Add an option MCE_ON_PSC_WORKAROUND_DISABLED to disable the software
workaround for the issue Machine Check Error on Page Size Change.
Tracked-On: #4121
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>

Only apply the software workaround on the models that might be
affected by MCE on page size change. For the models that are
known to be immune to the issue, the mitigation is turned off.
Atom processors are not affected by the issue.
Also check the CPUID & MSR to check whether the model is immune to the issue:
CPU is not vulnerable when both CPUID.(EAX=07H,ECX=0H).EDX[29] and
IA32_ARCH_CAPABILITIES[IF_PSCHANGE_MC_NO] are 1.
In other cases not listed above, the CPU may be vulnerable.
Tracked-On: #4121
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>

Issue description:
-----------------
Machine Check Error on Page Size Change
Instruction fetch may cause machine check error if page size
and memory type were changed without invalidation on some
processors[1][2]. Malicious guest kernel could trigger this issue.
This issue applies to both primary page table and extended page
tables (EPT), however the primary page table is controlled by
hypervisor only. This patch mitigates the situation in EPT.

Mitigation details:
------------------
Implement non-execute huge pages in EPT.
This patch series clears the execute permission (bit 2) in the
EPT entries for large pages. When an EPT violation is triggered by
a guest instruction fetch, the hypervisor converts the large page to
smaller 4 KB pages, restores the execute permission, and then
re-executes the guest instruction.
The current patch turns on the mitigation by default.
The follow-up patches will conditionally turn on/off the feature
per processor model.

[1] Refer to erratum KBL002 in "7th Generation Intel Processor
Family and 8th Generation Intel Processor Family for U Quad Core
Platforms Specification Update"
https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/7th-gen-core-family-spec-update.pdf
[2] Refer to erratum SKL002 in "6th Generation Intel Processor
Family Specification Update"
https://www.intel.com/content/www/us/en/products/docs/processors/core/desktop-6th-gen-core-family-spec-update.html
Tracked-On: #4121
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
Reviewed-by: Eddie Dong <eddie.dong@intel.com>
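
The non-execute large page mitigation described in the commit message above, modelled in user-space C as an added example (not ACRN's code). The function names, the calloc-backed table, the constructed address, and the omission of memory-type bits and EPT invalidation are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define EPT_RD        (1ULL << 0)
#define EPT_WR        (1ULL << 1)
#define EPT_EXE       (1ULL << 2)  /* execute permission: bit 2, as in the commit message */
#define EPT_PS        (1ULL << 7)  /* entry maps a large page rather than a next-level table */
#define EPT_ADDR_MASK 0x000FFFFFFFFFF000ULL
#define PAGE_4K       0x1000ULL
#define PT_ENTRIES    512

/* Steady state of the mitigation: a 2 MB mapping with execute cleared. */
uint64_t ept_make_large_nx(uint64_t hpa, uint64_t prot)
{
    return (hpa & EPT_ADDR_MASK) | (prot & (EPT_RD | EPT_WR)) | EPT_PS;
}

/*
 * Guest instruction fetch hit a non-executable large page: replace the 2 MB
 * entry with 512 4 KB entries that carry execute again. Returns the new table
 * (caller frees it), or NULL when the entry is not a non-executable large page.
 * Assumption: a real hypervisor stores the table's physical address in *pde and
 * invalidates cached EPT translations; this model only rewrites the entries.
 */
uint64_t *ept_split_on_exec_fault(uint64_t *pde)
{
    if ((*pde & EPT_PS) == 0 || (*pde & EPT_EXE) != 0)
        return NULL;
    uint64_t *pt = calloc(PT_ENTRIES, sizeof(*pt));
    if (pt == NULL)
        return NULL;
    uint64_t base = *pde & EPT_ADDR_MASK;
    uint64_t prot = (*pde & (EPT_RD | EPT_WR)) | EPT_EXE;
    for (uint64_t i = 0; i < PT_ENTRIES; i++)
        pt[i] = (base + i * PAGE_4K) | prot;
    *pde = EPT_RD | EPT_WR | EPT_EXE;  /* non-leaf entry: PS clear, leaves decide access */
    return pt;
}

int main(void)
{
    uint64_t pde = ept_make_large_nx(0x40000000ULL, EPT_RD | EPT_WR); /* constructed address */
    uint64_t *pt = ept_split_on_exec_fault(&pde);
    if (pt == NULL)
        return 1;
    printf("pde=%#llx pt[0]=%#llx pt[511]=%#llx\n", (unsigned long long)pde,
           (unsigned long long)pt[0], (unsigned long long)pt[511]);
    free(pt);
    return 0;
}
```
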
1. add guest secure boot with OVMF.
2. delete obsolete content.
3. SOS -> Service VM and UOS -> User VM.
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>

The default binary will not support 2 core/2 thread hardware from V1.3;
KBL NUC7i5DNH has serial port;
Add cores and threads for CPU of hardware listed;
Signed-off-by: Xie Zhengtian <zhengtian.xie@intel.com>

As reported in PR #3959, doc build errors were being masked by a script
error. This PR fixes a chunk of them.
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>

Cleaned up the presentation and formatting problems from the conversion
to ReST, along with English grammar and spelling edits.
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>

1. Some security features are added into ACRN HV memory management.
2. Dynamic memory allocation is removed. Instead, static memory page allocation is added.
3. The guest to host mapping is not static any more for Service OS after it begins running
since the Service OS supports PCI BAR re-programming now.
Signed-off-by: Li, Fei1 <fei1.li@intel.com>

Change APL getting started guide to KBL getting started guide;
Merge some of the contents into preempt-rt getting started guide;
Move the modified kbl getting started guide to after the configuration tutorials;
Fix issues for acrn_quick_setup.sh script.
Signed-off-by: lirui34 <ruix.li@intel.com>

Remove redundant copy of ovmf.fd firmware as the launch script now
instructs the DM to use the OVMF.fd firmware directly from the rootfs.
Tracked-On: #3972
Signed-off-by: Tonny Tzeng <tonny.tzeng@intel.com>

This commit updates the DM parameters reference document to reflect
the removal of the guest cpu number option '-c' implementation.
Tracked-On: #3989
Signed-off-by: Tonny Tzeng <tonny.tzeng@intel.com>

updated this chapter based on latest master
some parts still need an update:
- vSBL needs to be replaced by OVMF after all vSBL stuff is removed
Tracked-On: #3882
Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com>

PR #3665 moved all the doc build artifacts into the _build folder and
updated scripts and Makefile to account for this, except missed a fix in
the script that checks for known issues. This patch fixes that but shows
we've got a bunch of issues that have not been being reported so we'll
need to fix those problems to resolve failing doc builds.
Also fixed process of the VERSION file in conf.py since the path to that
file was changed by PR #3665 as well and was raising an exception that
was being masked.
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>