[Oneiric,pull-request] Ivy Bridge: KVM support for SMEP (Supervisor Mode Execution Protection)

Message ID 1312483965.24699.14.camel@adamo
State New

Pull-request

git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476

Message

Leann Ogasawara Aug. 4, 2011, 6:52 p.m. UTC
BugLink: http://bugs.launchpad.net/bugs/796476

It's been requested that we pull the following upstream patches in order
to enable KVM support for SMEP (Supervisor Mode Execution Protection)
for Intel's Ivy Bridge.  SMEP prevents execution of user mode pages
while in supervisor mode and addresses a class of exploits for hijacking
kernel execution.  

All patches were clean cherry-picks with the minor exception of "KVM:
Mask function7 ebx against host capability word9".

I unfortunately do not have access to Ivy Bridge hardware to test, but I
have at least tested KVM on other hardware to confirm we're not
introducing any regressions.  If anyone else is interested in testing,
I've posted debs at:

http://people.canonical.com/~ogasawara/lp796476/

I just wanted to get this out to the mailing list for review before
applying to Oneiric.  I feel it better to get this applied and tested
well before we hit kernel freeze to 1) confirm any regressions, if any
and 2) apply any additional patches if needed.

Thanks,
Leann

The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:

  UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)

are available in the git repository at:
  git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476

Yang, Wei Y (4):
      KVM: Remove SMEP bit from CR4_RESERVED_BITS
      KVM: Add SMEP support when setting CR4
      KVM: Mask function7 ebx against host capability word9
      KVM: Add instruction fetch checking when walking guest page table

 arch/x86/include/asm/kvm_host.h |    2 +-
 arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
 arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
 3 files changed, 41 insertions(+), 5 deletions(-)
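
The behaviour the four patch titles refer to, as an added example that is not part of the original message and is not code from the patches: a simplified C model of an x86 instruction fetch under SMEP, plus the CPUID and CR4 gating a hypervisor needs before a guest can turn it on. The helper names are hypothetical; the bit positions are the architectural ones (CR4 bit 20, CPUID leaf 7 EBX bit 7).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Architectural bit positions (x86). */
#define PTE_PRESENT     (1ULL << 0)
#define PTE_USER        (1ULL << 2)   /* U/S: set = user-accessible */
#define PTE_NX          (1ULL << 63)
#define CR4_SMEP        (1ULL << 20)
#define CPUID7_EBX_SMEP (1U << 7)     /* CPUID.(EAX=7,ECX=0):EBX bit 7 */
#define PF_P            (1U << 0)     /* #PF error code: protection fault */
#define PF_US           (1U << 2)     /* access came from user mode */
#define PF_ID           (1U << 4)     /* access was an instruction fetch */
#define FETCH_OK        (-1)

/* Hypothetical helper: leaf 7 EBX bits a guest may see on this host. */
uint32_t guest_leaf7_ebx(uint32_t requested, uint32_t host_word9)
{
    return requested & host_word9;
}

/* Hypothetical helper: refuse CR4.SMEP unless the guest CPUID has SMEP. */
bool guest_cr4_ok(uint64_t cr4, uint32_t guest_ebx)
{
    return !(cr4 & CR4_SMEP) || (guest_ebx & CPUID7_EBX_SMEP);
}

/* Model of an instruction fetch through `levels` paging entries.
 * Returns FETCH_OK or the #PF error code the guest should receive. */
int fetch_check(const uint64_t *ent, size_t levels,
                uint64_t cr4, bool nxe, bool user_mode)
{
    unsigned base = (user_mode ? PF_US : 0) |
                    ((nxe || (cr4 & CR4_SMEP)) ? PF_ID : 0);
    bool user_page = true, nx = false;

    for (size_t i = 0; i < levels; i++) {
        if (!(ent[i] & PTE_PRESENT))
            return (int)base;                 /* not present: P bit clear */
        user_page = user_page && (ent[i] & PTE_USER);
        nx = nx || (nxe && (ent[i] & PTE_NX));
    }
    if (user_mode && !user_page)
        return (int)(base | PF_P);            /* user fetch, supervisor page */
    if (nx)
        return (int)(base | PF_P);            /* NX page */
    if (!user_mode && user_page && (cr4 & CR4_SMEP))
        return (int)(base | PF_P);            /* SMEP violation */
    return FETCH_OK;
}
```

A guest-side test for these patches would exercise the same cases: a supervisor-mode fetch from a user-accessible page must succeed with CR4.SMEP clear and fault with it set.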

Comments

Pete Graner Aug. 4, 2011, 9 p.m. UTC | #1
On 08/04/2011 02:52 PM, Leann Ogasawara wrote:
> BugLink: http://bugs.launchpad.net/bugs/796476
> 
> It's been requested that we pull the following upstream patches in order
> to enable KVM support for SMEP (Supervisor Mode Execution Protection)
> for Intel's Ivy Bridge.  SMEP prevents execution of user mode pages
> while in supervisor mode and addresses a class of exploits for hijacking
> kernel execution.  
> 
> All patches were clean cherry-picks with the minor exception of "KVM:
> Mask function7 ebx against host capability word9".
> 
> I unfortunately do not have access to Ivy Bridge hardware to test, but I
> have at least tested KVM on other hardware to confirm we're not
> introducing any regressions.  If anyone else is interested in testing,
> I've posted debs at:
> 
> http://people.canonical.com/~ogasawara/lp796476/

I just tried on my Ivy Bridge Alpha SDP. KVM works as expected, but
without a test case I'm not sure if the patches are doing anything useful.

Let me know if I can do anything else.

~pete

> 
> I just wanted to get this out to the mailing list for review before
> applying to Oneiric.  I feel it better to get this applied and tested
> well before we hit kernel freeze to 1) confirm any regressions, if any
> and 2) apply any additional patches if needed.
> 
> Thanks,
> Leann
> 
> The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:
> 
>   UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)
> 
> are available in the git repository at:
>   git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476
> 
> Yang, Wei Y (4):
>       KVM: Remove SMEP bit from CR4_RESERVED_BITS
>       KVM: Add SMEP support when setting CR4
>       KVM: Mask function7 ebx against host capability word9
>       KVM: Add instruction fetch checking when walking guest page table
> 
>  arch/x86/include/asm/kvm_host.h |    2 +-
>  arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
>  arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
>  3 files changed, 41 insertions(+), 5 deletions(-)
> 
>

Andy Whitcroft Aug. 5, 2011, 8:45 a.m. UTC | #2
On Thu, Aug 04, 2011 at 11:52:45AM -0700, Leann Ogasawara wrote:
> BugLink: http://bugs.launchpad.net/bugs/796476
> 
> It's been requested that we pull the following upstream patches in order
> to enable KVM support for SMEP (Supervisor Mode Execution Protection)
> for Intel's Ivy Bridge.  SMEP prevents execution of user mode pages
> while in supervisor mode and addresses a class of exploits for hijacking
> kernel execution.  
> 
> All patches were clean cherry-picks with the minor exception of "KVM:
> Mask function7 ebx against host capability word9".
> 
> I unfortunately do not have access to Ivy Bridge hardware to test, but I
> have at least tested KVM on other hardware to confirm we're not
> introducing any regressions.  If anyone else is interested in testing,
> I've posted debs at:
> 
> http://people.canonical.com/~ogasawara/lp796476/
> 
> I just wanted to get this out to the mailing list for review before
> applying to Oneiric.  I feel it better to get this applied and tested
> well before we hit kernel freeze to 1) confirm any regressions, if any
> and 2) apply any additional patches if needed.
> 
> Thanks,
> Leann
> 
> The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:
> 
>   UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)
> 
> are available in the git repository at:
>   git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476
> 
> Yang, Wei Y (4):
>       KVM: Remove SMEP bit from CR4_RESERVED_BITS
>       KVM: Add SMEP support when setting CR4
>       KVM: Mask function7 ebx against host capability word9
>       KVM: Add instruction fetch checking when walking guest page table
> 
>  arch/x86/include/asm/kvm_host.h |    2 +-
>  arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
>  arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
>  3 files changed, 41 insertions(+), 5 deletions(-)

These patches look fairly self-contained and dependent on SMEP.  The
last one is interesting as, if I have read it correctly, it actually adds
emulation.  This should make Kees happy.

I am concerned at the SHA1s in these patches as they purport to be
upstream commit ids and yet I cannot find them in mainline?

With the SHA1s resolved:

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw

Leann Ogasawara Aug. 5, 2011, 7:25 p.m. UTC | #3
Applied to Oneiric.

Thanks,
Leann

On Thu, 2011-08-04 at 11:52 -0700, Leann Ogasawara wrote:
> BugLink: http://bugs.launchpad.net/bugs/796476
> 
> It's been requested that we pull the following upstream patches in order
> to enable KVM support for SMEP (Supervisor Mode Execution Protection)
> for Intel's Ivy Bridge.  SMEP prevents execution of user mode pages
> while in supervisor mode and addresses a class of exploits for hijacking
> kernel execution.  
> 
> All patches were clean cherry-picks with the minor exception of "KVM:
> Mask function7 ebx against host capability word9".
> 
> I unfortunately do not have access to Ivy Bridge hardware to test, but I
> have at least tested KVM on other hardware to confirm we're not
> introducing any regressions.  If anyone else is interested in testing,
> I've posted debs at:
> 
> http://people.canonical.com/~ogasawara/lp796476/
> 
> I just wanted to get this out to the mailing list for review before
> applying to Oneiric.  I feel it better to get this applied and tested
> well before we hit kernel freeze to 1) confirm any regressions, if any
> and 2) apply any additional patches if needed.
> 
> Thanks,
> Leann
> 
> The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:
> 
>   UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)
> 
> are available in the git repository at:
>   git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476
> 
> Yang, Wei Y (4):
>       KVM: Remove SMEP bit from CR4_RESERVED_BITS
>       KVM: Add SMEP support when setting CR4
>       KVM: Mask function7 ebx against host capability word9
>       KVM: Add instruction fetch checking when walking guest page table
> 
>  arch/x86/include/asm/kvm_host.h |    2 +-
>  arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
>  arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
>  3 files changed, 41 insertions(+), 5 deletions(-)
> 
>