XEN_PV paravirtualizes read/write_c3. This does not work with KAISER as the CR3 switch from and to user space PGD would require to map the whole XEN_PV machinery into both. It's also not clear whether the register space is sufficient to do so. All other PV guests use the native implementations and are compatible with KAISER. Add detection for XEN_PV and disable KAISER in the early boot process when the kernel is running as a XEN_PV guest. Signed-off-by: Thomas Gleixner --- arch/x86/include/asm/hypervisor.h | 25 +++++++++++++++---------- arch/x86/mm/kaiser.c | 3 +++ security/Kconfig | 2 +- 3 files changed, 19 insertions(+), 11 deletions(-) --- a/arch/x86/include/asm/hypervisor.h +++ b/arch/x86/include/asm/hypervisor.h @@ -20,16 +20,7 @@ #ifndef _ASM_X86_HYPERVISOR_H #define _ASM_X86_HYPERVISOR_H -#ifdef CONFIG_HYPERVISOR_GUEST - -#include -#include -#include - -/* - * x86 hypervisor information - */ - +/* x86 hypervisor types */ enum x86_hypervisor_type { X86_HYPER_NATIVE = 0, X86_HYPER_VMWARE, @@ -39,6 +30,12 @@ enum x86_hypervisor_type { X86_HYPER_KVM, }; +#ifdef CONFIG_HYPERVISOR_GUEST + +#include +#include +#include + struct hypervisor_x86 { /* Hypervisor name */ const char *name; @@ -58,7 +55,15 @@ struct hypervisor_x86 { extern enum x86_hypervisor_type x86_hyper_type; extern void init_hypervisor_platform(void); +static inline bool hypervisor_is_type(enum x86_hypervisor_type type) +{ + return x86_hyper_type == type; +} #else static inline void init_hypervisor_platform(void) { } +static inline bool hypervisor_is_type(enum x86_hypervisor_type type) +{ + return type == X86_HYPER_NATIVE; +} #endif /* CONFIG_HYPERVISOR_GUEST */ #endif /* _ASM_X86_HYPERVISOR_H */ --- a/arch/x86/mm/kaiser.c +++ b/arch/x86/mm/kaiser.c @@ -34,6 +34,7 @@ #include #include +#include #include #include #include @@ -53,6 +54,8 @@ void __init kaiser_check_cmdline(void) { if (cmdline_find_option_bool(boot_command_line, "nokaiser")) kaiser_enabled = false; + if (hypervisor_is_type(X86_HYPER_XEN_PV)) + kaiser_enabled = false; } /* --- a/security/Kconfig +++ b/security/Kconfig @@ -56,7 +56,7 @@ config SECURITY_NETWORK config KAISER bool "Remove the kernel mapping in user mode" - depends on X86_64 && SMP && !PARAVIRT && JUMP_LABEL + depends on X86_64 && SMP && JUMP_LABEL help This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped