Enable PTI by default for Intel
ClosedPublic
Actions

Authored by mhorne063_gmail.com on Jan 18 2018, 4:43 PM.

Details

Reviewers

emaste
kib
cem

Commits

rS328166: Enable KPTI by default on amd64 for non-AMD CPUs

Summary

Add a method to enable/disable PTI by default based on the CPU. For now, it is simply enabled for Intel, and disabled otherwise, but this can be adjusted later when we have a more concrete list of which CPUs are affected by Meltdown.

I was unsure of where the best place to put pti_get_default() was, so if you think it is more suitable somewhere else please let me know.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

mhorne063_gmail.com created this revision.Jan 18 2018, 4:43 PM

emaste added a subscriber: gordon.Jan 18 2018, 4:46 PM

imp added a subscriber: imp.Jan 18 2018, 5:06 PM

imp added inline comments.

sys/amd64/amd64/machdep.c
1516–1517 ↗	(On Diff #38166)	don't we have a list somewhere of affected versions?

kib added inline comments.Jan 18 2018, 5:25 PM

sys/amd64/amd64/machdep.c
1513 ↗	(On Diff #38166)	This function should go into x86/x86/identcpu.c, since it will be needed for i386 too (unless I go with unconditional 4/4g split).
1516–1517 ↗	(On Diff #38166)	Once I saw a linux code where pti was disabled for amd and enabled for everything else (e.g. via). But yes, there are rumors that atoms are not affected by meltdown, at least old in-order atoms.

imp added inline comments.Jan 18 2018, 5:36 PM

sys/amd64/amd64/machdep.c
1516–1517 ↗	(On Diff #38166)	Also, in the future Intel may come out with chips that don't suffer from metldown issues.

kib added inline comments.Jan 18 2018, 5:42 PM

sys/amd64/amd64/machdep.c
1516–1517 ↗	(On Diff #38166)	https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf IA32_ARCH_CAPABILITIES MSR, bit 0 But I do not think it is meaningful to add this to the code now.

emaste added inline comments.Jan 18 2018, 6:03 PM

sys/amd64/amd64/machdep.c
1516–1517 ↗	(On Diff #38166)	Also https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr We can assume Intel will make a change in CPUs not yet released and that they will not be vulnerable to Meltdown, but I think it is reasonable to start with this, and perhaps add a small handful of cases later (e.g. not vulnerable because too old, not vulnerable because new enough). I believe it is better to have a false positive (PTI enabled when not required); in all cases the user can choose to explicitly enable or disable it.

Move pti_get_default() to identcpu.c
Changed to enable for all except AMD

mhorne063_gmail.com marked an inline comment as done.Jan 18 2018, 6:36 PM

In the commit message we can reference this quote from https://www.amd.com/en/corporate/speculative-execution:

We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.

cem accepted this revision.Jan 18 2018, 8:26 PM

cem added a subscriber: cem.

cem added inline comments.

sys/x86/x86/identcpu.c
1665 ↗	(On Diff #38179)	Maybe use `bool` for predicates in new code?

This revision is now accepted and ready to land.Jan 18 2018, 8:26 PM

Closed by commit rS328166: Enable KPTI by default on amd64 for non-AMD CPUs (authored by emaste). · Explain WhyJan 19 2018, 3:42 PM

This revision was automatically updated to reflect the committed changes.

emaste added inline comments.Jan 19 2018, 3:47 PM

sys/x86/x86/identcpu.c
1665 ↗	(On Diff #38179)	I think this would be a good thing to consider in general, but in this case the pti global is an int and is handled with existing int-based tunable/sysctl infrastructure so I think bool would seem out of place.