RE: [Xen-devel] [Patch] Enable SMEP CPU feature support for XEN itself
> > I don't know if we can distinguish that when creating guest.
>
> Of course you can. See the guest_64bit flag already used in
> xc_pv_cpuid_policy()!
>
> However, given that the guest cannot influence whether SMEP is
> enabled/disabled, perhaps it makes sense to always hide the feature? Also we

SMEP can protect Xen hypervisor and 32bit guest kernel from application, but as 32bit guests run in ring 1, it still can exploit null pointer in Xen, although it's rare.

I vaguely remember Windows disallows execution from first page (or 4M?) of virtual address space. Does Xen disallow PV guest kernel executing from there?

> should unconditionally be hiding the CPUID feature in any case when Xen does
> not support SMEP (because disabled on command line, or in the stable
> branches without the feature patch applied) as otherwise guest can detect
> the feature and will crash when it tries to enable the feature in CR4. This
> is why it's a bad idea that we blacklist CPUID features for PV guests rather
> than whitelist them. I will apply such a patch to all trees now.

You're right. We will rebase the patch on your new code.

Thanks!
-Xin

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
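The blacklist-versus-whitelist point from the quoted text, as an added example that is not part of the original message and not Xen's code: a blacklist written without SMEP in it lets the new CPUID bit through to the guest, while a whitelist hides it. The function names, the policy masks and the host CPUID value are constructed for illustration; only the bit positions (CPUID leaf 7 EBX bit 7, CR4 bit 20) are architectural.

```c
#include <stdint.h>
#include <stdio.h>

/* CPUID.(EAX=7,ECX=0):EBX feature bits and the matching CR4 bit. */
#define F7_FSGSBASE (1u << 0)
#define F7_SMEP     (1u << 7)
#define F7_ERMS     (1u << 9)
#define CR4_SMEP    (1u << 20)

/* Constructed host value: a CPU that advertises all three features. */
#define HOST_EBX (F7_FSGSBASE | F7_SMEP | F7_ERMS)

/* Hypothetical blacklist policy: hide only the bits someone listed as bad.
 * Any feature added to the CPU later is exposed by default. */
static uint32_t pv_leaf7_blacklist(uint32_t host_ebx, uint32_t known_bad)
{
    return host_ebx & ~known_bad;
}

/* Hypothetical whitelist policy: expose only bits listed as safe.
 * Any feature added to the CPU later is hidden by default. */
static uint32_t pv_leaf7_whitelist(uint32_t host_ebx, uint32_t known_good)
{
    return host_ebx & known_good;
}

/* Models a guest kernel that sets CR4.SMEP whenever CPUID advertises SMEP.
 * hv_allowed_cr4 is the set of CR4 bits the hypervisor lets the guest set.
 * Returns 0 if the guest boots, -1 if its CR4 write is refused (crash). */
static int guest_boot(uint32_t guest_ebx, uint32_t hv_allowed_cr4)
{
    uint32_t wanted = (guest_ebx & F7_SMEP) ? CR4_SMEP : 0;
    return (wanted & ~hv_allowed_cr4) ? -1 : 0;
}

int main(void)
{
    /* Hypervisor without SMEP support: the guest may not set CR4.SMEP. */
    uint32_t allowed_cr4 = 0;
    uint32_t bl = pv_leaf7_blacklist(HOST_EBX, F7_FSGSBASE);
    uint32_t wl = pv_leaf7_whitelist(HOST_EBX, F7_ERMS);

    printf("blacklist: SMEP visible=%d boot=%d\n",
           !!(bl & F7_SMEP), guest_boot(bl, allowed_cr4));
    printf("whitelist: SMEP visible=%d boot=%d\n",
           !!(wl & F7_SMEP), guest_boot(wl, allowed_cr4));
    return 0;
}
```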