Index: sys/amd64/amd64/machdep.c =================================================================== --- sys/amd64/amd64/machdep.c +++ sys/amd64/amd64/machdep.c @@ -1778,18 +1778,18 @@ vty_set_preferred(VTY_VT); TUNABLE_INT_FETCH("hw.ibrs_disable", &hw_ibrs_disable); - TUNABLE_INT_FETCH("machdep.mitigations.ibrs.disable", &hw_ibrs_disable); + TUNABLE_INT_FETCH("machdep.mitigations.ibrs.control", &hw_ibrs_disable); TUNABLE_INT_FETCH("hw.spec_store_bypass_disable", &hw_ssb_disable); - TUNABLE_INT_FETCH("machdep.mitigations.ssb.disable", &hw_ssb_disable); + TUNABLE_INT_FETCH("machdep.mitigations.ssb.control", &hw_ssb_disable); TUNABLE_INT_FETCH("machdep.syscall_ret_l1d_flush", &syscall_ret_l1d_flush_mode); TUNABLE_INT_FETCH("hw.mds_disable", &hw_mds_disable); - TUNABLE_INT_FETCH("machdep.mitigations.mds.disable", &hw_mds_disable); + TUNABLE_INT_FETCH("machdep.mitigations.mds.control", &hw_mds_disable); - TUNABLE_INT_FETCH("machdep.mitigations.taa.enable", &x86_taa_enable); + TUNABLE_INT_FETCH("machdep.mitigations.taa.control", &x86_taa_enable); finishidentcpu(); /* Final stage of CPU initialization */ initializecpu(); /* Initialize CPU registers */ Index: sys/kern/kern_mib.c =================================================================== --- sys/kern/kern_mib.c +++ sys/kern/kern_mib.c @@ -79,7 +79,7 @@ SYSCTL_ROOT_NODE(CTL_MACHDEP, machdep, CTLFLAG_RW, 0, "machine dependent"); SYSCTL_NODE(_machdep, OID_AUTO, mitigations, CTLFLAG_RW, 0, - "Machine dependent platform mitigations."); + "Machine dependent platform mitigations"); SYSCTL_ROOT_NODE(CTL_USER, user, CTLFLAG_RW, 0, "user-level"); SYSCTL_ROOT_NODE(CTL_P1003_1B, p1003_1b, CTLFLAG_RW, 0, Index: sys/x86/x86/cpu_machdep.c =================================================================== --- sys/x86/x86/cpu_machdep.c +++ sys/x86/x86/cpu_machdep.c @@ -878,10 +878,10 @@ "Indirect Branch Restricted Speculation active"); SYSCTL_NODE(_machdep_mitigations, OID_AUTO, ibrs, CTLFLAG_RW, 0, - "Indirect Branch Restricted Speculation active"); + "Indirect Branch Restricted Speculation state"); SYSCTL_INT(_machdep_mitigations_ibrs, OID_AUTO, active, CTLFLAG_RD, - &hw_ibrs_active, 0, "Indirect Branch Restricted Speculation active"); + &hw_ibrs_active, 0, "Indirect Branch Restricted Speculation (0 - inactive, 1 - active)"); void hw_ibrs_recalculate(void) @@ -913,10 +913,36 @@ CTLFLAG_NOFETCH | CTLFLAG_MPSAFE, NULL, 0, hw_ibrs_disable_handler, "I", "Disable Indirect Branch Restricted Speculation"); -SYSCTL_PROC(_machdep_mitigations_ibrs, OID_AUTO, disable, CTLTYPE_INT | +SYSCTL_PROC(_machdep_mitigations_ibrs, OID_AUTO, control, CTLTYPE_INT | CTLFLAG_RWTUN | CTLFLAG_NOFETCH | CTLFLAG_MPSAFE, NULL, 0, hw_ibrs_disable_handler, "I", - "Disable Indirect Branch Restricted Speculation"); + "Indirect Branch Restricted Speculation Mitigation control (0 - off, 1 - on)"); + + +static int +sysctl_hw_ibrs_disable_state_handler(SYSCTL_HANDLER_ARGS) +{ + const char *state; + + switch (hw_ibrs_disable) { + case 0: /* off */ + state = "mitigation off"; + break; + case 1: /* on */ + state = "mitigation on"; + break; + default: + state = "unknown"; + } + + return (SYSCTL_OUT(req, state, strlen(state))); +} + +SYSCTL_PROC(_machdep_mitigations_ibrs, OID_AUTO, state, + CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, + sysctl_hw_ibrs_disable_state_handler, "A", + "Indirect Branch Restricted Speculation Mitigation state"); + int hw_ssb_active; int hw_ssb_disable; @@ -926,10 +952,10 @@ "Speculative Store Bypass Disable active"); SYSCTL_NODE(_machdep_mitigations, OID_AUTO, ssb, CTLFLAG_RW, 0, - "Speculative Store Bypass Disable active"); + "Speculative Store Bypass Mitigation state"); SYSCTL_INT(_machdep_mitigations_ssb, OID_AUTO, active, CTLFLAG_RD, - &hw_ssb_active, 0, "Speculative Store Bypass Disable active"); + &hw_ssb_active, 0, "Speculative Store Bypass (0 - inactive, 1 - active)"); static void hw_ssb_set(bool enable, bool for_all_cpus) @@ -984,11 +1010,34 @@ hw_ssb_disable_handler, "I", "Speculative Store Bypass Disable (0 - off, 1 - on, 2 - auto"); -SYSCTL_PROC(_machdep_mitigations_ssb, OID_AUTO, disable, CTLTYPE_INT | +SYSCTL_PROC(_machdep_mitigations_ssb, OID_AUTO, control, CTLTYPE_INT | CTLFLAG_RWTUN | CTLFLAG_NOFETCH | CTLFLAG_MPSAFE, NULL, 0, hw_ssb_disable_handler, "I", - "Speculative Store Bypass Disable (0 - off, 1 - on, 2 - auto"); + "Speculative Store Bypass Mitigation control (0 - off, 1 - on, 2 - auto)"); + +static int +sysctl_hw_ssb_disable_state_handler(SYSCTL_HANDLER_ARGS) +{ + const char *state; + + switch (hw_ssb_disable) { + case 0: /* off */ + state = "mitigation off"; + break; + case 1: /* on */ + state = "mitigation on"; + break; + default: + state = "unknown"; + } + + return (SYSCTL_OUT(req, state, strlen(state))); +} +SYSCTL_PROC(_machdep_mitigations_ssb, OID_AUTO, state, + CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, + sysctl_hw_ssb_disable_state_handler, "A", + "Speculative Store Bypass Mitigation state"); int hw_mds_disable; /* @@ -1013,21 +1062,21 @@ const char *state; if (mds_handler == mds_handler_void) - state = "inactive"; + state = "mitigation off"; else if (mds_handler == mds_handler_verw) - state = "VERW"; + state = "mitigation on (VERW)"; else if (mds_handler == mds_handler_ivb) - state = "software IvyBridge"; + state = "mitigation on (IvyBridge)"; else if (mds_handler == mds_handler_bdw) - state = "software Broadwell"; + state = "mitigation on (Broadwell)"; else if (mds_handler == mds_handler_skl_sse) - state = "software Skylake SSE"; + state = "mitigation on (Skylake SSE)"; else if (mds_handler == mds_handler_skl_avx) - state = "software Skylake AVX"; + state = "mitigation on (Skylake AVX)"; else if (mds_handler == mds_handler_skl_avx512) - state = "software Skylake AVX512"; + state = "mitigation on (Skylake AVX512)"; else if (mds_handler == mds_handler_silvermont) - state = "software Silvermont"; + state = "mitigation on (Silvermont)"; else state = "unknown"; return (SYSCTL_OUT(req, state, strlen(state))); @@ -1202,11 +1251,12 @@ "Microarchitectural Data Sampling Mitigation " "(0 - off, 1 - on VERW, 2 - on SW, 3 - on AUTO"); -SYSCTL_PROC(_machdep_mitigations_mds, OID_AUTO, disable, CTLTYPE_INT | +SYSCTL_PROC(_machdep_mitigations_mds, OID_AUTO, control, CTLTYPE_INT | CTLFLAG_RWTUN | CTLFLAG_NOFETCH | CTLFLAG_MPSAFE, NULL, 0, sysctl_mds_disable_handler, "I", - "Microarchitectural Data Sampling Mitigation " - "(0 - off, 1 - on VERW, 2 - on SW, 3 - on AUTO"); + "Microarchitectural Data Sampling Mitigation control " + "(0 - off, 1 - on (VERW), 2 - on (SW), 3 - on (AUTO))"); + /* * Intel Transactional Memory Asynchronous Abort Mitigation @@ -1340,11 +1390,11 @@ return (0); } -SYSCTL_PROC(_machdep_mitigations_taa, OID_AUTO, enable, CTLTYPE_INT | +SYSCTL_PROC(_machdep_mitigations_taa, OID_AUTO, control, CTLTYPE_INT | CTLFLAG_RWTUN | CTLFLAG_NOFETCH | CTLFLAG_MPSAFE, NULL, 0, sysctl_taa_handler, "I", - "TAA Mitigation enablement control " - "(0 - off, 1 - disable TSX, 2 - VERW, 3 - on AUTO"); + "TSX Asynchronous Abort Mitigation control " + "(0 - off, 1 - on (disable TSX), 2 - on (VERW), 3 - on (AUTO))"); static int sysctl_taa_state_handler(SYSCTL_HANDLER_ARGS) @@ -1353,19 +1403,19 @@ switch (x86_taa_state) { case TAA_NONE: - state = "inactive"; + state = "mitigation off"; break; case TAA_TSX_DISABLE: - state = "TSX disabled"; + state = "mitigation on (TSX disabled)"; break; case TAA_VERW: - state = "VERW"; + state = "mitigation on (VERW)"; break; case TAA_TAA_UC: - state = "Mitigated in microcode"; + state = "mitigation on (microcode)"; break; case TAA_NOT_PRESENT: - state = "TSX not present"; + state = "mitigation off (TSX not present)"; break; default: state = "unknown"; @@ -1377,7 +1427,7 @@ SYSCTL_PROC(_machdep_mitigations_taa, OID_AUTO, state, CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, sysctl_taa_state_handler, "A", - "TAA Mitigation state"); + "TSX Asynchronous Abort Mitigation state"); /* * Enable and restore kernel text write permissions.