
Enable PTI by default for Intel
Closed, Public

Authored by mhorne063_gmail.com on Jan 18 2018, 4:43 PM.
Summary

Add a method to enable/disable PTI by default based on the CPU. For now, it is simply enabled for Intel, and disabled otherwise, but this can be adjusted later when we have a more concrete list of which CPUs are affected by Meltdown.

I was unsure of where the best place to put pti_get_default() was, so if you think it is more suitable somewhere else please let me know.

Diff Detail: Lint skipped; unit tests skipped.

Event Timeline

imp added inline comments.
sys/amd64/amd64/machdep.c
1516–1517

don't we have a list somewhere of affected versions?

sys/amd64/amd64/machdep.c
1513

This function should go into x86/x86/identcpu.c, since it will be needed for i386 too (unless I go with unconditional 4/4g split).

1516–1517

Once I saw Linux code where PTI was disabled for AMD and enabled for everything else (e.g. VIA).
But yes, there are rumors that atoms are not affected by meltdown, at least old in-order atoms.

sys/amd64/amd64/machdep.c
1516–1517

Also, in the future Intel may come out with chips that don't suffer from Meltdown issues.

sys/amd64/amd64/machdep.c
1516–1517

https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf

IA32_ARCH_CAPABILITIES MSR, bit 0

But I do not think it is meaningful to add this to the code now.

sys/amd64/amd64/machdep.c
1516–1517

Also https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

We can assume Intel will make a change in CPUs not yet released and that they will not be vulnerable to Meltdown, but I think it is reasonable to start with this, and perhaps add a small handful of cases later (e.g. not vulnerable because too old, not vulnerable because new enough). I believe it is better to have a false positive (PTI enabled when not required); in all cases the user can choose to explicitly enable or disable it.

Move pti_get_default() to identcpu.c
Changed to enable for all except AMD

In the commit message we can reference this quote from https://www.amd.com/en/corporate/speculative-execution:

We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.
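The default-selection logic discussed in this review, written out as an added userland model rather than the committed FreeBSD code: it orders the three inputs the thread mentions (an explicit administrator tunable, the RDCL_NO bit of IA32_ARCH_CAPABILITIES that kib points to, and the vendor default), and so goes one step beyond the committed "all except AMD" check. The vendor enum names, the tunable encoding and the argument list are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Userland model of the PTI default selection. The enum names and the
 * tunable encoding are assumptions for this example, not identcpu.c's.
 */
enum cpu_vendor { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, CPU_VENDOR_OTHER };

/*
 * IA32_ARCH_CAPABILITIES bit 0 (RDCL_NO): the CPU reports that it is not
 * vulnerable to Meltdown, per Intel document 336996.
 */
#define ARCH_CAP_RDCL_NO   (1ULL << 0)

/* Assumed encoding of the loader tunable: -1 = not set, 0 = off, 1 = on. */
#define PTI_TUNABLE_UNSET  (-1)

/*
 * Returns 1 if PTI should be enabled, 0 otherwise.  Precedence, highest
 * first:
 *   1. an explicit tunable set by the administrator always wins;
 *   2. RDCL_NO in IA32_ARCH_CAPABILITIES, when that MSR exists, turns
 *      PTI off because the CPU states it is not affected;
 *   3. otherwise the vendor default: disabled for AMD, enabled for
 *      everyone else, preferring a false positive (PTI on when it is
 *      not needed) over a false negative.
 */
int
pti_get_default(enum cpu_vendor vendor, bool has_arch_cap,
    uint64_t arch_cap, int tunable)
{
	if (tunable != PTI_TUNABLE_UNSET)
		return (tunable != 0);
	if (has_arch_cap && (arch_cap & ARCH_CAP_RDCL_NO) != 0)
		return (0);
	return (vendor != CPU_VENDOR_AMD);
}
```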

cem added a subscriber: cem.
cem added inline comments.
sys/x86/x86/identcpu.c
1665

Maybe use bool for predicates in new code?

This revision is now accepted and ready to land. Jan 18 2018, 8:26 PM
This revision was automatically updated to reflect the committed changes.
sys/x86/x86/identcpu.c
1665

I think this would be a good thing to consider in general, but in this case the pti global is an int and is handled with existing int-based tunable/sysctl infrastructure so I think bool would seem out of place.

sys/x86/x86/identcpu.c
1665

Our existing sysctl/tunable infrastructure has a bool type we can/should use.