[Oneiric][pull-request] Ivy Bridge: KVM support for SMEP (Supervisor Mode Execution Protection)

Leann Ogasawara leann.ogasawara at canonical.com
Thu Aug 4 18:52:45 UTC 2011

BugLink: http://bugs.launchpad.net/bugs/796476

It's been requested that we pull the following upstream patches in order
to enable KVM support for SMEP (Supervisor Mode Execution Protection)
for Intel's Ivy Bridge.  SMEP prevents execution of user mode pages
while in supervisor mode and addresses a class of exploits for hijacking
kernel execution.  

All patches were clean cherry-picks with the minor exception of "KVM:
Mask function7 ebx against host capability word9".

I unfortunately do not have access to Ivy Bridge hardware to test, but I
have at least tested KVM on other hardware to confirm we're not
introducing any regressions.  If anyone else is interested in testing,
I've posted debs at:


I just wanted to get this out to the mailing list for review before
applying to Oneiric.  I feel it better to get this applied and tested
well before we hit kernel freeze to 1) confirm any regressions, if any,
and 2) apply any additional patches if needed.


The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:

  UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)

are available in the git repository at:
  git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476

Yang, Wei Y (4):
      KVM: Remove SMEP bit from CR4_RESERVED_BITS
      KVM: Add SMEP support when setting CR4
      KVM: Mask function7 ebx against host capability word9
      KVM: Add instruction fetch checking when walking guest page table

 arch/x86/include/asm/kvm_host.h |    2 +-
 arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
 arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
 3 files changed, 41 insertions(+), 5 deletions(-)
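
The three behaviours named in the patch titles above, as a simplified user-space model. This is an added example, not code from the patches or from KVM; the function names, the two-level page tables and the sample mappings are constructed for illustration, and only the CR4.SMEP (bit 20) and CPUID leaf 7 EBX bit 7 positions are architectural.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CR4_SMEP        (1u << 20)  /* CR4.SMEP, architectural bit 20 */
#define CPUID7_EBX_SMEP (1u << 7)   /* CPUID.(EAX=7,ECX=0):EBX bit 7 */
#define PTE_PRESENT     (1u << 0)
#define PTE_USER        (1u << 2)   /* U/S: 1 = user-accessible */

/* Constructed sample mappings: one entry per paging level (hypothetical). */
static const uint32_t USER_MAP[]   = { PTE_PRESENT | PTE_USER, PTE_PRESENT | PTE_USER };
static const uint32_t KERNEL_MAP[] = { PTE_PRESENT | PTE_USER, PTE_PRESENT };

/* Guest-visible leaf 7 EBX: only bits the host CPU really has. */
static uint32_t guest_cpuid7_ebx(uint32_t requested, uint32_t host_ebx)
{
    return requested & host_ebx;
}

/* A guest CR4 write that sets SMEP is valid only if guest CPUID has SMEP. */
static bool cr4_write_ok(uint32_t new_cr4, uint32_t guest_ebx)
{
    return !(new_cr4 & CR4_SMEP) || (guest_ebx & CPUID7_EBX_SMEP);
}

/* True if the access faults. Only presence and SMEP are modelled here
 * (no NX, write-protect or user-mode U/S checks). */
static bool walk_faults(const uint32_t *ptes, size_t levels,
                        uint32_t cr4, int cpl, bool fetch)
{
    bool user_page = true;
    for (size_t i = 0; i < levels; i++) {
        if (!(ptes[i] & PTE_PRESENT))
            return true;                    /* not-present fault */
        user_page = user_page && (ptes[i] & PTE_USER);
    }
    /* SMEP: supervisor-mode fetch from a page marked user at every level. */
    return fetch && cpl < 3 && (cr4 & CR4_SMEP) && user_page;
}

int main(void)
{
    printf("CPL0 fetch, user page, SMEP on:  %d\n", walk_faults(USER_MAP, 2, CR4_SMEP, 0, true));
    printf("CPL0 fetch, user page, SMEP off: %d\n", walk_faults(USER_MAP, 2, 0, 0, true));
    printf("CR4.SMEP write, host lacks SMEP: %d\n", cr4_write_ok(CR4_SMEP, guest_cpuid7_ebx(CPUID7_EBX_SMEP, 0)));
    return 0;
}
```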

