diff options
| author | Avi Kivity <avi@redhat.com> | 2011-06-06 09:11:54 -0400 |
|---|---|---|
| committer | Avi Kivity <avi@redhat.com> | 2011-07-12 06:16:26 -0400 |
| commit | 411c588dfb863feee78b721d5e7c86ac38921c49 (patch) | |
| tree | bb60c136f0392fbbd8f222fd2049f265746a7eae /Documentation/virtual | |
| parent | a01c8f9b4e266df1d7166d23216f2060648f862d (diff) | |
KVM: MMU: Adjust shadow paging to work when SMEP=1 and CR0.WP=0
When CR0.WP=0, we sometimes map user pages as kernel pages (to allow
the kernel to write to them). Unfortunately this also allows the kernel
to fetch from these pages, even if CR4.SMEP is set.
Adjust for this by also setting NX on the spte in these circumstances.
Signed-off-by: Avi Kivity <avi@redhat.com>
Diffstat (limited to 'Documentation/virtual')
| -rw-r--r-- | Documentation/virtual/kvm/mmu.txt | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt index f46aa58389ca..5dc972c09b55 100644 --- a/Documentation/virtual/kvm/mmu.txt +++ b/Documentation/virtual/kvm/mmu.txt | |||
| @@ -165,6 +165,10 @@ Shadow pages contain the following information: | |||
| 165 | Contains the value of efer.nxe for which the page is valid. | 165 | Contains the value of efer.nxe for which the page is valid. |
| 166 | role.cr0_wp: | 166 | role.cr0_wp: |
| 167 | Contains the value of cr0.wp for which the page is valid. | 167 | Contains the value of cr0.wp for which the page is valid. |
| 168 | role.smep_andnot_wp: | ||
| 169 | Contains the value of cr4.smep && !cr0.wp for which the page is valid | ||
| 170 | (pages for which this is true are different from other pages; see the | ||
| 171 | treatment of cr0.wp=0 below). | ||
| 168 | gfn: | 172 | gfn: |
| 169 | Either the guest page table containing the translations shadowed by this | 173 | Either the guest page table containing the translations shadowed by this |
| 170 | page, or the base page frame for linear translations. See role.direct. | 174 | page, or the base page frame for linear translations. See role.direct. |
| @@ -317,6 +321,20 @@ on fault type: | |||
| 317 | 321 | ||
| 318 | (user write faults generate a #PF) | 322 | (user write faults generate a #PF) |
| 319 | 323 | ||
| 324 | In the first case there is an additional complication if CR4.SMEP is | ||
| 325 | enabled: since we've turned the page into a kernel page, the kernel may now | ||
| 326 | execute it. We handle this by also setting spte.nx. If we get a user | ||
| 327 | fetch or read fault, we'll change spte.u=1 and spte.nx=gpte.nx back. | ||
| 328 | |||
| 329 | To prevent an spte that was converted into a kernel page with cr0.wp=0 | ||
| 330 | from being written by the kernel after cr0.wp has changed to 1, we make | ||
| 331 | the value of cr0.wp part of the page role. This means that an spte created | ||
| 332 | with one value of cr0.wp cannot be used when cr0.wp has a different value - | ||
| 333 | it will simply be missed by the shadow page lookup code. A similar issue | ||
| 334 | exists when an spte created with cr0.wp=0 and cr4.smep=0 is used after | ||
| 335 | changing cr4.smep to 1. To avoid this, the value of !cr0.wp && cr4.smep | ||
| 336 | is also made a part of the page role. | ||
| 337 | |||
| 320 | Large pages | 338 | Large pages |
| 321 | =========== | 339 | =========== |
| 322 | 340 | ||