/kvm doesn't see cr4 writes at all.  The only way to do this is in 
kvm itself.

> Is there a way
> to query whether the host KVM version supports SMEP setting in cr4?
>

KVM_GET_SUPPORTED_CPUID (it returns whether both the host cpu and kvm 
support smep; if one of them doesn't, you'll see smep disabled).

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.
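Avi's answer above (KVM_GET_SUPPORTED_CPUID reports SMEP only when both the host CPU and KVM support it) and the CR4_RESERVED_BITS mask from the patch, modelled in an added C example that is not KVM's code and not part of this thread. The struct cpuid_entry layout, the two sample CPUID tables and the check_cr4_write function are constructed stand-ins; real code would read the entries from the ioctl, and the only hard fact used is that SMEP is advertised in CPUID.(EAX=7,ECX=0):EBX bit 7.

```c
/* Added example (not KVM's code): a model of how a hypervisor decides
 * whether a guest may set CR4.SMEP. It mirrors two things from this
 * thread: the CR4_RESERVED_BITS mask from the patch, and Avi's note
 * that KVM_GET_SUPPORTED_CPUID only reports SMEP when both the host
 * CPU and KVM support it. The cpuid entry layout and sample tables
 * are constructed here; real code would read them via the ioctl. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CR4 bit positions (Intel SDM); names follow arch/x86 usage. */
#define X86_CR4_VME        (1UL << 0)
#define X86_CR4_PVI        (1UL << 1)
#define X86_CR4_TSD        (1UL << 2)
#define X86_CR4_DE         (1UL << 3)
#define X86_CR4_PSE        (1UL << 4)
#define X86_CR4_PAE        (1UL << 5)
#define X86_CR4_MCE        (1UL << 6)
#define X86_CR4_PGE        (1UL << 7)
#define X86_CR4_PCE        (1UL << 8)
#define X86_CR4_OSFXSR     (1UL << 9)
#define X86_CR4_OSXMMEXCPT (1UL << 10)
#define X86_CR4_VMXE       (1UL << 13)
#define X86_CR4_OSXSAVE    (1UL << 18)
#define X86_CR4_SMEP       (1UL << 20)

/* Allowed bits before and after the patch in this thread. */
#define CR4_ALLOWED_BASE (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE \
    | X86_CR4_PSE | X86_CR4_PAE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE \
    | X86_CR4_OSFXSR | X86_CR4_OSXSAVE | X86_CR4_OSXMMEXCPT | X86_CR4_VMXE)
#define CR4_RESERVED_BITS_OLD (~(unsigned long)CR4_ALLOWED_BASE)
#define CR4_RESERVED_BITS_NEW (~(unsigned long)(CR4_ALLOWED_BASE | X86_CR4_SMEP))

/* Minimal stand-in for a KVM cpuid entry (constructed, not <linux/kvm.h>). */
struct cpuid_entry { uint32_t function, index, eax, ebx, ecx, edx; };

/* SMEP is advertised in CPUID.(EAX=7,ECX=0):EBX bit 7. */
#define CPUID_7_0_EBX_SMEP (1u << 7)

/* Returns true if the supplied cpuid table advertises SMEP. With a
 * table from KVM_GET_SUPPORTED_CPUID this answers Ingo's question:
 * it is true only when both the host CPU and KVM support SMEP. */
bool cpuid_has_smep(const struct cpuid_entry *ent, int n)
{
    for (int i = 0; i < n; i++)
        if (ent[i].function == 7 && ent[i].index == 0)
            return (ent[i].ebx & CPUID_7_0_EBX_SMEP) != 0;
    return false;
}

/* Model of the check a hypervisor applies to a guest cr4 write.
 * Returns 0 to accept, -1 to inject #GP. Old KVM rejects SMEP via
 * the reserved mask; new KVM must also gate SMEP on the guest's CPUID,
 * otherwise a guest could set a bit its (virtual) CPU does not have. */
int check_cr4_write(unsigned long reserved, unsigned long cr4,
                    const struct cpuid_entry *guest_cpuid, int n)
{
    if (cr4 & reserved)
        return -1;
    if ((cr4 & X86_CR4_SMEP) && !cpuid_has_smep(guest_cpuid, n))
        return -1;
    return 0;
}

/* Constructed sample tables: one CPU that advertises SMEP, one that does not. */
static const struct cpuid_entry smep_cpu[] = {
    { 7, 0, 0, CPUID_7_0_EBX_SMEP, 0, 0 },
};
static const struct cpuid_entry nosmep_cpu[] = {
    { 7, 0, 0, 0, 0, 0 },
};

int main(void)
{
    unsigned long cr4 = X86_CR4_PAE | X86_CR4_PGE | X86_CR4_SMEP;
    printf("old KVM, SMEP cpu:    %d\n", check_cr4_write(CR4_RESERVED_BITS_OLD, cr4, smep_cpu, 1));
    printf("new KVM, SMEP cpu:    %d\n", check_cr4_write(CR4_RESERVED_BITS_NEW, cr4, smep_cpu, 1));
    printf("new KVM, no-SMEP cpu: %d\n", check_cr4_write(CR4_RESERVED_BITS_NEW, cr4, nosmep_cpu, 1));
    return 0;
}
```

The first case is the "old KVM versions reject it" situation Ingo worries about: the reserved mask alone rejects the write. The second is the post-patch path, and the third shows why unreserving the bit has to go together with a CPUID check.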



* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-05-30  7:49   ` Avi Kivity
@ 2011-05-30  8:05     ` Ingo Molnar
  2011-05-30  8:43       ` Avi Kivity
  0 siblings, 1 reply; 12+ messages in thread
From: Ingo Molnar @ 2011-05-30  8:05 UTC (permalink / raw)
  To: Avi Kivity; +Cc: Yang, Wei Y, Pekka Enberg, kvm


* Avi Kivity <avi@redhat.com> wrote:

> On 05/30/2011 10:40 AM, Ingo Molnar wrote:
> >* Yang, Wei Y<wei.y.yang@intel.com>  wrote:
> >
> >>  This patch removes SMEP bit from CR4_RESERVED_BITS.
> >
> >I'm wondering, what is the best-practice way for tools/kvm/ to set
> >SMEP for the guest kernel automatically, even if the guest kernel
> >itself has not requested SMEP?
> >
> > The portion i'm worried about are old KVM versions that have the 
> > SMEP bit in CR4_RESERVED_BITS and reject it. So we cannot just 
> > unilaterally add SMEP to every cr4 write of the guest.
> 
> tools/kvm doesn't see cr4 writes at all. [...]

I feared small complications like that! :-)

We can definitely use KVM_GET_SREGS, fiddle the SMEP bit in 
kvm_regs.cr4 and call KVM_SET_SREGS, once the fine patch above goes 
upstream.

> [...]  The only way to do this is in kvm itself.
> 
> > Is there a way to query whether the host KVM version supports 
> > SMEP setting in cr4?
> >
> 
> KVM_GET_SUPPORTED_CPUID (it returns whether both the host cpu and 
> kvm support smep; if one of them doesn't, you'll see smep 
> disabled).

That looks useful.

So the way to go appears to be to do a GET_SREGS/SET_SREGS sequence 
to enable SMEP in the guest, some time after it has booted and has 
enabled paging.

I'm wondering whether there's a suitable place to do that, when we 
are more or less guaranteed to exit the VM for some other reason - 
such as the first MMIO done with paging enabled?

This solution means that we'll slow down pre-paging MMIOs with a 
GET_SREGS call, but that's ok, they are rare and the pre-paging 
bootup phase is very short.

So the only worry would be where the guest sets cr4 itself - and 
since it does not know about SMEP it will probably disable it. Guest 
suspend/resume is one such place ...

Another option would be to try to set the SMEP bit *before* we enable 
paging. In theory this should not confuse a Linux guest - and while i 
have not tested it i *think* we let it survive in the 
saved_cr4_features shadow variable. That would make guest 
suspend/resume work out of the box as well.

Thanks,

	Ingo


* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-05-30  8:05     ` Ingo Molnar
@ 2011-05-30  8:43       ` Avi Kivity
  2011-05-30  8:52         ` Ingo Molnar
  0 siblings, 1 reply; 12+ messages in thread
From: Avi Kivity @ 2011-05-30  8:43 UTC (permalink / raw)
  To: Ingo Molnar; +Cc: Yang, Wei Y, Pekka Enberg, kvm

On 05/30/2011 11:05 AM, Ingo Molnar wrote:
> * Avi Kivity<avi@redhat.com>  wrote:
>
> >  On 05/30/2011 10:40 AM, Ingo Molnar wrote:
> >  >* Yang, Wei Y<wei.y.yang@intel.com>   wrote:
> >  >
> >  >>   This patch removes SMEP bit from CR4_RESERVED_BITS.
> >  >
> >  >I'm wondering, what is the best-practice way for tools/kvm/ to set
> >  >SMEP for the guest kernel automatically, even if the guest kernel
> >  >itself has not requested SMEP?
> >  >
> >  >  The portion i'm worried about are old KVM versions that have the
> >  >  SMEP bit in CR4_RESERVED_BITS and reject it. So we cannot just
> >  >  unilaterally add SMEP to every cr4 write of the guest.
> >
> >  tools/kvm doesn't see cr4 writes at all. [...]
>
> I feared small complications like that! :-)
>
> We can definitely use KVM_GET_SREGS, fiddle the SMEP bit in
> kvm_regs.cr4 and call KVM_SET_SREGS, once the fine patch above goes
> upstream.

It's not a good idea.  First, the guest will see cr4.smep where it 
hasn't set it before, which may confuse it.  Second, the guest may 
rewrite cr4.smep, clearing it, giving a false sense of security.

> >  [...]  The only way to do this is in kvm itself.
> >
> >  >  Is there a way to query whether the host KVM version supports
> >  >  SMEP setting in cr4?
> >  >
> >
> >  KVM_GET_SUPPORTED_CPUID (it returns whether both the host cpu and
> >  kvm support smep; if one of them doesn't, you'll see smep
> >  disabled).
>
> That looks useful.
>
> So the way to go appears to be to do a GET_SREGS/SET_SREGS sequence
> to enable SMEP in the guest, some time after it has booted and has
> enabled paging.
>
> I'm wondering whether there's a suitable place to do that, when we
> are more or less guaranteed to exit the VM for some other reason -
> such as the first MMIO done with paging enabled?
>
> This solution means that we'll slow down pre-paging MMIOs with a
> GET_SREGS call, but that's ok, they are rare and the pre-paging
> bootup phase is very short.
>
> So the only worry would be where the guest sets cr4 itself - and
> since it does not know about SMEP it will probably disable it. Guest
> suspend/resume is one such place ...
>
> Another option would be to try to set the SMEP bit *before* we enable
> paging. In theory this should not confuse a Linux guest - and while i
> have not tested it i *think* we let it survive in the
> saved_cr4_features shadow variable. That would make guest
> suspend/resume work out of the box as well.

Is there any reason not to do it in a hidden way in kvm?  Why must we 
play tricks?

-- 
error compiling committee.c: too many arguments to function



* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-05-30  8:43       ` Avi Kivity
@ 2011-05-30  8:52         ` Ingo Molnar
  2011-05-30  8:53           ` Avi Kivity
  0 siblings, 1 reply; 12+ messages in thread
From: Ingo Molnar @ 2011-05-30  8:52 UTC (permalink / raw)
  To: Avi Kivity; +Cc: Yang, Wei Y, Pekka Enberg, kvm


* Avi Kivity <avi@redhat.com> wrote:

> > Another option would be to try to set the SMEP bit *before* we 
> > enable paging. In theory this should not confuse a Linux guest - 
> > and while i have not tested it i *think* we let it survive in the 
> > saved_cr4_features shadow variable. That would make guest 
> > suspend/resume work out of the box as well.
> 
> Is there any reason not to do it in a hidden way in kvm?  Why must 
> we play tricks?

So do you have a suggestion of how to do this cleaner?

Add an ioctl that allows a VCPU to be configured in a way to set a 
cr4 feature without the guest actually seeing that bit? [Assuming 
both cr4 reads and writes are fully captured by KVM and thus guest 
behavior is controllable.]

Thanks,

	Ingo
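A toy model of the two approaches argued about above (Ingo's GET_SREGS/SET_SREGS idea, which Avi objects to because the guest sees the bit and can clear it again, versus a hidden bit enforced by the hypervisor through a new ioctl), as an added C example that is not part of this thread and not KVM code. The vcpu struct and every function name are invented for illustration; the reserved-bit validation a real cr4 write would go through is left out.

```c
/* Added example (not KVM's code): a toy vcpu model contrasting the two
 * approaches discussed in this thread for turning on SMEP for a guest
 * that does not know about it. "sregs" stands for Ingo's
 * KVM_GET_SREGS/KVM_SET_SREGS idea: the bit is placed in the guest's
 * own cr4, so the guest both sees it and can clear it on its next cr4
 * write (Avi's "false sense of security"). "hidden" stands for the
 * ioctl idea: the hypervisor keeps a forced mask separate from the
 * guest's cr4, so the guest never sees the bit and cannot clear it.
 * Struct and function names are invented for this example. */
#include <stdbool.h>
#include <stdio.h>

#define X86_CR4_PAE  (1UL << 5)
#define X86_CR4_PGE  (1UL << 7)
#define X86_CR4_SMEP (1UL << 20)

struct vcpu {
    unsigned long guest_cr4;  /* value the guest wrote and reads back */
    unsigned long forced_cr4; /* bits the hypervisor enforces silently */
};

/* Guest-side cr4 access: reads never reveal forced bits, writes replace
 * only the guest's own view (a real hypervisor would validate the value
 * against its reserved-bit mask first; omitted here). */
unsigned long guest_read_cr4(const struct vcpu *v) { return v->guest_cr4; }
void guest_write_cr4(struct vcpu *v, unsigned long val) { v->guest_cr4 = val; }

/* What the hardware actually runs with: guest view plus forced bits. */
unsigned long effective_cr4(const struct vcpu *v)
{
    return v->guest_cr4 | v->forced_cr4;
}

/* Approach 1: host sets SMEP through the guest-visible register. */
void enable_smep_via_sregs(struct vcpu *v) { v->guest_cr4 |= X86_CR4_SMEP; }

/* Approach 2: host sets SMEP through a hidden, forced mask. */
void enable_smep_hidden(struct vcpu *v) { v->forced_cr4 |= X86_CR4_SMEP; }

bool smep_active(const struct vcpu *v)
{
    return (effective_cr4(v) & X86_CR4_SMEP) != 0;
}

/* Simulate a guest that, e.g. on resume, rewrites cr4 from its own
 * shadow copy that predates SMEP. Returns whether SMEP survives. */
bool smep_survives_guest_rewrite(struct vcpu *v)
{
    unsigned long shadow = X86_CR4_PAE | X86_CR4_PGE; /* guest's idea of cr4 */
    guest_write_cr4(v, shadow);
    return smep_active(v);
}

int main(void)
{
    struct vcpu a = { X86_CR4_PAE | X86_CR4_PGE, 0 };
    struct vcpu b = { X86_CR4_PAE | X86_CR4_PGE, 0 };

    enable_smep_via_sregs(&a);
    printf("sregs:  guest sees SMEP=%d, survives rewrite=%d\n",
           (guest_read_cr4(&a) & X86_CR4_SMEP) != 0, smep_survives_guest_rewrite(&a));

    enable_smep_hidden(&b);
    printf("hidden: guest sees SMEP=%d, survives rewrite=%d\n",
           (guest_read_cr4(&b) & X86_CR4_SMEP) != 0, smep_survives_guest_rewrite(&b));
    return 0;
}
```

On real hardware the hidden variant is what VMX's CR4 guest/host mask and read shadow make possible: the hypervisor owns the SMEP bit, guest reads return the shadow value, and guest writes touching that bit exit to the hypervisor. That is the "cr4 reads and writes are fully captured by KVM" assumption in Ingo's bracketed remark.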


* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-05-30  8:52         ` Ingo Molnar
@ 2011-05-30  8:53           ` Avi Kivity
  2011-05-30  8:57             ` Ingo Molnar
  0 siblings, 1 reply; 12+ messages in thread
From: Avi Kivity @ 2011-05-30  8:53 UTC (permalink / raw)
  To: Ingo Molnar; +Cc: Yang, Wei Y, Pekka Enberg, kvm

On 05/30/2011 11:52 AM, Ingo Molnar wrote:
> * Avi Kivity<avi@redhat.com>  wrote:
>
> >  >  Another option would be to try to set the SMEP bit *before* we
> >  >  enable paging. In theory this should not confuse a Linux guest -
> >  >  and while i have not tested it i *think* we let it survive in the
> >  >  saved_cr4_features shadow variable. That would make guest
> >  >  suspend/resume work out of the box as well.
> >
> >  Is there any reason not to do it in a hidden way in kvm?  Why must
> >  we play tricks?
>
> So do you have a suggestion of how to do this cleaner?
>
> Add an ioctl that allows a VCPU to be configured in a way to set a
> cr4 feature without the guest actually seeing that bit? [Assuming
> both cr4 reads and writes are fully captured by KVM and thus guest
> behavior is controllable.]

Yes, this was what I suggested before.  IIRC you liked it.

-- 
error compiling committee.c: too many arguments to function



* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-05-30  8:53           ` Avi Kivity
@ 2011-05-30  8:57             ` Ingo Molnar
  2011-05-30  9:00               ` Avi Kivity
  0 siblings, 1 reply; 12+ messages in thread
From: Ingo Molnar @ 2011-05-30  8:57 UTC (permalink / raw)
  To: Avi Kivity; +Cc: Yang, Wei Y, Pekka Enberg, kvm


* Avi Kivity <avi@redhat.com> wrote:

> On 05/30/2011 11:52 AM, Ingo Molnar wrote:
> >* Avi Kivity<avi@redhat.com>  wrote:
> >
> >>  >  Another option would be to try to set the SMEP bit *before* we
> >>  >  enable paging. In theory this should not confuse a Linux guest -
> >>  >  and while i have not tested it i *think* we let it survive in the
> >>  >  saved_cr4_features shadow variable. That would make guest
> >>  >  suspend/resume work out of the box as well.
> >>
> >>  Is there any reason not to do it in a hidden way in kvm?  Why must
> >>  we play tricks?
> >
> > So do you have a suggestion of how to do this cleaner?
> >
> > Add an ioctl that allows a VCPU to be configured in a way to set 
> > a cr4 feature without the guest actually seeing that bit? 
> > [Assuming both cr4 reads and writes are fully captured by KVM and 
> > thus guest behavior is controllable.]
> 
> Yes, this was what I suggested before.  IIRC you liked it.

Oh, it wasn't clear to me that this was your preference as well - and 
i didn't see such a capability in this series [let me know if i
blindly missed it] so i was wondering what the battle plan was for
that :-)

Thanks,

	Ingo


* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-05-30  8:57             ` Ingo Molnar
@ 2011-05-30  9:00               ` Avi Kivity
  0 siblings, 0 replies; 12+ messages in thread
From: Avi Kivity @ 2011-05-30  9:00 UTC (permalink / raw)
  To: Ingo Molnar; +Cc: Yang, Wei Y, Pekka Enberg, kvm

On 05/30/2011 11:57 AM, Ingo Molnar wrote:
> Oh, it wasn't clear to me that this was your preference as well - and
> i didn't see such a capability in this series [let me know if i
> blindly missed it] so i was wondering what the battle plan was for
> that :-)

There is no plan.  If someone is interested, please post a patch.

-- 
error compiling committee.c: too many arguments to function



* RE: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-05-30  7:40 ` Ingo Molnar
  2011-05-30  7:49   ` Avi Kivity
@ 2011-06-01  7:18   ` Tian, Kevin
  2011-06-01  7:46     ` Ingo Molnar
  2011-06-01  7:55     ` Avi Kivity
  1 sibling, 2 replies; 12+ messages in thread
From: Tian, Kevin @ 2011-06-01  7:18 UTC (permalink / raw)
  To: Ingo Molnar, Yang, Wei Y, Pekka Enberg; +Cc: Avi Kivity, kvm

> From: Ingo Molnar
> Sent: Monday, May 30, 2011 3:41 PM
> 
> 
> * Yang, Wei Y <wei.y.yang@intel.com> wrote:
> 
> > This patch removes SMEP bit from CR4_RESERVED_BITS.
> 
> I'm wondering, what is the best-practice way for tools/kvm/ to set
> SMEP for the guest kernel automatically, even if the guest kernel
> itself has not requested SMEP?
> 

enabling SMEP w/o guest's knowledge can be problematic if the guest
is doing U/S 0->1 bit change w/o TLB invalidation, which is a required
action to ensure SMEP protection working correctly. Linux versions 
known so far don't have this behavior because TLB invalidation due to
P bit change covers U/S 0->1 change. But given that end users may
deploy various OS within the guest, to enable SMEP this way requires
solid understanding on internals of those OSes. Or else it's uncertain
whether SMEP protection fully works on such uncertain guests.

Thanks
Kevin
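Kevin's TLB point, illustrated with an added C example (not from this thread and not from any real MMU code): a constructed single-level page table over a handful of pages with a small direct-mapped TLB, where the supervisor-mode fetch check takes U/S from the cached translation. It shows why an OS that flips U/S from 0 to 1 without invalidating the entry leaves SMEP silently ineffective for that page, and why Linux, which only does such a change together with a flush-inducing P bit change, is not affected. Page numbers, table layout and function names are invented for the example.

```c
/* Added example (not from the thread or from KVM): a toy page walker
 * with a TLB, to show why Kevin's point matters. SMEP forbids
 * supervisor-mode instruction fetch from a page whose U/S bit is 1.
 * The check uses whatever translation is cached: if the OS flips U/S
 * from 0 to 1 in the page table without invalidating the TLB, a stale
 * entry with U/S=0 keeps the fetch legal, so SMEP silently does
 * nothing for that page until the entry is evicted or flushed.
 * Layout is a constructed single-level table over 4 KiB pages. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PTE_P  (1u << 0)  /* present */
#define PTE_US (1u << 2)  /* 1 = user-accessible, 0 = supervisor-only */
#define NPAGES 8
#define TLB_SLOTS 4

struct tlb_entry { bool valid; unsigned vpn; uint32_t pte; };

struct mmu {
    uint32_t pt[NPAGES];               /* constructed page table */
    struct tlb_entry tlb[TLB_SLOTS];   /* direct-mapped by vpn */
    bool smep;                         /* CR4.SMEP */
};

void mmu_init(struct mmu *m, bool smep)
{
    memset(m, 0, sizeof *m);
    m->smep = smep;
}

/* Lookup with TLB: a hit uses the cached PTE even if memory changed. */
static uint32_t translate(struct mmu *m, unsigned vpn)
{
    struct tlb_entry *e = &m->tlb[vpn % TLB_SLOTS];
    if (e->valid && e->vpn == vpn)
        return e->pte;
    e->valid = true;
    e->vpn = vpn;
    e->pte = m->pt[vpn];
    return e->pte;
}

/* Software-visible invalidation for one page (like invlpg). */
void invlpg(struct mmu *m, unsigned vpn)
{
    struct tlb_entry *e = &m->tlb[vpn % TLB_SLOTS];
    if (e->valid && e->vpn == vpn)
        e->valid = false;
}

/* Supervisor-mode instruction fetch. Returns true if it is allowed. */
bool supervisor_fetch_ok(struct mmu *m, unsigned vpn)
{
    uint32_t pte = translate(m, vpn);
    if (!(pte & PTE_P))
        return false;
    if (m->smep && (pte & PTE_US))
        return false;                    /* SMEP: user page, fault */
    return true;
}

/* Scenario: page 3 starts supervisor-only and is fetched from once (so it
 * is cached), then the OS makes it user-accessible (U/S 0 -> 1). Without
 * a flush the stale entry wins. Returns true if SMEP did not fire. */
bool stale_entry_bypasses_smep(bool flush_after_change)
{
    struct mmu m;
    mmu_init(&m, true);
    m.pt[3] = PTE_P;                     /* U/S = 0: supervisor page */
    (void)supervisor_fetch_ok(&m, 3);    /* populate the TLB */
    m.pt[3] = PTE_P | PTE_US;            /* U/S 0 -> 1 in memory only */
    if (flush_after_change)
        invlpg(&m, 3);
    return supervisor_fetch_ok(&m, 3);
}
```

The failure mode is not that SMEP is off; CR4.SMEP is set the whole time. It is that the protection depends on the TLB agreeing with memory, which is the OS's job. A hypervisor that enables SMEP behind a guest's back therefore has to know that guest's page-table update discipline, which is the "solid understanding on internals of those OSes" Kevin asks for.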


* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-06-01  7:18   ` Tian, Kevin
@ 2011-06-01  7:46     ` Ingo Molnar
  2011-06-01  7:55     ` Avi Kivity
  1 sibling, 0 replies; 12+ messages in thread
From: Ingo Molnar @ 2011-06-01  7:46 UTC (permalink / raw)
  To: Tian, Kevin; +Cc: Yang, Wei Y, Pekka Enberg, Avi Kivity, kvm


* Tian, Kevin <kevin.tian@intel.com> wrote:

> > From: Ingo Molnar
> > Sent: Monday, May 30, 2011 3:41 PM
> > 
> > 
> > * Yang, Wei Y <wei.y.yang@intel.com> wrote:
> > 
> > > This patch removes SMEP bit from CR4_RESERVED_BITS.
> > 
> > I'm wondering, what is the best-practice way for tools/kvm/ to set
> > SMEP for the guest kernel automatically, even if the guest kernel
> > itself has not requested SMEP?
> > 
> 
> enabling SMEP w/o guest's knowledge can be problematic if the guest 
> is doing U/S 0->1 bit change w/o TLB invalidation, which is a 
> required action to ensure SMEP protection working correctly. Linux 
> versions known so far don't have this behavior because TLB 
> invalidation due to P bit change covers U/S 0->1 change. [...]

We'd like to use this in the 'kvm' tool:

  git clone git://github.com/penberg/linux-kvm master
  cd linux-kvm/tools/kvm/
  make -j

Which is only interested in Linux guests.

Thanks,

	Ingo


* Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
  2011-06-01  7:18   ` Tian, Kevin
  2011-06-01  7:46     ` Ingo Molnar
@ 2011-06-01  7:55     ` Avi Kivity
  1 sibling, 0 replies; 12+ messages in thread
From: Avi Kivity @ 2011-06-01  7:55 UTC (permalink / raw)
  To: Tian, Kevin; +Cc: Ingo Molnar, Yang, Wei Y, Pekka Enberg, kvm

On 06/01/2011 10:18 AM, Tian, Kevin wrote:
> >  From: Ingo Molnar
> >  Sent: Monday, May 30, 2011 3:41 PM
> >
> >
> >  * Yang, Wei Y<wei.y.yang@intel.com>  wrote:
> >
> >  >  This patch removes SMEP bit from CR4_RESERVED_BITS.
> >
> >  I'm wondering, what is the best-practice way for tools/kvm/ to set
> >  SMEP for the guest kernel automatically, even if the guest kernel
> >  itself has not requested SMEP?
> >
>
> enabling SMEP w/o guest's knowledge can be problematic if the guest
> is doing U/S 0->1 bit change w/o TLB invalidation, which is a required
> action to ensure SMEP protection working correctly. Linux versions
> known so far don't have this behavior because TLB invalidation due to
> P bit change covers U/S 0->1 change. But given that end users may
> deploy various OS within the guest, to enable SMEP this way requires
> solid understanding on internals of those OSes. Or else it's uncertain
> whether SMEP protection fully works on such uncertain guests.

That does reduce the attractiveness of the whole thing.

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.


