| Message ID | 20210615164535.2146172-1-seanjc@google.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | KVM: x86: Require EFER.NX support unless EPT is on | expand |
On 15/06/21 18:45, Sean Christopherson wrote: > KVM has silently required EFER.NX support for shadow paging for well over > a year, and for NPT for roughly the same amount of time. Attempting to > run any VM with shadow paging on a system without NX support will fail due > to invalid state, while enabling nx_huge_pages with NPT and no NX will > explode due to setting a reserved bit in the page tables. > > I really, really wanted to require NX across the board, because the lack > of bug reports for the shadow paging change strongly suggests no one is > running KVM on a CPU that truly doesn't have NX. But, Intel CPUs let > firmware disable NX via MISC_ENABLES, so it's plausible that there are > users running KVM with EPT and no NX. > > Sean Christopherson (4): > KVM: VMX: Refuse to load kvm_intel if EPT and NX are disabled > KVM: SVM: Refuse to load kvm_amd if NX support is not available > KVM: x86: WARN and reject loading KVM if NX is supported but not > enabled > KVM: x86: Simplify logic to handle lack of host NX support > > arch/x86/kvm/cpuid.c | 13 +++++-------- > arch/x86/kvm/svm/svm.c | 13 ++++++++++--- > arch/x86/kvm/vmx/vmx.c | 6 ++++++ > arch/x86/kvm/x86.c | 3 +++ > 4 files changed, 24 insertions(+), 11 deletions(-) > Queued 1-3, thanks. Paolo
KVM has silently required EFER.NX support for shadow paging for well over a year, and for NPT for roughly the same amount of time. Attempting to run any VM with shadow paging on a system without NX support will fail due to invalid state, while enabling nx_huge_pages with NPT and no NX will explode due to setting a reserved bit in the page tables. I really, really wanted to require NX across the board, because the lack of bug reports for the shadow paging change strongly suggests no one is running KVM on a CPU that truly doesn't have NX. But, Intel CPUs let firmware disable NX via MISC_ENABLES, so it's plausible that there are users running KVM with EPT and no NX. Sean Christopherson (4): KVM: VMX: Refuse to load kvm_intel if EPT and NX are disabled KVM: SVM: Refuse to load kvm_amd if NX support is not available KVM: x86: WARN and reject loading KVM if NX is supported but not enabled KVM: x86: Simplify logic to handle lack of host NX support arch/x86/kvm/cpuid.c | 13 +++++-------- arch/x86/kvm/svm/svm.c | 13 ++++++++++--- arch/x86/kvm/vmx/vmx.c | 6 ++++++ arch/x86/kvm/x86.c | 3 +++ 4 files changed, 24 insertions(+), 11 deletions(-)