7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
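--- a/usr/src/uts/i86pc/os/mlsetup.c
+++ b/usr/src/uts/i86pc/os/mlsetup.c
@@ -1,512 +1,514 @@
 /*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
 /*
 * Copyright (c) 2012 Gary Mills
 *
 * Copyright (c) 1993, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2011 by Delphix. All rights reserved.
 */
 /*
 * Copyright (c) 2010, Intel Corporation.
 * All rights reserved.
 */
 
 #include <sys/types.h>
 #include <sys/sysmacros.h>
 #include <sys/disp.h>
 #include <sys/promif.h>
 #include <sys/clock.h>
 #include <sys/cpuvar.h>
 #include <sys/stack.h>
 #include <vm/as.h>
 #include <vm/hat.h>
 #include <sys/reboot.h>
 #include <sys/avintr.h>
 #include <sys/vtrace.h>
 #include <sys/proc.h>
 #include <sys/thread.h>
 #include <sys/cpupart.h>
 #include <sys/pset.h>
 #include <sys/copyops.h>
 #include <sys/pg.h>
 #include <sys/disp.h>
 #include <sys/debug.h>
 #include <sys/sunddi.h>
 #include <sys/x86_archext.h>
 #include <sys/privregs.h>
 #include <sys/machsystm.h>
 #include <sys/ontrap.h>
 #include <sys/bootconf.h>
 #include <sys/boot_console.h>
 #include <sys/kdi_machimpl.h>
 #include <sys/archsystm.h>
 #include <sys/promif.h>
 #include <sys/pci_cfgspace.h>
 #include <sys/bootvfs.h>
 #ifdef __xpv
 #include <sys/hypervisor.h>
 #else
 #include <sys/xpv_support.h>
 #endif
 
 /*
 * some globals for patching the result of cpuid
 * to solve problems w/ creative cpu vendors
 */
 
 extern uint32_t cpuid_feature_ecx_include;
 extern uint32_t cpuid_feature_ecx_exclude;
 extern uint32_t cpuid_feature_edx_include;
 extern uint32_t cpuid_feature_edx_exclude;
 
 /*
 * Set console mode
 */
 static void
 set_console_mode(uint8_t val)
 {
 struct bop_regs rp = {0};
 
 rp.eax.byte.ah = 0x0;
 rp.eax.byte.al = val;
 rp.ebx.word.bx = 0x0;
 
 BOP_DOINT(bootops, 0x10, &rp);
 }
 
 
 /*
 * Setup routine called right before main(). Interposing this function
 * before main() allows us to call it in a machine-independent fashion.
 */
 void
 mlsetup(struct regs *rp)
 {
 u_longlong_t prop_value;
 extern struct classfuncs sys_classfuncs;
 extern disp_t cpu0_disp;
 extern char t0stack[];
 extern int post_fastreboot;
 extern uint64_t plat_dr_options;
 
 ASSERT_STACK_ALIGNED();
 
 /*
 * initialize cpu_self
 */
 cpu[0]->cpu_self = cpu[0];
 
 #if defined(__xpv)
 /*
 * Point at the hypervisor's virtual cpu structure
 */
 cpu[0]->cpu_m.mcpu_vcpu_info = &HYPERVISOR_shared_info->vcpu_info[0];
 #endif
 
 /*
 * check if we've got special bits to clear or set
 * when checking cpu features
 */
 
 if (bootprop_getval("cpuid_feature_ecx_include", &prop_value) != 0)
 cpuid_feature_ecx_include = 0;
 else
 cpuid_feature_ecx_include = (uint32_t)prop_value;
 
 if (bootprop_getval("cpuid_feature_ecx_exclude", &prop_value) != 0)
 cpuid_feature_ecx_exclude = 0;
 else
 cpuid_feature_ecx_exclude = (uint32_t)prop_value;
 
 if (bootprop_getval("cpuid_feature_edx_include", &prop_value) != 0)
 cpuid_feature_edx_include = 0;
 else
 cpuid_feature_edx_include = (uint32_t)prop_value;
 
 if (bootprop_getval("cpuid_feature_edx_exclude", &prop_value) != 0)
 cpuid_feature_edx_exclude = 0;
 else
 cpuid_feature_edx_exclude = (uint32_t)prop_value;
 
 /*
 * Initialize idt0, gdt0, ldt0_default, ktss0 and dftss.
 */
 init_desctbls();
 
 /*
 * lgrp_init() and possibly cpuid_pass1() need PCI config
 * space access
 */
 #if defined(__xpv)
 if (DOMAIN_IS_INITDOMAIN(xen_info))
 pci_cfgspace_init();
 #else
 pci_cfgspace_init();
 /*
 * Initialize the platform type from CPU 0 to ensure that
 * determine_platform() is only ever called once.
 */
 determine_platform();
 #endif
 
 /*
 * The first lightweight pass (pass0) through the cpuid data
 * was done in locore before mlsetup was called. Do the next
 * pass in C code.
 *
 * The x86_featureset is initialized here based on the capabilities
 * of the boot CPU. Note that if we choose to support CPUs that have
 * different feature sets (at which point we would almost certainly
 * want to set the feature bits to correspond to the feature
 * minimum) this value may be altered.
 */
 cpuid_pass1(cpu[0], x86_featureset);
 
 #if !defined(__xpv)
 if ((get_hwenv() & HW_XEN_HVM) != 0)
 xen_hvm_init();
 
 /*
 * Before we do anything with the TSCs, we need to work around
 * Intel erratum BT81. On some CPUs, warm reset does not
 * clear the TSC. If we are on such a CPU, we will clear TSC ourselves
 * here. Other CPUs will clear it when we boot them later, and the
 * resulting skew will be handled by tsc_sync_master()/_slave();
 * note that such skew already exists and has to be handled anyway.
 *
 * We do this only on metal. This same problem can occur with a
 * hypervisor that does not happen to virtualise a TSC that starts from
 * zero, regardless of CPU type; however, we do not expect hypervisors
 * that do not virtualise TSC that way to handle writes to TSC
 * correctly, either.
 */
 if (get_hwenv() == HW_NATIVE &&
 cpuid_getvendor(CPU) == X86_VENDOR_Intel &&
 cpuid_getfamily(CPU) == 6 &&
 (cpuid_getmodel(CPU) == 0x2d || cpuid_getmodel(CPU) == 0x3e) &&
 is_x86_feature(x86_featureset, X86FSET_TSC)) {
 (void) wrmsr(REG_TSC, 0UL);
 }
 
 /*
 * Patch the tsc_read routine with appropriate set of instructions,
 * depending on the processor family and architecure, to read the
 * time-stamp counter while ensuring no out-of-order execution.
 * Patch it while the kernel text is still writable.
 *
 * Note: tsc_read is not patched for intel processors whose family
 * is >6 and for amd whose family >f (in case they don't support rdtscp
 * instruction, unlikely). By default tsc_read will use cpuid for
 * serialization in such cases. The following code needs to be
 * revisited if intel processors of family >= f retains the
 * instruction serialization nature of mfence instruction.
 * Note: tsc_read is not patched for x86 processors which do
 * not support "mfence". By default tsc_read will use cpuid for
 * serialization in such cases.
 *
 * The Xen hypervisor does not correctly report whether rdtscp is
 * supported or not, so we must assume that it is not.
 */
 if ((get_hwenv() & HW_XEN_HVM) == 0 &&
 is_x86_feature(x86_featureset, X86FSET_TSCP))
 patch_tsc_read(X86_HAVE_TSCP);
 else if (cpuid_getvendor(CPU) == X86_VENDOR_AMD &&
 cpuid_getfamily(CPU) <= 0xf &&
 is_x86_feature(x86_featureset, X86FSET_SSE2))
 patch_tsc_read(X86_TSC_MFENCE);
 else if (cpuid_getvendor(CPU) == X86_VENDOR_Intel &&
 cpuid_getfamily(CPU) <= 6 &&
 is_x86_feature(x86_featureset, X86FSET_SSE2))
 patch_tsc_read(X86_TSC_LFENCE);
 
 #endif /* !__xpv */
 
 #if defined(__i386) && !defined(__xpv)
 /*
 * Some i386 processors do not implement the rdtsc instruction,
 * or at least they do not implement it correctly. Patch them to
 * return 0.
 */
 if (!is_x86_feature(x86_featureset, X86FSET_TSC))
 patch_tsc_read(X86_NO_TSC);
 #endif /* __i386 && !__xpv */
 
 #if defined(__amd64) && !defined(__xpv)
 patch_memops(cpuid_getvendor(CPU));
 #endif /* __amd64 && !__xpv */
 
 #if !defined(__xpv)
 /* XXPV what, if anything, should be dorked with here under xen? */
 
 /*
 * While we're thinking about the TSC, let's set up %cr4 so that
 * userland can issue rdtsc, and initialize the TSC_AUX value
 * (the cpuid) for the rdtscp instruction on appropriately
 * capable hardware.
 */
 if (is_x86_feature(x86_featureset, X86FSET_TSC))
 setcr4(getcr4() & ~CR4_TSD);
 
 if (is_x86_feature(x86_featureset, X86FSET_TSCP))
 (void) wrmsr(MSR_AMD_TSCAUX, 0);
 
 /*
 * Let's get the other %cr4 stuff while we're here. Note, we defer
 * enabling CR4_SMAP until startup_end(); however, that's importantly
 * before we start other CPUs. That ensures that it will be synced out
 * to other CPUs.
 */
 if (is_x86_feature(x86_featureset, X86FSET_DE))
 setcr4(getcr4() | CR4_DE);
 
 if (is_x86_feature(x86_featureset, X86FSET_SMEP))
 setcr4(getcr4() | CR4_SMEP);
 #endif /* __xpv */
 
 /*
 * initialize t0
 */
 t0.t_stk = (caddr_t)rp - MINFRAME;
 t0.t_stkbase = t0stack;
 t0.t_pri = maxclsyspri - 3;
 t0.t_schedflag = TS_LOAD | TS_DONT_SWAP;
 t0.t_procp = &p0;
 t0.t_plockp = &p0lock.pl_lock;
 t0.t_lwp = &lwp0;
 t0.t_forw = &t0;
 t0.t_back = &t0;
 t0.t_next = &t0;
 t0.t_prev = &t0;
 t0.t_cpu = cpu[0];
 t0.t_disp_queue = &cpu0_disp;
 t0.t_bind_cpu = PBIND_NONE;
 t0.t_bind_pset = PS_NONE;
 t0.t_bindflag = (uchar_t)default_binding_mode;
 t0.t_cpupart = &cp_default;
 t0.t_clfuncs = &sys_classfuncs.thread;
 t0.t_copyops = NULL;
 THREAD_ONPROC(&t0, CPU);
 
 lwp0.lwp_thread = &t0;
 lwp0.lwp_regs = (void *)rp;
 lwp0.lwp_procp = &p0;
 t0.t_tid = p0.p_lwpcnt = p0.p_lwprcnt = p0.p_lwpid = 1;
 
 p0.p_exec = NULL;
 p0.p_stat = SRUN;
 p0.p_flag = SSYS;
 p0.p_tlist = &t0;
 p0.p_stksize = 2*PAGESIZE;
 p0.p_stkpageszc = 0;
 p0.p_as = &kas;
 p0.p_lockp = &p0lock;
 p0.p_brkpageszc = 0;
 p0.p_t1_lgrpid = LGRP_NONE;
 p0.p_tr_lgrpid = LGRP_NONE;
+psecflags_default(&p0.p_secflags);
+
 sigorset(&p0.p_ignore, &ignoredefault);
 
 CPU->cpu_thread = &t0;
 bzero(&cpu0_disp, sizeof (disp_t));
 CPU->cpu_disp = &cpu0_disp;
 CPU->cpu_disp->disp_cpu = CPU;
 CPU->cpu_dispthread = &t0;
 CPU->cpu_idle_thread = &t0;
 CPU->cpu_flags = CPU_READY | CPU_RUNNING | CPU_EXISTS | CPU_ENABLE;
 CPU->cpu_dispatch_pri = t0.t_pri;
 
 CPU->cpu_id = 0;
 
 CPU->cpu_pri = 12; /* initial PIL for the boot CPU */
 
 /*
 * The kernel doesn't use LDTs unless a process explicitly requests one.
 */
 p0.p_ldt_desc = null_sdesc;
 
 /*
 * Initialize thread/cpu microstate accounting
 */
 init_mstate(&t0, LMS_SYSTEM);
 init_cpu_mstate(CPU, CMS_SYSTEM);
 
 /*
 * Initialize lists of available and active CPUs.
 */
 cpu_list_init(CPU);
 
 pg_cpu_bootstrap(CPU);
 
 /*
 * Now that we have taken over the GDT, IDT and have initialized
 * active CPU list it's time to inform kmdb if present.
 */
 if (boothowto & RB_DEBUG)
 kdi_idt_sync();
 
 /*
 * Explicitly set console to text mode (0x3) if this is a boot
 * post Fast Reboot, and the console is set to CONS_SCREEN_TEXT.
 */
 if (post_fastreboot && boot_console_type(NULL) == CONS_SCREEN_TEXT)
 set_console_mode(0x3);
 
 /*
 * If requested (boot -d) drop into kmdb.
 *
 * This must be done after cpu_list_init() on the 64-bit kernel
 * since taking a trap requires that we re-compute gsbase based
 * on the cpu list.
 */
 if (boothowto & RB_DEBUGENTER)
 kmdb_enter();
 
 cpu_vm_data_init(CPU);
 
 rp->r_fp = 0; /* terminate kernel stack traces! */
 
 prom_init("kernel", (void *)NULL);
 
 /* User-set option overrides firmware value. */
 if (bootprop_getval(PLAT_DR_OPTIONS_NAME, &prop_value) == 0) {
 plat_dr_options = (uint64_t)prop_value;
 }
 #if defined(__xpv)
 /* No support of DR operations on xpv */
 plat_dr_options = 0;
 #else /* __xpv */
 /* Flag PLAT_DR_FEATURE_ENABLED should only be set by DR driver. */
 plat_dr_options &= ~PLAT_DR_FEATURE_ENABLED;
 #ifndef __amd64
 /* Only enable CPU/memory DR on 64 bits kernel. */
 plat_dr_options &= ~PLAT_DR_FEATURE_MEMORY;
 plat_dr_options &= ~PLAT_DR_FEATURE_CPU;
 #endif /* __amd64 */
 #endif /* __xpv */
 
 /*
 * Get value of "plat_dr_physmax" boot option.
 * It overrides values calculated from MSCT or SRAT table.
 */
 if (bootprop_getval(PLAT_DR_PHYSMAX_NAME, &prop_value) == 0) {
 plat_dr_physmax = ((uint64_t)prop_value) >> PAGESHIFT;
 }
 
 /* Get value of boot_ncpus. */
 if (bootprop_getval(BOOT_NCPUS_NAME, &prop_value) != 0) {
 boot_ncpus = NCPU;
 } else {
 boot_ncpus = (int)prop_value;
 if (boot_ncpus <= 0 || boot_ncpus > NCPU)
 boot_ncpus = NCPU;
 }
 
 /*
 * Set max_ncpus and boot_max_ncpus to boot_ncpus if platform doesn't
 * support CPU DR operations.
 */
 if (plat_dr_support_cpu() == 0) {
 max_ncpus = boot_max_ncpus = boot_ncpus;
 } else {
 if (bootprop_getval(PLAT_MAX_NCPUS_NAME, &prop_value) != 0) {
 max_ncpus = NCPU;
 } else {
 max_ncpus = (int)prop_value;
 if (max_ncpus <= 0 || max_ncpus > NCPU) {
 max_ncpus = NCPU;
 }
 if (boot_ncpus > max_ncpus) {
 boot_ncpus = max_ncpus;
 }
 }
 
 if (bootprop_getval(BOOT_MAX_NCPUS_NAME, &prop_value) != 0) {
 boot_max_ncpus = boot_ncpus;
 } else {
 boot_max_ncpus = (int)prop_value;
 if (boot_max_ncpus <= 0 || boot_max_ncpus > NCPU) {
 boot_max_ncpus = boot_ncpus;
 } else if (boot_max_ncpus > max_ncpus) {
 boot_max_ncpus = max_ncpus;
 }
 }
 }
 
 /*
 * Initialize the lgrp framework
 */
 lgrp_init(LGRP_INIT_STAGE1);
 
 if (boothowto & RB_HALT) {
 prom_printf("unix: kernel halted by -h flag\n");
 prom_enter_mon();
 }
 
 ASSERT_STACK_ALIGNED();
 
 /*
 * Fill out cpu_ucode_info. Update microcode if necessary.
 */
 ucode_check(CPU);
 
 if (workaround_errata(CPU) != 0)
 panic("critical workaround(s) missing for boot cpu");
 }
 
 
 void
 mach_modpath(char *path, const char *filename)
 {
 /*
 * Construct the directory path from the filename.
 */
 
 int len;
 char *p;
 const char isastr[] = "/amd64";
 size_t isalen = strlen(isastr);
 
 len = strlen(SYSTEM_BOOT_PATH "/kernel");
 (void) strcpy(path, SYSTEM_BOOT_PATH "/kernel ");
 path += len + 1;
 
 if ((p = strrchr(filename, '/')) == NULL)
 return;
 
 while (p > filename && *(p - 1) == '/')
 p--; /* remove trailing '/' characters */
 if (p == filename)
 p++; /* so "/" -is- the modpath in this case */
 
 /*
 * Remove optional isa-dependent directory name - the module
 * subsystem will put this back again (!)
 */
 len = p - filename;
 if (len > isalen &&
 strncmp(&filename[len - isalen], isastr, isalen) == 0)
 p -= isalen;
 
 /*
 * "/platform/mumblefrotz" + " " + MOD_DEFPATH
 */
 len += (p - filename) + 1 + strlen(MOD_DEFPATH) + 1;
 (void) strncpy(path, filename, p - filename);
 }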