Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
On 06/01/2011 10:18 AM, Tian, Kevin wrote:
> > From: Ingo Molnar
> > Sent: Monday, May 30, 2011 3:41 PM
> >
> > * Yang, Wei Y wrote:
> >
> > > This patch removes SMEP bit from CR4_RESERVED_BITS.
> >
> > I'm wondering, what is the best-practice way for tools/kvm/ to set
> > SMEP for the guest kernel automatically, even if the guest kernel
> > itself has not requested SMEP?
>
> enabling SMEP w/o guest's knowledge can be problematic if the guest
> is doing U/S 0->1 bit change w/o TLB invalidation, which is a
> required action to ensure SMEP protection working correctly. Linux
> versions known so far don't have this behavior because TLB
> invalidation due to P bit change covers U/S 0->1 change.
>
> But given that end users may deploy various OS within the guest, to
> enable SMEP this way requires solid understanding on internals of
> those OSes. Or else it's uncertain whether SMEP protection fully
> works on such uncertain guests.

That does reduce the attractiveness of the whole thing.

--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
* Tian, Kevin wrote:

> > From: Ingo Molnar
> > Sent: Monday, May 30, 2011 3:41 PM
> >
> > * Yang, Wei Y wrote:
> >
> > > This patch removes SMEP bit from CR4_RESERVED_BITS.
> >
> > I'm wondering, what is the best-practice way for tools/kvm/ to set
> > SMEP for the guest kernel automatically, even if the guest kernel
> > itself has not requested SMEP?
> >
>
> enabling SMEP w/o guest's knowledge can be problematic if the guest
> is doing U/S 0->1 bit change w/o TLB invalidation, which is a
> required action to ensure SMEP protection working correctly. Linux
> versions known so far don't have this behavior because TLB
> invalidation due to P bit change covers U/S 0->1 change. [...]

We'd like to use this in the 'kvm' tool:

  git clone git://github.com/penberg/linux-kvm master
  cd linux-kvm/tools/kvm/
  make -j

Which is only interested in Linux guests.

Thanks,

	Ingo

RE: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
> From: Ingo Molnar
> Sent: Monday, May 30, 2011 3:41 PM
>
> * Yang, Wei Y wrote:
>
> > This patch removes SMEP bit from CR4_RESERVED_BITS.
>
> I'm wondering, what is the best-practice way for tools/kvm/ to set
> SMEP for the guest kernel automatically, even if the guest kernel
> itself has not requested SMEP?
>

enabling SMEP w/o guest's knowledge can be problematic if the guest is
doing U/S 0->1 bit change w/o TLB invalidation, which is a required
action to ensure SMEP protection working correctly. Linux versions
known so far don't have this behavior because TLB invalidation due to
P bit change covers U/S 0->1 change.

But given that end users may deploy various OS within the guest, to
enable SMEP this way requires solid understanding on internals of
those OSes. Or else it's uncertain whether SMEP protection fully works
on such uncertain guests.

Thanks
Kevin

Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
On 05/30/2011 11:57 AM, Ingo Molnar wrote:
> Oh, it wasn't clear to me that this was your preference as well -
> and i didn't see such a capability in this series [let me know if i
> blindly missed it] so i was wondering what the battle plan was for
> that :-)

There is no plan. If someone is interested, please post a patch.

--
error compiling committee.c: too many arguments to function

Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
* Avi Kivity wrote:

> On 05/30/2011 11:52 AM, Ingo Molnar wrote:
> >* Avi Kivity wrote:
> >
> >> > Another option would be to try to set the SMEP bit *before* we
> >> > enable paging. In theory this should not confuse a Linux guest -
> >> > and while i have not tested it i *think* we let it survive in the
> >> > saved_cr4_features shadow variable. That would make guest
> >> > suspend/resume work out of box as well.
> >>
> >> Is there any reason not to do it in a hidden way in kvm? Why must
> >> we play tricks?
> >
> > So do you have a suggestion of how to do this cleaner?
> >
> > Add an ioctl that allows a VCPU to be configured in a way to set
> > a cr4 feature without the guest actually seeing that bit?
> > [Assuming both cr4 reads and writes are fully captured by KVM and
> > thus guest behavior is controllable.]
>
> Yes, this was what I suggested before. IIRC you liked it.

Oh, it wasn't clear to me that this was your preference as well - and
i didn't see such a capability in this series [let me know if i
blindly missed it] so i was wondering what the battle plan was for
that :-)

Thanks,

	Ingo

Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
On 05/30/2011 11:52 AM, Ingo Molnar wrote:
> * Avi Kivity wrote:
>
> > > Another option would be to try to set the SMEP bit *before* we
> > > enable paging. In theory this should not confuse a Linux guest -
> > > and while i have not tested it i *think* we let it survive in the
> > > saved_cr4_features shadow variable. That would make guest
> > > suspend/resume work out of box as well.
> >
> > Is there any reason not to do it in a hidden way in kvm? Why must
> > we play tricks?
>
> So do you have a suggestion of how to do this cleaner?
>
> Add an ioctl that allows a VCPU to be configured in a way to set a
> cr4 feature without the guest actually seeing that bit? [Assuming
> both cr4 reads and writes are fully captured by KVM and thus guest
> behavior is controllable.]

Yes, this was what I suggested before. IIRC you liked it.

--
error compiling committee.c: too many arguments to function

Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
* Avi Kivity wrote:

> > Another option would be to try to set the SMEP bit *before* we
> > enable paging. In theory this should not confuse a Linux guest -
> > and while i have not tested it i *think* we let it survive in the
> > saved_cr4_features shadow variable. That would make guest
> > suspend/resume work out of box as well.
>
> Is there any reason not to do it in a hidden way in kvm? Why must
> we play tricks?

So do you have a suggestion of how to do this cleaner?

Add an ioctl that allows a VCPU to be configured in a way to set a cr4
feature without the guest actually seeing that bit? [Assuming both cr4
reads and writes are fully captured by KVM and thus guest behavior is
controllable.]

Thanks,

	Ingo

Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
On 05/30/2011 11:05 AM, Ingo Molnar wrote:
> * Avi Kivity wrote:
>
> > On 05/30/2011 10:40 AM, Ingo Molnar wrote:
> > >* Yang, Wei Y wrote:
> > >
> > >> This patch removes SMEP bit from CR4_RESERVED_BITS.
> > >
> > >I'm wondering, what is the best-practice way for tools/kvm/ to set
> > >SMEP for the guest kernel automatically, even if the guest kernel
> > >itself has not requested SMEP?
> > >
> > > The portion i'm worried about are old KVM versions that have the
> > > SMEP bit in CR4_RESERVED_BITS and reject it. So we cannot just
> > > unilaterally add SMEP to every cr4 write of the guest.
> >
> > tools/kvm doesn't see cr4 writes at all. [...]
>
> I feared small complications like that! :-)
>
> We can definitely use KVM_GET_SREGS, fiddle the SMEP bit in
> kvm_regs.cr4 and call KVM_SET_SREGS, once the fine patch above goes
> upstream.

It's not a good idea. First, the guest will see cr4.smep where it
hasn't set it before, which may confuse it. Second, the guest may
rewrite cr4.smep, clearing it, giving a false sense of security.

> > [...] The only way to do this is in kvm itself.
> >
> > > Is there a way to query whether the host KVM version supports
> > > SMEP setting in cr4?
> > >
> >
> > KVM_GET_SUPPORTED_CPUID (it returns whether both the host cpu and
> > kvm support smep; if one of them doesn't, you'll see smep
> > disabled).
>
> That looks useful.
>
> So the way to go appears to be to do a GET_SREGS/SET_SREGS sequence
> to enable SMEP in the guest, some time after it has booted and has
> enabled paging.
>
> I'm wondering whether there's a suitable place to do that, when we
> are more or less guaranteed to exit the VM for some other reason -
> such as the first MMIO done with paging enabled?
>
> This solution means that we'll slow down pre-paging MMIOs with a
> GET_SREGS call, but that's ok, they are rare and the pre-paging
> bootup phase is very short.
>
> So the only worry would be where the guest sets cr4 itself - and
> since it does not know about SMEP it will probably disable it. Guest
> suspend/resume is one such place ...
>
> Another option would be to try to set the SMEP bit *before* we
> enable paging. In theory this should not confuse a Linux guest - and
> while i have not tested it i *think* we let it survive in the
> saved_cr4_features shadow variable. That would make guest
> suspend/resume work out of box as well.

Is there any reason not to do it in a hidden way in kvm? Why must we
play tricks?

--
error compiling committee.c: too many arguments to function

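Added example, not part of the thread and not KVM code: a toy C model of the two options debated above, setting CR4.SMEP from userspace with a GET_SREGS/SET_SREGS sequence versus forcing it inside the hypervisor while hiding it from the guest. The struct, the function names and the guest's rewrite value are assumptions made for illustration; only the CR4 bit positions are architectural.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define CR4_PAE  (1ULL << 5)
#define CR4_SMEP (1ULL << 20)

/* Toy vCPU model; names are hypothetical, not KVM's own structures. */
struct vcpu_model {
    uint64_t guest_cr4;   /* what the guest wrote and reads back */
    uint64_t host_forced; /* bits the hypervisor ORs in, hidden from the guest */
    uint64_t reserved;    /* bits a guest write may not set */
};

/* CR4 value the hardware would actually run with. */
static uint64_t effective_cr4(const struct vcpu_model *v)
{
    return v->guest_cr4 | v->host_forced;
}

/* Guest write to CR4: rejected when it sets a reserved bit. */
static bool guest_write_cr4(struct vcpu_model *v, uint64_t val)
{
    if (val & v->reserved)
        return false; /* a real hypervisor would inject #GP */
    v->guest_cr4 = val;
    return true;
}

/* Enable SMEP one of two ways, then let an SMEP-unaware guest rewrite CR4. */
static void run(bool hidden, bool *guest_saw_smep, bool *smep_survived)
{
    struct vcpu_model v = { .guest_cr4 = CR4_PAE };

    if (hidden)
        v.host_forced = v.reserved = CR4_SMEP; /* forced inside the hypervisor */
    else
        v.guest_cr4 |= CR4_SMEP; /* GET_SREGS, OR in SMEP, SET_SREGS */
    *guest_saw_smep = (v.guest_cr4 & CR4_SMEP) != 0;
    guest_write_cr4(&v, CR4_PAE); /* guest reloads a value it saved without SMEP */
    *smep_survived = (effective_cr4(&v) & CR4_SMEP) != 0;
}

int main(void)
{
    bool saw, kept;
    for (int hidden = 0; hidden <= 1; hidden++) {
        run(hidden, &saw, &kept);
        printf("hidden=%d guest_saw_smep=%d smep_survived=%d\n", hidden, saw, kept);
    }
    return 0;
}
```

The model covers only visibility and persistence of the bit; it does not model the TLB-invalidation behaviour raised elsewhere in the thread.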
Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
* Avi Kivity wrote:

> On 05/30/2011 10:40 AM, Ingo Molnar wrote:
> >* Yang, Wei Y wrote:
> >
> >> This patch removes SMEP bit from CR4_RESERVED_BITS.
> >
> >I'm wondering, what is the best-practice way for tools/kvm/ to set
> >SMEP for the guest kernel automatically, even if the guest kernel
> >itself has not requested SMEP?
> >
> > The portion i'm worried about are old KVM versions that have the
> > SMEP bit in CR4_RESERVED_BITS and reject it. So we cannot just
> > unilaterally add SMEP to every cr4 write of the guest.
>
> tools/kvm doesn't see cr4 writes at all. [...]

I feared small complications like that! :-)

We can definitely use KVM_GET_SREGS, fiddle the SMEP bit in
kvm_regs.cr4 and call KVM_SET_SREGS, once the fine patch above goes
upstream.

> [...] The only way to do this is in kvm itself.
>
> > Is there a way to query whether the host KVM version supports
> > SMEP setting in cr4?
> >
>
> KVM_GET_SUPPORTED_CPUID (it returns whether both the host cpu and
> kvm support smep; if one of them doesn't, you'll see smep
> disabled).

That looks useful.

So the way to go appears to be to do a GET_SREGS/SET_SREGS sequence to
enable SMEP in the guest, some time after it has booted and has
enabled paging.

I'm wondering whether there's a suitable place to do that, when we are
more or less guaranteed to exit the VM for some other reason - such as
the first MMIO done with paging enabled?

This solution means that we'll slow down pre-paging MMIOs with a
GET_SREGS call, but that's ok, they are rare and the pre-paging bootup
phase is very short.

So the only worry would be where the guest sets cr4 itself - and since
it does not know about SMEP it will probably disable it. Guest
suspend/resume is one such place ...

Another option would be to try to set the SMEP bit *before* we enable
paging. In theory this should not confuse a Linux guest - and while i
have not tested it i *think* we let it survive in the
saved_cr4_features shadow variable. That would make guest
suspend/resume work out of box as well.

Thanks,

	Ingo

Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
On 05/30/2011 10:40 AM, Ingo Molnar wrote:
> * Yang, Wei Y wrote:
>
> > This patch removes SMEP bit from CR4_RESERVED_BITS.
>
> I'm wondering, what is the best-practice way for tools/kvm/ to set
> SMEP for the guest kernel automatically, even if the guest kernel
> itself has not requested SMEP?
>
> The portion i'm worried about are old KVM versions that have the
> SMEP bit in CR4_RESERVED_BITS and reject it. So we cannot just
> unilaterally add SMEP to every cr4 write of the guest.

tools/kvm doesn't see cr4 writes at all. The only way to do this is in
kvm itself.

> Is there a way to query whether the host KVM version supports SMEP
> setting in cr4?

KVM_GET_SUPPORTED_CPUID (it returns whether both the host cpu and kvm
support smep; if one of them doesn't, you'll see smep disabled).

--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.

Re: [Patch v5 1/4] Remove SMEP bit from CR4_RESERVED_BITS
* Yang, Wei Y wrote:

> This patch removes SMEP bit from CR4_RESERVED_BITS.

I'm wondering, what is the best-practice way for tools/kvm/ to set
SMEP for the guest kernel automatically, even if the guest kernel
itself has not requested SMEP?

The portion i'm worried about are old KVM versions that have the SMEP
bit in CR4_RESERVED_BITS and reject it. So we cannot just unilaterally
add SMEP to every cr4 write of the guest.

Is there a way to query whether the host KVM version supports SMEP
setting in cr4? That way tools/kvm/ could add the SMEP bit if the host
CPU has it in /proc/cpuinfo and if KVM supports it.

( With a --no-smep kind of command line option to opt out of this
  automatic protection, to test it, and for the unlikely case that
  SMEP causes problems. )

Thanks,

	Ingo