Bug 711070 - mask the SMEP bit for PV, do the same or backport SMEP emulation for HVM
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel-xen
Version: 5.7
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: rc
Assignee: Igor Mammedov
QA Contact: Virtualization Bugs
Depends On: 526862
Blocks: 514489
Reported: 2011-06-06 12:47 UTC by Paolo Bonzini
Modified: 2012-02-21 03:35 UTC

Fixed In Version: kernel-2.6.18-294.el5
Doc Type: Bug Fix
Last Closed: 2012-02-21 03:35:01 UTC


Attachments
patch for RHEL5 kernel to verify if SMEP is visible via pv_cpuid (1.21 KB, patch)
2011-09-23 14:49 UTC, Igor Mammedov
[RHEL5.8 Xen PATCH 1/2] x86: Enable Supervisor Mode Execution Protection (SMEP) (13.96 KB, patch)
2011-09-23 14:50 UTC, Igor Mammedov
[RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest (1.61 KB, patch)
2011-09-23 14:51 UTC, Igor Mammedov
[RHEL5.8 Xen PATCH 1/2] xen: mask out SMEP feature from PV guest (2.02 KB, patch)
2011-10-07 12:45 UTC, Igor Mammedov
[RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest (2.32 KB, patch)
2011-10-07 12:46 UTC, Igor Mammedov


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0150 0 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux 5.8 kernel update 2012-02-21 07:35:24 UTC

Description Paolo Bonzini 2011-06-06 12:47:52 UTC
The SMEP feature has to be masked for PV guests, because if the kernel supports SMEP it will set it through writing to CR4.  This will fail on Xen guests and anyway X86_64 pv guests run in ring3, which SMEP doesn't apply to.

For HVM another approach is possible, and a patch for this has been posted to xen-devel: It is probably reasonable to emulate this in Xen, as it is a security feature after all.  However, this emulation would only apply when EPT/NPT is disabled, so perhaps it's not worth it.

Comment 1 RHEL Program Management 2011-08-12 16:30:19 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Igor Mammedov 2011-09-21 14:40:07 UTC
First part of back-port is done.

But as for back-porting HVM support for it, I've chosen the easy way, i.e. mask SMEP
from the HVM guest (done). There is too much difference in the hvm code compared with upstream, and scary dependencies, for example: c/s 17917.

Queued reservation of an Ivy Bridge beaker box for testing.

Also tested on box without SMEP support:
  x86_64 host: 32-bit pv guest, 64-bit pv guest
Looks like nothing regressed on older hardware so far.

Comment 3 Igor Mammedov 2011-09-23 14:49:56 UTC
Created attachment 524631
patch for RHEL5 kernel to verify if SMEP is visible via pv_cpuid

Kernel build with smep enabled hv and patched kernel to check it.
https://brewweb.devel.redhat.com/taskinfo?taskID=3658054

Comment 4 Igor Mammedov 2011-09-23 14:50:40 UTC
Created attachment 524633
[RHEL5.8 Xen PATCH 1/2] x86: Enable Supervisor Mode Execution Protection (SMEP)

Comment 5 Igor Mammedov 2011-09-23 14:51:10 UTC
Created attachment 524634
[RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest

Comment 6 Igor Mammedov 2011-10-07 12:45:52 UTC
Created attachment 526888
[RHEL5.8 Xen PATCH 1/2] xen: mask out SMEP feature from PV guest

Comment 7 Igor Mammedov 2011-10-07 12:46:51 UTC
Created attachment 526889
[RHEL5.8 Xen PATCH 2/2] x86: Hide SMEP support from HVM guest

Comment 8 Igor Mammedov 2011-10-10 12:50:52 UTC
Closing because CPUID white-listing will cover masking out leaf 7.
And there is no point in fixing up CR4 since it's not enabled in the hv in the first place and the guest can't set it.

*** This bug has been marked as a duplicate of bug 526862 ***
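
Added example (not from the bug report or its attached patches): a simplified C model of the interaction discussed in the description and in comment 8, showing why a guest that sees the SMEP bit in CPUID leaf 7 attempts a CR4 write the hypervisor refuses, and how white-listing leaf 7 avoids it. The function names, the whitelist contents and the sample register values are assumptions constructed for illustration; only the bit positions (CPUID.(EAX=7,ECX=0):EBX bit 7 and CR4 bit 20) are architectural.

```c
#include <stdint.h>
#include <stdio.h>

#define LEAF7_EBX_SMEP (1u << 7)   /* CPUID.(EAX=7,ECX=0):EBX bit 7 */
#define CR4_SMEP       (1u << 20)  /* CR4 bit 20 */

/* Hypervisor side (hypothetical helper): the guest sees only the
 * white-listed feature bits of leaf 7. */
static uint32_t guest_leaf7_ebx(uint32_t host_ebx, uint32_t whitelist)
{
    return host_ebx & whitelist;
}

/* Guest side: a SMEP-aware kernel turns CR4.SMEP on when CPUID reports it. */
static uint32_t guest_wanted_cr4(uint32_t cr4, uint32_t leaf7_ebx)
{
    return (leaf7_ebx & LEAF7_EBX_SMEP) ? (cr4 | CR4_SMEP) : cr4;
}

/* Hypervisor side: refuse a CR4 value carrying bits the guest may not set. */
static int hv_cr4_write_ok(uint32_t new_cr4, uint32_t allowed)
{
    return (new_cr4 & ~allowed) == 0;
}

/* Returns 1 if the guest's CR4 setup is accepted, 0 if it is refused. */
static int guest_cr4_setup_ok(uint32_t host_ebx, uint32_t whitelist,
                              uint32_t cr4, uint32_t allowed)
{
    uint32_t seen = guest_leaf7_ebx(host_ebx, whitelist);
    return hv_cr4_write_ok(guest_wanted_cr4(cr4, seen), allowed);
}

int main(void)
{
    /* Constructed sample values, not read from real hardware. */
    uint32_t host_ebx = 0x281;   /* FSGSBASE | SMEP | ERMS */
    uint32_t cr4 = 0x6f0;        /* typical feature bits, SMEP clear */
    uint32_t allowed = 0x7ff;    /* guest-settable CR4 bits, excludes bit 20 */

    printf("leaf 7 unmasked: %s\n",
           guest_cr4_setup_ok(host_ebx, ~0u, cr4, allowed)
               ? "ok" : "CR4 write refused");
    printf("SMEP masked:     %s\n",
           guest_cr4_setup_ok(host_ebx, ~LEAF7_EBX_SMEP, cr4, allowed)
               ? "ok" : "CR4 write refused");
    return 0;
}
```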

Comment 9 Jarod Wilson 2011-10-20 19:55:49 UTC
Moving to POST, since the patch posted for bug 526862 is intended to cover this bug as well.

Comment 11 Jarod Wilson 2011-10-27 13:11:14 UTC
Patch(es) available in kernel-2.6.18-294.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5
Detailed testing feedback is always welcomed.

Comment 14 errata-xmlrpc 2012-02-21 03:35:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0150.html

