On 04/11/2019 15:03, Jan Beulich wrote: > On 04.11.2019 15:59, Andrew Cooper wrote: >> On 04/11/2019 13:25, Jan Beulich wrote: >>> On 01.11.2019 21:25, Andrew Cooper wrote: >>>> --- a/xen/arch/x86/cpu/intel.c >>>> +++ b/xen/arch/x86/cpu/intel.c >>>> @@ -270,6 +270,7 @@ static void early_init_intel(struct cpuinfo_x86 *c) >>>> if (disable) { >>>> wrmsrl(MSR_IA32_MISC_ENABLE, misc_enable & ~disable); >>>> bootsym(trampoline_misc_enable_off) |= disable; >>>> + bootsym(trampoline_efer) |= EFER_NX; >>>> } >>> I'm fine with all other changes here, just this one concerns me: >>> Before your change we latch a value into trampoline_misc_enable_off >>> just to be used for subsequent IA32_MISC_ENABLE writes we do. This >>> means that, on a hypervisor (like Xen itself) simply discarding >>> guest writes to the MSR (which is "fine" with the described usage >>> of ours up to now), with your change we'd now end up trying to set >>> EFER.NX when the feature may not actually be enabled in >>> IA32_MISC_ENABLE. Wouldn't such an EFER write be liable to #GP(0)? >>> I.e. don't we need to read back the MSR value here, and verify >>> we actually managed to clear the bit before actually OR-ing in >>> EFER_NX? >> If this is a problem in practice, execution won't continue beyond the >> next if() condition just out of context, which set EFER.NX on the BSP >> with an unguarded WRMSR. > And how is this any good? This kind of crash is exactly what I'm > asking to avoid.
What is the point of working around a theoretical edge case of broken nesting under Xen which demonstrably doesn't exist in practice? ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel