* Fenghua Yu<fenghua.yu@xxxxxxxxx> wrote:
> From: Fenghua Yu<fenghua.yu@xxxxxxxxx>
> Intel new CPU supports SMEP (Supervisor Mode Execution Protection). SMEP
> prevents kernel from executing code in application. Updated Intel SDM describes
> this CPU feature. The document will be published soon.
> Note: This patch set doesn't enable the SMEP feature in KVM. If it's needed,
> another patch will be pushed for enabling the feature in KVM.
We can do it separately from native kernel support, but i'm sure Avi would
agree that SMEP support in KVM would be nice!
(as long as it's configurable as
well, there might be guest OSs that break if SMEP is enabled, right?)