Source-Changes-HG archive


[src/netbsd-10]: src/sys/arch/x86 Pull up following revision(s) (requested by...



details:   https://anonhg.NetBSD.org/src/rev/016e07ef821b
branches:  netbsd-10
changeset: 378182:016e07ef821b
user:      martin <martin%NetBSD.org@localhost>
date:      Tue Jul 25 11:41:42 2023 +0000

description:
Pull up following revision(s) (requested by riastradh in ticket #244):

        sys/arch/x86/x86/fpu.c: revision 1.80
        sys/arch/x86/include/cpu_extended_state.h: revision 1.18

x86: Mitigate MXCSR Configuration Dependent Timing in kernel FPU use.

In fpu_kern_enter, make sure all the MXCSR exception status bits are
set when we start using the FPU, so that instructions which exhibit
MCDT are unaffected by it.

While here, zero all the other FPU registers in fpu_kern_enter.
In principle we could skip this step on future CPUs that fix the MCDT
bug, but there's probably not much benefit -- workloads that do a lot
of crypto in the kernel are probably better off using
kthread_fpu_enter or WQ_FPU to skip the fpu_kern_enter/leave cycles
in the first place.

For details, see:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/mxcsr-configuration-dependent-timing.html

diffstat:

 sys/arch/x86/include/cpu_extended_state.h |   9 ++++++++-
 sys/arch/x86/x86/fpu.c                    |  14 ++++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diffs (67 lines):

diff -r e2d6ab51d72f -r 016e07ef821b sys/arch/x86/include/cpu_extended_state.h
--- a/sys/arch/x86/include/cpu_extended_state.h Tue Jul 25 11:30:43 2023 +0000
+++ b/sys/arch/x86/include/cpu_extended_state.h Tue Jul 25 11:41:42 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: cpu_extended_state.h,v 1.17 2019/06/26 12:30:13 mgorny Exp $   */
+/*     $NetBSD: cpu_extended_state.h,v 1.17.28.1 2023/07/25 11:41:42 martin Exp $      */
 
 #ifndef _X86_CPU_EXTENDED_STATE_H_
 #define _X86_CPU_EXTENDED_STATE_H_
@@ -306,8 +306,15 @@ union savefpu {
  * Bits 13 and 14 are rounding control.
  * Bit 15 is 'flush to zero' - affects underflow.
  * Bits 16-31 must be zero.
+ *
+ * The safe MXCSR is fit for constant-time use, e.g. in crypto.  Some
+ * CPU instructions take input- dependent time if an exception status
+ * bit is not set; __SAFE_MXCSR__ has the exception status bits all set
+ * already to mitigate this.  See:
+ * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/mxcsr-configuration-dependent-timing.html
  */
 #define        __INITIAL_MXCSR__       0x1f80
 #define        __INITIAL_MXCSR_MASK__  0xffbf
+#define        __SAFE_MXCSR__          0x1fbf
 
 #endif /* _X86_CPU_EXTENDED_STATE_H_ */
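Review bot: __SAFE_MXCSR__ is written as the bare literal 0x1fbf, so its relation to __INITIAL_MXCSR__ (0x1f80) is left for the reader to work out: the two differ only in the low six bits, 0x3f, which are the exception status bits the added comment refers to. Consider defining it as (__INITIAL_MXCSR__ | 0x3f), or naming the bit positions in the comment the way the existing lines do for bits 13 through 31. The added comment also has a stray space in "input- dependent".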
diff -r e2d6ab51d72f -r 016e07ef821b sys/arch/x86/x86/fpu.c
--- a/sys/arch/x86/x86/fpu.c    Tue Jul 25 11:30:43 2023 +0000
+++ b/sys/arch/x86/x86/fpu.c    Tue Jul 25 11:41:42 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: fpu.c,v 1.79.4.1 2023/07/25 11:29:23 martin Exp $      */
+/*     $NetBSD: fpu.c,v 1.79.4.2 2023/07/25 11:41:42 martin Exp $      */
 
 /*
  * Copyright (c) 2008, 2019 The NetBSD Foundation, Inc.  All
@@ -96,7 +96,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: fpu.c,v 1.79.4.1 2023/07/25 11:29:23 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fpu.c,v 1.79.4.2 2023/07/25 11:41:42 martin Exp $");
 
 #include "opt_multiprocessor.h"
 
@@ -373,6 +373,11 @@ fpu_lwp_abandon(struct lwp *l)
 void
 fpu_kern_enter(void)
 {
+       static const union savefpu safe_fpu __aligned(64) = {
+               .sv_xmm = {
+                       .fx_mxcsr = __SAFE_MXCSR__,
+               },
+       };
        struct lwp *l = curlwp;
        struct cpu_info *ci;
        int s;
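Review bot: The safe_fpu initializer sets only .fx_mxcsr, so every other field of the save area is zero-initialized, including whatever x87 control state it carries, while the comment at the call site speaks of "safe control words" in the plural. If zero is the intended value for everything else, a short comment on safe_fpu saying so would help, and it would be worth stating why the object needs __aligned(64).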
@@ -407,6 +412,11 @@ fpu_kern_enter(void)
         * the last FPU usage requiring that we save the FPU state.
         */
        clts();
+
+       /*
+        * Zero the FPU registers and install safe control words.
+        */
+       fpu_area_restore(&safe_fpu, x86_xsave_features, false);
 }
 
 /*
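Review bot: The comment added above the fpu_area_restore call says what is done but not why; nothing in the visible lines of fpu.c mentions MXCSR Configuration Dependent Timing, so a later reader could take the restore for a removable cost on every fpu_kern_enter. Suggest naming MCDT here or pointing at the __SAFE_MXCSR__ comment in cpu_extended_state.h. The bare false passed as the third argument would also read better with a brief note on what it selects.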


