> From: Avi Kivity [mailto:avi@xxxxxxxxxx]
> Sent: Monday, May 30, 2011 6:00 PM
>
> On 05/30/2011 12:18 PM, Tian, Kevin wrote:
> > > From: Avi Kivity [mailto:avi@xxxxxxxxxx]
> > > Sent: Monday, May 30, 2011 5:14 PM
> > >
> > > On 05/30/2011 12:08 PM, Tian, Kevin wrote:
> > > > > From: Avi Kivity
> > > > > Sent: Monday, May 30, 2011 4:52 PM
> > > > >
> > > > > On 05/30/2011 06:01 AM, Yang, Wei Y wrote:
> > > > > > This patchset enables a new CPU feature SMEP (Supervisor Mode
> > > > > > Execution Protection) in KVM. SMEP prevents kernel from
> > > > > > executing code in application. Updated Intel SDM describes
> > > > > > this CPU feature. The document will be published soon.
> > > > > >
> > > > > > This patchset is based on Fenghua's SMEP patch series, as
> > > > > > referred by:
> > > > > > https://lkml.org/lkml/2011/5/17/523
> > > > >
> > > > > Looks good. I'll post the cr0.wp=0 fixup soon.
> > > > >
> > > >
> > > > what's your planned fix? through NX bit? :-)
> > >
> > > Yes.
> > >
> > > > btw, why is current scheme used to emulate cr0.wp=0 case instead
> > > > of simply emulating it?
> > >
> > > How would you simply emulate it?
> > >
> > > We have to force cr0.wp=1, otherwise we cannot write-protect guest
> > > page tables. Once we do that, we have to set U=1 to allow user
> > > reads or U=0 to allow kernel writes.
> > >
> >
> > I mean using instruction emulation instead of changing permission to
> > re-execute faulting instruction. Or is current KVM instruction
> > emulator not complete enough to handle various memory access
> > instructions (just designed for page table access and real mode
> > instructions?)?
>
> I think by now it's complete enough (it wasn't when the shadow mmu was
> written). But emulation will be slow if the guest writes a lot of data
> to the page.

OK, got it.

Thanks
Kevin
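
Added example, not part of the original thread and not KVM's code: a simplified C model of the trade-off discussed above, where hardware cr0.wp is forced to 1 and a guest page that is user + read-only has to be shadowed as either U=1 or U=0. The struct, the function names and the `nx_fixup` flag are hypothetical, and the model assumes the NX fixup is applied when the guest has SMEP enabled and the shadow entry was switched to U=0.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption): only the U/S, R/W and NX bits of a PTE. */
struct perm { bool user, write, nx; };

enum fault { KERNEL_WRITE, USER_READ };

/*
 * Shadow permissions for a guest page mapped user + read-only while the
 * guest runs with cr0.wp=0. Hardware cr0.wp is forced to 1, so a single
 * shadow PTE cannot allow both kernel writes and user reads.
 */
static struct perm shadow_for(enum fault f, bool guest_smep, bool nx_fixup)
{
    struct perm s = { .user = true, .write = false, .nx = false };
    if (f == KERNEL_WRITE) {
        s.user = false;              /* U=0 to allow kernel writes */
        s.write = true;
        if (guest_smep && nx_fixup)
            s.nx = true;             /* page is still user code to the guest */
    }
    return s;                        /* USER_READ keeps U=1, read-only */
}

/* Checks as hardware applies them with cr0.wp=1. */
static bool kernel_can_write(struct perm p) { return p.write; }
static bool user_can_read(struct perm p)    { return p.user; }
static bool kernel_can_exec(struct perm p, bool smep)
{
    return !p.nx && !(smep && p.user);
}

int main(void)
{
    struct perm guest = { .user = true, .write = false, .nx = false };
    struct perm raw   = shadow_for(KERNEL_WRITE, true, false);
    struct perm fixed = shadow_for(KERNEL_WRITE, true, true);

    printf("guest view, SMEP on: kernel exec = %d\n", kernel_can_exec(guest, true));
    printf("shadow U=0, no NX:   kernel exec = %d\n", kernel_can_exec(raw, true));
    printf("shadow U=0, NX set:  kernel exec = %d\n", kernel_can_exec(fixed, true));
    return 0;
}
```

In this model the U=0 shadow entry without NX lets supervisor code execute a page the guest still considers a user page, which is the case the NX-based fixup closes.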