Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 711070 - mask the SMEP bit for PV, do the same or backport SMEP emulation for HVM
mask the SMEP bit for PV, do the same or backport SMEP emulation for HVM
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel-xen (Show other bugs)
5.7
Unspecified Unspecified
low Severity medium
: rc
: ---
Assigned To: Igor Mammedov
Virtualization Bugs
: Reopened
Depends On: 526862
Blocks: 514489
  Show dependency treegraph
 
Reported: 2011-06-06 08:47 EDT by Paolo Bonzini
Modified: 2012-02-20 22:35 EST (History)
9 users (show)

See Also:
Fixed In Version: kernel-2.6.18-294.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-20 22:35:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch for RHEL5 kernel to verify if SMEP is visible via pv_cpuid (1.21 KB, patch)
2011-09-23 10:49 EDT, Igor Mammedov 		no flags Details | Diff
[RHEL5.8 Xen PATCH 1/2] x86: Enable Supervisor Mode Execution Protection (SMEP) (13.96 KB, patch)
2011-09-23 10:50 EDT, Igor Mammedov 		no flags Details | Diff
[RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest (1.61 KB, patch)
2011-09-23 10:51 EDT, Igor Mammedov 		no flags Details | Diff
[RHEL5.8 Xen PATCH 1/2] xen: mask out SMEP feature from PV guest (2.02 KB, patch)
2011-10-07 08:45 EDT, Igor Mammedov 		no flags Details | Diff
[RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest (2.32 KB, patch)
2011-10-07 08:46 EDT, Igor Mammedov 		no flags Details | Diff
Show Obsolete (2) Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0150 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux 5.8 kernel update 2012-02-21 02:35:24 EST

  None (edit)
Description Paolo Bonzini 2011-06-06 08:47:52 EDT 
The SMEP feature has to be masked for PV guests, because if the kernel supports SMEP it will set it through writing to CR4.  This will fail on Xen guests and anyway X86_64 pv guests run in ring3, which SMEP doesn't apply to.

For HVM another approach is possible, and a patch for this has been posted to xen-devel: It is probably reasonable to emulate this in Xen, as it is a security feature after all.  However, this emulation would only apply when EPT/NPT is disabled, so perhaps it's not worth it.
Comment 1 RHEL Product and Program Management 2011-08-12 12:30:19 EDT 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 2 Igor Mammedov 2011-09-21 10:40:07 EDT 
First part of back-port is done.

But as for back-porting HVM support for it I've chosen easy way, i.e. mask SMEP
from HVM guest (done). It's too much difference in hvm code with upstream, and scary dependencies for example: c/s 17917.

Queued reservation of ivy bridge beaker box for testing.

Also tested on box without SMEP support:
  x86_64 host: 32-bit pv guest, 64-bit pv guest
Looks like nothing regressed on older hardware so far.
Comment 3 Igor Mammedov 2011-09-23 10:49:56 EDT 
Created attachment 524631 [details]
patch for RHEL5 kernel to verify if SMEP is visible via pv_cpuid

Kernel build with smep enabled hv and patched kernel to check it.
https://brewweb.devel.redhat.com/taskinfo?taskID=3658054
Comment 4 Igor Mammedov 2011-09-23 10:50:40 EDT 
Created attachment 524633 [details]
[RHEL5.8 Xen PATCH 1/2] x86: Enable Supervisor Mode Execution Protection (SMEP)
Comment 5 Igor Mammedov 2011-09-23 10:51:10 EDT 
Created attachment 524634 [details]
[RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest
Comment 6 Igor Mammedov 2011-10-07 08:45:52 EDT 
Created attachment 526888 [details]
[RHEL5.8 Xen PATCH 1/2] xen: mask out SMEP feature from PV guest
Comment 7 Igor Mammedov 2011-10-07 08:46:51 EDT 
Created attachment 526889 [details]
[RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest
Comment 8 Igor Mammedov 2011-10-10 08:50:52 EDT 
Closing because CPUID white-listing will cover masking out leaf 7.
And there is no point in fixing up CR4 since it's not enabled in hv in first place and guest can't set it.

*** This bug has been marked as a duplicate of bug 526862 ***
Comment 9 Jarod Wilson 2011-10-20 15:55:49 EDT 
Moving to POST, since the patch posted for bug 526862 is intended to cover this bug as well.
Comment 11 Jarod Wilson 2011-10-27 09:11:14 EDT 
Patch(es) available in kernel-2.6.18-294.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5
Detailed testing feedback is always welcomed.
Comment 14 errata-xmlrpc 2012-02-20 22:35:01 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0150.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.