untrusted comment: verify with openbsd-64-base.pub RWQq6XmS4eDAcbbz7TR4/6ehlfYTKckJ+j0NXXnCMXLE0xcP1oJ1LPWB4Nk8K0pnFO2ss1Iy14Dg0IKkYr6+kI7OBewyIdE88Q4= OpenBSD 6.4 errata 018, May 29, 2019: Intel CPUs have a cross privilege side-channel attack (MDS). Apply by doing: signify -Vep /etc/signify/openbsd-64-base.pub -x 018_mds.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install a new kernel: fw_update KK=`sysctl -n kern.osversion | cut -d# -f1` cd /usr/src/sys/arch/`machine`/compile/$KK make obj make config make make install Index: sys/arch/amd64/amd64/cpu.c =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/cpu.c,v retrieving revision 1.129 diff -u -p -r1.129 cpu.c --- sys/arch/amd64/amd64/cpu.c 4 Oct 2018 05:00:40 -0000 1.129 +++ sys/arch/amd64/amd64/cpu.c 26 May 2019 02:13:14 -0000 @@ -141,6 +141,7 @@ struct cpu_softc { void replacesmap(void); void replacemeltdown(void); +void replacemds(void); extern long _stac; extern long _clac; @@ -185,6 +186,129 @@ replacemeltdown(void) splx(s); } +void +replacemds(void) +{ + static int replacedone = 0; + extern long mds_handler_bdw, mds_handler_ivb, mds_handler_skl; + extern long mds_handler_skl_sse, mds_handler_skl_avx; + extern long mds_handler_silvermont, mds_handler_knights; + struct cpu_info *ci = &cpu_info_primary; + CPU_INFO_ITERATOR cii; + void *handler = NULL, *vmm_handler = NULL; + const char *type; + int has_verw, s; + + /* ci_mds_tmp must be 32byte aligned for AVX instructions */ + CTASSERT((offsetof(struct cpu_info, ci_mds_tmp) - + offsetof(struct cpu_info, ci_PAGEALIGN)) % 32 == 0); + + if (replacedone) + return; + replacedone = 1; + + if (strcmp(cpu_vendor, "GenuineIntel") != 0 || + ((ci->ci_feature_sefflags_edx & SEFF0EDX_ARCH_CAP) && + (rdmsr(MSR_ARCH_CAPABILITIES) & ARCH_CAPABILITIES_MDS_NO))) { + /* Unaffected, nop out the handling code */ + has_verw = 0; + } else if (ci->ci_feature_sefflags_edx & SEFF0EDX_MD_CLEAR) { + /* new firmware, use VERW */ + has_verw = 1; + } else { + int family = ci->ci_family; + int model = ci->ci_model; + int stepping = CPUID2STEPPING(ci->ci_signature); + + has_verw = 0; + if (family == 0x6 && + (model == 0x2e || model == 0x1e || model == 0x1f || + model == 0x1a || model == 0x2f || model == 0x25 || + model == 0x2c || model == 0x2d || model == 0x2a || + model == 0x3e || model == 0x3a)) { + /* Nehalem, SandyBridge, IvyBridge */ + handler = vmm_handler = &mds_handler_ivb; + type = "IvyBridge"; + CPU_INFO_FOREACH(cii, ci) { + ci->ci_mds_buf = malloc(672, M_DEVBUF, + M_WAITOK); + memset(ci->ci_mds_buf, 0, 16); + } + } else if (family == 0x6 && + (model == 0x3f || model == 0x3c || model == 0x45 || + model == 0x46 || model == 0x56 || model == 0x4f || + model == 0x47 || model == 0x3d)) { + /* Haswell and Broadwell */ + handler = vmm_handler = &mds_handler_bdw; + type = "Broadwell"; + CPU_INFO_FOREACH(cii, ci) { + ci->ci_mds_buf = malloc(1536, M_DEVBUF, + M_WAITOK); + } + } else if (family == 0x6 && + ((model == 0x55 && stepping <= 5) || model == 0x4e || + model == 0x5e || (model == 0x8e && stepping <= 0xb) || + (model == 0x9e && stepping <= 0xc))) { + /* + * Skylake, KabyLake, CoffeeLake, WhiskeyLake, + * CascadeLake + */ + /* XXX mds_handler_skl_avx512 */ + if (xgetbv(0) & XCR0_AVX) { + handler = &mds_handler_skl_avx; + type = "Skylake AVX"; + } else { + handler = &mds_handler_skl_sse; + type = "Skylake SSE"; + } + vmm_handler = &mds_handler_skl; + CPU_INFO_FOREACH(cii, ci) { + vaddr_t b64; + b64 = (vaddr_t)malloc(6 * 1024 + 64 + 63, + M_DEVBUF, M_WAITOK); + ci->ci_mds_buf = (void *)((b64 + 63) & ~63); + memset(ci->ci_mds_buf, 0, 64); + } + } else if (family == 0x6 && + (model == 0x37 || model == 0x4a || model == 0x4c || + model == 0x4d || model == 0x5a || model == 0x5d || + model == 0x6e || model == 0x65 || model == 0x75)) { + /* Silvermont, Airmont */ + handler = vmm_handler = &mds_handler_silvermont; + type = "Silvermont"; + CPU_INFO_FOREACH(cii, ci) { + ci->ci_mds_buf = malloc(256, M_DEVBUF, + M_WAITOK); + memset(ci->ci_mds_buf, 0, 16); + } + } else if (family == 0x6 && (model == 0x85 || model == 0x57)) { + handler = vmm_handler = &mds_handler_knights; + type = "KnightsLanding"; + CPU_INFO_FOREACH(cii, ci) { + vaddr_t b64; + b64 = (vaddr_t)malloc(1152 + 63, M_DEVBUF, + M_WAITOK); + ci->ci_mds_buf = (void *)((b64 + 63) & ~63); + } + } + } + + if (handler != NULL) { + printf("cpu0: using %s MDS workaround\n", type); + s = splhigh(); + codepatch_call(CPTAG_MDS, handler); + codepatch_call(CPTAG_MDS_VMM, vmm_handler); + splx(s); + } else if (has_verw) + printf("cpu0: using %s MDS workaround\n", "VERW"); + else { + s = splhigh(); + codepatch_nop(CPTAG_MDS); + codepatch_nop(CPTAG_MDS_VMM); + splx(s); + } +} + #ifdef MULTIPROCESSOR int mp_cpu_start(struct cpu_info *); void mp_cpu_start_cleanup(struct cpu_info *); @@ -910,6 +1034,9 @@ extern vector Xsyscall_meltdown, Xsyscal void cpu_init_msrs(struct cpu_info *ci) { + uint64_t msr; + int family; + wrmsr(MSR_STAR, ((uint64_t)GSEL(GCODE_SEL, SEL_KPL) << 32) | ((uint64_t)GSEL(GUCODE32_SEL, SEL_UPL) << 48)); @@ -921,6 +1048,16 @@ cpu_init_msrs(struct cpu_info *ci) wrmsr(MSR_FSBASE, 0); wrmsr(MSR_GSBASE, (u_int64_t)ci); wrmsr(MSR_KERNELGSBASE, 0); + + family = ci->ci_family; + if (strcmp(cpu_vendor, "GenuineIntel") == 0 && + (family > 6 || (family == 6 && ci->ci_model >= 0xd)) && + rdmsr_safe(MSR_MISC_ENABLE, &msr) == 0 && + (msr & MISC_ENABLE_FAST_STRINGS) == 0) { + msr |= MISC_ENABLE_FAST_STRINGS; + wrmsr(MSR_MISC_ENABLE, msr); + DPRINTF("%s: enabled fast strings\n", ci->ci_dev->dv_xname); + } } void Index: sys/arch/amd64/amd64/genassym.cf =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/genassym.cf,v retrieving revision 1.39 diff -u -p -r1.39 genassym.cf --- sys/arch/amd64/amd64/genassym.cf 4 Oct 2018 05:00:40 -0000 1.39 +++ sys/arch/amd64/amd64/genassym.cf 26 May 2019 02:13:14 -0000 @@ -129,6 +129,8 @@ member CPU_INFO_KERN_CR3 ci_kern_cr3 member CPU_INFO_USER_CR3 ci_user_cr3 member CPU_INFO_KERN_RSP ci_kern_rsp member CPU_INFO_INTR_RSP ci_intr_rsp +member CPU_INFO_MDS_BUF ci_mds_buf +member CPU_INFO_MDS_TMP ci_mds_tmp export CPUF_USERSEGS export CPUF_USERXSTATE Index: sys/arch/amd64/amd64/identcpu.c =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/identcpu.c,v retrieving revision 1.109 diff -u -p -r1.109 identcpu.c --- sys/arch/amd64/amd64/identcpu.c 4 Oct 2018 05:00:40 -0000 1.109 +++ sys/arch/amd64/amd64/identcpu.c 26 May 2019 02:13:14 -0000 @@ -207,6 +207,8 @@ const struct { }, cpu_seff0_edxfeatures[] = { { SEFF0EDX_AVX512_4FNNIW, "AVX512FNNIW" }, { SEFF0EDX_AVX512_4FMAPS, "AVX512FMAPS" }, + { SEFF0EDX_MD_CLEAR, "MD_CLEAR" }, + { SEFF0EDX_TSXFA, "TSXFA" }, { SEFF0EDX_IBRS, "IBRS,IBPB" }, { SEFF0EDX_STIBP, "STIBP" }, { SEFF0EDX_L1DF, "L1DF" }, Index: sys/arch/amd64/amd64/locore.S =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/locore.S,v retrieving revision 1.111 diff -u -p -r1.111 locore.S --- sys/arch/amd64/amd64/locore.S 7 Oct 2018 22:43:06 -0000 1.111 +++ sys/arch/amd64/amd64/locore.S 26 May 2019 02:13:14 -0000 @@ -662,8 +662,6 @@ IDTVEC_NOALIGN(syscall) .Lsyscall_restore_registers: RET_STACK_REFILL_WITH_RCX - movq TF_RDI(%rsp),%rdi - movq TF_RSI(%rsp),%rsi movq TF_R8(%rsp),%r8 movq TF_R9(%rsp),%r9 movq TF_R10(%rsp),%r10 @@ -671,6 +669,14 @@ IDTVEC_NOALIGN(syscall) movq TF_R13(%rsp),%r13 movq TF_R14(%rsp),%r14 movq TF_R15(%rsp),%r15 + + CODEPATCH_START + movw %ds,TF_R8(%rsp) + verw TF_R8(%rsp) + CODEPATCH_END(CPTAG_MDS) + + movq TF_RDI(%rsp),%rdi + movq TF_RSI(%rsp),%rsi movq TF_RBP(%rsp),%rbp movq TF_RBX(%rsp),%rbx @@ -829,8 +835,6 @@ intr_user_exit_post_ast: .Lintr_restore_registers: RET_STACK_REFILL_WITH_RCX - movq TF_RDI(%rsp),%rdi - movq TF_RSI(%rsp),%rsi movq TF_R8(%rsp),%r8 movq TF_R9(%rsp),%r9 movq TF_R10(%rsp),%r10 @@ -838,6 +842,14 @@ intr_user_exit_post_ast: movq TF_R13(%rsp),%r13 movq TF_R14(%rsp),%r14 movq TF_R15(%rsp),%r15 + + CODEPATCH_START + movw %ds,TF_R8(%rsp) + verw TF_R8(%rsp) + CODEPATCH_END(CPTAG_MDS) + + movq TF_RDI(%rsp),%rdi + movq TF_RSI(%rsp),%rsi movq TF_RBP(%rsp),%rbp movq TF_RBX(%rsp),%rbx @@ -1141,6 +1153,28 @@ ENTRY(pagezero) jne 1b sfence RETGUARD_CHECK(pagezero, r11) + ret + +/* int rdmsr_safe(u_int msr, uint64_t *data) */ +ENTRY(rdmsr_safe) + RETGUARD_SETUP(rdmsr_safe, r10) + + movl %edi, %ecx /* u_int msr */ + .globl rdmsr_safe_fault +rdmsr_safe_fault: + rdmsr + salq $32, %rdx + movl %eax, %eax + orq %rdx, %rax + movq %rax, (%rsi) /* *data */ + xorq %rax, %rax + + RETGUARD_CHECK(rdmsr_safe, r10) + ret + +NENTRY(rdmsr_resume) + movl $0x1, %eax + RETGUARD_CHECK(rdmsr_safe, r10) ret #if NXEN > 0 Index: sys/arch/amd64/amd64/mainbus.c =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/mainbus.c,v retrieving revision 1.45 diff -u -p -r1.45 mainbus.c --- sys/arch/amd64/amd64/mainbus.c 22 Sep 2018 17:41:52 -0000 1.45 +++ sys/arch/amd64/amd64/mainbus.c 26 May 2019 02:13:14 -0000 @@ -73,6 +73,8 @@ #include #endif +void replacemds(void); + int mainbus_match(struct device *, void *, void *); void mainbus_attach(struct device *, struct device *, void *); @@ -204,6 +206,9 @@ mainbus_attach(struct device *parent, st config_found(self, &caa, mainbus_print); } + + /* All CPUs are attached, handle MDS */ + replacemds(); #if NACPI > 0 if (!acpi_hasprocfvs) Index: sys/arch/amd64/amd64/mds.S =================================================================== RCS file: sys/arch/amd64/amd64/mds.S diff -N sys/arch/amd64/amd64/mds.S --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sys/arch/amd64/amd64/mds.S 26 May 2019 02:13:14 -0000 @@ -0,0 +1,192 @@ +/* $OpenBSD$ */ +/* + * Copyright (c) 2019 Philip Guenther + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +/* + * ASM sequences for mitigating MDS on different Intel CPU models, taken from + * https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling + * and adjusted to fit OpenBSD style and kernel usage. + * Some naming inspired by FreeBSD's usage of these sequences. + */ + +#include "assym.h" + +#include +#include + +ENTRY(mds_handler_ivb) + RETGUARD_SETUP(mds_handler_ivb, r11) + movq CPUVAR(MDS_BUF),%rax + movdqa %xmm0,CPUVAR(MDS_TMP) + pxor %xmm0,%xmm0 + + lfence + orpd (%rax),%xmm0 + orpd (%rax),%xmm0 + mfence + movl $40,%ecx + addq $16,%rax +1: movntdq %xmm0,(%rax) + addq $16,%rax + decl %ecx + jnz 1b + mfence + + movdqa CPUVAR(MDS_TMP),%xmm0 + RETGUARD_CHECK(mds_handler_ivb, r11) + retq +END(mds_handler_ivb) + +ENTRY(mds_handler_bdw) + RETGUARD_SETUP(mds_handler_bdw, r11) + movq CPUVAR(MDS_BUF),%rax + movdqa %xmm0,CPUVAR(MDS_TMP) + pxor %xmm0,%xmm0 + + movq %rax,%rdi + movq %rax,%rsi + movl $40,%ecx +1: movntdq %xmm0,(%rax) + addq $16,%rax + decl %ecx + jnz 1b + mfence + movl $1536,%ecx + rep movsb + lfence + + movdqa CPUVAR(MDS_TMP),%xmm0 + RETGUARD_CHECK(mds_handler_bdw, r11) + retq +END(mds_handler_bdw) + +ENTRY(mds_handler_skl) + xorl %ecx,%ecx + xgetbv + testb $XCR0_AVX,%al + jne mds_handler_skl_avx + jmp mds_handler_skl_sse +END(mds_handler_skl) + +ENTRY(mds_handler_skl_sse) + RETGUARD_SETUP(mds_handler_skl_sse, r11) + movq CPUVAR(MDS_BUF),%rax + leaq 64(%rax),%rdi + movdqa %xmm0,CPUVAR(MDS_TMP) + pxor %xmm0,%xmm0 + + lfence + orpd (%rax),%xmm0 + orpd (%rax),%xmm0 + xorl %eax,%eax +1: clflushopt 5376(%rdi,%rax,8) + addl $8,%eax + cmpl $8*12,%eax + jb 1b + sfence + movl $6144,%ecx + xorl %eax,%eax + rep stosb + mfence + + movdqa CPUVAR(MDS_TMP),%xmm0 + RETGUARD_CHECK(mds_handler_skl_sse, r11) + retq +END(mds_handler_skl_sse) + +ENTRY(mds_handler_skl_avx) + RETGUARD_SETUP(mds_handler_skl_avx, r11) + movq CPUVAR(MDS_BUF),%rax + leaq 64(%rax),%rdi + vmovdqa %ymm0,CPUVAR(MDS_TMP) + vpxor %ymm0,%ymm0,%ymm0 + + lfence + vorpd (%rax),%ymm0,%ymm0 + vorpd (%rax),%ymm0,%ymm0 + xorl %eax,%eax +1: clflushopt 5376(%rdi,%rax,8) + addl $8,%eax + cmpl $8*12,%eax + jb 1b + sfence + movl $6144,%ecx + xorl %eax,%eax + rep stosb + mfence + + vmovdqa CPUVAR(MDS_TMP),%ymm0 + RETGUARD_CHECK(mds_handler_skl_avx, r11) + retq +END(mds_handler_skl_avx) + +/* we don't support AVX512 yet */ +#if 0 +ENTRY(mds_handler_skl_avx512) + RETGUARD_SETUP(mds_handler_skl_avx512, r11) + movq CPUVAR(MDS_BUF),%rax + leaq 64(%rax),%rdi + vmovdqa64 %zmm0,CPUVAR(MDS_TMP) + vpxor %zmm0,%zmm0,%zmm0 + + lfence + vorpd (%rax),%zmm0,%zmm0 + vorpd (%rax),%zmm0,%zmm0 + xorl %eax,%eax +1: clflushopt 5376(%rdi,%rax,8) + addl $8,%eax + cmpl $8*12,%eax + jb 1b + sfence + movl $6144,%ecx + xorl %eax,%eax + rep stosb + mfence + + vmovdqa64 CPUVAR(MDS_TMP),%zmm0 + RETGUARD_CHECK(mds_handler_skl_avx512, r11) + retq +END(mds_handler_skl_avx512) +#endif + +ENTRY(mds_handler_silvermont) + RETGUARD_SETUP(mds_handler_silvermont, r11) + movq CPUVAR(MDS_BUF),%rax + movdqa %xmm0,CPUVAR(MDS_TMP) + pxor %xmm0,%xmm0 + + movl $16,%ecx +1: movntdq %xmm0,(%rax) + addq $16,%rax + decl %ecx + jnz 1b + mfence + + movdqa CPUVAR(MDS_TMP),%xmm0 + RETGUARD_CHECK(mds_handler_silvermont, r11) + retq +END(mds_handler_silvermont) + +ENTRY(mds_handler_knights) + RETGUARD_SETUP(mds_handler_knights, r11) + movq CPUVAR(MDS_BUF),%rdi + xorl %eax,%eax + movl $16,%ecx + rep stosq + movl $128,%ecx + rep stosq + mfence + RETGUARD_CHECK(mds_handler_knights, r11) +END(mds_handler_knights) Index: sys/arch/amd64/amd64/vector.S =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/vector.S,v retrieving revision 1.77 diff -u -p -r1.77 vector.S --- sys/arch/amd64/amd64/vector.S 7 Oct 2018 22:43:06 -0000 1.77 +++ sys/arch/amd64/amd64/vector.S 26 May 2019 02:13:15 -0000 @@ -263,11 +263,12 @@ IDTVEC(trap0c) TRAP(T_STKFLT) /* - * The #GP (general protection fault) handler has a couple weird cases + * The #GP (general protection fault) handler has a few weird cases * to handle: * - trapping in iretq to userspace and * - trapping in xrstor in the kernel. - * We detect both of these by examining the %rip in the iretq_frame. + * - trapping when invalid MSRs are read in rdmsr_safe + * We detect these by examining the %rip in the iretq_frame. * Handling them is done by updating %rip in the iretq_frame to point * to a stub handler of some sort and then iretq'ing to it. For the * iretq fault we resume in a stub which acts like we got a fresh #GP. @@ -287,9 +288,17 @@ IDTVEC(trap0d) leaq xsetbv_fault(%rip),%rcx cmpq %rcx,%rdx je .Lhandle_xsetbv + leaq rdmsr_safe_fault(%rip),%rcx + cmpq %rcx,%rdx + je .Lhandle_rdmsr_safe popq %rcx popq %rdx TRAP(T_PROTFLT) + +.Lhandle_rdmsr_safe: + /* rdmsr faulted; just resume in rdmsr_resume */ + leaq rdmsr_resume(%rip),%rcx + jmp 1f .Lhandle_xrstor: /* xrstor faulted; just resume in xrstor_resume */ Index: sys/arch/amd64/amd64/vmm.c =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/vmm.c,v retrieving revision 1.221.2.1 diff -u -p -r1.221.2.1 vmm.c --- sys/arch/amd64/amd64/vmm.c 26 Mar 2019 19:50:56 -0000 1.221.2.1 +++ sys/arch/amd64/amd64/vmm.c 26 May 2019 02:13:15 -0000 @@ -6057,7 +6057,7 @@ vmm_handle_cpuid(struct vcpu *vcpu) *rax = 0; /* Highest subleaf supported */ *rbx = curcpu()->ci_feature_sefflags_ebx & VMM_SEFF0EBX_MASK; *rcx = curcpu()->ci_feature_sefflags_ecx & VMM_SEFF0ECX_MASK; - *rdx = 0; + *rdx = curcpu()->ci_feature_sefflags_edx & VMM_SEFF0EDX_MASK; } else { /* Unsupported subleaf */ DPRINTF("%s: function 0x07 (SEFF) unsupported subleaf " Index: sys/arch/amd64/amd64/vmm_support.S =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/vmm_support.S,v retrieving revision 1.14 diff -u -p -r1.14 vmm_support.S --- sys/arch/amd64/amd64/vmm_support.S 18 Sep 2018 16:02:08 -0000 1.14 +++ sys/arch/amd64/amd64/vmm_support.S 26 May 2019 02:13:15 -0000 @@ -18,6 +18,7 @@ #include "assym.h" #include #include +#include #include #include @@ -246,6 +247,19 @@ skip_init: pushq %rbp pushq %rbx pushq %rsi /* Guest Regs Pointer */ + + /* + * XXX this MDS mitigation and the L1TF mitigation are believed + * XXX to overlap in some cases, but Intel hasn't provided the + * XXX information yet to make the correct choices. + */ + CODEPATCH_START + subq $8, %rsp + movw %ds, (%rsp) + verw (%rsp) + addq $8, %rsp + CODEPATCH_END(CPTAG_MDS_VMM) + movq (%rsp),%rsi /* reload now that it's mucked with */ movq $VMCS_HOST_IA32_RSP, %rdi movq %rsp, %rax Index: sys/arch/amd64/conf/Makefile.amd64 =================================================================== RCS file: /cvs/src/sys/arch/amd64/conf/Makefile.amd64,v retrieving revision 1.104 diff -u -p -r1.104 Makefile.amd64 --- sys/arch/amd64/conf/Makefile.amd64 12 Sep 2018 04:34:59 -0000 1.104 +++ sys/arch/amd64/conf/Makefile.amd64 26 May 2019 02:13:15 -0000 @@ -161,7 +161,7 @@ cleandir: clean depend obj: locore0.o: ${_machdir}/${_mach}/locore0.S assym.h -mutex.o vector.o copy.o spl.o: assym.h +mutex.o vector.o copy.o spl.o mds.o: assym.h mptramp.o acpi_wakecode.o vmm_support.o: assym.h hardlink-obsd: Index: sys/arch/amd64/conf/files.amd64 =================================================================== RCS file: /cvs/src/sys/arch/amd64/conf/files.amd64,v retrieving revision 1.100 diff -u -p -r1.100 files.amd64 --- sys/arch/amd64/conf/files.amd64 21 Aug 2018 18:06:12 -0000 1.100 +++ sys/arch/amd64/conf/files.amd64 26 May 2019 02:13:15 -0000 @@ -32,6 +32,7 @@ file arch/amd64/amd64/cacheinfo.c file arch/amd64/amd64/vector.S file arch/amd64/amd64/copy.S file arch/amd64/amd64/spl.S +file arch/amd64/amd64/mds.S file arch/amd64/amd64/intr.c file arch/amd64/amd64/bus_space.c Index: sys/arch/amd64/include/codepatch.h =================================================================== RCS file: /cvs/src/sys/arch/amd64/include/codepatch.h,v retrieving revision 1.8 diff -u -p -r1.8 codepatch.h --- sys/arch/amd64/include/codepatch.h 4 Oct 2018 05:00:40 -0000 1.8 +++ sys/arch/amd64/include/codepatch.h 26 May 2019 02:13:15 -0000 @@ -59,6 +59,8 @@ void codepatch_disable(void); #define CPTAG_XSAVE 5 #define CPTAG_MELTDOWN_NOP 6 #define CPTAG_PCID_SET_REUSE 7 +#define CPTAG_MDS 8 +#define CPTAG_MDS_VMM 9 /* * As stac/clac SMAP instructions are 3 bytes, we want the fastest Index: sys/arch/amd64/include/cpu.h =================================================================== RCS file: /cvs/src/sys/arch/amd64/include/cpu.h,v retrieving revision 1.127 diff -u -p -r1.127 cpu.h --- sys/arch/amd64/include/cpu.h 21 Aug 2018 19:04:40 -0000 1.127 +++ sys/arch/amd64/include/cpu.h 26 May 2019 02:13:15 -0000 @@ -116,6 +116,10 @@ struct cpu_info { u_int64_t ci_intr_rsp; /* U<-->K trampoline stack */ u_int64_t ci_user_cr3; /* U-K page table */ + /* bits for mitigating Micro-architectural Data Sampling */ + char ci_mds_tmp[32]; /* 32byte aligned */ + void *ci_mds_buf; + struct pcb *ci_curpcb; struct pcb *ci_idle_pcb; Index: sys/arch/amd64/include/cpu_full.h =================================================================== RCS file: /cvs/src/sys/arch/amd64/include/cpu_full.h,v retrieving revision 1.4 diff -u -p -r1.4 cpu_full.h --- sys/arch/amd64/include/cpu_full.h 12 Sep 2018 07:00:51 -0000 1.4 +++ sys/arch/amd64/include/cpu_full.h 26 May 2019 02:13:15 -0000 @@ -1,6 +1,6 @@ /* $OpenBSD: cpu_full.h,v 1.4 2018/09/12 07:00:51 guenther Exp $ */ /* - * Copyright (c) Philip Guenther + * Copyright (c) 2018 Philip Guenther * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above Index: sys/arch/amd64/include/cpufunc.h =================================================================== RCS file: /cvs/src/sys/arch/amd64/include/cpufunc.h,v retrieving revision 1.31 diff -u -p -r1.31 cpufunc.h --- sys/arch/amd64/include/cpufunc.h 4 Oct 2018 05:00:40 -0000 1.31 +++ sys/arch/amd64/include/cpufunc.h 26 May 2019 02:13:15 -0000 @@ -353,6 +353,8 @@ void cpu_ucode_apply(struct cpu_info *); struct cpu_info_full; void cpu_enter_pages(struct cpu_info_full *); +int rdmsr_safe(u_int msr, uint64_t *); + #endif /* _KERNEL */ #endif /* !_MACHINE_CPUFUNC_H_ */ Index: sys/arch/amd64/include/specialreg.h =================================================================== RCS file: /cvs/src/sys/arch/amd64/include/specialreg.h,v retrieving revision 1.81 diff -u -p -r1.81 specialreg.h --- sys/arch/amd64/include/specialreg.h 11 Sep 2018 07:13:23 -0000 1.81 +++ sys/arch/amd64/include/specialreg.h 26 May 2019 02:13:15 -0000 @@ -220,6 +220,8 @@ /* SEFF EDX bits */ #define SEFF0EDX_AVX512_4FNNIW 0x00000004 /* AVX-512 neural network insns */ #define SEFF0EDX_AVX512_4FMAPS 0x00000008 /* AVX-512 mult accum single prec */ +#define SEFF0EDX_MD_CLEAR 0x00000400 /* Microarch Data Clear */ +#define SEFF0EDX_TSXFA 0x00002000 /* TSX Forced Abort */ #define SEFF0EDX_IBRS 0x04000000 /* IBRS / IBPB Speculation Control */ #define SEFF0EDX_STIBP 0x08000000 /* STIBP Speculation Control */ #define SEFF0EDX_L1DF 0x10000000 /* L1D_FLUSH */ @@ -372,6 +374,7 @@ #define ARCH_CAPABILITIES_RSBA (1 << 2) /* RSB Alternate */ #define ARCH_CAPABILITIES_SKIP_L1DFL_VMENTRY (1 << 3) #define ARCH_CAPABILITIES_SSB_NO (1 << 4) /* Spec St Byp safe */ +#define ARCH_CAPABILITIES_MDS_NO (1 << 5) /* microarch data-sampling */ #define MSR_FLUSH_CMD 0x10b #define FLUSH_CMD_L1D_FLUSH (1ULL << 0) #define MSR_BBL_CR_ADDR 0x116 /* PII+ only */ Index: sys/arch/amd64/include/vmmvar.h =================================================================== RCS file: /cvs/src/sys/arch/amd64/include/vmmvar.h,v retrieving revision 1.59 diff -u -p -r1.59 vmmvar.h --- sys/arch/amd64/include/vmmvar.h 20 Sep 2018 14:32:59 -0000 1.59 +++ sys/arch/amd64/include/vmmvar.h 26 May 2019 02:13:15 -0000 @@ -608,6 +608,9 @@ struct vm_rwregs_params { SEFF0EBX_AVX512BW | SEFF0EBX_AVX512VL) #define VMM_SEFF0ECX_MASK ~(SEFF0ECX_AVX512VBMI) +/* EDX mask contains the bits to include */ +#define VMM_SEFF0EDX_MASK (SEFF0EDX_MD_CLEAR) + /* * Extended function flags - copy from host minus: * 0x80000001 EDX:RDTSCP Support