On Tue, Apr 01, 2014 at 05:46:32PM +0800, Feng Wu wrote:
> Supervisor Mode Access Prevention (SMAP) is a new security feature
> disclosed by Intel, please refer to the following document:
>
> http://software.intel.com/sites/default/files/319433-014.pdf
>
> Every access to a linear address is either a supervisor-mode access
> or a user-mode access. All accesses performed while the current
> privilege level (CPL) is less than 3 are supervisor-mode accesses.
> If CPL = 3, accesses are generally user-mode accesses. However, some
> operations implicitly access system data structures, and the resulting
> accesses to those data structures are supervisor-mode accesses regardless
> of CPL. Examples of such implicit supervisor accesses include the following:
> accesses to the global descriptor table (GDT) or local descriptor table
> (LDT) to load a segment descriptor; accesses to the interrupt descriptor
> table (IDT) when delivering an interrupt or exception; and accesses to the
> task-state segment (TSS) as part of a task switch or change of CPL.
>
> If CR4.SMAP = 1, supervisor-mode data accesses are not allowed to linear
> addresses that are accessible in user mode. If CPL < 3, SMAP protections
> are disabled if EFLAGS.AC = 1. If CPL = 3, SMAP applies to all supervisor-mode
> data accesses (these are implicit supervisor accesses) regardless of the
> value of EFLAGS.AC.
>
> This patchset passes the SMAP feature through to guests, and lets guests
> benefit from it.
>
> Version 1:
>   * Remove SMAP bit from CR4_RESERVED_BITS.
>   * Add SMAP support when setting CR4
>   * Disable SMAP for guests in EPT realmode and EPT unpaging mode
>   * Expose SMAP feature to guest
>
> Version 2:
>   * Change the logic of updating mmu permission bitmap for SMAP violation
>   * Expose SMAP feature to guest in the last patch of this series.
>
> Version 3:
>   * Changes in update_permission_bitmask().
>   * Use a branchless way suggested by Paolo Bonzini to detect SMAP
>     violation in permission_fault().
>
> Version 4:
>   * Changes to some comments and code style.
>
> Feng Wu (4):
>   KVM: Remove SMAP bit from CR4_RESERVED_BITS.
>   KVM: Add SMAP support when setting CR4
>   KVM: Disable SMAP for guests in EPT realmode and EPT unpaging mode
>   KVM: expose SMAP feature to guest
>
>  arch/x86/include/asm/kvm_host.h |  2 +-
>  arch/x86/kvm/cpuid.c            |  2 +-
>  arch/x86/kvm/cpuid.h            |  8 ++++++++
>  arch/x86/kvm/mmu.c              | 34 ++++++++++++++++++++++++++++---
>  arch/x86/kvm/mmu.h              | 44 +++++++++++++++++++++++++++++++++--------
>  arch/x86/kvm/paging_tmpl.h      |  2 +-
>  arch/x86/kvm/vmx.c              | 11 ++++++-----
>  arch/x86/kvm/x86.c              |  9 ++++++++-
>  8 files changed, 92 insertions(+), 20 deletions(-)

Reviewed-by: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
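
The three SMAP rules quoted in the cover letter above, modeled as an added C example that is not code from this patch series or from KVM. The 6-bit access descriptor, the function names and the 64-entry bitmap are assumptions made for illustration; the precomputed bitmap only mirrors the idea of a branchless permission lookup and is not the series' update_permission_bitmask() or permission_fault().

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed 6-bit access descriptor (an assumption, not KVM's encoding). */
enum {
    A_SMAP     = 1 << 0,  /* CR4.SMAP = 1 */
    A_CPL3     = 1 << 1,  /* CPL = 3 (clear means CPL < 3) */
    A_AC       = 1 << 2,  /* EFLAGS.AC = 1 */
    A_IMPLICIT = 1 << 3,  /* implicit supervisor access (GDT/LDT/IDT/TSS) */
    A_FETCH    = 1 << 4,  /* instruction fetch; the rules cover data accesses */
    A_USERPAGE = 1 << 5,  /* linear address is accessible in user mode */
};

/* Direct reading of the three rules as the cover letter states them. */
bool smap_violation(unsigned a)
{
    bool supervisor = !(a & A_CPL3) || (a & A_IMPLICIT);
    if (!(a & A_SMAP) || (a & A_FETCH) || !(a & A_USERPAGE))
        return false;   /* SMAP off, not a data access, or supervisor-only page */
    if (!supervisor)
        return false;   /* ordinary user-mode access at CPL = 3 */
    if (!(a & A_CPL3) && (a & A_AC))
        return false;   /* CPL < 3 with EFLAGS.AC = 1 disables the protection */
    return true;
}

/* Precompute one bit per descriptor so the check becomes shift-and-mask. */
uint64_t build_smap_bitmap(void)
{
    uint64_t map = 0;
    for (unsigned a = 0; a < 64; a++)
        map |= (uint64_t)smap_violation(a) << a;
    return map;
}

/* Branchless lookup against the precomputed bitmap. */
bool smap_violation_fast(uint64_t map, unsigned a)
{
    return (map >> (a & 63)) & 1;
}

/* Number of descriptors that fault; every one has SMAP and USERPAGE set. */
unsigned smap_violation_count(uint64_t map)
{
    unsigned n = 0;
    for (unsigned a = 0; a < 64; a++)
        n += smap_violation_fast(map, a);
    return n;
}
```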