Index: head/share/security/advisories/FreeBSD-SA-19:07.mds.asc
===================================================================
--- head/share/security/advisories/FreeBSD-SA-19:07.mds.asc (revision 53030)
+++ head/share/security/advisories/FreeBSD-SA-19:07.mds.asc (revision 53031)
@@ -1,212 +1,226 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:07.mds Security Advisory
The FreeBSD Project
Topic: Microarchitectural Data Sampling (MDS)
Category: core
Module: kernel
Announced: 2019-05-14
Credits: Refer to Intel's security advisory at the URL below for
detailed acknowledgements.
Affects: All supported versions of FreeBSD.
Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
- 2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
+ 2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5)
2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
CVE-2019-11091
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
0. Revision history
v1.0 2019-05-14 Initial release.
v1.1 2019-05-15 Fixed date on microcode update package.
v1.2 2019-05-15 Userland startup microcode update details added.
Add language specifying which manufacturers is affected.
v1.3 2019-05-15 Minor quoting nit for the HT disable loader config.
+v2.0 2019-05-15 Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug.
I. Background
Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.
II. Problem Description
On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.
III. Impact
An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).
IV. Workaround
No workaround is available.
Only Intel x86 based processors are affected. x86 processors from other
manufacturers (eg, AMD) are not believed to be vulnerable.
Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:
# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"
V. Solution
Perform one of the following:
Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.
New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.
If using the package or port the Intel microcode update can be applied at
boot time (only on FreeBSD 12 and later) by adding the following lines to the
system's /boot/loader.conf:
cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"
To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:
microcode_update_enable="YES"
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Follow additional details under "Mitigation Configuration" below.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
+[*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***]
+Due to an error in the 12.0-RELEASE affecting the i386 architecture, a new
+set of patches is being released. If your 12.0-RELEASE sources are not yet
+patched using the initially published patch, then you need to apply the
+mds.12.0.patch. If your sources are already updated, or patched with the
+patch from the initial advisory, then you need to apply the incremental
+patch, named mds.12.0.p4p5.patch
+
[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc
-[FreeBSD 12.0-RELEASE]
+[FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc
+[FreeBSD 12.0-RELEASE, patched with initial SA-19:07.mds patch]
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.p4p5.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.p4p5.patch.asc
+# gpg --verify mds.12.0.p4p5.patch.asc
+
[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc
[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
.
Mitigation Configuration
Systems with users, processes, or virtual machines in different trust
domains should disable Hyper-Threading by setting the
machdep.hyperthreading_allowed tunable to 0:
# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf
To activate the MDS mitigation set the hw.mds_disable sysctl. The settings
are:
0 - mitigation disabled
1 - VERW instruction (microcode) mitigation enabled
2 - Software sequence mitigation enabled (not recommended)
3 - Automatic VERW or Software selection
Automatic mode uses the VERW instruction if supported by the CPU / microcode,
or software sequences if not. To enable automatic mode at boot:
# echo hw.mds_disable=3 >> /etc/sysctl.conf
Reboot the system:
# shutdown -r +10min "Security update"
Check the mitigation status:
# sysctl hw.mds_disable_state
hw.mds_disable_state: software Silvermont
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r347567
-releng/12.0/ r346594
+releng/12.0/ r347632
stable/11/ r347568
releng/11.2/ r347595
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzcbGNfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzciUJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
-5cIlKw/+MxbSJYXnq2icpzhouV84BYjLSO4INwckgtYRnHNuS3DnxFctbu4NMqLp
-JIualHdDoX3qSbiZrZ0sEY5+gvFrfgOfIbtsSopT3qnyBKF2w97M1lYxI8ylnGRM
-pYv+pV4MVvagl8xwvhScHq2ylSLU0x6tN2UV2htD98coaEnzNNAiPU049p8Hd3vk
-29kZPr9nYNRqww3kacoWUoLhv5JF11P0Ez0Xh+YVU2kuvV7uh/Q1RVvtr94T30wk
-xQSQCoHfeNQFP/S/Mz4aze2p/NgZkEcNXl2JgZMBiMcoKHuIWCUSCLG3zVfCnDwl
-AANWt3q+LJI/dQ/6BWUuc7qejuQx2/qBjoPILbi9yf3/MS5waouOaGn04iQQhKcQ
-iE4g4YqyyeZYY7A8BGZedu8vICq4C5BluLUzLuvGdWW8sRTaRNgnCz5Pl3mzPU9k
-rbvlk6vO97z7TURdS8DeCcxwyiNsLTeFjZBHrZK+k1xLcKuFGCq4/nv/HHNiW0/e
-jOUwycDhd2W3zmRDwtnnwu6/49K/qK029b2wBmQdLOW7EDBVrBsPiFSuhBw3QCJg
-j4zPv6o9r7PheqcnTTEMJm4ZWVeCMFLoXMz4C7CICoZHLUaRxx+BTQyu6wnz2/f+
-Ivm/MrtmtVegZwI2oF+rl9PNSMr+jpPdj5QHHPM/J5ETiwKPoPI=
-=W6aR
+5cKc2w//UxEu2JWDEJnpGuYv/Hh+PAEsWjzG2mCuFmriF7//deJTbwWybJk0DXhU
+n6HCdw47nG/uVaeVOw921BRpJMK9bqpqr80VXKturOacS6kaQmMCXS+ZyPytZT0K
+XJIgM3QrHsUUd6FnCHZ6Z6PBRLWl72RvNm8b2ZUE32puALlEeDCcd9PP3pyPITgj
+iU3gP05GafKzG/7liqQuWPffRqAq4oQyQYCjkRfBdPNlacACvbtAXNnDPnwkfIqg
+Si2Svj2TDS0eTxC5fspQtdWkKru50ZHTFFsoNhT33uX9L1Yr8ui+ajRG0Zxd81fj
+0YGGat9QhzF6R2dywU75wXRveM/VMXj2wy5/CWBVI9kY84SeqcDDdkksG3iMC63Q
+ebkZF38kbZ85Xwpi3z2yHxw16yKg0pLNryW/GBp0xyJz5ivFhgpeFWEHfmjmiX+u
+Ka0E5RgCHh/eNAihbU8XN9MLnHToaX3mlEM+He+YsAXCMutaiSKaFpUhEs7uVmqu
+r8YIYLbxJcIfqrRyIJtn9RpWisxJfo/RVLyE3QDg7Pg5x6QeVysyuYkbeOdIk75e
+KW5B0b3eKh8Xu0mZqexdL9Hb1kEii5RxbSU5qLYoKfkMSo4/dLKgJwYZH61EC5cP
+dEj/KaIAdMA0VMi8XQfAsPIR4FKhKcd5tUazjBaW97WJjha0dog=
+=StiT
-----END PGP SIGNATURE-----
Index: head/share/security/patches/SA-19:07/mds.12.0.p4p5.patch
===================================================================
--- head/share/security/patches/SA-19:07/mds.12.0.p4p5.patch (nonexistent)
+++ head/share/security/patches/SA-19:07/mds.12.0.p4p5.patch (revision 53031)
@@ -0,0 +1,20 @@
+Index: sys/i386/i386/initcpu.c
+===================================================================
+--- sys/i386/i386/initcpu.c (revision 347631)
++++ sys/i386/i386/initcpu.c (revision 347632)
+@@ -745,7 +745,6 @@
+ cpu_fxsr = hw_instruction_sse = 1;
+ }
+ #if defined(PAE) || defined(PAE_TABLES)
+- hw_mds_recalculate();
+ if ((amd_feature & AMDID_NX) != 0) {
+ uint64_t msr;
+
+@@ -755,6 +754,7 @@
+ elf32_nxstack = 1;
+ }
+ #endif
++ hw_mds_recalculate();
+ }
+
+ void
Property changes on: head/share/security/patches/SA-19:07/mds.12.0.p4p5.patch
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/share/security/patches/SA-19:07/mds.12.0.p4p5.patch.asc
===================================================================
--- head/share/security/patches/SA-19:07/mds.12.0.p4p5.patch.asc (nonexistent)
+++ head/share/security/patches/SA-19:07/mds.12.0.p4p5.patch.asc (revision 53031)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzciVtfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cK2Ww/9GtlX5nZh0wb2cHXO/qJ3Us4dT9U66lGLrLqNID+bYMvosoTjS4K//lwz
+RME/1CX2N5zXxzB3a3zqiTVS4MiaY22hT5Xjq0tXNd3JjolpIuEM2pmU9zx/Y1pA
+gfn0F3Ke4V5vBVvON7CpCJ+gccq7baLfPDcGs+sRhBFCanoDLc94BKkMDmjJQ8Ch
+0soLccxOMVpn2+/95pQsKbl2j40GYiyW+a+DjHlnvof6b+BO6cM84uJfcmiA/pd8
+myWd0HEjJOh8Ji3Ujsruhq/uGOHF2hMnY2qI2wQ4ndhfBz3nfDdQOyHva2LrmGeb
+CY7MSw3d+/3TuNyeW+DiVcfPrPRDGaVSOdm4b48JQhBOaj/MBhuO0qrA5GHPBt7X
+2PHZbQC4yaKzB2YJ5hH/ifTYQY/Pr9lrunosfYXsgVl7YPRXdJ15xJw8aMafh9DW
+17hk0FoYdG5BaafClNlP2kajuktsyjCOZvfs0NZ9Bba0Xeq5L9BPFQu9SWMKHpB1
+L+RE16Dxh0zk4YRfcBnG37rrVjqwq+qpPZANNi6kkB53c99TNOnx6gJcKkiI1dA0
+HdCHI7iu+ldfs88u7LG56MRuZw34rZCA8mirRx4FGEgRbNh164VoVnop1lx26AXO
+LOei7IMuUkT8TWHKj8+v2IbVOW/aKtP59f+eDuq+Y6oTmDXcOeM=
+=eIZs
+-----END PGP SIGNATURE-----
Property changes on: head/share/security/patches/SA-19:07/mds.12.0.p4p5.patch.asc
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/share/security/patches/SA-19:07/mds.12.0.patch
===================================================================
--- head/share/security/patches/SA-19:07/mds.12.0.patch (revision 53030)
+++ head/share/security/patches/SA-19:07/mds.12.0.patch (revision 53031)
@@ -1,868 +1,868 @@
Index: sys/amd64/amd64/exception.S
===================================================================
---- sys/amd64/amd64/exception.S (revision 347487)
-+++ sys/amd64/amd64/exception.S (working copy)
-@@ -512,6 +512,7 @@ fast_syscall_common:
+--- sys/amd64/amd64/exception.S (revision 347593)
++++ sys/amd64/amd64/exception.S (revision 347632)
+@@ -512,6 +512,7 @@
testl $TDF_ASTPENDING | TDF_NEEDRESCHED,TD_FLAGS(%rax)
jne 3f
call handle_ibrs_exit
+ callq *mds_handler
/* Restore preserved registers. */
MEXITCOUNT
movq TF_RDI(%rsp),%rdi /* bonus; preserve arg 1 */
-@@ -1157,6 +1158,7 @@ ld_regs:
+@@ -1157,6 +1158,7 @@
jz 2f /* keep running with kernel GS.base */
cli
call handle_ibrs_exit_rs
+ callq *mds_handler
cmpq $~0,PCPU(UCR3)
je 1f
pushq %rdx
Index: sys/amd64/amd64/genassym.c
===================================================================
---- sys/amd64/amd64/genassym.c (revision 347487)
-+++ sys/amd64/amd64/genassym.c (working copy)
-@@ -233,6 +233,9 @@ ASSYM(PC_PTI_STACK, offsetof(struct pcpu, pc_pti_s
+--- sys/amd64/amd64/genassym.c (revision 347593)
++++ sys/amd64/amd64/genassym.c (revision 347632)
+@@ -233,6 +233,9 @@
ASSYM(PC_PTI_STACK_SZ, PC_PTI_STACK_SZ);
ASSYM(PC_PTI_RSP0, offsetof(struct pcpu, pc_pti_rsp0));
ASSYM(PC_IBPB_SET, offsetof(struct pcpu, pc_ibpb_set));
+ASSYM(PC_MDS_TMP, offsetof(struct pcpu, pc_mds_tmp));
+ASSYM(PC_MDS_BUF, offsetof(struct pcpu, pc_mds_buf));
+ASSYM(PC_MDS_BUF64, offsetof(struct pcpu, pc_mds_buf64));
ASSYM(LA_EOI, LAPIC_EOI * LAPIC_MEM_MUL);
ASSYM(LA_ISR, LAPIC_ISR0 * LAPIC_MEM_MUL);
Index: sys/amd64/amd64/initcpu.c
===================================================================
---- sys/amd64/amd64/initcpu.c (revision 347487)
-+++ sys/amd64/amd64/initcpu.c (working copy)
-@@ -253,6 +253,7 @@ initializecpu(void)
+--- sys/amd64/amd64/initcpu.c (revision 347593)
++++ sys/amd64/amd64/initcpu.c (revision 347632)
+@@ -253,6 +253,7 @@
}
hw_ibrs_recalculate();
hw_ssb_recalculate(false);
+ hw_mds_recalculate();
switch (cpu_vendor_id) {
case CPU_VENDOR_AMD:
init_amd();
Index: sys/amd64/amd64/machdep.c
===================================================================
---- sys/amd64/amd64/machdep.c (revision 347487)
-+++ sys/amd64/amd64/machdep.c (working copy)
-@@ -1878,6 +1878,7 @@ hammer_time(u_int64_t modulep, u_int64_t physfree)
+--- sys/amd64/amd64/machdep.c (revision 347593)
++++ sys/amd64/amd64/machdep.c (revision 347632)
+@@ -1878,6 +1878,7 @@
TUNABLE_INT_FETCH("hw.ibrs_disable", &hw_ibrs_disable);
TUNABLE_INT_FETCH("hw.spec_store_bypass_disable", &hw_ssb_disable);
+ TUNABLE_INT_FETCH("hw.mds_disable", &hw_mds_disable);
TSEXIT();
Index: sys/amd64/amd64/support.S
===================================================================
---- sys/amd64/amd64/support.S (revision 347487)
-+++ sys/amd64/amd64/support.S (working copy)
+--- sys/amd64/amd64/support.S (revision 347593)
++++ sys/amd64/amd64/support.S (revision 347632)
@@ -1,8 +1,13 @@
/*-
+ * Copyright (c) 2018-2019 The FreeBSD Foundation
* Copyright (c) 2003 Peter Wemm.
* Copyright (c) 1993 The Regents of the University of California.
* All rights reserved.
*
+ * Portions of this software were developed by
+ * Konstantin Belousov under sponsorship from
+ * the FreeBSD Foundation.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
-@@ -1586,3 +1591,246 @@ ENTRY(flush_l1d_sw)
+@@ -1586,3 +1591,246 @@
ret
#undef L1D_FLUSH_SIZE
END(flush_l1d_sw)
+
+ENTRY(mds_handler_void)
+ retq
+END(mds_handler_void)
+
+ENTRY(mds_handler_verw)
+ subq $8, %rsp
+ movw %ds, (%rsp)
+ verw (%rsp)
+ addq $8, %rsp
+ retq
+END(mds_handler_verw)
+
+ENTRY(mds_handler_ivb)
+ pushq %rax
+ pushq %rdx
+ pushq %rcx
+
+ movq %cr0, %rax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movq PCPU(MDS_BUF), %rdx
+ movdqa %xmm0, PCPU(MDS_TMP)
+ pxor %xmm0, %xmm0
+
+ lfence
+ orpd (%rdx), %xmm0
+ orpd (%rdx), %xmm0
+ mfence
+ movl $40, %ecx
+ addq $16, %rdx
+2: movntdq %xmm0, (%rdx)
+ addq $16, %rdx
+ decl %ecx
+ jnz 2b
+ mfence
+
+ movdqa PCPU(MDS_TMP),%xmm0
+ testb $CR0_TS, %al
+ je 3f
+ movq %rax, %cr0
+3: popq %rcx
+ popq %rdx
+ popq %rax
+ retq
+END(mds_handler_ivb)
+
+ENTRY(mds_handler_bdw)
+ pushq %rax
+ pushq %rbx
+ pushq %rcx
+ pushq %rdi
+ pushq %rsi
+
+ movq %cr0, %rax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movq PCPU(MDS_BUF), %rbx
+ movdqa %xmm0, PCPU(MDS_TMP)
+ pxor %xmm0, %xmm0
+
+ movq %rbx, %rdi
+ movq %rbx, %rsi
+ movl $40, %ecx
+2: movntdq %xmm0, (%rbx)
+ addq $16, %rbx
+ decl %ecx
+ jnz 2b
+ mfence
+ movl $1536, %ecx
+ rep; movsb
+ lfence
+
+ movdqa PCPU(MDS_TMP),%xmm0
+ testb $CR0_TS, %al
+ je 3f
+ movq %rax, %cr0
+3: popq %rsi
+ popq %rdi
+ popq %rcx
+ popq %rbx
+ popq %rax
+ retq
+END(mds_handler_bdw)
+
+ENTRY(mds_handler_skl_sse)
+ pushq %rax
+ pushq %rdx
+ pushq %rcx
+ pushq %rdi
+
+ movq %cr0, %rax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movq PCPU(MDS_BUF), %rdi
+ movq PCPU(MDS_BUF64), %rdx
+ movdqa %xmm0, PCPU(MDS_TMP)
+ pxor %xmm0, %xmm0
+
+ lfence
+ orpd (%rdx), %xmm0
+ orpd (%rdx), %xmm0
+ xorl %eax, %eax
+2: clflushopt 5376(%rdi, %rax, 8)
+ addl $8, %eax
+ cmpl $8 * 12, %eax
+ jb 2b
+ sfence
+ movl $6144, %ecx
+ xorl %eax, %eax
+ rep; stosb
+ mfence
+
+ movdqa PCPU(MDS_TMP), %xmm0
+ testb $CR0_TS, %al
+ je 3f
+ movq %rax, %cr0
+3: popq %rdi
+ popq %rcx
+ popq %rdx
+ popq %rax
+ retq
+END(mds_handler_skl_sse)
+
+ENTRY(mds_handler_skl_avx)
+ pushq %rax
+ pushq %rdx
+ pushq %rcx
+ pushq %rdi
+
+ movq %cr0, %rax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movq PCPU(MDS_BUF), %rdi
+ movq PCPU(MDS_BUF64), %rdx
+ vmovdqa %ymm0, PCPU(MDS_TMP)
+ vpxor %ymm0, %ymm0, %ymm0
+
+ lfence
+ vorpd (%rdx), %ymm0, %ymm0
+ vorpd (%rdx), %ymm0, %ymm0
+ xorl %eax, %eax
+2: clflushopt 5376(%rdi, %rax, 8)
+ addl $8, %eax
+ cmpl $8 * 12, %eax
+ jb 2b
+ sfence
+ movl $6144, %ecx
+ xorl %eax, %eax
+ rep; stosb
+ mfence
+
+ vmovdqa PCPU(MDS_TMP), %ymm0
+ testb $CR0_TS, %al
+ je 3f
+ movq %rax, %cr0
+3: popq %rdi
+ popq %rcx
+ popq %rdx
+ popq %rax
+ retq
+END(mds_handler_skl_avx)
+
+ENTRY(mds_handler_skl_avx512)
+ pushq %rax
+ pushq %rdx
+ pushq %rcx
+ pushq %rdi
+
+ movq %cr0, %rax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movq PCPU(MDS_BUF), %rdi
+ movq PCPU(MDS_BUF64), %rdx
+/* vmovdqa64 %zmm0, PCPU(MDS_TMP) */
+ .byte 0x65, 0x62, 0xf1, 0xfd, 0x48, 0x7f, 0x04, 0x25
+ .long PC_MDS_TMP
+/* vpxor %zmm0, %zmm0, %zmm0 */
+ .byte 0x62, 0xf1, 0xfd, 0x48, 0xef, 0xc0
+
+ lfence
+/* vorpd (%rdx), %zmm0, %zmm0 */
+ .byte 0x62, 0xf1, 0xfd, 0x48, 0x56, 0x02
+/* vorpd (%rdx), %zmm0, %zmm0 */
+ .byte 0x62, 0xf1, 0xfd, 0x48, 0x56, 0x02
+ xorl %eax, %eax
+2: clflushopt 5376(%rdi, %rax, 8)
+ addl $8, %eax
+ cmpl $8 * 12, %eax
+ jb 2b
+ sfence
+ movl $6144, %ecx
+ xorl %eax, %eax
+ rep; stosb
+ mfence
+
+/* vmovdqa64 PCPU(MDS_TMP), %zmm0 */
+ .byte 0x65, 0x62, 0xf1, 0xfd, 0x48, 0x6f, 0x04, 0x25
+ .long PC_MDS_TMP
+ testb $CR0_TS, %al
+ je 3f
+ movq %rax, %cr0
+3: popq %rdi
+ popq %rcx
+ popq %rdx
+ popq %rax
+ retq
+END(mds_handler_skl_avx512)
+
+ENTRY(mds_handler_silvermont)
+ pushq %rax
+ pushq %rdx
+ pushq %rcx
+
+ movq %cr0, %rax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movq PCPU(MDS_BUF), %rdx
+ movdqa %xmm0, PCPU(MDS_TMP)
+ pxor %xmm0, %xmm0
+
+ movl $16, %ecx
+2: movntdq %xmm0, (%rdx)
+ addq $16, %rdx
+ decl %ecx
+ jnz 2b
+ mfence
+
+ movdqa PCPU(MDS_TMP),%xmm0
+ testb $CR0_TS, %al
+ je 3f
+ movq %rax, %cr0
+3: popq %rcx
+ popq %rdx
+ popq %rax
+ retq
+END(mds_handler_silvermont)
Index: sys/amd64/include/pcpu.h
===================================================================
---- sys/amd64/include/pcpu.h (revision 347487)
-+++ sys/amd64/include/pcpu.h (working copy)
+--- sys/amd64/include/pcpu.h (revision 347593)
++++ sys/amd64/include/pcpu.h (revision 347632)
@@ -76,7 +76,11 @@
uint32_t pc_pcid_gen; \
uint32_t pc_smp_tlb_done; /* TLB op acknowledgement */ \
uint32_t pc_ibpb_set; \
- char __pad[3288] /* pad to UMA_PCPU_ALLOC_SIZE */
+ void *pc_mds_buf; \
+ void *pc_mds_buf64; \
+ uint32_t pc_pad[2]; \
+ uint8_t pc_mds_tmp[64]; \
+ char __pad[3176] /* pad to UMA_PCPU_ALLOC_SIZE */
#define PC_DBREG_CMD_NONE 0
#define PC_DBREG_CMD_LOAD 1
Index: sys/dev/cpuctl/cpuctl.c
===================================================================
---- sys/dev/cpuctl/cpuctl.c (revision 347487)
-+++ sys/dev/cpuctl/cpuctl.c (working copy)
-@@ -521,6 +521,7 @@ cpuctl_do_eval_cpu_features(int cpu, struct thread
+--- sys/dev/cpuctl/cpuctl.c (revision 347593)
++++ sys/dev/cpuctl/cpuctl.c (revision 347632)
+@@ -521,6 +521,7 @@
hw_ibrs_recalculate();
restore_cpu(oldcpu, is_bound, td);
hw_ssb_recalculate(true);
+ hw_mds_recalculate();
printcpuinfo();
return (0);
}
Index: sys/i386/i386/exception.s
===================================================================
---- sys/i386/i386/exception.s (revision 347487)
-+++ sys/i386/i386/exception.s (working copy)
-@@ -518,6 +518,8 @@ doreti_exit:
+--- sys/i386/i386/exception.s (revision 347593)
++++ sys/i386/i386/exception.s (revision 347632)
+@@ -518,6 +518,8 @@
2: movl $handle_ibrs_exit,%eax
pushl %ecx /* preserve enough call-used regs */
call *%eax
+ movl mds_handler,%eax
+ call *%eax
popl %ecx
movl %esp, %esi
movl PCPU(TRAMPSTK), %edx
Index: sys/i386/i386/genassym.c
===================================================================
---- sys/i386/i386/genassym.c (revision 347487)
-+++ sys/i386/i386/genassym.c (working copy)
-@@ -222,6 +222,9 @@ ASSYM(PC_KESP0, offsetof(struct pcpu, pc_kesp0));
+--- sys/i386/i386/genassym.c (revision 347593)
++++ sys/i386/i386/genassym.c (revision 347632)
+@@ -222,6 +222,9 @@
ASSYM(PC_TRAMPSTK, offsetof(struct pcpu, pc_trampstk));
ASSYM(PC_COPYOUT_BUF, offsetof(struct pcpu, pc_copyout_buf));
ASSYM(PC_IBPB_SET, offsetof(struct pcpu, pc_ibpb_set));
+ASSYM(PC_MDS_TMP, offsetof(struct pcpu, pc_mds_tmp));
+ASSYM(PC_MDS_BUF, offsetof(struct pcpu, pc_mds_buf));
+ASSYM(PC_MDS_BUF64, offsetof(struct pcpu, pc_mds_buf64));
#ifdef DEV_APIC
ASSYM(LA_EOI, LAPIC_EOI * LAPIC_MEM_MUL);
Index: sys/i386/i386/initcpu.c
===================================================================
---- sys/i386/i386/initcpu.c (revision 347487)
-+++ sys/i386/i386/initcpu.c (working copy)
-@@ -745,6 +745,7 @@ initializecpu(void)
- cpu_fxsr = hw_instruction_sse = 1;
+--- sys/i386/i386/initcpu.c (revision 347593)
++++ sys/i386/i386/initcpu.c (revision 347632)
+@@ -754,6 +754,7 @@
+ elf32_nxstack = 1;
}
- #if defined(PAE) || defined(PAE_TABLES)
+ #endif
+ hw_mds_recalculate();
- if ((amd_feature & AMDID_NX) != 0) {
- uint64_t msr;
+ }
+ void
Index: sys/i386/i386/support.s
===================================================================
---- sys/i386/i386/support.s (revision 347487)
-+++ sys/i386/i386/support.s (working copy)
-@@ -472,3 +472,194 @@ ENTRY(handle_ibrs_exit)
+--- sys/i386/i386/support.s (revision 347593)
++++ sys/i386/i386/support.s (revision 347632)
+@@ -472,3 +472,194 @@
movb $0,PCPU(IBPB_SET)
1: ret
END(handle_ibrs_exit)
+
+ENTRY(mds_handler_void)
+ ret
+END(mds_handler_void)
+
+ENTRY(mds_handler_verw)
+ subl $4, %esp
+ movw %ds, (%esp)
+ verw (%esp)
+ addl $4, %esp
+ ret
+END(mds_handler_verw)
+
+ENTRY(mds_handler_ivb)
+ movl %cr0, %eax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movl PCPU(MDS_BUF), %edx
+ movdqa %xmm0, PCPU(MDS_TMP)
+ pxor %xmm0, %xmm0
+
+ lfence
+ orpd (%edx), %xmm0
+ orpd (%edx), %xmm0
+ mfence
+ movl $40, %ecx
+ addl $16, %edx
+2: movntdq %xmm0, (%edx)
+ addl $16, %edx
+ decl %ecx
+ jnz 2b
+ mfence
+
+ movdqa PCPU(MDS_TMP),%xmm0
+ testb $CR0_TS, %al
+ je 3f
+ movl %eax, %cr0
+3: ret
+END(mds_handler_ivb)
+
+ENTRY(mds_handler_bdw)
+ movl %cr0, %eax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movl PCPU(MDS_BUF), %ebx
+ movdqa %xmm0, PCPU(MDS_TMP)
+ pxor %xmm0, %xmm0
+
+ movl %ebx, %edi
+ movl %ebx, %esi
+ movl $40, %ecx
+2: movntdq %xmm0, (%ebx)
+ addl $16, %ebx
+ decl %ecx
+ jnz 2b
+ mfence
+ movl $1536, %ecx
+ rep; movsb
+ lfence
+
+ movdqa PCPU(MDS_TMP),%xmm0
+ testb $CR0_TS, %al
+ je 3f
+ movl %eax, %cr0
+3: ret
+END(mds_handler_bdw)
+
+ENTRY(mds_handler_skl_sse)
+ movl %cr0, %eax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movl PCPU(MDS_BUF), %edi
+ movl PCPU(MDS_BUF64), %edx
+ movdqa %xmm0, PCPU(MDS_TMP)
+ pxor %xmm0, %xmm0
+
+ lfence
+ orpd (%edx), %xmm0
+ orpd (%edx), %xmm0
+ xorl %eax, %eax
+2: clflushopt 5376(%edi, %eax, 8)
+ addl $8, %eax
+ cmpl $8 * 12, %eax
+ jb 2b
+ sfence
+ movl $6144, %ecx
+ xorl %eax, %eax
+ rep; stosb
+ mfence
+
+ movdqa PCPU(MDS_TMP), %xmm0
+ testb $CR0_TS, %al
+ je 3f
+ movl %eax, %cr0
+3: ret
+END(mds_handler_skl_sse)
+
+ENTRY(mds_handler_skl_avx)
+ movl %cr0, %eax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movl PCPU(MDS_BUF), %edi
+ movl PCPU(MDS_BUF64), %edx
+ vmovdqa %ymm0, PCPU(MDS_TMP)
+ vpxor %ymm0, %ymm0, %ymm0
+
+ lfence
+ vorpd (%edx), %ymm0, %ymm0
+ vorpd (%edx), %ymm0, %ymm0
+ xorl %eax, %eax
+2: clflushopt 5376(%edi, %eax, 8)
+ addl $8, %eax
+ cmpl $8 * 12, %eax
+ jb 2b
+ sfence
+ movl $6144, %ecx
+ xorl %eax, %eax
+ rep; stosb
+ mfence
+
+ vmovdqa PCPU(MDS_TMP), %ymm0
+ testb $CR0_TS, %al
+ je 3f
+ movl %eax, %cr0
+3: ret
+END(mds_handler_skl_avx)
+
+ENTRY(mds_handler_skl_avx512)
+ movl %cr0, %eax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movl PCPU(MDS_BUF), %edi
+ movl PCPU(MDS_BUF64), %edx
+/* vmovdqa64 %zmm0, PCPU(MDS_TMP) */
+ .byte 0x64, 0x62, 0xf1, 0xfd, 0x48, 0x7f, 0x05
+ .long PC_MDS_TMP
+/* vpxor %zmm0, %zmm0, %zmm0 */
+ .byte 0x62, 0xf1, 0xfd, 0x48, 0xef, 0xc0
+
+ lfence
+/* vorpd (%edx), %zmm0, %zmm0 */
+ .byte 0x62, 0xf1, 0xfd, 0x48, 0x56, 0x02
+/* vorpd (%edx), %zmm0, %zmm0 */
+ .byte 0x62, 0xf1, 0xfd, 0x48, 0x56, 0x02
+ xorl %eax, %eax
+2: clflushopt 5376(%edi, %eax, 8)
+ addl $8, %eax
+ cmpl $8 * 12, %eax
+ jb 2b
+ sfence
+ movl $6144, %ecx
+ xorl %eax, %eax
+ rep; stosb
+ mfence
+
+/* vmovdqa64 PCPU(MDS_TMP), %zmm0 */
+ .byte 0x64, 0x62, 0xf1, 0xfd, 0x48, 0x6f, 0x05
+ .long PC_MDS_TMP
+ testb $CR0_TS, %al
+ je 3f
+ movl %eax, %cr0
+3: ret
+END(mds_handler_skl_avx512)
+
+ENTRY(mds_handler_silvermont)
+ movl %cr0, %eax
+ testb $CR0_TS, %al
+ je 1f
+ clts
+1: movl PCPU(MDS_BUF), %edx
+ movdqa %xmm0, PCPU(MDS_TMP)
+ pxor %xmm0, %xmm0
+
+ movl $16, %ecx
+2: movntdq %xmm0, (%edx)
+ addl $16, %edx
+ decl %ecx
+ jnz 2b
+ mfence
+
+ movdqa PCPU(MDS_TMP),%xmm0
+ testb $CR0_TS, %al
+ je 3f
+ movl %eax, %cr0
+3: ret
+END(mds_handler_silvermont)
Index: sys/i386/include/pcpu.h
===================================================================
---- sys/i386/include/pcpu.h (revision 347487)
-+++ sys/i386/include/pcpu.h (working copy)
+--- sys/i386/include/pcpu.h (revision 347593)
++++ sys/i386/include/pcpu.h (revision 347632)
@@ -77,10 +77,14 @@
struct sx pc_copyout_slock; \
char *pc_copyout_buf; \
vm_offset_t pc_pmap_eh_va; \
- caddr_t pc_pmap_eh_ptep; \
+ caddr_t pc_pmap_eh_ptep; \
uint32_t pc_smp_tlb_done; /* TLB op acknowledgement */ \
uint32_t pc_ibpb_set; \
- char __pad[3610]
+ void *pc_mds_buf; \
+ void *pc_mds_buf64; \
+ uint32_t pc_pad[4]; \
+ uint8_t pc_mds_tmp[64]; \
+ char __pad[3522]
#ifdef _KERNEL
Index: sys/x86/include/specialreg.h
===================================================================
---- sys/x86/include/specialreg.h (revision 347487)
-+++ sys/x86/include/specialreg.h (working copy)
+--- sys/x86/include/specialreg.h (revision 347593)
++++ sys/x86/include/specialreg.h (revision 347632)
@@ -425,6 +425,7 @@
/*
* CPUID instruction 7 Structured Extended Features, leaf 0 edx info
*/
+#define CPUID_STDEXT3_MD_CLEAR 0x00000400
#define CPUID_STDEXT3_IBPB 0x04000000
#define CPUID_STDEXT3_STIBP 0x08000000
#define CPUID_STDEXT3_L1D_FLUSH 0x10000000
@@ -437,6 +438,7 @@
#define IA32_ARCH_CAP_RSBA 0x00000004
#define IA32_ARCH_CAP_SKIP_L1DFL_VMENTRY 0x00000008
#define IA32_ARCH_CAP_SSB_NO 0x00000010
+#define IA32_ARCH_CAP_MDS_NO 0x00000020
/*
* CPUID manufacturers identifiers
Index: sys/x86/include/x86_var.h
===================================================================
---- sys/x86/include/x86_var.h (revision 347487)
-+++ sys/x86/include/x86_var.h (working copy)
-@@ -85,6 +85,7 @@ extern uint64_t xsave_mask;
+--- sys/x86/include/x86_var.h (revision 347593)
++++ sys/x86/include/x86_var.h (revision 347632)
+@@ -85,6 +85,7 @@
extern u_int max_apic_id;
extern int pti;
extern int hw_ibrs_active;
+extern int hw_mds_disable;
extern int hw_ssb_active;
struct pcb;
-@@ -139,6 +140,7 @@ int isa_nmi(int cd);
+@@ -139,6 +140,7 @@
void handle_ibrs_entry(void);
void handle_ibrs_exit(void);
void hw_ibrs_recalculate(void);
+void hw_mds_recalculate(void);
void hw_ssb_recalculate(bool all_cpus);
void nmi_call_kdb(u_int cpu, u_int type, struct trapframe *frame);
void nmi_call_kdb_smp(u_int type, struct trapframe *frame);
Index: sys/x86/x86/cpu_machdep.c
===================================================================
---- sys/x86/x86/cpu_machdep.c (revision 347487)
-+++ sys/x86/x86/cpu_machdep.c (working copy)
-@@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$");
+--- sys/x86/x86/cpu_machdep.c (revision 347593)
++++ sys/x86/x86/cpu_machdep.c (revision 347632)
+@@ -61,6 +61,7 @@
#include
#include
#include
+#include
#include
#include
#include
-@@ -915,7 +916,204 @@ SYSCTL_PROC(_hw, OID_AUTO, spec_store_bypass_disab
+@@ -915,7 +916,204 @@
hw_ssb_disable_handler, "I",
"Speculative Store Bypass Disable (0 - off, 1 - on, 2 - auto");
+int hw_mds_disable;
+
/*
+ * Handler for Microarchitectural Data Sampling issues. Really not a
+ * pointer to C function: on amd64 the code must not change any CPU
+ * architectural state except possibly %rflags. Also, it is always
+ * called with interrupts disabled.
+ */
+void (*mds_handler)(void);
+void mds_handler_void(void);
+void mds_handler_verw(void);
+void mds_handler_ivb(void);
+void mds_handler_bdw(void);
+void mds_handler_skl_sse(void);
+void mds_handler_skl_avx(void);
+void mds_handler_skl_avx512(void);
+void mds_handler_silvermont(void);
+
+static int
+sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS)
+{
+ const char *state;
+
+ if (mds_handler == mds_handler_void)
+ state = "inactive";
+ else if (mds_handler == mds_handler_verw)
+ state = "VERW";
+ else if (mds_handler == mds_handler_ivb)
+ state = "software IvyBridge";
+ else if (mds_handler == mds_handler_bdw)
+ state = "software Broadwell";
+ else if (mds_handler == mds_handler_skl_sse)
+ state = "software Skylake SSE";
+ else if (mds_handler == mds_handler_skl_avx)
+ state = "software Skylake AVX";
+ else if (mds_handler == mds_handler_skl_avx512)
+ state = "software Skylake AVX512";
+ else if (mds_handler == mds_handler_silvermont)
+ state = "software Silvermont";
+ else
+ state = "unknown";
+ return (SYSCTL_OUT(req, state, strlen(state)));
+}
+
+SYSCTL_PROC(_hw, OID_AUTO, mds_disable_state,
+ CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+ sysctl_hw_mds_disable_state_handler, "A",
+ "Microarchitectural Data Sampling Mitigation state");
+
+_Static_assert(__offsetof(struct pcpu, pc_mds_tmp) % 64 == 0, "MDS AVX512");
+
+void
+hw_mds_recalculate(void)
+{
+ struct pcpu *pc;
+ vm_offset_t b64;
+ u_long xcr0;
+ int i;
+
+ /*
+ * Allow user to force VERW variant even if MD_CLEAR is not
+ * reported. For instance, hypervisor might unknowingly
+ * filter the cap out.
+ * For the similar reasons, and for testing, allow to enable
+ * mitigation even for RDCL_NO or MDS_NO caps.
+ */
+ if (cpu_vendor_id != CPU_VENDOR_INTEL || hw_mds_disable == 0 ||
+ ((cpu_ia32_arch_caps & (IA32_ARCH_CAP_RDCL_NO |
+ IA32_ARCH_CAP_MDS_NO)) != 0 && hw_mds_disable == 3)) {
+ mds_handler = mds_handler_void;
+ } else if (((cpu_stdext_feature3 & CPUID_STDEXT3_MD_CLEAR) != 0 &&
+ hw_mds_disable == 3) || hw_mds_disable == 1) {
+ mds_handler = mds_handler_verw;
+ } else if (CPUID_TO_FAMILY(cpu_id) == 0x6 &&
+ (CPUID_TO_MODEL(cpu_id) == 0x2e || CPUID_TO_MODEL(cpu_id) == 0x1e ||
+ CPUID_TO_MODEL(cpu_id) == 0x1f || CPUID_TO_MODEL(cpu_id) == 0x1a ||
+ CPUID_TO_MODEL(cpu_id) == 0x2f || CPUID_TO_MODEL(cpu_id) == 0x25 ||
+ CPUID_TO_MODEL(cpu_id) == 0x2c || CPUID_TO_MODEL(cpu_id) == 0x2d ||
+ CPUID_TO_MODEL(cpu_id) == 0x2a || CPUID_TO_MODEL(cpu_id) == 0x3e ||
+ CPUID_TO_MODEL(cpu_id) == 0x3a) &&
+ (hw_mds_disable == 2 || hw_mds_disable == 3)) {
+ /*
+ * Nehalem, SandyBridge, IvyBridge
+ */
+ CPU_FOREACH(i) {
+ pc = pcpu_find(i);
+ if (pc->pc_mds_buf == NULL) {
+ pc->pc_mds_buf = malloc_domainset(672, M_TEMP,
+ DOMAINSET_PREF(pc->pc_domain), M_WAITOK);
+ bzero(pc->pc_mds_buf, 16);
+ }
+ }
+ mds_handler = mds_handler_ivb;
+ } else if (CPUID_TO_FAMILY(cpu_id) == 0x6 &&
+ (CPUID_TO_MODEL(cpu_id) == 0x3f || CPUID_TO_MODEL(cpu_id) == 0x3c ||
+ CPUID_TO_MODEL(cpu_id) == 0x45 || CPUID_TO_MODEL(cpu_id) == 0x46 ||
+ CPUID_TO_MODEL(cpu_id) == 0x56 || CPUID_TO_MODEL(cpu_id) == 0x4f ||
+ CPUID_TO_MODEL(cpu_id) == 0x47 || CPUID_TO_MODEL(cpu_id) == 0x3d) &&
+ (hw_mds_disable == 2 || hw_mds_disable == 3)) {
+ /*
+ * Haswell, Broadwell
+ */
+ CPU_FOREACH(i) {
+ pc = pcpu_find(i);
+ if (pc->pc_mds_buf == NULL) {
+ pc->pc_mds_buf = malloc_domainset(1536, M_TEMP,
+ DOMAINSET_PREF(pc->pc_domain), M_WAITOK);
+ bzero(pc->pc_mds_buf, 16);
+ }
+ }
+ mds_handler = mds_handler_bdw;
+ } else if (CPUID_TO_FAMILY(cpu_id) == 0x6 &&
+ ((CPUID_TO_MODEL(cpu_id) == 0x55 && (cpu_id &
+ CPUID_STEPPING) <= 5) ||
+ CPUID_TO_MODEL(cpu_id) == 0x4e || CPUID_TO_MODEL(cpu_id) == 0x5e ||
+ (CPUID_TO_MODEL(cpu_id) == 0x8e && (cpu_id &
+ CPUID_STEPPING) <= 0xb) ||
+ (CPUID_TO_MODEL(cpu_id) == 0x9e && (cpu_id &
+ CPUID_STEPPING) <= 0xc)) &&
+ (hw_mds_disable == 2 || hw_mds_disable == 3)) {
+ /*
+ * Skylake, KabyLake, CoffeeLake, WhiskeyLake,
+ * CascadeLake
+ */
+ CPU_FOREACH(i) {
+ pc = pcpu_find(i);
+ if (pc->pc_mds_buf == NULL) {
+ pc->pc_mds_buf = malloc_domainset(6 * 1024,
+ M_TEMP, DOMAINSET_PREF(pc->pc_domain),
+ M_WAITOK);
+ b64 = (vm_offset_t)malloc_domainset(64 + 63,
+ M_TEMP, DOMAINSET_PREF(pc->pc_domain),
+ M_WAITOK);
+ pc->pc_mds_buf64 = (void *)roundup2(b64, 64);
+ bzero(pc->pc_mds_buf64, 64);
+ }
+ }
+ xcr0 = rxcr(0);
+ if ((xcr0 & XFEATURE_ENABLED_ZMM_HI256) != 0 &&
+ (cpu_stdext_feature2 & CPUID_STDEXT_AVX512DQ) != 0)
+ mds_handler = mds_handler_skl_avx512;
+ else if ((xcr0 & XFEATURE_ENABLED_AVX) != 0 &&
+ (cpu_feature2 & CPUID2_AVX) != 0)
+ mds_handler = mds_handler_skl_avx;
+ else
+ mds_handler = mds_handler_skl_sse;
+ } else if (CPUID_TO_FAMILY(cpu_id) == 0x6 &&
+ ((CPUID_TO_MODEL(cpu_id) == 0x37 ||
+ CPUID_TO_MODEL(cpu_id) == 0x4a ||
+ CPUID_TO_MODEL(cpu_id) == 0x4c ||
+ CPUID_TO_MODEL(cpu_id) == 0x4d ||
+ CPUID_TO_MODEL(cpu_id) == 0x5a ||
+ CPUID_TO_MODEL(cpu_id) == 0x5d ||
+ CPUID_TO_MODEL(cpu_id) == 0x6e ||
+ CPUID_TO_MODEL(cpu_id) == 0x65 ||
+ CPUID_TO_MODEL(cpu_id) == 0x75 ||
+ CPUID_TO_MODEL(cpu_id) == 0x1c ||
+ CPUID_TO_MODEL(cpu_id) == 0x26 ||
+ CPUID_TO_MODEL(cpu_id) == 0x27 ||
+ CPUID_TO_MODEL(cpu_id) == 0x35 ||
+ CPUID_TO_MODEL(cpu_id) == 0x36 ||
+ CPUID_TO_MODEL(cpu_id) == 0x7a))) {
+ /* Silvermont, Airmont */
+ CPU_FOREACH(i) {
+ pc = pcpu_find(i);
+ if (pc->pc_mds_buf == NULL)
+ pc->pc_mds_buf = malloc(256, M_TEMP, M_WAITOK);
+ }
+ mds_handler = mds_handler_silvermont;
+ } else {
+ hw_mds_disable = 0;
+ mds_handler = mds_handler_void;
+ }
+}
+
+static int
+sysctl_mds_disable_handler(SYSCTL_HANDLER_ARGS)
+{
+ int error, val;
+
+ val = hw_mds_disable;
+ error = sysctl_handle_int(oidp, &val, 0, req);
+ if (error != 0 || req->newptr == NULL)
+ return (error);
+ if (val < 0 || val > 3)
+ return (EINVAL);
+ hw_mds_disable = val;
+ hw_mds_recalculate();
+ return (0);
+}
+
+SYSCTL_PROC(_hw, OID_AUTO, mds_disable, CTLTYPE_INT |
+ CTLFLAG_RWTUN | CTLFLAG_NOFETCH | CTLFLAG_MPSAFE, NULL, 0,
+ sysctl_mds_disable_handler, "I",
+ "Microarchitectural Data Sampling Mitigation "
+ "(0 - off, 1 - on VERW, 2 - on SW, 3 - on AUTO");
+
+/*
* Enable and restore kernel text write permissions.
* Callers must ensure that disable_wp()/restore_wp() are executed
* without rescheduling on the same core.
Index: head/share/security/patches/SA-19:07/mds.12.0.patch.asc
===================================================================
--- head/share/security/patches/SA-19:07/mds.12.0.patch.asc (revision 53030)
+++ head/share/security/patches/SA-19:07/mds.12.0.patch.asc (revision 53031)
@@ -1,18 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTz5fFIAAAAAALgAo
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzciVhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
-5cK7PRAAiK8IWVyHOwKuCTq95qQ7l57bJPeciIthl7qweKeilQy1/k4NnQBN3ix0
-ZHBDxUaeu4AyIz7AZR0h38DZtYdDx1lYc7v3F7ydf5GAd2cmzHFDLcj/85LExF2e
-8tmMaB/9sXS2aSrqvYkSRpHZRjxZbBNHCGXWboyYXjcgtVij5/2qhKEELxx2IasO
-AQU0aOMdgkkKNkWyabGfT2bEObP8CCszymrarOLYHEglYxt4GuRKD88Tlosk7Ks4
-4Gzk+sw9zKJzFRBj3kf0gocd6gbesAmPAl+zrx6Uv4m6yfsaX+3LZDG/nOPiLqmq
-sEkVNusYC2PtauurrP6PL4IdAy4wyf1Br+9Cfag7ZQBwONZVLIwU+hwnlYJaz64l
-pyZ0JP0HWNH668fUsQx+WLADW6JNnMZvK4CsCawcph1CIWzKVUk9LQCrwwz1T66e
-r0Kgt4UjAv+k5jIDRaL7k6Cgs15bhDplad4UBz7c7jiBaQVs8nn+XsbzkfhMp1eH
-VwQN1x/j0cLWsIiz75jT3pIKqqMeQSD6/l9HT+dMXdlpsESTBubCfahzg4g6hc5K
-Bix71M41d30pPhvwXGeEEh3t1YvxigyhbjP6vRGl3w6nCSNriSS4kljXDfOrrKdi
-Eutxciow24U8phAeILxbgFthKvvNuEntmfw9Y/vS6u8BvYvKeQQ=
-=oWiG
+5cKnFRAApFnndBamehRcWQUIZOUimyK3RIFtNR/jM05kuN4wDGxiiUSf1Zpzq5/S
+aUJ/lLb++U7QeTV61rRGTo/3u6BApay40C78cDaCsc5mtobI5EX1P3BrF0zs3STm
+J0IUp28EY6bvhBKxhiP/IouDaJKt5z2cm6eDFfpqJpIbrNL8DnR6zr0iaLHb78HL
+IW9mTxvotHxwUDq+X+YbFsqB1I3bzgCMamfX7vewA65hZWySCzPD/Ts2P6Jq8Jqk
+xHtdZWdWPtgLVyQz4Vca2kSq3anePznAJKGd9CHM0NxO3hdWgsTtbhgj1lsl6z1F
+qcvuwWq5/HdR6WIdOAMVN9gBLcESuayu/y/RL6Dr/3BTvdfGfK1LMuI/XlnGxfU6
+GbOiJBTGdOY7cPXfwNjvTxDeVLGXd918+/dLdsR7qo0kWBm1yoCpTmQgVRis8xVZ
+2fQ++aXJQGwY42JffQ6hh4Wkwt1BPUokf1iHDdIVebYQHPze068s5PSFxN116IdQ
+iHDT8eNSI/Sng0z9WMIHJQj/Sgqu74M1qafIaV3hyDQlWlrX5wPI0/CoJWRKTUAS
+2LFLNz3rgWgwGZR1LhCXXIr21wjWcZe+GOJ75KCRg+jcP00WOguWREaKX2WvPaUL
+ctY3ZyNl+BJ3h4dg8HeRTxNJDZEFwx8AmyuGxBgTE49wGDePnnE=
+=35zn
-----END PGP SIGNATURE-----