Message ID | 1312483965.24699.14.camel@adamo |
---|---|
State | New |
On 08/04/2011 02:52 PM, Leann Ogasawara wrote:
> BugLink: http://bugs.launchpad.net/bugs/796476
>
> It's been requested that we pull the following upstream patches in order
> to enable KVM support for SMEP (Supervisor Mode Execution Protection)
> for Intel's Ivy Bridge. SMEP prevents execution of user mode pages
> while in supervisor mode and addresses a class of exploits for hijacking
> kernel execution.
>
> All patches were clean cherry-picks with the minor exception of "KVM:
> Mask function7 ebx against host capability word9".
>
> I unfortunately do not have access to Ivy Bridge hardware to test, but I
> have at least tested KVM on other hardware to confirm we're not
> introducing any regressions. If anyone else is interested in testing,
> I've posted debs at:
>
> http://people.canonical.com/~ogasawara/lp796476/

I just tried on my Ivy Bridge Alpha SDP. KVM works as expected, but
without a test case I'm not sure if the patches are doing anything
useful. Let me know if I can do anything else.

~pete

>
> I just wanted to get this out to the mailing list for review before
> applying to Oneiric. I feel it better to get this applied and tested
> well before we hit kernel freeze to 1) confirm any regressions, if any
> and 2) apply any additional patches if needed.
>
> Thanks,
> Leann
>
> The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:
>
>   UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)
>
> are available in the git repository at:
>   git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476
>
> Yang, Wei Y (4):
>       KVM: Remove SMEP bit from CR4_RESERVED_BITS
>       KVM: Add SMEP support when setting CR4
>       KVM: Mask function7 ebx against host capability word9
>       KVM: Add instruction fetch checking when walking guest page table
>
>  arch/x86/include/asm/kvm_host.h |    2 +-
>  arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
>  arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
>  3 files changed, 41 insertions(+), 5 deletions(-)
>
>
On Thu, Aug 04, 2011 at 11:52:45AM -0700, Leann Ogasawara wrote:
> BugLink: http://bugs.launchpad.net/bugs/796476
>
> It's been requested that we pull the following upstream patches in order
> to enable KVM support for SMEP (Supervisor Mode Execution Protection)
> for Intel's Ivy Bridge. SMEP prevents execution of user mode pages
> while in supervisor mode and addresses a class of exploits for hijacking
> kernel execution.
>
> All patches were clean cherry-picks with the minor exception of "KVM:
> Mask function7 ebx against host capability word9".
>
> I unfortunately do not have access to Ivy Bridge hardware to test, but I
> have at least tested KVM on other hardware to confirm we're not
> introducing any regressions. If anyone else is interested in testing,
> I've posted debs at:
>
> http://people.canonical.com/~ogasawara/lp796476/
>
> I just wanted to get this out to the mailing list for review before
> applying to Oneiric. I feel it better to get this applied and tested
> well before we hit kernel freeze to 1) confirm any regressions, if any
> and 2) apply any additional patches if needed.
>
> Thanks,
> Leann
>
> The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:
>
>   UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)
>
> are available in the git repository at:
>   git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476
>
> Yang, Wei Y (4):
>       KVM: Remove SMEP bit from CR4_RESERVED_BITS
>       KVM: Add SMEP support when setting CR4
>       KVM: Mask function7 ebx against host capability word9
>       KVM: Add instruction fetch checking when walking guest page table
>
>  arch/x86/include/asm/kvm_host.h |    2 +-
>  arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
>  arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
>  3 files changed, 41 insertions(+), 5 deletions(-)

These patches look fairly self-contained and dependent on SMEP. The
last one is interesting as, if I have read it correctly, it actually adds
emulation. This should make Kees happy.

I am concerned at the SHA1s in these patches as they purport to be
upstream commit ids and yet I cannot find them in mainline?

With the SHA1s resolved:

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
Applied to Oneiric.

Thanks,
Leann

On Thu, 2011-08-04 at 11:52 -0700, Leann Ogasawara wrote:
> BugLink: http://bugs.launchpad.net/bugs/796476
>
> It's been requested that we pull the following upstream patches in order
> to enable KVM support for SMEP (Supervisor Mode Execution Protection)
> for Intel's Ivy Bridge. SMEP prevents execution of user mode pages
> while in supervisor mode and addresses a class of exploits for hijacking
> kernel execution.
>
> All patches were clean cherry-picks with the minor exception of "KVM:
> Mask function7 ebx against host capability word9".
>
> I unfortunately do not have access to Ivy Bridge hardware to test, but I
> have at least tested KVM on other hardware to confirm we're not
> introducing any regressions. If anyone else is interested in testing,
> I've posted debs at:
>
> http://people.canonical.com/~ogasawara/lp796476/
>
> I just wanted to get this out to the mailing list for review before
> applying to Oneiric. I feel it better to get this applied and tested
> well before we hit kernel freeze to 1) confirm any regressions, if any
> and 2) apply any additional patches if needed.
>
> Thanks,
> Leann
>
> The following changes since commit a5c2202c4ca41d438f0502fce3f67a8ab25b64e7:
>
>   UBUNTU: [Config] Disable config IWLWIFI_DEVICE_SVTOOL (2011-08-02 11:08:28 -0700)
>
> are available in the git repository at:
>   git://kernel.ubuntu.com/ogasawara/ubuntu-oneiric lp796476
>
> Yang, Wei Y (4):
>       KVM: Remove SMEP bit from CR4_RESERVED_BITS
>       KVM: Add SMEP support when setting CR4
>       KVM: Mask function7 ebx against host capability word9
>       KVM: Add instruction fetch checking when walking guest page table
>
>  arch/x86/include/asm/kvm_host.h |    2 +-
>  arch/x86/kvm/paging_tmpl.h      |    9 ++++++++-
>  arch/x86/kvm/x86.c              |   35 ++++++++++++++++++++++++++++++++---
>  3 files changed, 41 insertions(+), 5 deletions(-)
>
>
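
As an added illustration (not code from the patches or from anyone on this thread), the C model below captures the architectural SMEP rules that the four patch titles refer to: masking CPUID leaf 7 EBX against the host, treating CR4.SMEP as reserved unless advertised, and faulting supervisor instruction fetches from user pages. All function names are hypothetical, and the model ignores every other CR4 bit and paging check (present, NX, write protection).

```c
/* Added example: simplified model of the architectural SMEP rules.
 * Not KVM code; all function names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define X86_CR4_SMEP    (1u << 20)  /* CR4 bit 20 */
#define CPUID7_EBX_SMEP (1u << 7)   /* CPUID.(EAX=7,ECX=0):EBX bit 7 */
#define PTE_USER        (1ull << 2) /* U/S bit of a paging-structure entry */

/* A guest is only shown leaf-7 EBX features that the host CPU also has. */
uint32_t guest_cpuid7_ebx(uint32_t hypervisor_supported, uint32_t host_ebx)
{
    return hypervisor_supported & host_ebx;
}

/* CR4.SMEP is a reserved bit (write takes #GP) unless CPUID advertises SMEP.
 * Assumption: every other CR4 bit is ignored by this model. */
bool cr4_write_ok(uint32_t new_cr4, uint32_t guest_ebx)
{
    return !(new_cr4 & X86_CR4_SMEP) || (guest_ebx & CPUID7_EBX_SMEP);
}

/* A linear address is a user page only if U/S is set at every level. */
bool walk_is_user(const uint64_t *entries, int levels)
{
    for (int i = 0; i < levels; i++)
        if (!(entries[i] & PTE_USER))
            return false;
    return true;
}

/* SMEP faults only supervisor (CPL < 3) instruction fetches from user pages;
 * data reads and writes to the same page are unaffected. */
bool smep_fault(uint32_t cr4, int cpl, bool is_fetch, bool page_user)
{
    return (cr4 & X86_CR4_SMEP) && cpl < 3 && is_fetch && page_user;
}

int main(void)
{
    uint64_t user_page[4] = { 0x7, 0x7, 0x7, 0x7 }; /* constructed entries */
    bool user = walk_is_user(user_page, 4);
    printf("kernel fetch, SMEP on:  %d\n", smep_fault(X86_CR4_SMEP, 0, true, user));
    printf("kernel read,  SMEP on:  %d\n", smep_fault(X86_CR4_SMEP, 0, false, user));
    printf("kernel fetch, SMEP off: %d\n", smep_fault(0, 0, true, user));
    return 0;
}
```

On real hardware, the corresponding guest-side check is whether the `smep` flag appears in the guest's `/proc/cpuinfo`.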