From 293a0a1fd712bb85bc695e86a519e8da67f1a39f Mon Sep 17 00:00:00 2001
From: "Boqun Feng (Intel)"
Date: Thu, 10 Aug 2017 12:33:27 +0200
Subject: [PATCH] x86/cpufeatures: expose UMIP to HVM guests
User-Mode Instruction Prevention (UMIP) is a security feature present in new Intel Processors. With this feature, when the UMIP bit in CR4 set, the following instructions cannot be executed if CPL > 0: SGDT, SIDT, SLDT, SMSW, and STR. An attempt at such execution causes a general- protection exception (#GP). This patch simply adds necessary definitions to expose this feature to hvm guests.
Signed-off-by: Boqun Feng (Intel)
Reviewed-by: Jan Beulich
---
 xen/arch/x86/hvm/hvm.c | 1 +
 xen/include/public/arch-x86/cpufeatureset.h | 1 +
 2 files changed, 2 insertions(+)
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 555133f2d3..6cb903def5 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -959,6 +959,7 @@ unsigned long hvm_cr4_guest_valid_bits(const struct vcpu *v, bool restore)
 (p->basic.xsave ? X86_CR4_OSXSAVE : 0) |
 (p->feat.smep ? X86_CR4_SMEP : 0) |
 (p->feat.smap ? X86_CR4_SMAP : 0) |
+ (p->feat.umip ? X86_CR4_UMIP : 0) |
 (p->feat.pku ? X86_CR4_PKE : 0));
 }
 
diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
index 97dd3534c5..0ee3ea350f 100644
--- a/xen/include/public/arch-x86/cpufeatureset.h
+++ b/xen/include/public/arch-x86/cpufeatureset.h
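Review bot: The added `(p->feat.umip ? X86_CR4_UMIP : 0) |` term in hvm_cr4_guest_valid_bits() (xen/arch/x86/hvm/hvm.c) lets a guest set CR4.UMIP, but nothing in this patch shows that paths where Xen emulates SGDT, SIDT, SLDT, SMSW or STR on the guest's behalf honour the bit. If the instruction emulator can be reached for these instructions at CPL > 0, it would have to raise #GP when CR4.UMIP is set, otherwise the guest kernel's protection is weaker under emulation than on hardware; please confirm this is already handled and say so in the commit message, which currently reads as if only definitions are needed. A short comment next to the new term would record the dependency, for example `/* UMIP is enforced by hardware; emulation of SGDT/SIDT/SLDT/SMSW/STR must check CR4.UMIP as well. */`. The function body starts outside the hunk, so how `p` is chosen (including for `restore`) is not visible here.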
@@ -225,6 +225,7 @@ XEN_CPUFEATURE(AVX512VL, 5*32+31) /*A AVX-512 Vector Length Extensions */
 /* Intel-defined CPU features, CPUID level 0x00000007:0.ecx, word 6 */
 XEN_CPUFEATURE(PREFETCHWT1, 6*32+ 0) /*A PREFETCHWT1 instruction */
 XEN_CPUFEATURE(AVX512VBMI, 6*32+ 1) /*A AVX-512 Vector Byte Manipulation Instrs */
+XEN_CPUFEATURE(UMIP, 6*32+ 2) /*S User Mode Instruction Prevention */
 XEN_CPUFEATURE(PKU, 6*32+ 3) /*H Protection Keys for Userspace */
 XEN_CPUFEATURE(OSPKE, 6*32+ 4) /*! OS Protection Keys Enable */
 XEN_CPUFEATURE(AVX512_VPOPCNTDQ, 6*32+14) /*A POPCNT for vectors of DW/QW */
-- 2.30.2