List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Philip Guenther <guenther@cvs.openbsd.org>
Date:       2023-07-31 3:59:48
Message-ID: 0808c6599cfbcaee@cvs.openbsd.org

CVSROOT:	/cvs
Module name:	src
Changes by:	guenther@cvs.openbsd.org	2023/07/30 22:01:07

Modified files:
	sys/arch/amd64/amd64: cpu.c locore.S vector.S 
	sys/arch/amd64/conf: Makefile.amd64 
	sys/arch/amd64/include: codepatch.h 

Log message:
On CPUs with eIBRS ("enhanced Indirect Branch Restricted Speculation")
or IBT enabled in the kernel, the hardware should prevent the attacks which
retpolines were created to prevent.  In those cases, retpolines
should be a net negative for security as they are an indirect branch
gadget.  They're also slower.
* use -mretpoline-external-thunk to give us control of the code
used for indirect branches
* default to using a retpoline as before, but mark it and the
other ASM kernel retpolines for code patching
* if the CPU has eIBRS, then enable it
* if the CPU has eIBRS *or* IBT, then codepatch the three different
retpolines to just indirect jumps

make clean && make config required after this

ok kettenis@
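The mechanism the log describes, as an added user-space model that is not OpenBSD's code: the r11 retpoline thunk that -mretpoline-external-thunk routes indirect branches through, a codepatch table that tags the thunk as a patch site, and the eIBRS-or-IBT rule that rewrites the site to a bare jmp *%r11 padded with NOPs. Every name here (text_map, codepatch_replace, CPTAG_RETPOLINE_R11, cpu_select_thunks, call_r11, demo) is a hypothetical stand-in for the kernel's own code; one patch site stands in for the three retpolines the log mentions; the MSR write that actually enables eIBRS is left out because user space cannot perform it; and the machine code is hand-encoded amd64 for a Linux or BSD process with mmap/mprotect.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef __x86_64__
#error "this example executes hand-encoded amd64 machine code"
#endif

/* The r11 retpoline that -mretpoline-external-thunk makes the compiler call instead
 * of emitting "call/jmp *%r11" inline.  Speculation parks in the 2: loop; the
 * architectural path overwrites the return address and returns into %r11. */
static const uint8_t retpoline_r11[] = {
    0xe8, 0x07, 0x00, 0x00, 0x00,   /*    call 1f       rel32 +7 -> offset 12 */
    0xf3, 0x90,                     /* 2: pause */
    0x0f, 0xae, 0xe8,               /*    lfence */
    0xeb, 0xf9,                     /*    jmp 2b        rel8 -7 -> offset 5 */
    0x4c, 0x89, 0x1c, 0x24,         /* 1: mov %r11,(%rsp) */
    0xc3,                           /*    ret */
};
/* What the commit patches in on eIBRS/IBT CPUs; the rest of the site becomes NOPs. */
static const uint8_t jmp_r11[] = { 0x41, 0xff, 0xe3 };   /* jmp *%r11 */
#define NOP 0x90

enum { CPTAG_RETPOLINE_R11 = 1 };   /* hypothetical codepatch tag */
struct codepatch { uint8_t *addr; size_t len; int tag; };
static struct codepatch cptab[1];   /* hypothetical codepatch table: one site */
static uint8_t *kernel_text;        /* one mmap'd page standing in for kernel .text */
static long pagesz;

/* Lay the thunk out in an RW page, record its patch site, then make it RX (W^X). */
static int text_map(void) {
    pagesz = sysconf(_SC_PAGESIZE);
    if (kernel_text) munmap(kernel_text, pagesz);
    kernel_text = mmap(NULL, pagesz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (kernel_text == MAP_FAILED) { kernel_text = NULL; return -1; }
    memcpy(kernel_text, retpoline_r11, sizeof retpoline_r11);
    cptab[0] = (struct codepatch){ kernel_text, sizeof retpoline_r11, CPTAG_RETPOLINE_R11 };
    return mprotect(kernel_text, pagesz, PROT_READ | PROT_EXEC);
}

/* Overwrite every site tagged `tag` with `code`, NOP-padding to the site length.
 * The page goes RX -> RW -> RX, never writable and executable at the same time. */
static int codepatch_replace(int tag, const uint8_t *code, size_t len) {
    size_t i, n = sizeof cptab / sizeof cptab[0];
    for (i = 0; i < n; i++)
        if (cptab[i].tag == tag && len > cptab[i].len) return -1;   /* must fit the site */
    if (mprotect(kernel_text, pagesz, PROT_READ | PROT_WRITE) != 0) return -1;
    for (i = 0; i < n; i++) {
        if (cptab[i].tag != tag) continue;
        memcpy(cptab[i].addr, code, len);
        memset(cptab[i].addr + len, NOP, cptab[i].len - len);
    }
    return mprotect(kernel_text, pagesz, PROT_READ | PROT_EXEC);
}

/* The commit's rule: with eIBRS or IBT the retpoline is only a slower indirect-branch
 * gadget, so patch it out.  (Enabling eIBRS is an MSR write; omitted in user space.) */
static int cpu_select_thunks(int has_eibrs, int has_ibt) {
    if (has_eibrs || has_ibt)
        return codepatch_replace(CPTAG_RETPOLINE_R11, jmp_r11, sizeof jmp_r11);
    return 0;
}

/* Call target(arg) as retpoline'd code does: target in %r11, then call the thunk at
 * the patch site.  %r12 keeps %rsp so the call can skip the red zone and align the
 * stack; the caller-saved registers a callee may touch are declared clobbered. */
static long call_r11(long (*target)(long), long arg) {
    long ret;
    register long (*r11)(long) __asm__("r11") = target;
    register long rdi __asm__("rdi") = arg;
    __asm__ volatile("mov %%rsp, %%r12\n\tsub $128, %%rsp\n\tand $-16, %%rsp\n\t"
                     "call *%[thunk]\n\tmov %%r12, %%rsp"
                     : "=a"(ret), "+r"(rdi), "+r"(r11) : [thunk] "r"(kernel_text)
                     : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r12", "memory", "cc",
                       "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7");
    return ret;
}

static long double_plus_one(long x) { return 2 * x + 1; }
static int site_is_retpoline(void) { return !memcmp(kernel_text, retpoline_r11, sizeof retpoline_r11); }
static int site_is_jmp_r11(void) { return !memcmp(kernel_text, jmp_r11, sizeof jmp_r11); }

/* One feature mix end to end: map, call through the retpoline, apply the rule, call
 * again.  Returns the call result when both calls agree, -1 on any failure. */
static long demo(int has_eibrs, int has_ibt) {
    if (text_map() != 0) return -1;
    long before = call_r11(double_plus_one, 20);
    if (cpu_select_thunks(has_eibrs, has_ibt) != 0) return -1;
    long after = call_r11(double_plus_one, 20);
    return before == after ? after : -1;
}

int main(void) {
    for (int f = 0; f < 4; f++) {            /* f: bit0 = eIBRS, bit1 = IBT */
        long r = demo(f & 1, f >> 1);
        if (r < 0) return 1;
        printf("eibrs=%d ibt=%d result=%ld site=%s\n", f & 1, f >> 1, r,
               site_is_retpoline() ? "retpoline" : "jmp *%r11");
    }
    return 0;
}
```

On a plain x86-64 machine demo(0, 0) leaves the retpoline bytes at the site, while demo(1, 0) and demo(0, 1) leave 41 ff e3 followed by NOPs; every variant returns the same value, which is the point of the log's last bullet: the patch changes only how the indirect branch is made, never where it lands. The RX/RW/RX flip around the write is a user-space W^X analogue; how the kernel handles its own text mapping while codepatching is outside what this log shows.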
