The SMEP feature has to be masked for PV guests, because if the kernel supports SMEP it will set it through writing to CR4. This will fail on Xen guests and anyway X86_64 pv guests run in ring3, which SMEP doesn't apply to. For HVM another approach is possible, and a patch for this has been posted to xen-devel: It is probably reasonable to emulate this in Xen, as it is a security feature after all. However, this emulation would only apply when EPT/NPT is disabled, so perhaps it's not worth it.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
First part of the back-port is done. But as for back-porting HVM support for it, I've chosen the easy way, i.e. mask SMEP from the HVM guest (done). There is too much difference in the hvm code compared with upstream, and scary dependencies, for example c/s 17917. Queued a reservation of an Ivy Bridge Beaker box for testing. Also tested on a box without SMEP support: x86_64 host: 32-bit pv guest, 64-bit pv guest. Looks like nothing regressed on older hardware so far.
Created attachment 524631: patch for RHEL5 kernel to verify if SMEP is visible via pv_cpuid
Kernel build with smep enabled hv and patched kernel to check it. https://brewweb.devel.redhat.com/taskinfo?taskID=3658054
Created attachment 524633: [RHEL5.8 Xen PATCH 1/2] x86: Enable Supervisor Mode Execution Protection (SMEP)
Created attachment 524634: [RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest
Created attachment 526888: [RHEL5.8 Xen PATCH 1/2] xen: mask out SMEP feature from PV guest
Created attachment 526889: [RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest
Closing because CPUID white-listing will cover masking out leaf 7. And there is no point in fixing up CR4 since it's not enabled in hv in the first place and the guest can't set it.
*** This bug has been marked as a duplicate of bug 526862 ***
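The two masking approaches discussed in this bug (clearing only the SMEP bit from leaf 7, and a CPUID whitelist under which leaf 7 is not exposed at all), as an added example that is not part of the bug report or of Xen's code. The struct and function names, the whitelist policy and the sample register values are constructed for illustration; the one architectural fact used is that SMEP is reported in CPUID.(EAX=7,ECX=0):EBX bit 7.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CPUID7_EBX_SMEP (1u << 7)   /* CPUID.(EAX=7,ECX=0):EBX bit 7 */

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };
/* Hypothetical whitelist entry: the bits of one leaf a guest may see. */
struct leaf_mask { uint32_t leaf; struct cpuid_regs allow; };

/* Constructed policy: leaf 7 is deliberately absent from the table. */
static const struct leaf_mask whitelist[] = {
    { 0x0, { 0xffffffffu, 0xffffffffu, 0xffffffffu, 0xffffffffu } },
    { 0x1, { 0xffffffffu, 0xffffffffu, 0x00000001u, 0x00000001u } },
};

/* Approach 1: pass the leaf through and clear only the SMEP bit. */
static struct cpuid_regs mask_smep(uint32_t leaf, uint32_t subleaf,
                                   struct cpuid_regs host)
{
    if (leaf == 0x7 && subleaf == 0)
        host.ebx &= ~CPUID7_EBX_SMEP;
    return host;
}

/* Approach 2: expose whitelisted bits only; unlisted leaves read as zero. */
static struct cpuid_regs apply_whitelist(uint32_t leaf, struct cpuid_regs host)
{
    struct cpuid_regs out = { 0, 0, 0, 0 };
    for (size_t i = 0; i < sizeof(whitelist) / sizeof(whitelist[0]); i++) {
        if (whitelist[i].leaf != leaf)
            continue;
        out.eax = host.eax & whitelist[i].allow.eax;
        out.ebx = host.ebx & whitelist[i].allow.ebx;
        out.ecx = host.ecx & whitelist[i].allow.ecx;
        out.edx = host.edx & whitelist[i].allow.edx;
    }
    return out;
}

static int guest_sees_smep(struct cpuid_regs r) { return (r.ebx & CPUID7_EBX_SMEP) != 0; }

/* Constructed host leaf 7: FSGSBASE (bit 0), SMEP (bit 7), ERMS (bit 9). */
static const struct cpuid_regs host_leaf7 = { 0, 0x00000281u, 0, 0 };

int main(void)
{
    printf("host=%d bit-masked=%d whitelisted=%d\n", guest_sees_smep(host_leaf7),
           guest_sees_smep(mask_smep(0x7, 0, host_leaf7)),
           guest_sees_smep(apply_whitelist(0x7, host_leaf7)));
    return 0;
}
```

Bit masking leaves the other leaf 7 features visible to the guest, while the whitelist hides every leaf 7 feature until someone adds the leaf to the table.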
Moving to POST, since the patch posted for bug 526862 is intended to cover this bug as well.
Patch(es) available in kernel-2.6.18-294.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5
Detailed testing feedback is always welcomed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0150.html