except alpha. This will put the stack at a random location in the upper
1/4th of the userland virtual address space providing up to 26 additional
bits of randomness in the address. Skip alpha for now since it currently
puts the stack at a (for a 64-bit architecture) very low address. Skip
32-bit architectures for now as well since those have a much smaller
virtual address space and we need more time to figure out what a safe
amount of extra randomizations is. These architectures will continue to
use a mildly randomized stack address through the existing stackgap random
mechanism. We will revisit this after 7.3 is released.
This should make it harder for an attacker to find the stack.
ok deraadt@, miod@
|
|
now this only supports states advertised in device trees, but ACPI support
could be added as well. The parsing of the idle states as well as the
heuristic to pick the deepest one is probably a bit too simple, but more
complex cases can be added later. Worst case, cores will use WFI and use
more power in suspend.
ok phessler@
|
|
those days, and nothing checks for that symbol anymore.
|
|
to send a resume event to userland when we come out of suspend.
ok deraadt@
|
|
ok patrick@, deraadt@, phessler@
|
|
that is compatible with what FreeBSD and NetBSD have. Setting EFI
variables is only allowed at securelevel 0 and below.
Heavily based on work done by Sergii Dmytruk.
ok yasuoka@
|
|
where the bottom 9 bits of the counter register can't be trusted if any of
the higher bits are rolling over. This is an unpublished errata so the
details aren't known. Adopt the same workaround that Linux has.
This will disable the userland timecounter support on hardware affected
by the hardware. We will need a similar workaround in libc to restore
that functionality.
tested by semarie@
ok cheloha@
|
|
ok mpi@
|
|
ok deraadt@
|
|
DVACT_SUSPEND/DVACT_RESUME handling and push it into the MD code that
handles "suspend-to-idle". This way a failure in DVACT_SUSPEND handling
will not result in hosed interrupts on the primary interrupt controller
if we abort the suspend operation.
requested by deraadt@
ok patrick@
|
|
Spectre-BHB can be mitigated by using a loop that branches a number of times.
For cores where this does not suffice, or where Spectre-V2 needs to be handled
as well, try and call into a new PSCI function that mitigates both Spectre-V2
and Spectre-BHB. Some newer machines, which might not be in anyone's hands
yet, have an instruction (CLRBHB) that clears the BHB. If ECBHB is set, the
BHB isn't vulnerable. If we have CSV2_3/HCXT, it's not vulnerable at all.
No visible performance dropoff on a MacchiatoBin (4xA72) or Lenovo x13s (4xA78C+
4xX1C), but around 2-3% on a LX2K (16xA72) and RK3399 (4xA53+2xA72).
ok kettenis@
|
|
feature bits.
ok kettenis@
|
|
is ELF" world. Eliminate use of them in amd64, arm64, armv7, i386,
macppc, mips64, and sparc64 code.
ok deraadt@ jca@ krw@
|
|
ok kettenis@
|
|
of ARMv8/ARMv9. Make sure we only expose the features that we know about
and support in our kernel. This matches what Linux does. For now, mostly
restrict ourselves to features defined in ARMv8.5 which means that we only
actually implement support for ID_AA64ISAR0_EL1, ID_AA64ISAR1_EL1,
ID_AA64PFR0_EL1 and ID_AA64PFR1_EL1. For the other registers we simply
always return 0.
ok deraadt@
|
|
in ARMv8.5 as far as the ISAR and PFR registers are concerned.
ok deraadt@
|
|
1G mappings for the PA = VA identity mapping used in the early boot phase
of the kernel and when spinning up CPUs. The mappings are dangerous since
they might (unintentionally) cover address ranges that should not be
mapped (i.e. secure memory) which is dangerous on arm64 since the
architecture allows speculative access to any address for which a valid
mapping exists and even speculative access may cause the machine to
misbehave.
So instead of relying on the PA = VA identity mapping, call pmap_bootstrap()
earlier such that we can use pmap_kenter_cache() to enter mappings for the
FDT.
ok miod@
|
|
aplintc(4); other arm64 interrupt controllers will follow.
ok patrick@
|
|
|
|
Switch arm64 to the clockintr(9) subsystem.
- Remove the custom per-CPU clock interrupt schedule from agtimer(4).
- Remove the custom randomized statclock() pieces from agtimer(4).
- Add agtimer_rearm(), agtimer_trigger(), and wire up agtimer_intrclock.
There is one wart:
- The AArch64 spec says that a value written to CNTV_TVAL_EL0 is
"treated as a signed 32-bit integer" [1]. kettenis@ doesn't know
what to make of this. I'm capping the value at INT32_MAX for
now. It's possible I am misreading this, though.
Tested by kettenis@ on his Apple M1 mini. Tested by me on my
Raspberry Pi 4B.
Link: https://marc.info/?l=openbsd-tech&m=166776342503304&w=2
[1] "Arm Architecture Reference Manual for A-profile architecture"
issue I.a, section D17.11.27 ("CNTV_TVAL_EL0").
ok kettenis@
|
|
ok mpi@, jsg@, phessler@, patrick@
|
|
Based on a diff from gerhard@, ok kettenis@
|
|
ok deraadt@
|
|
|
|
ok miod@ guenther@
|
|
ok beck@
|
|
to turn off the secondary CPUs and suspend the primary CPU using the
CPU_OFF and SYSTEM_SUSPEND calls. A new "halt" IPI is added to turn off
the secondary CPUs. This IPI is implemented for the ampintc(4) and
agintc(4) interrupt controllers. Full suspend/resume support is only
implemented for ampintc(4). This is enough to suspend and resume boards
based on the Allwinner A64 SoC, provided the necessary wakeup interrupts
have been set up (not part of this commit).
ok patrick@
|
|
Previously for __cpu_simple_lock parts. Now only hppa and m88k use
__cpu_simple_lock (and hppa uses atomic.h for it).
ok miod@ visa@
|
|
OK miod@ mpi@
|
|
machine with Ampere Altra Max CPUs. OpenBSD should run on such a machine
now.
ok patrick@, deraadt@
|
|
add _?ENTRY_NB to asm.h, switch libc's asm bits to the generic
DEFS.h, and use ENTRY_NB as necessary.
Also, give sizes to the htonl/htons symbols and mark them as weak.
ok kettenis@ miod@
|
|
that we can detect which instruction set extensions are supported without
relying on catching SIGILL.
ok deraadt@
|
|
(works better with `cvs rm' prior to commit...)
|
|
dependent on __STDC__ and doesn't need the ## operator.
ok jsg@
|
|
ok guenther@
|
|
that we implement proper "break-before-make" semantics and I've stared
at the code for long enough that I've convinced myself that we do indeed
implement this correctly several times.
ok guenther@
|
|
|
|
in cpu_switch() instead of at the kernel edge and gets rid of the FPU
state tracking in struct cpu_info and struct pcb. This fixes the random
crashes seen with SMP kernels on Apple M1.
ok patrick@
|
|
In order to make progress (and protect myself from things dumping cores
left and right when I run sysupgrade) abuse the hw.smt mechanism to
only schedule processes on the primary CPU.
ok deraadt@, patrick@
|
|
of TCR_EL1 in locore to make clear we use 4K pages for both userland and
the kernel.
ok patrick@
|
|
back in 2019.
ok mpi@
|
|
waiting on CPUs that didn't spin up. This will allow us to spin down
CPUs in the future to save power as well.
ok mpi@
|
|
sparc64. For now, do this only for aplpcie(4) as we only need this
functionality for Apple Silicon systems.
ok patrick@
|
|
Add a 512-byte buffer (ci_panicbuf) to each cpu_info struct on each
platform for use by panic(9). The first panic on a given CPU writes
its message to this buffer. Subsequent panics on a given CPU print
the panic message to the console but do not modify the buffer. This
aids debugging in two cases:
- If 2+ CPUs panic simultaneously there is no risk of garbled messages
in the panic buffer.
- If a CPU panics and then the operator causes a second panic while
using ddb(4), the operator can still recall the first failure on
a particular CPU.
Misc. changes to support this bigger change:
- Set panicstr atomically to identify the first CPU to reach panic().
- Tweak db_show_panic_cmd() to print all panic messages across all
CPUs. Prefix the first panic with an asterisk ('*').
- Prefer db_printf() to printf() during a panic if we have it.
Apparently it disturbs less global state.
- On amd64, tweak fault() to write the local panic buffer. This needs
more work.
Prompted by bluhm@ and deraadt@. Mostly written by deraadt@.
Discussed with bluhm@, deraadt@ and kettenis@.
Borne from a discussion on tech@ about making panic(9) more MP-safe:
https://marc.info/?l=openbsd-tech&m=162086462316143&w=2
ok kettenis@, visa@, bluhm@, deraadt@
|
|
preparation for sharing PCIe host bridge drivers between arm64 and riscv64.
ok mpi@, mlarkin@, patrick@
|
|
|
|
enable_interrupts()/disable_interrupts()/restore_interrupts() and remove
the latter interfaces.
While there move a few malloc(9) and free(9) calls to run with interrupts
enabled.
ok patrick@
|
|
ok gnezdo@
|
|
Do this by clearing all the bits marked RES0 and set all the bits
marked RES1 for the ARMv8.0.
Any optional features introduced in later revisions of the architecture
(such as PAN) will be enabled after SCTLR_EL1 is initialized.
ok patrick@
|
|
ok patrick@
|