Re: [Xen-devel] [PATCH v4] x86/vmx: Add force-ept command line option
 > From: Aravindh Puthiyaparambil [mailto:aravindp@xxxxxxxxx] > Sent: Wednesday, April 23, 2014 12:36 AM > > Add a "force-ept" command line option to allow EPT to be enabled when > VMX feature VM_ENTRY_LOAD_GUEST_PAT is not present. > > Due to CVE-2013-2212, this feature is required by default as a > prerequisite for using EPT. If you are not using PCI Passthrough, or > trust the guest administrator who would be using passthrough, then the > requirement can be relaxed. This option is particularly useful for > nested virtualization, to allow the L1 hypervisor to use EPT even if > the L0 hypervisor does not provide VM_ENTRY_LOAD_GUEST_PAT. > > Signed-off-by: Aravindh Puthiyaparambil <aravindp@xxxxxxxxx> > Cc: Jun Nakajima <jun.nakajima@xxxxxxxxx> > Cc: Eddie Dong <eddie.dong@xxxxxxxxx> > Cc: Kevin Tian <kevin.tian@xxxxxxxxx> > Acked-by: Kevin Tian <kevin.tian@xxxxxxxxx> > --- > Changes from version 3: > Update commit and documentation description. > > Changes from version 2: > 1. Update commit and documentation description. > 2. Rename command line option to "force-ept" > > Changes from version 1: > 1. Fix and update documentation with suggestion from Andrew Cooper. > 2. Remove redundant assignment. > --- > docs/misc/xen-command-line.markdown | 16 ++++++++++++++++ > xen/arch/x86/hvm/vmx/vmx.c | 5 ++++- > 2 files changed, 20 insertions(+), 1 deletion(-) > > diff --git a/docs/misc/xen-command-line.markdown > b/docs/misc/xen-command-line.markdown > index 87de2dc..e9e17c7 100644 > --- a/docs/misc/xen-command-line.markdown > +++ b/docs/misc/xen-command-line.markdown 
> @@ -545,6 +545,22 @@ versa. For example to change dom0 without > changing domU, use > > Specify the font size when using the VESA console driver. > > +### force-ept (Intel) > +> `= <boolean>` > + > +> Default: `false` > + > +Allow EPT to be enabled when VMX feature > VM\_ENTRY\_LOAD\_GUEST\_PAT is not > +present. > + > +*Warning:* > +Due to CVE-2013-2212, VMX feature VM\_ENTRY\_LOAD\_GUEST\_PAT is by > default > +required as a prerequisite for using EPT. If you are not using PCI > Passthrough, > +or trust the guest administrator who would be using passthrough, then the > +requirement can be relaxed. This option is particularly useful for nested > +virtualization, to allow the L1 hypervisor to use EPT even if the L0 > hypervisor > +does not provide VM\_ENTRY\_LOAD\_GUEST\_PAT. > + > ### gdb > > `= <baud>[/<clock_hz>][,DPS[,<io-base>[,<irq>[,<port-bdf>[,<bridge-bdf>]]]] > | pci | amt ] ` > > diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c > index 180cf6c..4b3c899 100644 > --- a/xen/arch/x86/hvm/vmx/vmx.c > +++ b/xen/arch/x86/hvm/vmx/vmx.c > @@ -58,6 +58,9 @@ > #include <asm/hvm/nestedhvm.h> > #include <asm/event.h> > > +static bool_t __initdata opt_force_ept; > +boolean_param("force-ept", opt_force_ept); > + > enum handler_return { HNDL_done, HNDL_unhandled, > HNDL_exception_raised }; > > static void vmx_ctxt_switch_from(struct vcpu *v); > @@ -1724,7 +1727,7 @@ const struct hvm_function_table * __init > start_vmx(void) > * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security > hole > * (refer to http://xenbits.xen.org/xsa/advisory-60.html). > */ > - if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) > + if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_force_ept) ) > { > vmx_function_table.hap_supported = 1; > > -- > 1.9.1 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel 
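Review bot: the new `force-ept` section in docs/misc/xen-command-line.markdown says what the option allows but not what the default costs on such hardware; since the start_vmx() condition leaves `hap_supported` unset when VM_ENTRY_LOAD_GUEST_PAT is absent, state explicitly that HAP is then reported unsupported and HVM guests run on shadow paging, so a reader can see what the option trades the CVE-2013-2212 mitigation for. The code comment also cites XSA-60 by URL while the docs cite only the CVE; naming both (`CVE-2013-2212 / XSA-60`) in the Warning paragraph makes the two easy to cross-reference.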
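Review bot: in the start_vmx() hunk the comment just above the changed condition still reads "Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole", which is no longer unconditionally true once `opt_force_ept` is set; extend it to mention the override. Nothing records that the override was actually taken either, so consider logging when `!cpu_has_vmx_pat && opt_force_ept` holds, for example `printk(XENLOG_WARNING "VMX: EPT enabled without VM_ENTRY_LOAD_GUEST_PAT (force-ept)\n");`, so a boot log shows that EPT is running without the XSA-60 prerequisite.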
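Before reaching for force-ept it is worth confirming that the host really lacks VM_ENTRY_LOAD_GUEST_PAT rather than, say, being an L1 that simply has not been given the bit. The following is an added example, not code from this patch or from Xen: it decodes the VMX capability MSRs the way the `cpu_has_vmx_ept` / `cpu_has_vmx_pat` checks in the hunk do (an approximation of Xen's own control adjustment, not a copy of it), then evaluates the exact gating expression from the start_vmx() hunk with and without the option. MSR indices and bit positions are taken from the Intel SDM vol. 3; the macro names mirror Xen's vmcs.h. The Linux msr driver path, the need for root and `modprobe msr`, and the constructed fallback MSR values are assumptions of this example.

```c
/* Added example (not from the Xen patch): decode the VMX capability MSRs
 * to see whether a host lacks VM_ENTRY_LOAD_GUEST_PAT before using
 * force-ept.  MSR indices and bit positions follow the Intel SDM vol. 3;
 * the macro names mirror Xen's asm/hvm/vmx/vmcs.h. */
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define MSR_IA32_VMX_BASIC            0x480
#define MSR_IA32_VMX_PROCBASED_CTLS   0x482
#define MSR_IA32_VMX_ENTRY_CTLS       0x484
#define MSR_IA32_VMX_PROCBASED_CTLS2  0x48b
#define MSR_IA32_VMX_TRUE_ENTRY_CTLS  0x490

#define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1u << 31)
#define SECONDARY_EXEC_ENABLE_EPT             (1u << 1)
#define VM_ENTRY_LOAD_GUEST_PAT               (1u << 14)
#define VMX_BASIC_TRUE_CTLS                   (1ull << 55) /* TRUE_* MSRs exist */

struct vmx_caps {
    bool ept; /* approximates Xen's cpu_has_vmx_ept */
    bool pat; /* approximates Xen's cpu_has_vmx_pat */
};

/* High dword of a VMX control capability MSR: bits that may be set to 1. */
static uint32_t allowed1(uint64_t msr) { return (uint32_t)(msr >> 32); }

struct vmx_caps decode_vmx_caps(uint64_t basic, uint64_t procbased,
                                uint64_t procbased2, uint64_t entry,
                                uint64_t true_entry)
{
    struct vmx_caps c = { false, false };

    /* The secondary controls (where the EPT bit lives) only count if the
     * primary controls allow activating them at all. */
    if (allowed1(procbased) & CPU_BASED_ACTIVATE_SECONDARY_CONTROLS)
        c.ept = (allowed1(procbased2) & SECONDARY_EXEC_ENABLE_EPT) != 0;

    /* When IA32_VMX_BASIC[55] is set, the TRUE_* MSR is the one to use. */
    uint64_t ent = (basic & VMX_BASIC_TRUE_CTLS) ? true_entry : entry;
    c.pat = (allowed1(ent) & VM_ENTRY_LOAD_GUEST_PAT) != 0;
    return c;
}

/* The gating expression from the patch's start_vmx() hunk. */
bool hap_supported(struct vmx_caps c, bool force_ept)
{
    return c.ept && (c.pat || force_ept);
}

/* Linux msr driver: the MSR index is the file offset (root, `modprobe msr`).
 * A read of an unsupported MSR fails instead of faulting, which is why the
 * caller falls back to constructed values below. */
static int read_msr(int fd, uint32_t idx, uint64_t *out)
{
    return pread(fd, out, sizeof *out, idx) == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    uint64_t basic = 0, pb = 0, pb2 = 0, ent = 0, tent = 0;
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    bool live = fd >= 0
        && !read_msr(fd, MSR_IA32_VMX_BASIC, &basic)
        && !read_msr(fd, MSR_IA32_VMX_PROCBASED_CTLS, &pb)
        && !read_msr(fd, MSR_IA32_VMX_PROCBASED_CTLS2, &pb2)
        && !read_msr(fd, MSR_IA32_VMX_ENTRY_CTLS, &ent)
        && (!(basic & VMX_BASIC_TRUE_CTLS)
            || !read_msr(fd, MSR_IA32_VMX_TRUE_ENTRY_CTLS, &tent));
    if (fd >= 0)
        close(fd);

    if (!live) {
        /* Constructed sample values: EPT present, VM-entry cannot load the
         * guest PAT, i.e. the hardware the force-ept option exists for. */
        puts("msr driver unavailable; using constructed sample values");
        basic = VMX_BASIC_TRUE_CTLS;
        pb    = (uint64_t)CPU_BASED_ACTIVATE_SECONDARY_CONTROLS << 32;
        pb2   = (uint64_t)SECONDARY_EXEC_ENABLE_EPT << 32;
        ent   = tent = 0;
    }

    struct vmx_caps c = decode_vmx_caps(basic, pb, pb2, ent, tent);
    printf("cpu_has_vmx_ept=%d cpu_has_vmx_pat=%d\n", c.ept, c.pat);
    printf("hap_supported: default=%d force-ept=%d\n",
           hap_supported(c, false), hap_supported(c, true));
    return 0;
}
```

Run as root with the msr module loaded; on a host where the second line prints `default=0 force-ept=1` the option changes the outcome, and on one where it prints `default=1` the option is a no-op and should not be set, since it buys nothing and documents the wrong thing in the boot line.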