SMAP/SMEP issues with 32-bit pv guests

SMAP/SMEP issues with 32-bit pv guests

[Wu, Feng]

Hi Andy,

As you know, SMAP/SMEP may affect the 32-bit pv guests, after discussed internally, our current idea is that we can just disable this two feature for Xen hypervisor itself, hence only enable it for HVM guests. Do you think this is acceptable from your perspective?

Thanks,
Feng

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: SMAP/SMEP issues with 32-bit pv guests

[Jan Beulich]

>>> On 28.06.16 at 03:58, <feng.wu@intel.com> wrote:
> As you know, SMAP/SMEP may affect the 32-bit pv guests, after discussed 
> internally, our current idea is that we can just disable this two feature for 
> Xen hypervisor itself, hence only enable it for HVM guests. Do you think this 
> is acceptable from your perspective?

I think at most we should go as far as making this an option. That's
better than requiring people to turn off SMEP/SMAP completely to
gain back performance, and better than forcing people to accept
this security wise step backwards without any alternative. And once
an option, I think I'd still like to have current behavior remain the
default; distros could choose to alter that default with - presumably -
a one line patch.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: SMAP/SMEP issues with 32-bit pv guests

[Wu, Feng]

Hi Andrew,

> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: Tuesday, June 28, 2016 3:42 PM
> To: Wu, Feng <feng.wu@intel.com>
> Cc: Andrew Cooper (andrew.cooper3@citrix.com)
> <andrew.cooper3@citrix.com>; Nakajima, Jun <jun.nakajima@intel.com>;
> Wang, Yong Y <yong.y.wang@intel.com>; xen-devel@lists.xen.org
> Subject: Re: SMAP/SMEP issues with 32-bit pv guests
> 
> >>> On 28.06.16 at 03:58, <feng.wu@intel.com> wrote:
> > As you know, SMAP/SMEP may affect the 32-bit pv guests, after discussed
> > internally, our current idea is that we can just disable this two feature for
> > Xen hypervisor itself, hence only enable it for HVM guests. Do you think this
> > is acceptable from your perspective?
> 
> I think at most we should go as far as making this an option. That's
> better than requiring people to turn off SMEP/SMAP completely to
> gain back performance, and better than forcing people to accept
> this security wise step backwards without any alternative. And once
> an option, I think I'd still like to have current behavior remain the
> default; distros could choose to alter that default with - presumably -
> a one line patch.

What is your opinion about doing it this way? If you also agree with it, we
will start to implement it.

Thanks,
Feng

> 
> Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: SMAP/SMEP issues with 32-bit pv guests

[Jan Beulich]

>>> On 01.08.16 at 02:48, <feng.wu@intel.com> wrote:
>> From: Jan Beulich [mailto:JBeulich@suse.com]
>> Sent: Tuesday, June 28, 2016 3:42 PM
>> >>> On 28.06.16 at 03:58, <feng.wu@intel.com> wrote:
>> > As you know, SMAP/SMEP may affect the 32-bit pv guests, after discussed
>> > internally, our current idea is that we can just disable this two feature for
>> > Xen hypervisor itself, hence only enable it for HVM guests. Do you think this
>> > is acceptable from your perspective?
>> 
>> I think at most we should go as far as making this an option. That's
>> better than requiring people to turn off SMEP/SMAP completely to
>> gain back performance, and better than forcing people to accept
>> this security wise step backwards without any alternative. And once
>> an option, I think I'd still like to have current behavior remain the
>> default; distros could choose to alter that default with - presumably -
>> a one line patch.
> 
> What is your opinion about doing it this way? If you also agree with it, we
> will start to implement it.

To be honest, with it having been over a month since the original
mail, and with it (presumably) not being a very intrusive change
(hence not requiring an awful lot of work) I don't see why you
couldn't simply prepare and submit the patch instead of waiting
for further replies.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: SMAP/SMEP issues with 32-bit pv guests

[Wu, Feng]

> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: Monday, August 1, 2016 4:16 PM
> To: Wu, Feng <feng.wu@intel.com>
> Cc: Andrew Cooper(andrew.cooper3@citrix.com)
> <andrew.cooper3@citrix.com>; Nakajima, Jun <jun.nakajima@intel.com>;
> Wang, Yong Y <yong.y.wang@intel.com>; xen-devel@lists.xen.org
> Subject: RE: SMAP/SMEP issues with 32-bit pv guests
> 
> >>> On 01.08.16 at 02:48, <feng.wu@intel.com> wrote:
> >> From: Jan Beulich [mailto:JBeulich@suse.com]
> >> Sent: Tuesday, June 28, 2016 3:42 PM
> >> >>> On 28.06.16 at 03:58, <feng.wu@intel.com> wrote:
> >> > As you know, SMAP/SMEP may affect the 32-bit pv guests, after
> discussed
> >> > internally, our current idea is that we can just disable this two feature
> for
> >> > Xen hypervisor itself, hence only enable it for HVM guests. Do you think
> this
> >> > is acceptable from your perspective?
> >>
> >> I think at most we should go as far as making this an option. That's
> >> better than requiring people to turn off SMEP/SMAP completely to
> >> gain back performance, and better than forcing people to accept
> >> this security wise step backwards without any alternative. And once
> >> an option, I think I'd still like to have current behavior remain the
> >> default; distros could choose to alter that default with - presumably -
> >> a one line patch.
> >
> > What is your opinion about doing it this way? If you also agree with it, we
> > will start to implement it.
> 
> To be honest, with it having been over a month since the original
> mail, and with it (presumably) not being a very intrusive change
> (hence not requiring an awful lot of work) I don't see why you
> couldn't simply prepare and submit the patch instead of waiting
> for further replies.
> 

We would like to hear the comments from Citrix before coding, we don't
want to waste time writing unacceptable patches.

Thanks,
Feng

> Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: SMAP/SMEP issues with 32-bit pv guests

[Andrew Cooper]

On 28/06/16 02:58, Wu, Feng wrote:
> Hi Andy,
>
> As you know, SMAP/SMEP may affect the 32-bit pv guests, after discussed internally, our current idea is that we can just disable this two feature for Xen hypervisor itself, hence only enable it for HVM guests. Do you think this is acceptable from your perspective?

So you are suggesting that Xen detects SMEP/SMAP, doesn't turn it on for
itself, but does allow HVM guests to use it?

I suppose that is a slight improvement over the current situation.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: SMAP/SMEP issues with 32-bit pv guests

[Wang, Yong Y]

> -----Original Message-----
> From: Andrew Cooper [mailto:andrew.cooper3@citrix.com]
> Sent: Monday, August 1, 2016 6:16 PM
> To: Wu, Feng <feng.wu@intel.com>
> Cc: Nakajima, Jun <jun.nakajima@intel.com>; Wang, Yong Y
> <yong.y.wang@intel.com>; Jan Beulich (JBeulich@suse.com)
> <JBeulich@suse.com>; xen-devel@lists.xen.org
> Subject: Re: SMAP/SMEP issues with 32-bit pv guests
> 
> On 28/06/16 02:58, Wu, Feng wrote:
> > Hi Andy,
> >
> > As you know, SMAP/SMEP may affect the 32-bit pv guests, after discussed
> internally, our current idea is that we can just disable this two feature for Xen
> hypervisor itself, hence only enable it for HVM guests. Do you think this is
> acceptable from your perspective?
> 
> So you are suggesting that Xen detects SMEP/SMAP, doesn't turn it on for
> itself, but does allow HVM guests to use it?
> 

Yes, that is correct.

> I suppose that is a slight improvement over the current situation.
> 

Do you mind being a bit more clear on this? Is this something you want to see or do you want something else?

Thanks
-Yong


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: SMAP/SMEP issues with 32-bit pv guests

[Andrew Cooper]

On 01/08/16 13:24, Wang, Yong Y wrote:
>> -----Original Message-----
>> From: Andrew Cooper [mailto:andrew.cooper3@citrix.com]
>> Sent: Monday, August 1, 2016 6:16 PM
>> To: Wu, Feng <feng.wu@intel.com>
>> Cc: Nakajima, Jun <jun.nakajima@intel.com>; Wang, Yong Y
>> <yong.y.wang@intel.com>; Jan Beulich (JBeulich@suse.com)
>> <JBeulich@suse.com>; xen-devel@lists.xen.org
>> Subject: Re: SMAP/SMEP issues with 32-bit pv guests
>>
>> On 28/06/16 02:58, Wu, Feng wrote:
>>> Hi Andy,
>>>
>>> As you know, SMAP/SMEP may affect the 32-bit pv guests, after discussed
>> internally, our current idea is that we can just disable this two feature for Xen
>> hypervisor itself, hence only enable it for HVM guests. Do you think this is
>> acceptable from your perspective?
>>
>> So you are suggesting that Xen detects SMEP/SMAP, doesn't turn it on for
>> itself, but does allow HVM guests to use it?
>>
> Yes, that is correct.
>
>> I suppose that is a slight improvement over the current situation.
>>
> Do you mind being a bit more clear on this? Is this something you want to see or do you want something else?

It is an improvement, so go ahead.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: SMAP/SMEP issues with 32-bit pv guests

[Wu, Feng]

> -----Original Message-----
> From: Andrew Cooper [mailto:andrew.cooper3@citrix.com]
> Sent: Monday, August 1, 2016 8:31 PM
> To: Wang, Yong Y <yong.y.wang@intel.com>; Wu, Feng <feng.wu@intel.com>
> Cc: Nakajima, Jun <jun.nakajima@intel.com>; Jan Beulich
> (JBeulich@suse.com) <JBeulich@suse.com>; xen-devel@lists.xen.org
> Subject: Re: SMAP/SMEP issues with 32-bit pv guests
> 
> On 01/08/16 13:24, Wang, Yong Y wrote:
> >> -----Original Message-----
> >> From: Andrew Cooper [mailto:andrew.cooper3@citrix.com]
> >> Sent: Monday, August 1, 2016 6:16 PM
> >> To: Wu, Feng <feng.wu@intel.com>
> >> Cc: Nakajima, Jun <jun.nakajima@intel.com>; Wang, Yong Y
> >> <yong.y.wang@intel.com>; Jan Beulich (JBeulich@suse.com)
> >> <JBeulich@suse.com>; xen-devel@lists.xen.org
> >> Subject: Re: SMAP/SMEP issues with 32-bit pv guests
> >>
> >> On 28/06/16 02:58, Wu, Feng wrote:
> >>> Hi Andy,
> >>>
> >>> As you know, SMAP/SMEP may affect the 32-bit pv guests, after
> discussed
> >> internally, our current idea is that we can just disable this two feature for
> Xen
> >> hypervisor itself, hence only enable it for HVM guests. Do you think this is
> >> acceptable from your perspective?
> >>
> >> So you are suggesting that Xen detects SMEP/SMAP, doesn't turn it on for
> >> itself, but does allow HVM guests to use it?
> >>
> > Yes, that is correct.
> >
> >> I suppose that is a slight improvement over the current situation.
> >>
> > Do you mind being a bit more clear on this? Is this something you want to
> see or do you want something else?
> 
> It is an improvement, so go ahead.
> 

Great, Thanks Andrew!

Thanks,
Feng

> ~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel