[Xen-users] Enable Data Execution Prevention for DomU
Hi!

I'm new to the xen-user mailing list, so before I start asking specific questions, some general information. I'm trying to integrate Xen, the XAPI toolstack and parts of Qubes into NixOS. NixOS is a declaratively managed Linux distribution, and I want to exploit the declarative nature of NixOS to manage Xen VMs in a purely functional way as well. The whole work is part of my effort to make it easier for people to use virtualization technologies, especially on Linux end-user devices like laptops or desktop PCs.

There are a few questions I have about Xen in general and how to configure it, for which I would be very thankful for advice or help. I will split the questions into separate emails over the next days.

At the moment I'm having trouble running a VM for which the CPU exports the NX-bit capability. The hypervisor is Xen 4.5 with patches from xenserver/xen-4.5.pg, the dom0 host system is NixOS with a current Linux Kernel 3.18.5 and the CPU is an Intel(R) Core(TM) i7-4702HQ.

The CPU flags that are shown in /proc/cpuinfo in dom0 are:

    fpu de tsc msr pae mce cx8 apic sep mca cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl nonstop_tsc eagerfpu pni pclmulqdq monitor vmx est ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 erms xsaveopt

The CPU flags from within domU, however, are:

    fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall rdtscp lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm xsaveopt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid

So if I compared it correctly, the CPU in dom0 has the following flags that domU does not have:

    acpi arat dtherm epb est ht ida monitor nonstop_tsc nx pln pts ss

For the CPU in domU, they are:

    invpcid mtrr pcid pge pse pse36 rdtscp smep tsc_adjust vme x2apic

The important part of the VM configuration is:

    builder="hvm"
    memory=4096
    vcpus=4
    nx='1'
    nestedhvm='1'

My question now is: how do I enable the NX-bit capability in the domU VM? What does the NX capability depend on? Are there specific configurations for the kernel in dom0, boot parameters for Xen or a specially configured QEMU that I need to pass the NX capability into domU?

Do you have any advice or help on what to look for or what to try so that I can narrow the problem down?

Many thanks in advance!

Thomas

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users