2 * Copyright (c) 1982, 1986 The Regents of the University of California.
3 * Copyright (c) 1989, 1990 William Jolitz
4 * Copyright (c) 1994 John Dyson
5 * Copyright (c) 2008-2018 The DragonFly Project.
8 * This code is derived from software contributed to Berkeley by
9 * the Systems Programming Group of the University of Utah Computer
10 * Science Department, and William Jolitz.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. All advertising materials mentioning features or use of this software
21 * must display the following acknowledgement:
22 * This product includes software developed by the University of
23 * California, Berkeley and its contributors.
24 * 4. Neither the name of the University nor the names of its contributors
25 * may be used to endorse or promote products derived from this software
26 * without specific prior written permission.
28 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 * from: @(#)vm_machdep.c 7.3 (Berkeley) 5/13/91
41 * Utah $Hdr: vm_machdep.c 1.16.1.1 89/06/23$
42 * $FreeBSD: src/sys/i386/i386/vm_machdep.c,v 1.132.2.9 2003/01/25 19:02:23 dillon Exp $
45 #include <sys/param.h>
46 #include <sys/systm.h>
47 #include <sys/malloc.h>
50 #include <sys/interrupt.h>
51 #include <sys/vnode.h>
52 #include <sys/vmmeter.h>
53 #include <sys/kernel.h>
54 #include <sys/sysctl.h>
55 #include <sys/unistd.h>
58 #include <machine/clock.h>
59 #include <machine/cpu.h>
60 #include <machine/md_var.h>
61 #include <machine/smp.h>
62 #include <machine/pcb.h>
63 #include <machine/pcb_ext.h>
64 #include <machine/segments.h>
65 #include <machine/globaldata.h> /* npxthread */
66 #include <machine/specialreg.h>
67 #include <machine/vmm.h>
70 #include <vm/vm_param.h>
72 #include <vm/vm_kern.h>
73 #include <vm/vm_page.h>
74 #include <vm/vm_map.h>
75 #include <vm/vm_extern.h>
77 #include <sys/thread2.h>
79 #include <bus/isa/isa.h>
81 static void cpu_reset_real (void);
83 static int spectre_mitigation = -1;
84 static int spectre_support = 0;
85 static int spectre_mode = 0;
86 SYSCTL_INT(_machdep, OID_AUTO, spectre_mode, CTLFLAG_RD,
87 &spectre_mode, 0, "current Spectre enablements");
89 static int mds_mitigation = -1;
90 static int mds_support = 0;
91 static int mds_mode = 0;
92 SYSCTL_INT(_machdep, OID_AUTO, mds_mode, CTLFLAG_RD,
93 &mds_mode, 0, "current MDS enablements");
96 * Finish a fork operation, with lwp lp2 nearly set up.
97 * Copy and update the pcb, set up the stack so that the child is
98 * ready to run and return to user mode.
101 cpu_fork(struct lwp *lp1, struct lwp *lp2, int flags)
106 if ((flags & RFPROC) == 0) {
107 if ((flags & RFMEM) == 0) {
109 * Unshare user LDT. > 1 test is MPSAFE. While
110 * it can potentially race a 2->1 transition, the
111 * worst that happens is that we do an unnecessary
114 struct pcb *pcb1 = lp1->lwp_thread->td_pcb;
115 struct pcb_ldt *pcb_ldt = pcb1->pcb_ldt;
117 if (pcb_ldt && pcb_ldt->ldt_refcnt > 1) {
118 pcb_ldt = user_ldt_alloc(pcb1,pcb_ldt->ldt_len);
120 pcb1->pcb_ldt = pcb_ldt;
127 /* Ensure that lp1's pcb is up to date. */
128 if (mdcpu->gd_npxthread == lp1->lwp_thread)
129 npxsave(lp1->lwp_thread->td_savefpu);
132 * Copy lp1's PCB. This really only applies to the
133 * debug registers and FP state, but it's faster to just copy the
134 * whole thing. Because we only save the PCB at switchout time,
135 * the register state may not be current.
137 pcb2 = lp2->lwp_thread->td_pcb;
138 *pcb2 = *lp1->lwp_thread->td_pcb;
141 * Create a new fresh stack for the new process.
142 * Copy the trap frame for the return to user mode as if from a
143 * syscall. This copies the user mode register values.
145 * pcb_rsp must allocate an additional call-return pointer below
146 * the trap frame which will be restored by cpu_heavy_restore from
147 * PCB_RIP, and the thread's td_sp pointer must allocate an
148 * additional two quadwords below the pcb_rsp call-return pointer to
149 * hold the LWKT restore function pointer and rflags.
151 * The LWKT restore function pointer must be set to cpu_heavy_restore,
152 * which is our standard heavy-weight process switch-in function.
153 * YYY eventually we should shortcut fork_return and fork_trampoline
154 * to use the LWKT restore function directly so we can get rid of
155 * all the extra crap we are setting up.
157 lp2->lwp_md.md_regs = (struct trapframe *)pcb2 - 1;
158 bcopy(lp1->lwp_md.md_regs, lp2->lwp_md.md_regs, sizeof(*lp2->lwp_md.md_regs));
161 * Set registers for trampoline to user mode. Leave space for the
162 * return address on stack. These are the kernel mode register values.
164 * Set the new pmap CR3. If the new process uses isolated VM spaces,
165 * also set the isolated CR3.
167 pmap2 = vmspace_pmap(lp2->lwp_proc->p_vmspace);
168 pcb2->pcb_cr3 = vtophys(pmap2->pm_pml4);
169 if ((pcb2->pcb_flags & PCB_ISOMMU) && pmap2->pm_pmlpv_iso) {
170 pcb2->pcb_cr3_iso = vtophys(pmap2->pm_pml4_iso);
172 pcb2->pcb_flags &= ~PCB_ISOMMU;
173 pcb2->pcb_cr3_iso = 0;
178 * Per-process spectre mitigation (future)
180 pcb2->pcb_flags &= ~(PCB_IBRS1 | PCB_IBRS2);
181 switch (spectre_mitigation) {
183 pcb2->pcb_flags |= PCB_IBRS1;
186 pcb2->pcb_flags |= PCB_IBRS2;
193 pcb2->pcb_rbx = (unsigned long)fork_return; /* fork_trampoline argument */
195 pcb2->pcb_rsp = (unsigned long)lp2->lwp_md.md_regs - sizeof(void *);
196 pcb2->pcb_r12 = (unsigned long)lp2; /* fork_trampoline argument */
200 pcb2->pcb_rip = (unsigned long)fork_trampoline;
201 lp2->lwp_thread->td_sp = (char *)(pcb2->pcb_rsp - sizeof(void *));
202 *(u_int64_t *)lp2->lwp_thread->td_sp = PSL_USER;
203 lp2->lwp_thread->td_sp -= sizeof(void *);
204 *(void **)lp2->lwp_thread->td_sp = (void *)cpu_heavy_restore;
207 * pcb2->pcb_ldt: duplicated below, if necessary.
208 * pcb2->pcb_savefpu: cloned above.
209 * pcb2->pcb_flags: cloned above
210 * pcb2->pcb_onfault: cloned above (always NULL here).
211 * pcb2->pcb_onfault_sp:cloned above (don't care)
215 * XXX don't copy the i/o pages. this should probably be fixed.
217 pcb2->pcb_ext = NULL;
219 /* Copy the LDT, if necessary. */
220 if (pcb2->pcb_ldt != NULL) {
222 atomic_add_int(&pcb2->pcb_ldt->ldt_refcnt, 1);
224 pcb2->pcb_ldt = user_ldt_alloc(pcb2,
225 pcb2->pcb_ldt->ldt_len);
228 bcopy(&lp1->lwp_thread->td_tls, &lp2->lwp_thread->td_tls,
229 sizeof(lp2->lwp_thread->td_tls));
231 * Now, cpu_switch() can schedule the new lwp.
232 * pcb_rsp is loaded pointing to the cpu_switch() stack frame
233 * containing the return address when exiting cpu_switch.
234 * This will normally be to fork_trampoline(), which will have
235 * %rbx loaded with the new lwp's pointer. fork_trampoline()
236 * will set up a stack to call fork_return(lp, frame); to complete
237 * the return to user-mode.
242 * Prepare new lwp to return to the address specified in params.
/*
 * Loads the lwp's saved trap frame from params: tf_rip from lwp_func,
 * tf_rsp from lwp_stack and tf_rdi from lwp_arg.  A NULL return address
 * is then pushed onto that user stack with copyout(), and a fork handler
 * is installed: vmm_lwp_return in the lp->lwp_proc->p_vmm branch (which
 * also sets pcb_cr3 to KPML4phys), generic_lwp_return in the other call
 * (presumably the else branch; the line between them is not part of this
 * listing).
 */
245 cpu_prepare_lwp(struct lwp *lp, struct lwp_params *params)
247 struct trapframe *regs = lp->lwp_md.md_regs;
248 void *bad_return = NULL;
/*
 * NOTE(review): lwp_func and lwp_stack are stored into the frame as
 * given; no range or canonical-address check is visible in this
 * function -- confirm where params is validated before this frame is
 * used for the return to user mode.
 */
251 regs->tf_rip = (long)params->lwp_func;
252 regs->tf_rsp = (long)params->lwp_stack;
253 /* Set up argument for function call */
254 regs->tf_rdi = (long)params->lwp_arg;
257 * Set up fake return address. As the lwp function may never return,
258 * we simply copy out a NULL pointer and force the lwp to receive
259 * a SIGSEGV if it returns anyways.
261 regs->tf_rsp -= sizeof(void *);
/*
 * The store goes through copyout(), so a bad user stack address comes
 * back as a status in `error` instead of being dereferenced directly.
 * How `error` is handled is on lines not part of this listing.
 */
262 error = copyout(&bad_return, (void *)regs->tf_rsp, sizeof(bad_return));
266 if (lp->lwp_proc->p_vmm) {
267 lp->lwp_thread->td_pcb->pcb_cr3 = KPML4phys;
268 cpu_set_fork_handler(lp,
269 (void (*)(void *, struct trapframe *))vmm_lwp_return, lp);
271 cpu_set_fork_handler(lp,
272 (void (*)(void *, struct trapframe *))generic_lwp_return, lp);
278 * Intercept the return address from a freshly forked process that has NOT
279 * been scheduled yet.
281 * This is needed to make kernel threads stay in kernel mode.
284 cpu_set_fork_handler(struct lwp *lp, void (*func)(void *, struct trapframe *),
288 * Note that the trap frame follows the args, so the function
289 * is really called like this: func(arg, frame);
291 lp->lwp_thread->td_pcb->pcb_rbx = (long)func; /* function */
292 lp->lwp_thread->td_pcb->pcb_r12 = (long)arg; /* first arg */
296 cpu_set_thread_handler(thread_t td, void (*rfunc)(void), void *func, void *arg)
298 td->td_pcb->pcb_rbx = (long)func;
299 td->td_pcb->pcb_r12 = (long)arg;
300 td->td_switch = cpu_lwkt_switch;
301 td->td_sp -= sizeof(void *);
302 *(void **)td->td_sp = rfunc; /* exit function on return */
303 td->td_sp -= sizeof(void *);
304 *(void **)td->td_sp = cpu_kthread_restore;
310 struct thread *td = curthread;
315 /* Some x86 functionality was dropped */
316 KKASSERT(pcb->pcb_ext == NULL);
319 * disable all hardware breakpoints
321 if (pcb->pcb_flags & PCB_DBREGS) {
323 pcb->pcb_flags &= ~PCB_DBREGS;
325 td->td_gd->gd_cnt.v_swtch++;
327 crit_enter_quick(td);
328 if (td->td_flags & TDF_TSLEEPQ)
330 lwkt_deschedule_self(td);
331 lwkt_remove_tdallq(td);
336 * Terminate the current thread. The caller must have already acquired
337 * the thread's rwlock and placed it on a reap list or otherwise notified
338 * a reaper of its existence. We set a special assembly switch function which
339 * releases td_rwlock after it has cleaned up the MMU state and switched
342 * Must be called from a critical section and with the thread descheduled.
345 cpu_thread_exit(void)
348 curthread->td_switch = cpu_exit_switch;
349 curthread->td_flags |= TDF_EXITING;
351 panic("cpu_thread_exit: lwkt_switch() unexpectedly returned");
364 * Attempt to do a CPU reset via the keyboard controller,
365 * do not turn off the GateA20, as any machine that fails
366 * to do the reset here would then end up in no man's land.
369 #if !defined(BROKEN_KEYBOARD_RESET)
370 outb(IO_KBD + 4, 0xFE);
371 DELAY(500000); /* wait 0.5 sec to see if that did it */
372 kprintf("Keyboard reset did not work, attempting CPU shutdown\n");
373 DELAY(1000000); /* wait 1 sec for kprintf to complete */
376 /* force a shutdown by unmapping entire address space ! */
377 bzero((caddr_t) PTD, PAGE_SIZE);
380 /* "good night, sweet prince .... <THUNK!>" */
387 swi_vm(void *arg, void *frame)
389 if (busdma_swi_pending != 0)
394 swi_vm_setup(void *arg)
396 register_swi_mp(SWI_VM, swi_vm, NULL, "swi_vm", NULL, 0);
399 SYSINIT(swi_vm_setup, SI_BOOT2_MACHDEP, SI_ORDER_ANY, swi_vm_setup, NULL);
402 * NOTE: This routine is also called after a successful microcode
405 void mitigation_vm_setup(void *arg);
408 * Check for IBPB and IBRS support
410 * These bits also specify desired modes in the spectre_mitigation sysctl.
412 #define IBRS_SUPPORTED 0x0001
413 #define STIBP_SUPPORTED 0x0002
414 #define IBPB_SUPPORTED 0x0004
415 #define IBRS_AUTO_SUPPORTED 0x0008
416 #define STIBP_AUTO_SUPPORTED 0x0010
417 #define IBRS_PREFERRED_REQUEST 0x0020
421 spectre_check_support(void)
427 * Spectre mitigation hw bits
429 * IBRS Indirect Branch Restricted Speculation (isolation)
430 * STIBP Single Thread Indirect Branch Prediction (isolation)
431 * IBPB Branch Prediction Barrier (barrier)
433 * IBRS and STIBP must be toggled (enabled on entry to kernel,
434 * disabled on exit, as well as disabled during any MWAIT/HLT).
435 * When *_AUTO bits are available, IBRS and STIBP may be left
436 * turned on and do not have to be toggled on kernel entry/exit.
438 * All this shit has enormous overhead. IBPB in particular, and
439 * non-auto modes are disabled by default.
441 if (cpu_vendor_id == CPU_VENDOR_INTEL) {
446 cpuid_count(7, 0, p);
447 if (p[3] & CPUID_7_0_I3_SPEC_CTRL)
448 rv |= IBRS_SUPPORTED | IBPB_SUPPORTED;
449 if (p[3] & CPUID_7_0_I3_STIBP)
450 rv |= STIBP_SUPPORTED;
453 * 0x80000008 p[1] bit 12 indicates IBPB support
455 * This bit might be set even though SPEC_CTRL is not set.
461 do_cpuid(0x80000008U, p);
462 if (p[1] & CPUID_INTEL_80000008_I1_IBPB_SUPPORT)
463 rv |= IBPB_SUPPORTED;
464 } else if (cpu_vendor_id == CPU_VENDOR_AMD) {
466 * 0x80000008 p[1] bit 12 indicates IBPB support
467 * p[1] bit 14 indicates IBRS support
468 * p[1] bit 15 indicates STIBP support
470 * p[1] bit 16 indicates IBRS auto support
471 * p[1] bit 17 indicates STIBP auto support
472 * p[1] bit 18 indicates processor prefers using
473 * IBRS instead of retpoline.
479 do_cpuid(0x80000008U, p);
480 if (p[1] & CPUID_AMD_80000008_I1_IBPB_SUPPORT)
481 rv |= IBPB_SUPPORTED;
482 if (p[1] & CPUID_AMD_80000008_I1_IBRS_SUPPORT)
483 rv |= IBRS_SUPPORTED;
484 if (p[1] & CPUID_AMD_80000008_I1_STIBP_SUPPORT)
485 rv |= STIBP_SUPPORTED;
487 if (p[1] & CPUID_AMD_80000008_I1_IBRS_AUTO)
488 rv |= IBRS_AUTO_SUPPORTED;
489 if (p[1] & CPUID_AMD_80000008_I1_STIBP_AUTO)
490 rv |= STIBP_AUTO_SUPPORTED;
491 if (p[1] & CPUID_AMD_80000008_I1_IBRS_REQUESTED)
492 rv |= IBRS_PREFERRED_REQUEST;
499 * Iterate CPUs and adjust MSR for global operations, since
500 * the KMMU* code won't do it if spectre_mitigation is 0 or 2.
502 #define CHECK(flag) (spectre_mitigation & spectre_support & (flag))
506 spectre_sysctl_changed(void)
508 globaldata_t save_gd;
509 struct trampframe *tr;
516 spec_mask = SPEC_CTRL_IBRS | SPEC_CTRL_STIBP |
517 SPEC_CTRL_DUMMY_ENABLE | SPEC_CTRL_DUMMY_IBPB;
524 for (n = 0; n < ncpus; ++n) {
525 lwkt_setcpu_self(globaldata_find(n));
527 tr = &pscpu->trampoline;
530 * Make sure we are cleaned out.
532 * XXX cleanup, reusing globals inside the loop (they get
533 * set to the same thing each loop)
535 * [0] kernel entry (idle exit)
536 * [1] kernel exit (idle entry)
538 tr->tr_pcb_spec_ctrl[0] &= ~spec_mask;
539 tr->tr_pcb_spec_ctrl[1] &= ~spec_mask;
542 * Don't try to parse if not available
544 if (spectre_mitigation < 0)
548 * IBRS mode. Auto overrides toggling.
550 * Only set the ENABLE flag if we have to toggle something
554 if (CHECK(IBRS_AUTO_SUPPORTED)) {
555 spec_ctrl |= SPEC_CTRL_IBRS;
556 mode |= IBRS_AUTO_SUPPORTED;
557 } else if (CHECK(IBRS_SUPPORTED)) {
558 spec_ctrl |= SPEC_CTRL_IBRS | SPEC_CTRL_DUMMY_ENABLE;
559 mode |= IBRS_SUPPORTED;
561 if (CHECK(STIBP_AUTO_SUPPORTED)) {
562 spec_ctrl |= SPEC_CTRL_STIBP;
563 mode |= STIBP_AUTO_SUPPORTED;
564 } else if (CHECK(STIBP_SUPPORTED)) {
565 spec_ctrl |= SPEC_CTRL_STIBP | SPEC_CTRL_DUMMY_ENABLE;
566 mode |= STIBP_SUPPORTED;
570 * IBPB requested and supported.
572 if (CHECK(IBPB_SUPPORTED)) {
573 spec_ctrl |= SPEC_CTRL_DUMMY_IBPB;
574 mode |= IBPB_SUPPORTED;
578 * Update the MSR if the cpu supports the modes to ensure
579 * proper disablement if the user disabled the mode.
581 if (spectre_support & (IBRS_SUPPORTED | IBRS_AUTO_SUPPORTED |
582 STIBP_SUPPORTED | STIBP_AUTO_SUPPORTED)) {
584 spec_ctrl & (SPEC_CTRL_IBRS|SPEC_CTRL_STIBP));
588 * Update spec_ctrl fields in the trampoline.
590 * [0] on-kernel-entry (on-idle-exit)
591 * [1] on-kernel-exit (on-idle-entry)
593 * When auto mode is supported we leave the bit set, otherwise
596 tr->tr_pcb_spec_ctrl[0] |= spec_ctrl;
597 if (CHECK(IBRS_AUTO_SUPPORTED) == 0)
598 spec_ctrl &= ~SPEC_CTRL_IBRS;
599 if (CHECK(STIBP_AUTO_SUPPORTED) == 0)
600 spec_ctrl &= ~SPEC_CTRL_STIBP;
601 tr->tr_pcb_spec_ctrl[1] |= spec_ctrl;
604 * Make sure we set this on the first loop. It will be
605 * the same value on remaining loops.
609 lwkt_setcpu_self(save_gd);
613 * Console message on mitigation mode change
615 kprintf("Spectre: support=(");
616 if (spectre_support == 0) {
619 if (spectre_support & IBRS_SUPPORTED)
621 if (spectre_support & STIBP_SUPPORTED)
623 if (spectre_support & IBPB_SUPPORTED)
625 if (spectre_support & IBRS_AUTO_SUPPORTED)
626 kprintf(" IBRS_AUTO");
627 if (spectre_support & STIBP_AUTO_SUPPORTED)
628 kprintf(" STIBP_AUTO");
629 if (spectre_support & IBRS_PREFERRED_REQUEST)
630 kprintf(" IBRS_REQUESTED");
632 kprintf(" ) req=%04x operating=(", (uint16_t)spectre_mitigation);
633 if (spectre_mode == 0) {
636 if (spectre_mode & IBRS_SUPPORTED)
638 if (spectre_mode & STIBP_SUPPORTED)
640 if (spectre_mode & IBPB_SUPPORTED)
642 if (spectre_mode & IBRS_AUTO_SUPPORTED)
643 kprintf(" IBRS_AUTO");
644 if (spectre_mode & STIBP_AUTO_SUPPORTED)
645 kprintf(" STIBP_AUTO");
646 if (spectre_mode & IBRS_PREFERRED_REQUEST)
647 kprintf(" IBRS_REQUESTED");
655 * User changes sysctl value
/*
 * String sysctl handler registered for both machdep.spectre_mitigation
 * and machdep.spectre_support.  The CTLFLAG_WR bit in oidp->oid_kind
 * selects what is reported: spectre_mode when it is set, spectre_support
 * otherwise.  spectre_vm_setup() clears CTLFLAG_WR on the mitigation oid
 * while spectre_mitigation is negative, so in that state this handler
 * reports the support mask for that oid as well.
 *
 * With a new value supplied on a writable oid, the input is split on
 * " ,\t\r\n", each token is matched case-insensitively against the
 * feature names, and the resulting bit set is stored in
 * spectre_mitigation before spectre_sysctl_changed() is called.
 */
658 sysctl_spectre_mitigation(SYSCTL_HANDLER_ARGS)
669 * Return current operating mode or support.
671 if (oidp->oid_kind & CTLFLAG_WR)
672 spectre = spectre_mode;
674 spectre = spectre_support;
676 spectre &= (IBRS_SUPPORTED | IBRS_AUTO_SUPPORTED |
677 STIBP_SUPPORTED | STIBP_AUTO_SUPPORTED |
683 error = SYSCTL_OUT(req, " ", 1);
687 if (spectre & IBRS_SUPPORTED) {
688 spectre &= ~IBRS_SUPPORTED;
689 error = SYSCTL_OUT(req, "IBRS", 4);
691 if (spectre & IBRS_AUTO_SUPPORTED) {
692 spectre &= ~IBRS_AUTO_SUPPORTED;
693 error = SYSCTL_OUT(req, "IBRS_AUTO", 9);
695 if (spectre & STIBP_SUPPORTED) {
696 spectre &= ~STIBP_SUPPORTED;
697 error = SYSCTL_OUT(req, "STIBP", 5);
699 if (spectre & STIBP_AUTO_SUPPORTED) {
700 spectre &= ~STIBP_AUTO_SUPPORTED;
701 error = SYSCTL_OUT(req, "STIBP_AUTO", 10);
703 if (spectre & IBPB_SUPPORTED) {
704 spectre &= ~IBPB_SUPPORTED;
705 error = SYSCTL_OUT(req, "IBPB", 4);
709 error = SYSCTL_OUT(req, "NONE", 4);
/*
 * Two gates before the write path: an output error or a request with
 * no new value, then an oid without CTLFLAG_WR.  The statements taken
 * on each gate are not part of this listing (presumably returns).
 */
712 if (error || req->newptr == NULL)
714 if ((oidp->oid_kind & CTLFLAG_WR) == 0)
718 * Change current operating mode
720 len = req->newlen - req->newidx;
/*
 * Length check on the caller-supplied string: input that is at least
 * sizeof(buf) long is diverted here, so the SYSCTL_IN below copies
 * fewer bytes than buf holds.  NOTE(review): the rejection statement
 * and any terminator store are on lines not part of this listing --
 * confirm buf is NUL-terminated before strsep() walks it.
 */
721 if (len >= sizeof(buf)) {
725 error = SYSCTL_IN(req, buf, len);
731 while (error == 0 && iter) {
732 ptr = strsep(&iter, " ,\t\r\n");
735 if (strcasecmp(ptr, "NONE") == 0)
737 else if (strcasecmp(ptr, "IBRS") == 0)
738 spectre |= IBRS_SUPPORTED;
739 else if (strcasecmp(ptr, "IBRS_AUTO") == 0)
740 spectre |= IBRS_AUTO_SUPPORTED;
741 else if (strcasecmp(ptr, "STIBP") == 0)
742 spectre |= STIBP_SUPPORTED;
743 else if (strcasecmp(ptr, "STIBP_AUTO") == 0)
744 spectre |= STIBP_AUTO_SUPPORTED;
745 else if (strcasecmp(ptr, "IBPB") == 0)
746 spectre |= IBPB_SUPPORTED;
/*
 * The requested bits are stored without masking against
 * spectre_support here; spectre_sysctl_changed() tests each mode
 * through CHECK(), which ANDs the request with spectre_support.
 */
751 spectre_mitigation = spectre;
752 spectre_sysctl_changed();
757 SYSCTL_PROC(_machdep, OID_AUTO, spectre_mitigation,
758 CTLTYPE_STRING | CTLFLAG_RW,
759 0, 0, sysctl_spectre_mitigation, "A", "Spectre exploit mitigation");
760 SYSCTL_PROC(_machdep, OID_AUTO, spectre_support,
761 CTLTYPE_STRING | CTLFLAG_RD,
762 0, 0, sysctl_spectre_mitigation, "A", "Spectre supported features");
765 * NOTE: Called at SI_BOOT2_MACHDEP and also when the microcode is
766 * updated. Microcode updates must be applied to all cpus
767 * for support to be recognized.
770 spectre_vm_setup(void *arg)
772 int inconsistent = 0;
776 * Fetch tunable in auto mode
778 if (spectre_mitigation < 0) {
779 TUNABLE_INT_FETCH("machdep.spectre_mitigation",
780 &spectre_mitigation);
783 if ((supmask = spectre_check_support()) != 0) {
785 * Must be supported on all cpus before we
786 * can enable it. Returns silently if it
789 * NOTE! arg != NULL indicates we were called
790 * from cpuctl after a successful microcode
794 globaldata_t save_gd;
798 for (n = 0; n < ncpus; ++n) {
799 lwkt_setcpu_self(globaldata_find(n));
801 if (spectre_check_support() !=
807 lwkt_setcpu_self(save_gd);
813 * Be silent while microcode is being loaded on various CPUs,
817 spectre_mitigation = -1;
825 spectre_support = supmask;
828 * Enable spectre_mitigation, set defaults if -1, adjust
829 * tuned value according to support if not.
831 * NOTE! We do not enable IBPB for user->kernel transitions
832 * by default, so this code is commented out for now.
834 if (spectre_support) {
835 if (spectre_mitigation < 0) {
836 spectre_mitigation = 0;
839 * IBRS toggling not currently recommended as a
842 if (spectre_support & IBRS_AUTO_SUPPORTED)
843 spectre_mitigation |= IBRS_AUTO_SUPPORTED;
844 else if (spectre_support & IBRS_SUPPORTED)
845 spectre_mitigation |= 0;
848 * STIBP toggling not currently recommended as a
851 if (spectre_support & STIBP_AUTO_SUPPORTED)
852 spectre_mitigation |= STIBP_AUTO_SUPPORTED;
853 else if (spectre_support & STIBP_SUPPORTED)
854 spectre_mitigation |= 0;
857 * IBPB adds enormous (~2uS) overhead to system
858 * calls etc, we do not enable it by default.
860 if (spectre_support & IBPB_SUPPORTED)
861 spectre_mitigation |= 0;
864 spectre_mitigation = -1;
868 * Disallow sysctl changes when there is no support (otherwise
869 * the wrmsr will cause a protection fault).
871 if (spectre_mitigation < 0)
872 sysctl___machdep_spectre_mitigation.oid_kind &= ~CTLFLAG_WR;
874 sysctl___machdep_spectre_mitigation.oid_kind |= CTLFLAG_WR;
876 spectre_sysctl_changed();
879 #define MDS_AVX512_4VNNIW_SUPPORTED 0x0001
880 #define MDS_AVX512_4FMAPS_SUPPORTED 0x0002
881 #define MDS_MD_CLEAR_SUPPORTED 0x0004
882 #define MDS_TSX_FORCE_ABORT_SUPPORTED 0x0008
883 #define MDS_NOT_REQUIRED 0x8000
887 mds_check_support(void)
894 * MDS mitigation hw bits
896 * MD_CLEAR Use microcode-supported verf insn. This is the
897 * only mode we really support.
899 if (cpu_vendor_id == CPU_VENDOR_INTEL) {
904 cpuid_count(7, 0, p);
905 if (p[3] & CPUID_SEF_ARCH_CAP) {
906 msr = rdmsr(MSR_IA32_ARCH_CAPABILITIES);
907 if (msr & IA32_ARCH_MDS_NO)
908 rv = MDS_NOT_REQUIRED;
910 if (p[3] & CPUID_SEF_AVX512_4VNNIW)
911 rv |= MDS_AVX512_4VNNIW_SUPPORTED;
912 if (p[3] & CPUID_SEF_AVX512_4FMAPS)
913 rv |= MDS_AVX512_4FMAPS_SUPPORTED;
914 if (p[3] & CPUID_SEF_MD_CLEAR)
915 rv |= MDS_MD_CLEAR_SUPPORTED;
916 if (p[3] & CPUID_SEF_TSX_FORCE_ABORT)
917 rv |= MDS_TSX_FORCE_ABORT_SUPPORTED;
919 rv = MDS_NOT_REQUIRED;
926 * Iterate CPUs and adjust MSR for global operations, since
927 * the KMMU* code won't do it if spectre_mitigation is 0 or 2.
929 #define CHECK(flag) (mds_mitigation & mds_support & (flag))
933 mds_sysctl_changed(void)
935 globaldata_t save_gd;
936 struct trampframe *tr;
942 spec_mask = SPEC_CTRL_MDS_ENABLE;
949 for (n = 0; n < ncpus; ++n) {
950 lwkt_setcpu_self(globaldata_find(n));
952 tr = &pscpu->trampoline;
955 * Make sure we are cleaned out.
957 * XXX cleanup, reusing globals inside the loop (they get
958 * set to the same thing each loop)
960 * [0] kernel entry (idle exit)
961 * [1] kernel exit (idle entry)
963 tr->tr_pcb_spec_ctrl[0] &= ~spec_mask;
964 tr->tr_pcb_spec_ctrl[1] &= ~spec_mask;
967 * Don't try to parse if not available
969 if (mds_mitigation < 0)
973 if (CHECK(MDS_MD_CLEAR_SUPPORTED)) {
974 spec_ctrl |= SPEC_CTRL_MDS_ENABLE;
975 mode |= MDS_MD_CLEAR_SUPPORTED;
979 * Update spec_ctrl fields in the trampoline.
981 * [0] on-kernel-entry (on-idle-exit)
982 * [1] on-kernel-exit (on-idle-entry)
984 * The MDS stuff is only needed on kernel-exit or idle-entry
986 /* tr->tr_pcb_spec_ctrl[0] |= spec_ctrl; */
987 tr->tr_pcb_spec_ctrl[1] |= spec_ctrl;
990 * Make sure we set this on the first loop. It will be
991 * the same value on remaining loops.
995 lwkt_setcpu_self(save_gd);
999 * Console message on mitigation mode change
1001 kprintf("MDS: support=(");
1002 if (mds_support == 0) {
1005 if (mds_support & MDS_AVX512_4VNNIW_SUPPORTED)
1006 kprintf(" AVX512_4VNNIW");
1007 if (mds_support & MDS_AVX512_4FMAPS_SUPPORTED)
1008 kprintf(" AVX512_4FMAPS");
1009 if (mds_support & MDS_MD_CLEAR_SUPPORTED)
1010 kprintf(" MD_CLEAR");
1011 if (mds_support & MDS_TSX_FORCE_ABORT_SUPPORTED)
1012 kprintf(" TSX_FORCE_ABORT");
1013 if (mds_support & MDS_NOT_REQUIRED)
1014 kprintf(" MDS_NOT_REQUIRED");
1016 kprintf(" ) req=%04x operating=(", (uint16_t)mds_mitigation);
1017 if (mds_mode == 0) {
1020 if (mds_mode & MDS_AVX512_4VNNIW_SUPPORTED)
1021 kprintf(" AVX512_4VNNIW");
1022 if (mds_mode & MDS_AVX512_4FMAPS_SUPPORTED)
1023 kprintf(" AVX512_4FMAPS");
1024 if (mds_mode & MDS_MD_CLEAR_SUPPORTED)
1025 kprintf(" MD_CLEAR");
1026 if (mds_mode & MDS_TSX_FORCE_ABORT_SUPPORTED)
1027 kprintf(" TSX_FORCE_ABORT");
1028 if (mds_mode & MDS_NOT_REQUIRED)
1029 kprintf(" MDS_NOT_REQUIRED");
1037 * User changes sysctl value
/*
 * String sysctl handler registered for both machdep.mds_mitigation and
 * machdep.mds_support.  The value reported depends on the CTLFLAG_WR bit
 * in oidp->oid_kind (the two assignments it selects between are on lines
 * not part of this listing).  mds_vm_setup() clears CTLFLAG_WR on the
 * mitigation oid while mds_mitigation is negative.
 *
 * With a new value supplied on a writable oid, the input is split on
 * " ,\t\r\n", each token is matched case-insensitively against the
 * feature names, and the resulting bit set is stored in mds_mitigation
 * before mds_sysctl_changed() is called.
 */
1040 sysctl_mds_mitigation(SYSCTL_HANDLER_ARGS)
1051 * Return current operating mode or support.
1053 if (oidp->oid_kind & CTLFLAG_WR)
1058 mds &= MDS_AVX512_4VNNIW_SUPPORTED |
1059 MDS_AVX512_4FMAPS_SUPPORTED |
1060 MDS_MD_CLEAR_SUPPORTED |
1061 MDS_TSX_FORCE_ABORT_SUPPORTED |
1068 error = SYSCTL_OUT(req, " ", 1);
1072 if (mds & MDS_AVX512_4VNNIW_SUPPORTED) {
1073 mds &= ~MDS_AVX512_4VNNIW_SUPPORTED;
1074 error = SYSCTL_OUT(req, "AVX512_4VNNIW", 13);
1076 if (mds & MDS_AVX512_4FMAPS_SUPPORTED) {
1077 mds &= ~MDS_AVX512_4FMAPS_SUPPORTED;
1078 error = SYSCTL_OUT(req, "AVX512_4FMAPS", 13);
1080 if (mds & MDS_MD_CLEAR_SUPPORTED) {
1081 mds &= ~MDS_MD_CLEAR_SUPPORTED;
1082 error = SYSCTL_OUT(req, "MD_CLEAR", 8);
1084 if (mds & MDS_TSX_FORCE_ABORT_SUPPORTED) {
1085 mds &= ~MDS_TSX_FORCE_ABORT_SUPPORTED;
1086 error = SYSCTL_OUT(req, "TSX_FORCE_ABORT", 15);
1088 if (mds & MDS_NOT_REQUIRED) {
1089 mds &= ~MDS_NOT_REQUIRED;
1090 error = SYSCTL_OUT(req, "MDS_NOT_REQUIRED", 16);
1094 error = SYSCTL_OUT(req, "NONE", 4);
/*
 * Two gates before the write path: an output error or a request with
 * no new value, then an oid without CTLFLAG_WR.  The statements taken
 * on each gate are not part of this listing (presumably returns).
 */
1097 if (error || req->newptr == NULL)
1099 if ((oidp->oid_kind & CTLFLAG_WR) == 0)
1103 * Change current operating mode
1105 len = req->newlen - req->newidx;
/*
 * Length check on the caller-supplied string: input that is at least
 * sizeof(buf) long is diverted here, so the SYSCTL_IN below copies
 * fewer bytes than buf holds.  NOTE(review): the rejection statement
 * and any terminator store are on lines not part of this listing --
 * confirm buf is NUL-terminated before strsep() walks it.
 */
1106 if (len >= sizeof(buf)) {
1110 error = SYSCTL_IN(req, buf, len);
1116 while (error == 0 && iter) {
1117 ptr = strsep(&iter, " ,\t\r\n");
1120 if (strcasecmp(ptr, "NONE") == 0)
1122 else if (strcasecmp(ptr, "AVX512_4VNNIW") == 0)
1123 mds |= MDS_AVX512_4VNNIW_SUPPORTED;
1124 else if (strcasecmp(ptr, "AVX512_4FMAPS") == 0)
1125 mds |= MDS_AVX512_4FMAPS_SUPPORTED;
1126 else if (strcasecmp(ptr, "MD_CLEAR") == 0)
1127 mds |= MDS_MD_CLEAR_SUPPORTED;
1128 else if (strcasecmp(ptr, "TSX_FORCE_ABORT") == 0)
1129 mds |= MDS_TSX_FORCE_ABORT_SUPPORTED;
1130 else if (strcasecmp(ptr, "MDS_NOT_REQUIRED") == 0)
1131 mds |= MDS_NOT_REQUIRED;
/*
 * Every recognised name can be requested, but mds_sysctl_changed()
 * only tests CHECK(MDS_MD_CLEAR_SUPPORTED); the other bits are stored
 * in mds_mitigation without changing the trampoline spec_ctrl fields
 * in the code visible in this file.
 */
1136 mds_mitigation = mds;
1137 mds_sysctl_changed();
1142 SYSCTL_PROC(_machdep, OID_AUTO, mds_mitigation,
1143 CTLTYPE_STRING | CTLFLAG_RW,
1144 0, 0, sysctl_mds_mitigation, "A", "MDS exploit mitigation");
1145 SYSCTL_PROC(_machdep, OID_AUTO, mds_support,
1146 CTLTYPE_STRING | CTLFLAG_RD,
1147 0, 0, sysctl_mds_mitigation, "A", "MDS supported features");
1150 * NOTE: Called at SI_BOOT2_MACHDEP and also when the microcode is
1151 * updated. Microcode updates must be applied to all cpus
1152 * for support to be recognized.
1155 mds_vm_setup(void *arg)
1157 int inconsistent = 0;
1161 * Fetch tunable in auto mode
1163 if (mds_mitigation < 0) {
1164 TUNABLE_INT_FETCH("machdep.mds_mitigation", &mds_mitigation);
1167 if ((supmask = mds_check_support()) != 0) {
1169 * Must be supported on all cpus before we
1170 * can enable it. Returns silently if it
1173 * NOTE! arg != NULL indicates we were called
1174 * from cpuctl after a successful microcode
1178 globaldata_t save_gd;
1182 for (n = 0; n < ncpus; ++n) {
1183 lwkt_setcpu_self(globaldata_find(n));
1185 if (mds_check_support() != supmask) {
1190 lwkt_setcpu_self(save_gd);
1196 * Be silent while microcode is being loaded on various CPUs,
1200 mds_mitigation = -1;
1208 mds_support = supmask;
1211 * Enable mds_mitigation, set defaults if -1, adjust
1212 * tuned value according to support if not.
1214 * NOTE! MDS is not enabled by default.
1217 if (mds_mitigation < 0) {
1220 if ((mds_support & MDS_NOT_REQUIRED) == 0 &&
1221 (mds_support & MDS_MD_CLEAR_SUPPORTED)) {
1222 /* mds_mitigation |= MDS_MD_CLEAR_SUPPORTED; */
1226 mds_mitigation = -1;
1230 * Disallow sysctl changes when there is no support (otherwise
1231 * the wrmsr will cause a protection fault).
1233 if (mds_mitigation < 0)
1234 sysctl___machdep_mds_mitigation.oid_kind &= ~CTLFLAG_WR;
1236 sysctl___machdep_mds_mitigation.oid_kind |= CTLFLAG_WR;
1238 mds_sysctl_changed();
1242 * NOTE: Called at SI_BOOT2_MACHDEP and also when the microcode is
1243 * updated. Microcode updates must be applied to all cpus
1244 * for support to be recognized.
1247 mitigation_vm_setup(void *arg)
1249 spectre_vm_setup(arg);
1253 SYSINIT(mitigation_vm_setup, SI_BOOT2_MACHDEP, SI_ORDER_ANY,
1254 mitigation_vm_setup, NULL);
1257 * platform-specific vmspace initialization (nothing for x86_64)
1260 cpu_vmspace_alloc(struct vmspace *vm __unused)
1265 cpu_vmspace_free(struct vmspace *vm __unused)
/*
 * Checks a kernel virtual address range before it is accessed: saddr is
 * compared with KvaStart, eaddr with KvaEnd, each PAGE_SIZE step from
 * saddr is probed with pmap_kextract(), and the whole range is passed to
 * kernacc() with prot.  The statements taken when a check fails are not
 * part of this listing.
 *
 * NOTE(review): no saddr <= eaddr test is visible; with eaddr below saddr
 * the loop body never runs and `eaddr - saddr` handed to kernacc() would
 * wrap if vm_offset_t is unsigned -- confirm callers guarantee ordering.
 * NOTE(review): the loop advances from saddr itself, so with an unaligned
 * saddr the last page touched by [saddr, eaddr) may be stepped over by
 * the pmap_kextract() probe; kernacc() still receives the full length.
 */
1270 kvm_access_check(vm_offset_t saddr, vm_offset_t eaddr, int prot)
1274 if (saddr < KvaStart)
1276 if (eaddr >= KvaEnd)
1278 for (addr = saddr; addr < eaddr; addr += PAGE_SIZE) {
1279 if (pmap_kextract(addr) == 0)
1282 if (!kernacc((caddr_t)saddr, eaddr - saddr, prot))
1289 void _test_frame_enter(struct trapframe *frame);
1290 void _test_frame_exit(struct trapframe *frame);
/*
 * Debug check on a trap frame.  When ISPL(frame->tf_cs) == SEL_UPL the
 * frame must equal td->td_lwp->lwp_md.md_regs, and the frame's tf_rsp and
 * tf_rip are recorded in lwp_saveusp and lwp_saveupc.  A frame pointer
 * below td_kstack or above td_kstack + td_kstack_size panics.
 *
 * NOTE(review): the KASSERT and panic strings below say "_test_frame_exit"
 * although this is _test_frame_enter, so a failure here is reported under
 * the other function's name.
 * NOTE(review): the upper bound uses `>`, so a frame pointer exactly at
 * td_kstack + td_kstack_size is accepted -- confirm that is intended.
 */
1293 _test_frame_enter(struct trapframe *frame)
1295 thread_t td = curthread;
1297 if (ISPL(frame->tf_cs) == SEL_UPL) {
1298 KKASSERT(td->td_lwp);
1299 KASSERT(td->td_lwp->lwp_md.md_regs == frame,
1300 ("_test_frame_exit: Frame mismatch %p %p",
1301 td->td_lwp->lwp_md.md_regs, frame));
1302 td->td_lwp->lwp_saveusp = (void *)frame->tf_rsp;
1303 td->td_lwp->lwp_saveupc = (void *)frame->tf_rip;
1305 if ((char *)frame < td->td_kstack ||
1306 (char *)frame > td->td_kstack + td->td_kstack_size) {
1307 panic("_test_frame_exit: frame not on kstack %p kstack=%p",
1308 frame, td->td_kstack);
1313 _test_frame_exit(struct trapframe *frame)
1315 thread_t td = curthread;
1317 if (ISPL(frame->tf_cs) == SEL_UPL) {
1318 KKASSERT(td->td_lwp);
1319 KASSERT(td->td_lwp->lwp_md.md_regs == frame,
1320 ("_test_frame_exit: Frame mismatch %p %p",
1321 td->td_lwp->lwp_md.md_regs, frame));
1322 if (td->td_lwp->lwp_saveusp != (void *)frame->tf_rsp) {
1323 kprintf("_test_frame_exit: %s:%d usp mismatch %p/%p\n",
1324 td->td_comm, td->td_proc->p_pid,
1325 td->td_lwp->lwp_saveusp,
1326 (void *)frame->tf_rsp);
1328 if (td->td_lwp->lwp_saveupc != (void *)frame->tf_rip) {
1329 kprintf("_test_frame_exit: %s:%d upc mismatch %p/%p\n",
1330 td->td_comm, td->td_proc->p_pid,
1331 td->td_lwp->lwp_saveupc,
1332 (void *)frame->tf_rip);
1336 * adulterate the fields to catch entries that
1337 * don't run through test_frame_enter
1339 td->td_lwp->lwp_saveusp =
1340 (void *)~(intptr_t)td->td_lwp->lwp_saveusp;
1341 td->td_lwp->lwp_saveupc =
1342 (void *)~(intptr_t)td->td_lwp->lwp_saveupc;
1344 if ((char *)frame < td->td_kstack ||
1345 (char *)frame > td->td_kstack + td->td_kstack_size) {
1346 panic("_test_frame_exit: frame not on kstack %p kstack=%p",
1347 frame, td->td_kstack);