11787 Kernel needs to be built with retpolines
11788 Kernel needs to generally use RSB stuffing
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: John Levon <john.levon@joyent.com>
--- old/usr/src/uts/i86pc/ml/md_clear.s
+++ new/usr/src/uts/i86pc/ml/md_clear.s
1 1 /*
2 2 * This file and its contents are supplied under the terms of the
3 3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 4 * You may only use this file in accordance with the terms of version
5 5 * 1.0 of the CDDL.
6 6 *
7 7 * A full copy of the text of the CDDL should have accompanied this
8 8 * source. A copy of the CDDL is also available via the Internet at
9 9 * http://www.illumos.org/license/CDDL.
10 10 */
11 11
12 12 /*
13 13 * Copyright 2019 Joyent, Inc.
14 14 */
15 15
16 16 #include <sys/asm_linkage.h>
17 17
18 18 /*
19 19 * This ASM file contains various routines that are designed to flush
20 20 * microarchitectural buffer state as part of dealing with the
21 21 * microarchitectural data sampling (MDS) vulnerabilities.
22 22 *
23 23 * These are called from various points in the system ranging from interrupts,
24 24 * before going idle, to returning from system calls. This means the following
25 25 * is true about the state of the system:
26 26 *
27 27 * o All register state is precious, we must not change register state upon
28 28 * entry or return from these functions.
29 29 *
30 30 * o %ds is valid.
31 31 *
32 32 * o %gs is arbitrary, it may be kernel or user. You cannot rely on it.
33 33 *
34 34 * o Interrupts should be disabled by the caller.
35 35 *
36 36 * o %cr3 is on the kernel-side and therefore we still have access to kernel
37 37 * text. In other words, we haven't switched back to the user page table.
38 38 *
39 39 * o It is up to the caller to insure that a sufficient serializing instruction
40 40 * has been executed after this to make sure any pending speculations are
41 41 * captured. In general, this should be handled by the fact that callers of
42 42 * this are either going to change privilege levels or halt, which makes
43 43 * these operations safer.
44 44 */
45 - ENTRY_NP(x86_md_clear_noop)
46 - ret
47 - SET_SIZE(x86_md_clear_noop)
48 45
49 46 /*
50 - * This uses the microcode based means of flushing state. VERW will
51 - * clobber flags.
47 + * By default, x86_md_clear is disabled until the system determines that
48 + * it both needs MDS related mitigations and we have microcode that
49 + * provides the needed functionality.
50 + *
51 + * The VERW instruction clobbers flags which is why it's important that
52 + * we save and restore them here.
52 53 */
53 - ENTRY_NP(x86_md_clear_verw)
54 + ENTRY_NP(x86_md_clear)
55 + ret
54 56 pushfq
55 57 subq $8, %rsp
56 58 mov %ds, (%rsp)
57 59 verw (%rsp)
58 60 addq $8, %rsp
59 61 popfq
60 62 ret
61 - SET_SIZE(x86_md_clear_verw)
63 + SET_SIZE(x86_md_clear)
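Review bot: the `ret` placed directly after `ENTRY_NP(x86_md_clear)` (new line 55) makes the pushfq/verw/popfq sequence below it unreachable as written, and the new comment only says the routine is "disabled until the system determines that it both needs MDS related mitigations and we have microcode"; it should also state how that leading `ret` is turned off at runtime (and which code is responsible), since a reader auditing this file cannot otherwise tell whether the VERW path ever becomes live or whether the dead-looking code is a mistake. The previous `x86_md_clear_noop` symbol is removed in this hunk, so it is worth confirming in the same change that every former caller of `x86_md_clear_noop` and `x86_md_clear_verw` now resolves to `x86_md_clear`, and that the enabling step is only performed once the microcode check described in the comment has actually passed.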