x86: enable Supervisor Mode Access Prevention (SMAP) for Xen
author Feng Wu <feng.wu@intel.com>
Mon, 12 May 2014 15:03:38 +0000 (17:03 +0200)
committer Jan Beulich <jbeulich@suse.com>
Mon, 12 May 2014 15:03:38 +0000 (17:03 +0200)
commit 64df8742aa4f6ff2037ebdf7c9985ad16a3d107d
tree 68490a5c57f77f02aeeb88577d5142d750230d89
parent 67fa47753f55cbfdada11f8f517ddd07bc9f6be8
x86: enable Supervisor Mode Access Prevention (SMAP) for Xen

Supervisor Mode Access Prevention (SMAP) is a new security
feature disclosed by Intel; please refer to the following
document:

http://software.intel.com/sites/default/files/319433-014.pdf

If CR4.SMAP = 1, supervisor-mode data accesses are not allowed
to linear addresses that are accessible in user mode. If CPL < 3,
SMAP protections are disabled if EFLAGS.AC = 1. If CPL = 3, SMAP
applies to all supervisor-mode data accesses (these are implicit
supervisor accesses) regardless of the value of EFLAGS.AC.

This patch enables SMAP in Xen to prevent the Xen hypervisor from
accessing pv guest data, whose translation paging-structure
entries' U/S flags are all set.

Signed-off-by: Feng Wu <feng.wu@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
docs/misc/xen-command-line.markdown
xen/arch/x86/setup.c
xen/arch/x86/traps.c
xen/include/asm-x86/cpufeature.h
xen/include/asm-x86/domain.h
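
The access rule stated in the commit message, written out as a small user-space model. This is an added example, not code from the Xen patch: the function names, macro names and page-table entry values are constructed for illustration, and every access is assumed to be a supervisor-mode data access. Only the bit positions (CR4 bit 21, EFLAGS bit 18, U/S as bit 2 of a paging-structure entry) are architectural.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define X86_CR4_SMAP  (1UL << 21)  /* CR4.SMAP */
#define X86_EFLAGS_AC (1UL << 18)  /* EFLAGS.AC */
#define PAGE_USER     (1ULL << 2)  /* U/S flag of a paging-structure entry */

/* Constructed sample walks (PML4E, PDPTE, PDE, PTE); low bits 0x67 = P|RW|US|A|D. */
static const uint64_t guest_user_walk[4] = { 0x1000067, 0x2000067, 0x3000067, 0x4000067 };
/* U/S cleared in the PDE, so the address is supervisor-only. */
static const uint64_t mixed_walk[4]      = { 0x1000067, 0x2000067, 0x3000063, 0x4000067 };

/* A linear address is user-accessible only if U/S is set in every entry
 * of its translation (the "U/S flags are all set" case in the message). */
static bool user_accessible(const uint64_t *entries, size_t levels)
{
    for (size_t i = 0; i < levels; i++)
        if (!(entries[i] & PAGE_USER))
            return false;
    return levels > 0;
}

/* Returns true if the modelled supervisor-mode data access would be
 * blocked by SMAP, following the rule as the commit message states it. */
static bool smap_violation(unsigned long cr4, unsigned long eflags,
                           unsigned int cpl,
                           const uint64_t *entries, size_t levels)
{
    if (!(cr4 & X86_CR4_SMAP))
        return false;                 /* SMAP not enabled */
    if (!user_accessible(entries, levels))
        return false;                 /* supervisor-only mapping */
    if (cpl < 3 && (eflags & X86_EFLAGS_AC))
        return false;                 /* EFLAGS.AC = 1 suspends SMAP at CPL < 3 */
    return true;                      /* CPL = 3 implicit accesses ignore AC */
}

int main(void)
{
    printf("CPL0, AC=0, guest page: %d\n",
           smap_violation(X86_CR4_SMAP, 0, 0, guest_user_walk, 4));
    printf("CPL0, AC=1, guest page: %d\n",
           smap_violation(X86_CR4_SMAP, X86_EFLAGS_AC, 0, guest_user_walk, 4));
    printf("CPL0, AC=0, mixed walk: %d\n",
           smap_violation(X86_CR4_SMAP, 0, 0, mixed_walk, 4));
    return 0;
}
```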