On 23/03/2018 15:27, Wanpeng Li wrote:
> 2018-03-22 21:53 GMT+08:00 Andrew Cooper <andrew.cooper3@xxxxxxxxxx>:
>> On 22/03/18 13:39, Wanpeng Li wrote:
>>> 2018-03-22 20:38 GMT+08:00 Paolo Bonzini <pbonzini@xxxxxxxxxx>:
>>>> On 22/03/2018 12:04, Andrew Cooper wrote:
>>>>> We've got a Force Emulation Prefix (ud2a; .ascii "xen") for doing
>>>>> magic. Originally, this was used for PV guests to explicitly request an
>>>>> emulated CPUID, but I extended it to HVM guests for "emulate the next
>>>>> instruction", after we had some guest user => guest kernel privilege
>>>>> escalations because of incorrect emulation.
>>>> Wanpeng, why don't you add it behind a new kvm module parameter? :)
>>> Great point! I will have a try. Thanks Paolo and Andrew. :)
>>
>> Using the force emulation prefix requires intercepting #UD, which is in
>> general a BadThing(tm) for security. Therefore, we have a build time
>
> Yeah; however, kvm intercepts and emulates #UD by default, so should we
> add a new kvm module parameter to enable it, disabled by default?

No, the module parameter should only be about the force-emulation prefix.

Paolo