Age | Commit message | Author |
|
with the syzkaller kernel fuzzer. So far, 8 distinct panics have been found and
fixed. This effort will continue.
kcov is limited to architectures using Clang as their default compiler and is
not enabled by default.
With help from mpi@, thanks!
ok kettenis@ mpi@ visa@
|
|
for now as amd64/i386 firmware still caters for legacy OSes that only
support a single PCI segment.
ok patrick@
|
|
'Deep Dive: CPUID Enumeration and Architectural MSRs'
ok deraadt@
|
|
|
|
|
|
Historically, the softraid crypto support in the boot loaders has only
given one attempt to provide the correct passphrase. There were a
few reasons for this, including the fact that pkcs5_pbkdf2() allows an
empty passphrase and that returning EPERM allowed for another attempt.
With the event of KARL and the need for bsd.booted with hibernate resumption,
this becomes much more of an issue - if you get the passphrase wrong you
fail to resume. There are also other situations like using /etc/boot.conf
to switch serial console, but an incorrect passphrase results in the config
not being read. Also, bcrypt_pbkdf() does not permit empty passphrases.
This reworks the softraid crypto support in the boot loaders so that it
loops requesting a valid passphrase until one is provided, or an empty
passphrase is entered (at which point it will abort).
ok mortimer@ tb@
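The retry behaviour described above, as an added example that is not the boot loader's code: the loop keeps asking until the passphrase unlocks the volume and treats an empty passphrase as the user's request to abort. The prompt and the key check are injected callbacks (the real loader reads the console and derives the key with bcrypt_pbkdf()); the "hunter2" secret and the scripted inputs are constructed for the demonstration.

```c
/*
 * Added example, not OpenBSD's boot loader code: the softraid crypto
 * passphrase loop reduced to its control flow.  prompt() supplies the
 * next passphrase and try_key() stands in for the bcrypt_pbkdf()-based
 * key derivation and check; both are injected so the loop can be driven
 * with scripted input.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum unlock_result { UNLOCK_OK = 0, UNLOCK_ABORTED = 1 };

/* Returns 0 with a passphrase in buf, non-zero when no input is available. */
typedef int (*prompt_fn)(void *ctx, char *buf, size_t len);
/* Returns 0 when the passphrase unlocks the volume, non-zero otherwise. */
typedef int (*try_key_fn)(const char *pass);

enum unlock_result
sr_unlock_loop(prompt_fn prompt, void *ctx, try_key_fn try_key, int *attempts)
{
    char pass[256];
    enum unlock_result res;

    *attempts = 0;
    for (;;) {
        if (prompt(ctx, pass, sizeof pass) != 0) {
            res = UNLOCK_ABORTED;       /* no more input: give up */
            break;
        }
        (*attempts)++;
        if (pass[0] == '\0') {
            /* Empty passphrase aborts; bcrypt_pbkdf() would reject it anyway,
             * so it doubles as the user's escape hatch out of the loop. */
            res = UNLOCK_ABORTED;
            break;
        }
        if (try_key(pass) == 0) {
            res = UNLOCK_OK;
            break;
        }
        /* Wrong passphrase: the old one-shot code failed here and booting
         * (or hibernate resumption) went on without the volume; ask again. */
        printf("Incorrect passphrase\n");
    }
    /* Scrub the passphrase (explicit_bzero(3) on OpenBSD; plain memset may
     * be optimised away by the compiler). */
    memset(pass, 0, sizeof pass);
    return res;
}

/* Scripted prompt for the demonstration: hands out a NULL-terminated list. */
struct script { const char **lines; };

static int script_prompt(void *ctx, char *buf, size_t len)
{
    struct script *s = ctx;
    if (*s->lines == NULL)
        return -1;
    strncpy(buf, *s->lines++, len - 1);
    buf[len - 1] = '\0';
    return 0;
}

/* Stand-in for the real key check; the secret "hunter2" is constructed. */
static int demo_try_key(const char *pass)
{
    return strcmp(pass, "hunter2") == 0 ? 0 : -1;
}

/* Runs one scripted session through the loop; *attempts gets the count. */
enum unlock_result run_script(const char **lines, int *attempts)
{
    struct script s = { lines };
    return sr_unlock_loop(script_prompt, &s, demo_try_key, attempts);
}

/* Constructed input scripts. */
const char *demo_retry[] = { "wrong", "also wrong", "hunter2", NULL };
const char *demo_bail[]  = { "wrong", "", "hunter2", NULL };
const char *demo_eof[]   = { "wrong", NULL };
int demo_attempts;

int main(void)
{
    enum unlock_result r;

    r = run_script(demo_retry, &demo_attempts);
    printf("retry: result %d after %d attempt(s)\n", r, demo_attempts);
    r = run_script(demo_bail, &demo_attempts);
    printf("bail:  result %d after %d attempt(s)\n", r, demo_attempts);
    return 0;
}
```

The loop has no attempt limit on purpose, matching the commit: a wrong passphrase at the loader is not an attack surface that a counter would help with, and a user who wants out types an empty line.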
|
|
Documented in 'Speculative Execution Side Channel Mitigations'
revision 2.0.
|
|
adapters.
"go ahead commit it" deraadt@
|
|
we don't need to unconditionally set it.
Works around a suspected bug in newer Linux KVM, which may trigger a
#GP fault on writes to this MSR.
ok mlarkin@
|
|
the 512GB mark as the direct map cannot address memory past that point.
ok kettenis@ (quite a while ago)
|
|
remove the MD API.
ok guenther@, deraadt@, mpi@
|
|
Don't allow unprivileged users to crash things from ring 3
Thanks to William McCall for the patch!
OK mlarkin@
|
|
given an input/output ASM constraint...but I made it output-only, so the
compiler deleted the initialization.
reported by many, starting with Edd Barrett (edd(at)theunixzoo.co.uk)
|
|
when vmlaunch or vmresume fails.
Follow the lead of clang and the intel recommendation and do an lfence
after the pause in the speculation-stop path for retpoline, RSB refill,
and meltover ASM bits.
ok kettenis@ deraadt@
|
|
Managing Speculation on AMD Processors"
By setting MSR C001_1029[1]=1, LFENCE becomes a dispatch serializing
instruction.
Tested on AMD FX-4100 "Bulldozer", and Linux guest in SVM vmd(8)
ok deraadt@ mlarkin@
|
|
and its associated appendix at https://support.google.com/faqs/answer/7625886
This should address at least some cases of "SpectreRSB" and earlier
Spectre variants; more commits to follow.
The refilling is done in the enter-kernel-from-userspace and
return-to-userspace-from-kernel paths, making sure to do it before
unblocking interrupts so that a successive interrupt can't get the
CPU to C code without doing this refill. Per the link above, it
also does it immediately after mwait, apparently in case the low-power
CPU states of idle-via-mwait flush the RSB.
ok mlarkin@ deraadt@
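The RSB refill the commit describes, as an added example that is not OpenBSD's code (the kernel does this in assembler macros on the enter-kernel, return-to-userspace and post-mwait paths): a userland C function with x86-64 inline assembly that executes 32 calls whose return targets are pause/lfence speculation traps, then discards the pushed return addresses with one stack adjustment. It assumes the SysV ABI (hence the 128-byte red-zone step) and that no CET shadow stack is enforced, since dropping call frames without returning through them would desynchronise one; on other architectures it compiles to a no-op. The return value is the %rsp imbalance after the sequence, which checks only the stack arithmetic, not any microarchitectural effect.

```c
/*
 * Added example, not OpenBSD's kernel code: a userland illustration of the
 * return-stack-buffer (RSB) refill.  On x86-64 it runs 16 iterations of two
 * 'call' instructions (32 RSB entries) whose targets never return, so each
 * entry predicts a harmless pause/lfence loop, then pops all 32 return
 * addresses at once.  Assumes the SysV ABI and no enforced CET shadow stack.
 */
#include <stdio.h>

#define RSB_ENTRIES 32

/* Returns old %rsp minus new %rsp; 0 means the stack was left balanced. */
long rsb_refill_selftest(void)
{
    long delta = 0;
#if defined(__x86_64__)
    __asm__ volatile(
        "mov  %%rsp, %%rdx\n\t"      /* remember %rsp to verify balance      */
        "sub  $128, %%rsp\n\t"       /* step over the SysV red zone          */
        "mov  $16, %%ecx\n\t"        /* 16 iterations x 2 calls = 32 entries */
        "1: call 2f\n\t"             /* push return address 3, go to 2       */
        "3: pause\n\t"               /* speculation trap: a mispredicted     */
        "   lfence\n\t"              /* return lands here and stalls         */
        "   jmp  3b\n\t"
        "2: call 4f\n\t"             /* push return address 5, go to 4       */
        "5: pause\n\t"
        "   lfence\n\t"
        "   jmp  5b\n\t"
        "4: dec  %%ecx\n\t"
        "   jnz  1b\n\t"
        "add  $256, %%rsp\n\t"       /* drop the 32 x 8-byte return addresses */
        "add  $128, %%rsp\n\t"       /* give the red zone back               */
        "sub  %%rsp, %%rdx\n\t"      /* rdx = old rsp - new rsp              */
        "mov  %%rdx, %0\n\t"
        : "=r"(delta)
        :
        : "rcx", "rdx", "memory", "cc");
#endif
    return delta;
}

int main(void)
{
    long d = rsb_refill_selftest();
    printf("rsb refill: %d entries, rsp delta %ld\n", RSB_ENTRIES, d);
    return d == 0 ? 0 : 1;
}
```

Where the sequence sits matters as much as what it does: the commit places it before interrupts are unblocked so that no interrupt can reach C code on a stale RSB, and a userland copy like this one has no such ordering guarantee.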
|
|
unconditionally and codepatching it out on CPUs that don't need/do
the mitigation.
Align the from-{kernel,userspace} targets in INTRENTRY with _ALIGN_TRAPS
Align x2apic_eoi using KUENTRY() instead of the artisanal
segment+label+.globl bits it uses currently
s/testq/testb/ for SEL_RPL checks
ok kettenis@ mlarkin@
|
|
This way, it is not available for use in ROP attacks. This diff puts the
codepatching code into a separate section and unmaps that section after boot.
In the future, the memory could potentially be reused but that would require
larger changes.
ok pguenther@
|
|
|
|
spotted by kevlo
|
|
awareness of problems. When it is off, development cycles are faster.
Let's do the faster cycle for a little while.
discussion with naddy
|
|
|
|
place and GS.base was horked on return. Also, the frame passed to ddb
didn't have the %rbp<-->tf_err swap, which would have confused backtraces.
Now if we can just come up with a way to automate testing the NMI handler
with qemu...
|
|
traps so that the "mov %rax,%cr3" is followed by an infinite loop
which is avoided because the mapping of the code being executed is
changed. This means the sysretq/iretq isn't even present in that
flow of instructions in the kernel mapping, so userspace code can't
be speculatively reached on the kernel mapping and totally eliminates
the conditional jump over the %cr3 change that supported CPUs
without the Meltdown vulnerability. The return paths were probably
vulnerable to Spectre v1 (and v1.1/1.2) style attacks, speculatively
executing user code post-system-call with the kernel mappings, thus
creating cache/TLB/etc side-effects.
Would like to apply this technique to the interrupt stubs too, but
I'm hitting a bug in clang's assembler which misaligns the code and
symbols.
While here, when on a CPU not vulnerable to Meltdown, codepatch out
the unnecessary bits in cpu_switchto().
Inspiration from sf@, refined over dinner with theo
ok mlarkin@ deraadt@
|
|
basically can't run in those modes.
OK kettenis@
|
|
It was pulled in for efifb, but it is extremely unlikely an EFI system
supporting only 4-bit color depth (16 colors) exists. Even if it existed
though, on SMALL_KERNEL rasops4_putchar() simply returns EAGAIN so it
would not be possible to install the system.
For the record, we do not build rasops4 on i386 or on any of our other
platforms either.
OK kettenis@, mpi@
|
|
|
|
avoiding multiple readregs ioctls back to vmm in case register content
is needed subsequently.
ok phessler
|
|
|
|
ok mlarkin@
|
|
console at 115200 baud.
tested by phessler and myself, ok deraadt
|
|
Make the cache neighbor fields match the number of VCPUs present
(currently 1)
ok reyk
|
|
|
|
Clarify error values and change a panic into a debug printf (which will
in turn just kill the VM).
|
|
ENTRY is a trapsled. Fix a few functions which fall-through into an ENTRY
macro. amd64 binaries now are free of double+-nop sequences (except for one
assembler nit in aes-586.pl). Previous changes by guenther got us here.
ok mortimer kettenis
|
|
|
|
ok mlarkin@ deraadt@ mpi@ kettenis@
|
|
instead of passing sendsig() the code+type+val, pass a siginfo_t*
to copy from. Eliminate the indirection through struct emul for
sendsig(); we no longer have a SunOS4-compat version of sendsig()
ok deraadt@
|
|
previously caught later but resulted in a guest termination, now we
use #GP as the SDM recommends.
|
|
as it is impossible to run anything but a single-CPU machine with it.
ok mpi@, guenther@
|
|
a custom kernel for over 20 years.
testing mlarkin@
ok deraadt@ phessler@ jca@ matthieu@
|
|
unhandled exit function.
ok phessler
|
|
problem discovered on bluhm@'s old opteron
ok deraadt@ kettenis@
|
|
ok sthen@
|
|
ok mlarkin@ mortimer@
|
|
is specified as the console. The current implementation can't assume the
given device is probed at the callback functions if the system has at
least one serial device.
|
|
in a compact block in the latter.
ok deraadt@ mlarkin@
|
|
after starting iked kernel enters ddb with:
Stopped at aesni_ctr_enc+0xd8: int $3
|
|
for noticing.
|
|
|