kernel - Implement support for SMAP and SMEP security (3)
authorMatthew Dillon <dillon@apollo.backplane.com>
Fri, 17 May 2019 01:44:28 +0000 (18:44 -0700)
committerMatthew Dillon <dillon@apollo.backplane.com>
Fri, 17 May 2019 01:47:08 +0000 (18:47 -0700)
* Issue clac after the push on all traps, interrupts, and
  exceptions.

* Improve code documentation.

sys/cpu/x86_64/include/asmacros.h
sys/platform/pc64/x86_64/machdep.c

index c1c0cee..a82d49c 100644 (file)
        KMMUENTER_TFRIP ;       /* from userland */                     \
 1:                                                                     \
        subq    $TF_RIP,%rsp ;                                          \
-       PUSH_FRAME_REGS                                                 \
+       PUSH_FRAME_REGS ;                                               \
+       SMAP_CLOSE                                                      \
 
 #define PUSH_FRAME_TFERR                                               \
        testb   $SEL_RPL_MASK,TF_CS-TF_ERR(%rsp) ; /* from userland? */ \
        KMMUENTER_TFERR ;       /* from userland */                     \
 1:                                                                     \
        subq    $TF_ERR,%rsp ;                                          \
-       PUSH_FRAME_REGS                                                 \
+       PUSH_FRAME_REGS ;                                               \
+       SMAP_CLOSE                                                      \
 
 #define PUSH_FRAME_TFERR_SAVECR2                                       \
        testb   $SEL_RPL_MASK,TF_CS-TF_ERR(%rsp) ;                      \
        PUSH_FRAME_REGS ;                                               \
        movq    %cr2, %r10 ;                                            \
 2:                                                                     \
-       movq    %r10, TF_ADDR(%rsp)
+       movq    %r10, TF_ADDR(%rsp) ;                                   \
+       SMAP_CLOSE                                                      \
 
 /*
  * POP_FRAME is issued just prior to the iretq, or just prior to a
index 0e62f23..1922277 100644 (file)
@@ -3505,13 +3505,13 @@ cpu_implement_smap(void)
 {
        char **scan;
 
-       for (scan = SET_BEGIN(smap_open);
+       for (scan = SET_BEGIN(smap_open);               /* nop -> stac */
             scan < SET_LIMIT(smap_open); ++scan) {
                (*scan)[0] = 0x0F;
                (*scan)[1] = 0x01;
                (*scan)[2] = 0xCB;
        }
-       for (scan = SET_BEGIN(smap_close);
+       for (scan = SET_BEGIN(smap_close);              /* nop -> clac */
             scan < SET_LIMIT(smap_close); ++scan) {
                (*scan)[0] = 0x0F;
                (*scan)[1] = 0x01;