Can't have SMEP processor capability in VMs

[serialuser]

Hi there,

I'm using proxmox for Windows kernel debugging.
SMEP (Supervisor Mode Execution Prevention) is enabled by default on Windows since a long time ago.

My host supports SMEP, but I can't manage to have a Windows VM under proxmox that has SMEP turned on. Therefore, my VM's don't have the same kernel protection mecanisms as a real machine, which is a problem for me.

I tried to modify pve configuration (added: +smep in cpu, used different processors, nothing worked).

I'm currently using Virtual Environment 7.0-13, but I can migrate if recent versions allow this to happen.

Thank you

 

[VictorSTS]

AFAIK, the smep flag passthrough got enabled long time ago [1]

I've checked on PVE8.2 and it's definitely enabled for a VM using CPU type "host" on an intel n100 host CPU:

lscpu | grep smep
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pdcm sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves avx_vnni arat vnmi umip pku ospke waitpkg gfni vaes vpclmulqdq rdpid movdiri movdir64b fsrm md_clear serialize flush_l1d arch_capabilities

Are you sure the host has smep supported and enabled? Check with lscpu | grep smep.

[1] https://patchwork.kernel.org/projec...7519844E9278F02@shsmsx502.ccr.corp.intel.com/

 

[serialuser]

Hi,

Thanks for your answer. In fact I had tried the "host" type before, but noticed :
- smep was enabled (good)
- kaslr is disabled (does not make any sense... its an OS feature not a processor one).

So i wanted to use another processor to have everything running as in real life.