11787 Kernel needs to be built with retpolines
11788 Kernel needs to generally use RSB stuffing
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: John Levon <john.levon@joyent.com>

@@ -23,11 +23,11 @@
  */
 /*
  * Copyright (c) 2010, Intel Corporation.
  * All rights reserved.
  *
- * Copyright 2018 Joyent, Inc.
+ * Copyright 2019 Joyent, Inc.
  */
         
 #include <sys/asm_linkage.h>
 #include <sys/asm_misc.h>
 #include <sys/regset.h>

@@ -326,11 +326,12 @@
 
         /*
          * Complete the rest of the setup and call mp_startup().
          */
         movq    %gs:CPU_THREAD, %rax    /* get thread ptr */
-        call    *T_PC(%rax)             /* call mp_startup_boot */
+        movq    T_PC(%rax), %rax
+        INDIRECT_CALL_REG(rax)          /* call mp_startup_boot */
         /* not reached */
         int     $20                     /* whoops, returned somehow! */
 
         SET_SIZE(real_mode_start_cpu)
 

@@ -605,10 +606,16 @@
 
         /*
          * Jump to the stage 2 code in the rm_platter_va->rm_cpu_halt_code
          */
         movw            $CPUHALTCODEOFF, %ax
+        /*
+         * The following indirect call is executed as part of starting up a CPU.
+         * As such nothing else should be running on it or executing in the
+         * system such that it is a viable Spectre v2 branch target injection
+         * location. At least, in theory.
+         */
         jmp             *%ax
 
 #endif  /* !__GNUC_AS__ */
 
         .globl real_mode_stop_cpu_stage1_end