Index: head/sys/conf/files
===================================================================
--- head/sys/conf/files
+++ head/sys/conf/files
@@ -734,6 +734,10 @@
 crypto/chacha20/chacha-sw.c	optional crypto | ipsec | ipsec_support
 crypto/des/des_ecb.c		optional netsmb
 crypto/des/des_setkey.c		optional netsmb
+crypto/openssl/ossl.c		optional ossl
+crypto/openssl/ossl_sha1.c	optional ossl
+crypto/openssl/ossl_sha256.c	optional ossl
+crypto/openssl/ossl_sha512.c	optional ossl
 crypto/rc4/rc4.c		optional netgraph_mppc_encryption
 crypto/rijndael/rijndael-alg-fst.c optional crypto | ekcd | geom_bde | \
 	ipsec | ipsec_support | !random_loadable | wlan_ccmp
Index: head/sys/conf/files.x86
===================================================================
--- head/sys/conf/files.x86
+++ head/sys/conf/files.x86
@@ -53,10 +53,7 @@
 	compile-with	"${CC} -c ${CFLAGS:C/^-O2$/-O3/:N-nostdinc} ${WERROR} ${PROF} -mmmx -msse -msse4 -msha ${.IMPSRC}" \
 	no-implicit-rule						\
 	clean		"intel_sha256.o"
-crypto/openssl/ossl.c		optional ossl
-crypto/openssl/ossl_sha1.c	optional ossl
-crypto/openssl/ossl_sha256.c	optional ossl
-crypto/openssl/ossl_sha512.c	optional ossl
+crypto/openssl/ossl_x86.c	optional ossl
 crypto/via/padlock.c		optional padlock
 crypto/via/padlock_cipher.c	optional padlock
 crypto/via/padlock_hash.c	optional padlock
Index: head/sys/crypto/openssl/ossl.h
===================================================================
--- head/sys/crypto/openssl/ossl.h
+++ head/sys/crypto/openssl/ossl.h
@@ -34,8 +34,7 @@
 /* Compatibility shims. */
 #define	OPENSSL_cleanse		explicit_bzero
 
-/* Used by assembly routines to select CPU-specific variants. */
-extern unsigned int OPENSSL_ia32cap_P[4];
+void ossl_cpuid(void);
 
 /* Needs to be big enough to hold any hash context. */
 struct ossl_hash_context {
Index: head/sys/crypto/openssl/ossl.c
===================================================================
--- head/sys/crypto/openssl/ossl.c
+++ head/sys/crypto/openssl/ossl.c
@@ -1,4 +1,6 @@
-/*
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
  * Copyright (c) 2020 Netflix, Inc
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39,10 +41,8 @@
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/module.h>
+
 #include <machine/fpu.h>
-#include <machine/md_var.h>
-#include <x86/cputypes.h>
-#include <x86/specialreg.h>
 
 #include <opencrypto/cryptodev.h>
 #include <opencrypto/xform_auth.h>
@@ -66,81 +66,7 @@
 	struct ossl_session_hash hash;
 };
 
-/*
- * See OPENSSL_ia32cap(3).
- *
- * [0] = cpu_feature but with a few custom bits
- * [1] = cpu_feature2 but with AMD XOP in bit 11
- * [2] = cpu_stdext_feature
- * [3] = 0
- */
-unsigned int OPENSSL_ia32cap_P[4];
-
 static MALLOC_DEFINE(M_OSSL, "ossl", "OpenSSL crypto");
-
-static void
-ossl_cpuid(void)
-{
-	uint64_t xcr0;
-	u_int regs[4];
-	u_int max_cores;
-
-	/* Derived from OpenSSL_ia32_cpuid. */
-
-	OPENSSL_ia32cap_P[0] = cpu_feature & ~(CPUID_B20 | CPUID_IA64);
-	if (cpu_vendor_id == CPU_VENDOR_INTEL) {
-		OPENSSL_ia32cap_P[0] |= CPUID_IA64;
-		if ((cpu_id & 0xf00) != 0xf00)
-			OPENSSL_ia32cap_P[0] |= CPUID_B20;
-	}
-
-	/* Only leave CPUID_HTT on if HTT is present. */
-	if (cpu_vendor_id == CPU_VENDOR_AMD && cpu_exthigh >= 0x80000008) {
-		max_cores = (cpu_procinfo2 & AMDID_CMP_CORES) + 1;
-		if (cpu_feature & CPUID_HTT) {
-			if ((cpu_procinfo & CPUID_HTT_CORES) >> 16 <= max_cores)
-				OPENSSL_ia32cap_P[0] &= ~CPUID_HTT;
-		}
-	} else {
-		if (cpu_high >= 4) {
-			cpuid_count(4, 0, regs);
-			max_cores = (regs[0] >> 26) & 0xfff;
-		} else
-			max_cores = -1;
-	}
-	if (max_cores == 0)
-		OPENSSL_ia32cap_P[0] &= ~CPUID_HTT;
-	else if ((cpu_procinfo & CPUID_HTT_CORES) >> 16 == 0)
-		OPENSSL_ia32cap_P[0] &= ~CPUID_HTT;
-
-	OPENSSL_ia32cap_P[1] = cpu_feature2 & ~AMDID2_XOP;
-	if (cpu_vendor_id == CPU_VENDOR_AMD)
-		OPENSSL_ia32cap_P[1] |= amd_feature2 & AMDID2_XOP;
-
-	OPENSSL_ia32cap_P[2] = cpu_stdext_feature;
-	if ((OPENSSL_ia32cap_P[1] & CPUID2_XSAVE) == 0)
-		OPENSSL_ia32cap_P[2] &= ~(CPUID_STDEXT_AVX512F |
-		    CPUID_STDEXT_AVX512DQ);
-
-	/* Disable AVX512F on Skylake-X. */
-	if ((cpu_id & 0x0fff0ff0) == 0x00050650)
-		OPENSSL_ia32cap_P[2] &= ~(CPUID_STDEXT_AVX512F);
-
-	if (cpu_feature2 & CPUID2_OSXSAVE)
-		xcr0 = rxcr(0);
-	else
-		xcr0 = 0;
-
-	if ((xcr0 & (XFEATURE_AVX512 | XFEATURE_AVX)) !=
-	    (XFEATURE_AVX512 | XFEATURE_AVX))
-		OPENSSL_ia32cap_P[2] &= ~(CPUID_STDEXT_AVX512VL |
-		    CPUID_STDEXT_AVX512BW | CPUID_STDEXT_AVX512IFMA |
-		    CPUID_STDEXT_AVX512F);
-	if ((xcr0 & XFEATURE_AVX) != XFEATURE_AVX) {
-		OPENSSL_ia32cap_P[1] &= ~(CPUID2_AVX | AMDID2_XOP | CPUID2_FMA);
-		OPENSSL_ia32cap_P[2] &= ~CPUID_STDEXT_AVX2;
-	}
-}
 
 static void
 ossl_identify(driver_t *driver, device_t parent)
Index: head/sys/crypto/openssl/ossl_x86.c
===================================================================
--- head/sys/crypto/openssl/ossl_x86.c
+++ head/sys/crypto/openssl/ossl_x86.c
@@ -0,0 +1,115 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
+ * Copyright (c) 2020 Netflix, Inc
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer,
+ *    without modification.
+ * 2. Redistributions in binary form must reproduce at minimum a disclaimer
+ *    similar to the "NO WARRANTY" disclaimer below ("Disclaimer") and any
+ *    redistribution must be conditioned upon including a substantially
+ *    similar Disclaimer requirement for further binary redistribution.
+ *
+ * NO WARRANTY
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTIBILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+ * THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+ * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGES.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/types.h>
+#include <sys/systm.h>
+
+#include <machine/cpufunc.h>
+#include <machine/md_var.h>
+#include <x86/cputypes.h>
+#include <x86/specialreg.h>
+
+#include <crypto/openssl/ossl.h>
+
+/*
+ * See OPENSSL_ia32cap(3).
+ *
+ * [0] = cpu_feature but with a few custom bits
+ * [1] = cpu_feature2 but with AMD XOP in bit 11
+ * [2] = cpu_stdext_feature
+ * [3] = 0
+ */
+unsigned int OPENSSL_ia32cap_P[4];
+
+void
+ossl_cpuid(void)
+{
+	uint64_t xcr0;
+	u_int regs[4];
+	u_int max_cores;
+
+	/* Derived from OpenSSL_ia32_cpuid. */
+
+	OPENSSL_ia32cap_P[0] = cpu_feature & ~(CPUID_B20 | CPUID_IA64);
+	if (cpu_vendor_id == CPU_VENDOR_INTEL) {
+		OPENSSL_ia32cap_P[0] |= CPUID_IA64;
+		if ((cpu_id & 0xf00) != 0xf00)
+			OPENSSL_ia32cap_P[0] |= CPUID_B20;
+	}
+
+	/* Only leave CPUID_HTT on if HTT is present. */
+	if (cpu_vendor_id == CPU_VENDOR_AMD && cpu_exthigh >= 0x80000008) {
+		max_cores = (cpu_procinfo2 & AMDID_CMP_CORES) + 1;
+		if (cpu_feature & CPUID_HTT) {
+			if ((cpu_procinfo & CPUID_HTT_CORES) >> 16 <= max_cores)
+				OPENSSL_ia32cap_P[0] &= ~CPUID_HTT;
+		}
+	} else {
+		if (cpu_high >= 4) {
+			cpuid_count(4, 0, regs);
+			max_cores = (regs[0] >> 26) & 0xfff;
+		} else
+			max_cores = -1;
+	}
+	if (max_cores == 0)
+		OPENSSL_ia32cap_P[0] &= ~CPUID_HTT;
+	else if ((cpu_procinfo & CPUID_HTT_CORES) >> 16 == 0)
+		OPENSSL_ia32cap_P[0] &= ~CPUID_HTT;
+
+	OPENSSL_ia32cap_P[1] = cpu_feature2 & ~AMDID2_XOP;
+	if (cpu_vendor_id == CPU_VENDOR_AMD)
+		OPENSSL_ia32cap_P[1] |= amd_feature2 & AMDID2_XOP;
+
+	OPENSSL_ia32cap_P[2] = cpu_stdext_feature;
+	if ((OPENSSL_ia32cap_P[1] & CPUID2_XSAVE) == 0)
+		OPENSSL_ia32cap_P[2] &= ~(CPUID_STDEXT_AVX512F |
+		    CPUID_STDEXT_AVX512DQ);
+
+	/* Disable AVX512F on Skylake-X. */
+	if ((cpu_id & 0x0fff0ff0) == 0x00050650)
+		OPENSSL_ia32cap_P[2] &= ~(CPUID_STDEXT_AVX512F);
+
+	if (cpu_feature2 & CPUID2_OSXSAVE)
+		xcr0 = rxcr(0);
+	else
+		xcr0 = 0;
+
+	if ((xcr0 & (XFEATURE_AVX512 | XFEATURE_AVX)) !=
+	    (XFEATURE_AVX512 | XFEATURE_AVX))
+		OPENSSL_ia32cap_P[2] &= ~(CPUID_STDEXT_AVX512VL |
+		    CPUID_STDEXT_AVX512BW | CPUID_STDEXT_AVX512IFMA |
+		    CPUID_STDEXT_AVX512F);
+	if ((xcr0 & XFEATURE_AVX) != XFEATURE_AVX) {
+		OPENSSL_ia32cap_P[1] &= ~(CPUID2_AVX | AMDID2_XOP | CPUID2_FMA);
+		OPENSSL_ia32cap_P[2] &= ~CPUID_STDEXT_AVX2;
+	}
+}
Index: head/sys/modules/ossl/Makefile
===================================================================
--- head/sys/modules/ossl/Makefile
+++ head/sys/modules/ossl/Makefile
@@ -16,11 +16,13 @@
 SRCS.amd64= \
 	sha1-x86_64.S \
 	sha256-x86_64.S \
-	sha512-x86_64.S
+	sha512-x86_64.S \
+	ossl_x86.c
 
 SRCS.i386= \
 	sha1-586.S \
 	sha256-586.S \
-	sha512-586.S
+	sha512-586.S \
+	ossl_x86.c
 
 .include <bsd.kmod.mk>