X-Patchwork-Submitter: Leann Ogasawara
X-Patchwork-Id: 108560
Subject: [Oneiric][pull-request] Ivy Bridge: KVM support for SMEP (Supervisor Mode Execution Protection)
From: Leann Ogasawara
To: kernel-team
Date: Thu, 04 Aug 2011 11:52:45 -0700
Message-ID: <1312483965.24699.14.camel@adamo>

BugLink: http://bugs.launchpad.net/bugs/796476

It's been requested that we pull the following upstream patches in order to enable KVM support for SMEP (Supervisor Mode Execution Protection) for Intel's Ivy Bridge.
SMEP prevents execution of user mode pages while in supervisor mode and addresses a class of exploits for hijacking kernel execution. All patches were clean cherry-picks with the minor exception of "KVM: Mask function7 ebx against host capability word9". I unfortunately do not have access to Ivy Bridge hardware to test, but I have at least tested KVM on other hardware to confirm we're not introducing any regressions. If anyone else is interested in testing, I've posted debs at:

http://people.canonical.com/~ogasawara/lp796476/

I just wanted to get this out to the mailing list for review before applying to Oneiric. I feel it better to get this applied and tested well before we hit kernel freeze to 1) confirm any regressions, if any and 2) apply any additional patches if needed.

Thanks,
Leann

The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:

  UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)

are available in the git repository at:

  git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476

Yang, Wei Y (4):
      KVM: Remove SMEP bit from CR4_RESERVED_BITS
      KVM: Add SMEP support when setting CR4
      KVM: Mask function7 ebx against host capability word9
      KVM: Add instruction fetch checking when walking guest page table

 arch/x86/include/asm/kvm_host.h |    2 +-
 arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
 arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
 3 files changed, 41 insertions(+), 5 deletions(-)

Acked-by: Andy Whitcroft
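
The SMEP rule named in the patch titles above, as an added user-space model in C; it is not code from the patches or from KVM, and the function names are hypothetical. It assumes the architectural bit positions (CR4 bit 20, CPUID leaf 7 EBX bit 7, PTE U/S bit 2) and ignores NX and write protection.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CR4_SMEP        (1ULL << 20)  /* CR4.SMEP, architectural bit 20 */
#define CPUID7_EBX_SMEP (1U << 7)     /* CPUID.(EAX=7,ECX=0):EBX bit 7 */
#define PTE_PRESENT     (1ULL << 0)
#define PTE_USER        (1ULL << 2)   /* U/S bit: 1 = user-accessible */

/* Guest-visible leaf 7 EBX: only bits the host CPU has AND the hypervisor
 * supports, so a guest never sees SMEP on a host that lacks it. */
uint32_t guest_cpuid7_ebx(uint32_t host_ebx, uint32_t hv_supported)
{
    return host_ebx & hv_supported;
}

/* A guest CR4 write that sets SMEP is valid only if its CPUID advertises SMEP. */
bool cr4_write_ok(uint64_t new_cr4, uint32_t guest_ebx)
{
    return !(new_cr4 & CR4_SMEP) || (guest_ebx & CPUID7_EBX_SMEP);
}

/* Walk entries from top level to leaf; return true if an instruction fetch faults. */
bool fetch_faults(const uint64_t *ptes, size_t levels, uint64_t cr4, int cpl)
{
    bool user = true;                 /* effective U/S is the AND of all levels */
    for (size_t i = 0; i < levels; i++) {
        if (!(ptes[i] & PTE_PRESENT))
            return true;              /* not-present fault */
        user = user && (ptes[i] & PTE_USER);
    }
    if (cpl == 3)
        return !user;                 /* user fetch from a supervisor page */
    return user && (cr4 & CR4_SMEP);  /* SMEP: supervisor fetch from a user page */
}

int main(void)
{
    /* Constructed sample: a 4-level mapping with U/S set at every level. */
    uint64_t user_page[4] = { 0x1007, 0x2007, 0x3007, 0x4005 };
    printf("CPL0 fetch, SMEP off: %s\n",
           fetch_faults(user_page, 4, 0, 0) ? "fault" : "ok");
    printf("CPL0 fetch, SMEP on:  %s\n",
           fetch_faults(user_page, 4, CR4_SMEP, 0) ? "fault" : "ok");
    return 0;
}
```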