Hello,

Summary: How can I have a virtual CPU with the nx bit set whilst
enjoying KVM acceleration?

My Host - AMD Athlon(tm) 64 Processor 3200+ running Gentoo
My VM - KVM running hardened Gentoo
My KVM version - 0.12.3
My Task - Implement restricted secure VM to handle services exposed to
internet.
My Command - kvm -hda /dev/mapper/vols-andrew -kernel ./bzImage -append
root=/dev/hda2 -cpu host -runas xxx -net nic -net user -m 256 -k en-gb
-vnc :1 -monitor stdio

In order to maximise the security of my VM, I have enabled PaX which is
supposed to prevent various address space attacks.  Sadly, when I run
'paxtest' it reports that my VM is still vulnerable.  I have concluded
that the problem is most likely caused by the virtual CPU not having the
nx bit set.

Flags in virtual CPU: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr
pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall mmxext fxsr_opt
lm rep_good pni cx16 lahf_lm

Flags in host CPU: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt
rdtscp lm 3dnowext 3dnow rep_good nopl pni cx16 lahf_lm svm extapic
cr8_legacy

As you can see, despite using the '-cpu host' command, several host
flags, including nx, are missing in the VM.  Setting '-cpu host,+nx'
doesn't make any difference.

If, however, I remove the '-cpu host' option and add the '-no-kvm' option
the virtual CPU has the nx flag and paxtest reports that my VM is
secure.  Of course the downside is that everything runs much slower.

Confusingly, the following page about tuning KVM
(http://www.linux-kvm.org/page/Tuning_KVM) lists the flags for the
default qemu64 cpu and nx is clearly included.  But, when I set '-cpu
qemu64' I get a model name of QEMU Virtual CPU, but no sign of an nx bit.

So, is there any way of having the nx bit and the benefits of KVM
acceleration?

Thank you.
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
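The host-versus-guest flag comparison done by hand above, written up as a small POSIX shell script so the check can be repeated after every change to the -cpu option. This is an added example, not code from the poster or from the KVM project; the two flag lists are copied from the post, the function names are my own, and a real run would feed cpu_flags the guest's and host's /proc/cpuinfo.

```shell
#!/bin/sh
# Sample flag lists, constructed from the two "Flags" lines quoted in the post.
HOST_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good nopl pni cx16 lahf_lm svm extapic cr8_legacy"
GUEST_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall mmxext fxsr_opt lm rep_good pni cx16 lahf_lm"

# cpu_flags FILE: print the flag list from the first "flags" line of a
# /proc/cpuinfo-style file (hypothetical helper; every core reports the same set).
cpu_flags() {
    awk -F': *' '/^flags[[:space:]]*:/ { print $2; exit }' "$1"
}

# has_flag FLAGS NAME: print yes/no. Pads with spaces so the match is on a
# whole word; a plain grep for "nx" would also match e.g. "mmxext"-style names.
has_flag() {
    case " $1 " in
        *" $2 "*) echo yes ;;
        *)        echo no ;;
    esac
}

# missing_flags HOST GUEST: print the host flags the guest does not expose,
# in host order, space separated. Anything listed here was not passed through
# by the -cpu model in use.
missing_flags() {
    out=""
    for f in $1; do
        [ "$(has_flag "$2" "$f")" = no ] && out="$out $f"
    done
    echo "${out# }"
}

# Typical use: nx_guest=$(has_flag "$(cpu_flags /proc/cpuinfo)" nx)
# and then compare against a copy of the host's /proc/cpuinfo.
echo "guest has nx: $(has_flag "$GUEST_FLAGS" nx)"
echo "host flags missing in guest: $(missing_flags "$HOST_FLAGS" "$GUEST_FLAGS")"
```

Run the second line of output after each -cpu experiment; until "nx" drops off the missing list, PaX cannot rely on hardware NX and paxtest will keep reporting the guest as vulnerable.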
