[Oneiric][pull-request] Ivy Bridge: KVM support for SMEP (Supervisor Mode Execution Protection)

Pete Graner pgraner at canonical.com
Thu Aug 4 21:00:53 UTC 2011 

On 08/04/2011 02:52 PM, Leann Ogasawara wrote:
> BugLink: http://bugs.launchpad.net/bugs/796476
> 
> It's been requested that we pull the following upstream patches in order
> to enable KVM support for SMEP (Supervisor Mode Execution Protection)
> for Intel's Ivy Bridge.  SMEP prevents execution of user mode pages
> while in supervisor mode and addresses a class of exploits for hijacking
> kernel execution.  
> 
> All patches were clean cherry-picks with the minor exception of "KVM:
> Mask function7 ebx against host capability word9".
> 
> I unfortunately do not have access to Ivy Bridge hardware to test, but I
> have at least tested KVM on other hardware to confirm we're not
> introducing any regressions.  If anyone else is interested in testing,
> I've posted debs at:
> 
> http://people.canonical.com/~ogasawara/lp796476/

I just tried on my Ivy Bridge Alpha SDP. KVM works as expected, but
without a test case I'm not sure if the patches are doing anything useful.

Let me know if I can do anything else.

~pete

> 
> I just wanted to get this out to the mailing list for review before
> applying to Oneiric.  I feel it better to get this applied and tested
> well before we hit kernel freeze to 1) confirm any regressions, if any
> and 2) apply any additional patches if needed.
> 
> Thanks,
> Leann
> 
> The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:
> 
>   UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)
> 
> are available in the git repository at:
>   git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476
> 
> Yang, Wei Y (4):
>       KVM: Remove SMEP bit from CR4_RESERVED_BITS
>       KVM: Add SMEP support when setting CR4
>       KVM: Mask function7 ebx against host capability word9
>       KVM: Add instruction fetch checking when walking guest page table
> 
>  arch/x86/include/asm/kvm_host.h |    2 +-
>  arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
>  arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
>  3 files changed, 41 insertions(+), 5 deletions(-)
> 
> 


-- 
Pete Graner          <pgraner at canonical.com>
Manager
Ubuntu Kernel Team
Canonical Ltd.       http://www.canonical.com/

More information about the kernel-team mailing list