Specify the font size when using the VESA console driver.
+### force-ept (Intel)
+> `= <boolean>`
+
+> Default: `false`
+
+Allow EPT to be enabled when VMX feature VM\_ENTRY\_LOAD\_GUEST\_PAT is not
+present.
+
+*Warning:*
+Due to CVE-2013-2212, VMX feature VM\_ENTRY\_LOAD\_GUEST\_PAT is by default
+required as a prerequisite for using EPT. If you are not using PCI Passthrough,
+or trust the guest administrator who would be using passthrough, then the
+requirement can be relaxed. This option is particularly useful for nested
+virtualization, to allow the L1 hypervisor to use EPT even if the L0 hypervisor
+does not provide VM\_ENTRY\_LOAD\_GUEST\_PAT.
+
### gdb
> `= <baud>[/<clock_hz>][,DPS[,<io-base>[,<irq>[,<port-bdf>[,<bridge-bdf>]]]] | pci | amt ] `
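Review bot: the warning under force-ept names CVE-2013-2212 but does not say what the exposure is once the requirement is relaxed, nor that the option applies to the whole host. Suggest linking the XSA-60 advisory here (the vmx.c comment already cites http://xenbits.xen.org/xsa/advisory-60.html) and stating that, as far as this change shows, nothing checks the "not using PCI Passthrough" condition after boot, so an administrator who sets force-ept and later assigns a device to an untrusted guest is back in the configuration the default was meant to prevent.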
#include <asm/hvm/nestedhvm.h>
#include <asm/event.h>
+static bool_t __initdata opt_force_ept;
+boolean_param("force-ept", opt_force_ept);
+
enum handler_return { HNDL_done, HNDL_unhandled, HNDL_exception_raised };
static void vmx_ctxt_switch_from(struct vcpu *v);
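Review bot: opt_force_ept is declared `__initdata`, so its only reader has to run before init memory is discarded; the function containing the `cpu_has_vmx_pat || opt_force_ept` test is not visible in this patch, so please confirm it is an `__init` function. A one-line comment above the declaration pointing at CVE-2013-2212 / XSA-60 would also help, since the name alone does not convey that this option relaxes a security prerequisite.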
* Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
* (refer to http://xenbits.xen.org/xsa/advisory-60.html).
*/
- if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
+ if ( cpu_has_vmx_ept && (cpu_has_vmx_pat || opt_force_ept) )
{
vmx_function_table.hap_supported = 1;
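Review bot: the comment directly above the changed condition still reads "Do not enable EPT when (!cpu_has_vmx_pat)", which is no longer accurate once force-ept is set; please update it to mention the override. It would also be worth emitting a boot-time warning in the case where EPT is enabled only because of opt_force_ept (that is, cpu_has_vmx_pat is false), so that running without the XSA-60 prerequisite shows up in the log instead of being silent.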