|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH] xen/arm64: Hide FEAT_SME
Hi, On 16/08/2024 08:15, Michal Orzel wrote: > On 14/08/2024 23:00, Julien Grall wrote: Newer hardware may support FEAT_SME. Xen doesn't have any knowledge but it will still expose the feature to the VM. If the OS is trying to use SME, then it will crash. Solve by hiding FEAT_SME. Signed-off-by: Julien Grall <julien@xxxxxxx>Acked-by: Michal Orzel <michal.orzel@xxxxxxx>--- The current approach used to create the domain cpuinfo is to hide (i.e. a denylist) what we know Xen is not supporting. The drawback with this approach is for newly introduced feature, Xen will expose it by default. If a kernel is trying to use it then it will crash. I can't really make my mind whether it would be better to expose only what we support (i.e. use an allowlist). AFAICT, there is no security concerns with the current approach because ID_* registers are not a way to tell the kernel which features are supported. A guest kernel could still try to access the new registers.I agree with the security aspect but the part of the sentence in the middle is a bit misleading. Indeed. It was poorly worded. I was meant to say what you wrote below :). ID_ registers *are* a way of informing the kernel about implemented PE features. It's just that the kernel could still access the features. That said, it should be considered an incorrect behavior and definitely not something we should worry about. Cheers, -- Julien Grall
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |