diff options
| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2023-01-20 16:01:05 +0000 |
|---|---|---|
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2023-01-20 16:01:05 +0000 |
| commit | 64eda274b19d1687a786d431c866b2ab12f39bce (patch) | |
| tree | 4263d1983e6c5a31450b6e36924d37aede035f5e /sys/arch/amd64/include | |
| parent | 73e5f6974865e5906ed4dc82dbeff3a360557272 (diff) | |
On cpu with the PKU feature, prot=PROT_EXEC pages now create pte which
contain PG_XO, which is PKU key1. On every exit from kernel to userland,
force the PKU register to inhibit data read against key1 memory. On
(some) traps into the kernel if the PKU register is changed, abort the
process (processes have no reason to change the PKU register). This
provides us with viable xonly functionality on most modern intel & AMD
cpus. I started with a xsave-based diff from dv@, but discovered the
fpu save/restore logic wasn't a good fit and went to direct register management.
Disabled on HV (vm) systems until we know they handle PKU correctly.
ok kettenis, dv, guenther, etc
Diffstat (limited to 'sys/arch/amd64/include')
| -rw-r--r-- | sys/arch/amd64/include/cpufunc.h | 10 | ||||
| -rw-r--r-- | sys/arch/amd64/include/pte.h | 3 |
2 files changed, 11 insertions, 2 deletions
diff --git a/sys/arch/amd64/include/cpufunc.h b/sys/arch/amd64/include/cpufunc.h index 2a8ddd34fd1..cd2d2db753d 100644 --- a/sys/arch/amd64/include/cpufunc.h +++ b/sys/arch/amd64/include/cpufunc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cpufunc.h,v 1.37 2022/09/22 04:57:08 robert Exp $ */ +/* $OpenBSD: cpufunc.h,v 1.38 2023/01/20 16:01:04 deraadt Exp $ */ /* $NetBSD: cpufunc.h,v 1.3 2003/05/08 10:27:43 fvdl Exp $ */ /*- @@ -232,6 +232,14 @@ rdmsr(u_int msr) return (((uint64_t)hi << 32) | (uint64_t) lo); } +static __inline int +rdpkru(u_int ecx) +{ + uint32_t edx, pkru; + asm volatile("rdpkru " : "=a" (pkru), "=d" (edx) : "c" (ecx)); + return pkru; +} + static __inline void wrmsr(u_int msr, u_int64_t newval) { diff --git a/sys/arch/amd64/include/pte.h b/sys/arch/amd64/include/pte.h index fc6f9cc4206..c2bd8793c7d 100644 --- a/sys/arch/amd64/include/pte.h +++ b/sys/arch/amd64/include/pte.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pte.h,v 1.16 2023/01/16 00:04:47 deraadt Exp $ */ +/* $OpenBSD: pte.h,v 1.17 2023/01/20 16:01:04 deraadt Exp $ */ /* $NetBSD: pte.h,v 1.1 2003/04/26 18:39:47 fvdl Exp $ */ /* @@ -162,6 +162,7 @@ typedef u_int64_t pt_entry_t; /* PTE */ #define PGEX_PK 0x20 /* protection-key violation */ #ifdef _KERNEL +extern pt_entry_t pg_xo; /* XO pte bits using PKU key1 */ extern pt_entry_t pg_nx; /* NX pte bit */ extern pt_entry_t pg_g_kern; /* PG_G if glbl mappings can be used in kern */ #endif /* _KERNEL */ |