__supported_pte_mask has not been correctly configured at this point and Xen prevents us from using the NX bit if the hardware does not support it. Some BIOSes seem to offer the option to disable NX.
Signed-off-by: Ian Campbell ian.campbell@citrix.com
Cc: Mark McLoughlin markmc@redhat.com
Cc: Jon Swanson jswanson@valuecommerce.co.jp
Cc: fedora-virt@redhat.com
Cc: Jeremy Fitzhardinge jeremy@goop.org
Cc: Ingo Molnar mingo@elte.hu
---
 arch/x86/xen/enlighten.c | 24 +++++++++++++-----------
 1 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
index bea2152..e705bdf 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -53,6 +53,8 @@
 #include "mmu.h"
 #include "multicalls.h"
+#define _KERNPG_TABLE_RO __pgprot(_KERNPG_TABLE & ~_PAGE_RW)
+
 EXPORT_SYMBOL_GPL(hypercall_page);
DEFINE_PER_CPU(struct vcpu_info *, xen_vcpu);
@@ -1487,9 +1489,9 @@ static __init void xen_map_identity_early(pmd_t *pmd, unsigned long max_pfn)
 }
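Review bot: The new `_KERNPG_TABLE_RO` define carries no comment explaining that its purpose is to avoid the NX bit, so a later cleanup could fold these calls back into `PAGE_KERNEL_RO` and bring the boot failure back. I would add above it something like `/* Read-only without _PAGE_NX: __supported_pte_mask is not set up this early and Xen rejects NX on CPUs that lack it. */`. The same comment should record the trade-off that every page remapped with it in the later hunks (`xen_map_identity_early`, `xen_setup_kernel_pagetable`) stays executable in this mapping even where the hardware does support NX. The leading underscore also makes a file-local macro look like one of the `_KERNPG_TABLE` header definitions; a name without it would be clearer.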
for (pteidx = 0; pteidx < ident_pte; pteidx += PTRS_PER_PTE)
- set_page_prot(&level1_ident_pgt[pteidx], PAGE_KERNEL_RO);
+ set_page_prot(&level1_ident_pgt[pteidx], _KERNPG_TABLE_RO);
- set_page_prot(pmd, PAGE_KERNEL_RO);
+ set_page_prot(pmd, _KERNPG_TABLE_RO);
 }
#ifdef CONFIG_X86_64
@@ -1543,12 +1545,12 @@ static __init pgd_t *xen_setup_kernel_pagetable(pgd_t *pgd,
 xen_map_identity_early(level2_ident_pgt, max_pfn);
/* Make pagetable pieces RO */
- set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
- set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
- set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
- set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
- set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
- set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
+ set_page_prot(init_level4_pgt, _KERNPG_TABLE_RO);
+ set_page_prot(level3_ident_pgt, _KERNPG_TABLE_RO);
+ set_page_prot(level3_kernel_pgt, _KERNPG_TABLE_RO);
+ set_page_prot(level3_user_vsyscall, _KERNPG_TABLE_RO);
+ set_page_prot(level2_kernel_pgt, _KERNPG_TABLE_RO);
+ set_page_prot(level2_fixmap_pgt, _KERNPG_TABLE_RO);
/* Pin down new L4 */
 pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,
@@ -1597,9 +1599,9 @@ static __init pgd_t *xen_setup_kernel_pagetable(pgd_t *pgd,
 set_pgd(&swapper_pg_dir[KERNEL_PGD_BOUNDARY],
 __pgd(__pa(level2_kernel_pgt) | _PAGE_PRESENT));
- set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
- set_page_prot(swapper_pg_dir, PAGE_KERNEL_RO);
- set_page_prot(empty_zero_page, PAGE_KERNEL_RO);
+ set_page_prot(level2_kernel_pgt, _KERNPG_TABLE_RO);
+ set_page_prot(swapper_pg_dir, _KERNPG_TABLE_RO);
+ set_page_prot(empty_zero_page, _KERNPG_TABLE_RO);
pin_pagetable_pfn(MMUEXT_UNPIN_TABLE, PFN_DOWN(__pa(pgd)));
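Review bot: `empty_zero_page` in the last added line is a data page, not a page table, so protecting it with a macro named `_KERNPG_TABLE_RO` misreads at the call site and, assuming `PAGE_KERNEL_RO` carried the NX bit, leaves the zero page mapped without it. If that is only needed for the same early-boot reason, a short comment on that line such as `/* not a page table, but NX cannot be used yet either */` would stop it looking like a mistake. The body of `xen_setup_kernel_pagetable` starts and ends outside this hunk, so whether the zero page is remapped later cannot be judged from here.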
I meant to CC lkml and stable@ (some of the original reports are against 2.6.27) and fat-fingered the to: line.
A few previous threads on the subject: http://lists.xensource.com/archives/html/xen-devel/2009-01/msg00176.html http://www.redhat.com/archives/fedora-xen/2009-January/msg00022.html http://www.redhat.com/archives/fedora-virt/2009-January/msg00013.html
Ian.
On Fri, 2009-01-30 at 18:19 +0000, Ian Campbell wrote:
__supported_pte_mask has not been correctly configured at this point and Xen prevents us from using the NX bit if the hardware does not support it. Some BIOSes seem to offer the option to disable NX.
Signed-off-by: Ian Campbell ian.campbell@citrix.com
Cc: Mark McLoughlin markmc@redhat.com
Cc: Jon Swanson jswanson@valuecommerce.co.jp
Cc: fedora-virt@redhat.com
Cc: Jeremy Fitzhardinge jeremy@goop.org
Cc: Ingo Molnar mingo@elte.hu
arch/x86/xen/enlighten.c | 24 +++++++++++++----------- 1 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
index bea2152..e705bdf 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -53,6 +53,8 @@
 #include "mmu.h"
 #include "multicalls.h"
+#define _KERNPG_TABLE_RO __pgprot(_KERNPG_TABLE & ~_PAGE_RW)
EXPORT_SYMBOL_GPL(hypercall_page);
DEFINE_PER_CPU(struct vcpu_info *, xen_vcpu);
@@ -1487,9 +1489,9 @@ static __init void xen_map_identity_early(pmd_t *pmd, unsigned long max_pfn)
 }
for (pteidx = 0; pteidx < ident_pte; pteidx += PTRS_PER_PTE)
set_page_prot(&level1_ident_pgt[pteidx], PAGE_KERNEL_RO);
set_page_prot(&level1_ident_pgt[pteidx], _KERNPG_TABLE_RO);
- set_page_prot(pmd, PAGE_KERNEL_RO);
- set_page_prot(pmd, _KERNPG_TABLE_RO);
}
#ifdef CONFIG_X86_64
@@ -1543,12 +1545,12 @@ static __init pgd_t *xen_setup_kernel_pagetable(pgd_t *pgd,
 xen_map_identity_early(level2_ident_pgt, max_pfn);
/* Make pagetable pieces RO */
- set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
- set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
- set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
- set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
- set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
- set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
set_page_prot(init_level4_pgt, _KERNPG_TABLE_RO);
set_page_prot(level3_ident_pgt, _KERNPG_TABLE_RO);
set_page_prot(level3_kernel_pgt, _KERNPG_TABLE_RO);
set_page_prot(level3_user_vsyscall, _KERNPG_TABLE_RO);
set_page_prot(level2_kernel_pgt, _KERNPG_TABLE_RO);
set_page_prot(level2_fixmap_pgt, _KERNPG_TABLE_RO);
/* Pin down new L4 */
 pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,
@@ -1597,9 +1599,9 @@ static __init pgd_t *xen_setup_kernel_pagetable(pgd_t *pgd,
 set_pgd(&swapper_pg_dir[KERNEL_PGD_BOUNDARY],
 __pgd(__pa(level2_kernel_pgt) | _PAGE_PRESENT));
- set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
- set_page_prot(swapper_pg_dir, PAGE_KERNEL_RO);
- set_page_prot(empty_zero_page, PAGE_KERNEL_RO);
set_page_prot(level2_kernel_pgt, _KERNPG_TABLE_RO);
set_page_prot(swapper_pg_dir, _KERNPG_TABLE_RO);
set_page_prot(empty_zero_page, _KERNPG_TABLE_RO);
pin_pagetable_pfn(MMUEXT_UNPIN_TABLE, PFN_DOWN(__pa(pgd)));
Ian Campbell wrote:
__supported_pte_mask has not been correctly configured at this point and Xen prevents us from using the NX bit if the hardware does not support it. Some BIOSes seem to offer the option to disable NX.
Could we sniff EFER and update __supported_pte_mask accordingly?
J
On Fri, 2009-01-30 at 10:56 -0800, Jeremy Fitzhardinge wrote:
Ian Campbell wrote:
__supported_pte_mask has not been correctly configured at this point and Xen prevents us from using the NX bit if the hardware does not support it. Some BIOSes seem to offer the option to disable NX.
Could we sniff EFER and update __supported_pte_mask accordingly?
Perhaps, we might also have to handle the various noexec= command line options? I don't suppose they matter so much in a guest though.
The equivalent native seems to use _KERNPG_TABLE as well (e.g. head_64.S) -- is there something later on which comes along and tries to apply the NX bit to those pages which didn't get it at start of day?
Ian.
Hi list,
Thanks for all your efforts in trying to resolve the NX CPU capability issue.
Turns out that in our circumstance, IBM xSeries 336 machines had Irwindale? CPUs. Intel documentation says this was one of the first CPUs to have Execute Disable (XD).
Herein lies some misunderstanding. NX really means XD; that is, "No Execute" is "Execute Disable" in IntelSpeak. Armed with this knowledge, I went into the BIOS and enabled "Execute Disable".
The NX capability is now in the /proc/cpuinfo listing. The F10 kernel works on the F8 host in 64 bit mode.
For IBM xSeries 336 owners, Execute Disable was Disabled by default (on delivery).
Hope this helps someone out there. Cheers Phill.
On Fri, 2009-01-30 at 19:07 +0000, Ian Campbell wrote:
On Fri, 2009-01-30 at 10:56 -0800, Jeremy Fitzhardinge wrote:
Ian Campbell wrote:
__supported_pte_mask has not been correctly configured at this point and Xen prevents us from using the NX bit if the hardware does not support it. Some BIOSes seem to offer the option to disable NX.
Could we sniff EFER and update __supported_pte_mask accordingly?
Perhaps, we might also have to handle the various noexec= command line options? I don't suppose they matter so much in a guest though.
The equivalent native seems to use _KERNPG_TABLE as well (e.g. head_64.S) -- is there something later on which comes along and tries to apply the NX bit to those pages which didn't get it at start of day?
Ian.