lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 13 Jul 2016 11:20:41 +0200
From:	Paolo Bonzini <pbonzini@...hat.com>
To:	Bandan Das <bsd@...hat.com>, kvm@...r.kernel.org
Cc:	guangrong.xiao@...ux.intel.com, kernellwp@...il.com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 0/5] Add support for EPT execute only for nested
 hypervisors



On 13/07/2016 00:18, Bandan Das wrote:
> v1 of this series posted at https://lkml.org/lkml/2016/6/28/7
> 
> Changes since v1:
>  - 1/5 : modify is_shadow_present_pte to check against 0xffffffff
>    Reasoning provided in commit message.
>  - 2/5 : Removed 2/5 from v1 since kvm doesn't use execute only.
>    3/5 from v1 is now 2/5. Introduce shadow_present_mask that
>    signifies whether ept execute only is supported. Add/remove some
>    comments as suggested in v1.
>  - 3/5 : 4/5 from v1 is now 3/5.
>  - 4/5 : update_permission_bitmask now sets u=1 only if host doesn't
>    support ept execute only.
>  - 5/5 : No change

These are the diffs I have after review, do they look okay?

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 190c0559c221..bd2535fdb9eb 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -2524,11 +2524,10 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
 		return 0;
 
 	/*
-	 * In the non-EPT case, execonly is not valid and so
-	 * the following line is equivalent to spte |= PT_PRESENT_MASK.
 	 * For the EPT case, shadow_present_mask is 0 if hardware
-	 * supports it and we honor whatever way the guest set it.
-	 * See: FNAME(gpte_access) in paging_tmpl.h
+	 * supports exec-only page table entries.  In that case,
+	 * ACC_USER_MASK and shadow_user_mask are used to represent
+	 * read access.  See FNAME(gpte_access) in paging_tmpl.h.
 	 */
 	spte |= shadow_present_mask;
 	if (!speculative)
@@ -3923,9 +3922,6 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
 				 *   clearer.
 				 */
 				smap = cr4_smap && u && !uf && !ff;
-			} else {
-				if (shadow_present_mask)
-					u = 1;
 			}
 
 			fault = (ff && !x) || (uf && !u) || (wf && !w) ||
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 576c47cda1a3..dfef081e76c0 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6120,12 +6120,14 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu)
 	gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
 	trace_kvm_page_fault(gpa, exit_qualification);
 
-	/* It is a write fault? */
+	/* it is a read fault? */
+	error_code = (exit_qualification << 2) & PFERR_USER_MASK;
+	/* it is a write fault? */
 	error_code = exit_qualification & PFERR_WRITE_MASK;
 	/* It is a fetch fault? */
 	error_code |= (exit_qualification << 2) & PFERR_FETCH_MASK;
 	/* ept page table is present? */
-	error_code |= (exit_qualification >> 3) & PFERR_PRESENT_MASK;
+	error_code |= (exit_qualification & 0x38) != 0;
 
 	vcpu->arch.exit_qualification = exit_qualification;
 
@@ -6474,8 +6476,7 @@ static __init int hardware_setup(void)
 			(enable_ept_ad_bits) ? VMX_EPT_DIRTY_BIT : 0ull,
 			0ull, VMX_EPT_EXECUTABLE_MASK,
 			cpu_has_vmx_ept_execute_only() ?
-				      0ull : PT_PRESENT_MASK);
-		BUILD_BUG_ON(PT_PRESENT_MASK != VMX_EPT_READABLE_MASK);
+				      0ull : VMX_EPT_READABLE_MASK);
 		ept_set_mmio_spte_mask();
 		kvm_enable_tdp();
 	} else

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ