
Enable PTI by default for Intel
Closed, Public

Authored by mhorne063_gmail.com on Jan 18 2018, 4:43 PM.

Details

Summary

Add a method to enable/disable PTI by default based on the CPU. For now, it is simply enabled for Intel, and disabled otherwise, but this can be adjusted later when we have a more concrete list of which CPUs are affected by Meltdown.

I was unsure of where the best place to put pti_get_default() was, so if you think it is more suitable somewhere else please let me know.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

imp added inline comments.
sys/amd64/amd64/machdep.c
1516–1517 (On Diff #38166)

don't we have a list somewhere of affected versions?

sys/amd64/amd64/machdep.c
1513 (On Diff #38166)

This function should go into x86/x86/identcpu.c, since it will be needed for i386 too (unless I go with unconditional 4/4g split).

1516–1517 (On Diff #38166)

Once I saw Linux code where PTI was disabled for AMD and enabled for everything else (e.g. VIA).
But yes, there are rumors that Atoms are not affected by Meltdown, at least old in-order Atoms.

sys/amd64/amd64/machdep.c
1516–1517 (On Diff #38166)

Also, in the future Intel may come out with chips that don't suffer from Meltdown issues.

sys/amd64/amd64/machdep.c
1516–1517 (On Diff #38166)

https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf

IA32_ARCH_CAPABILITIES MSR, bit 0

But I do not think it is meaningful to add this to the code now.

sys/amd64/amd64/machdep.c
1516–1517 (On Diff #38166)

Also https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

We can assume Intel will make a change in CPUs not yet released and that they will not be vulnerable to Meltdown, but I think it is reasonable to start with this, and perhaps add a small handful of cases later (e.g. not vulnerable because too old, not vulnerable because new enough). I believe it is better to have a false positive (PTI enabled when not required); in all cases the user can choose to explicitly enable or disable it.

Move pti_get_default() to identcpu.c
Changed to enable for all except AMD

In the commit message we can reference this quote from https://www.amd.com/en/corporate/speculative-execution:

We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.
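As an added illustration that is not part of this revision or of FreeBSD's own code, the following C models the decision the thread settled on: PTI defaults to on unless the CPU vendor is AMD, and an explicit tunable overrides the default either way. It goes one step beyond the committed change by also honouring bit 0 (RDCL_NO) of IA32_ARCH_CAPABILITIES, the check that was discussed above and deliberately left out for now. The function names, the -1 "auto" tunable convention, and the assumption that the caller has already established MSR presence via CPUID.(EAX=7,ECX=0):EDX bit 29 are all mine; the vendor strings and MSR values are constructed inputs, not values read from hardware.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical names modeled on the review discussion, not FreeBSD's code.
 * Bit 0 of IA32_ARCH_CAPABILITIES (RDCL_NO) reports that the CPU is not
 * subject to rogue data cache load, i.e. Meltdown.
 */
#define	IA32_ARCH_CAP_RDCL_NO	(1ULL << 0)

/* CPUID leaf 0 vendor string; AMD is the only exclusion the revised diff makes. */
#define	VENDOR_AMD	"AuthenticAMD"

/*
 * Default PTI setting: off for AMD, on for everyone else.  Also off when the
 * ARCH_CAPABILITIES MSR is present and RDCL_NO is set (assumption: the caller
 * derived has_arch_caps from CPUID.(EAX=7,ECX=0):EDX bit 29).  An unknown
 * vendor deliberately falls through to "on": the thread prefers the false
 * positive of PTI enabled when it is not needed.  Returns int to match the
 * existing int-based pti tunable.
 */
int
pti_get_default(const char *vendor, int has_arch_caps, uint64_t arch_caps)
{
	if (strcmp(vendor, VENDOR_AMD) == 0)
		return (0);
	if (has_arch_caps && (arch_caps & IA32_ARCH_CAP_RDCL_NO) != 0)
		return (0);
	return (1);
}

/*
 * Effective setting: an explicit tunable of 0 or 1 always wins, since the
 * user may force PTI either way; -1 (assumed convention) means "auto".
 */
int
pti_resolve(const char *vendor, int has_arch_caps, uint64_t arch_caps,
    int tunable)
{
	if (tunable == 0 || tunable == 1)
		return (tunable);
	return (pti_get_default(vendor, has_arch_caps, arch_caps));
}

int
main(void)
{
	/* Constructed sample CPUs, not values read from hardware. */
	struct { const char *vendor; int caps; uint64_t val; } cpus[] = {
		{ "GenuineIntel", 0, 0 },
		{ "GenuineIntel", 1, IA32_ARCH_CAP_RDCL_NO },
		{ "AuthenticAMD", 0, 0 },
		{ "CentaurHauls", 0, 0 },
	};
	size_t i;

	for (i = 0; i < sizeof(cpus) / sizeof(cpus[0]); i++)
		printf("%-13s arch_caps=%d rdcl_no=%d -> default %d, forced off %d\n",
		    cpus[i].vendor, cpus[i].caps,
		    (int)(cpus[i].val & IA32_ARCH_CAP_RDCL_NO),
		    pti_get_default(cpus[i].vendor, cpus[i].caps, cpus[i].val),
		    pti_resolve(cpus[i].vendor, cpus[i].caps, cpus[i].val, 0));
	return (0);
}
```

The RDCL_NO branch only fires when the MSR is known to exist; on a CPU without the ARCH_CAPABILITIES feature the value passed in is ignored, so an older Intel part still gets PTI enabled.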

cem added a subscriber: cem.
cem added inline comments.
sys/x86/x86/identcpu.c
1665 (On Diff #38179)

Maybe use bool for predicates in new code?

This revision is now accepted and ready to land. Jan 18 2018, 8:26 PM
This revision was automatically updated to reflect the committed changes.
sys/x86/x86/identcpu.c
1665 (On Diff #38179)

I think this would be a good thing to consider in general, but in this case the pti global is an int and is handled with existing int-based tunable/sysctl infrastructure so I think bool would seem out of place.

sys/x86/x86/identcpu.c
1665 (On Diff #38179)

Our existing sysctl/tunable infrastructure has a bool type we can/should use.