media is still not big enough
grow size of media
OpenBSD/src eSApUJa — sys/arch/amd64/amd64 machdep.c, sys/dev/acpi acpi_x86.c acpibtn.c
We aren't ready to choose S0-over-S3 based upon the S0ix bit in FADT.
Some machines which work great in S3, don't work great in S0.
Some people want to be able to force S0, mostly for testing purposes
(or to notice improvements as changes are made in the tree). Provide
a TEMPORARY method via machdep.lidaction=-1 which will be S0-suspend
while =1 remains S3 suspend. This button will not remain long-term,
but for now, and during 7.6, it will be better than nothing.
ok ratchov kettenis
other growth has happened and I'm out of current culling options,
so mpi(4) gets removed from the floppy.
A few manual ret-cleans. Seeing as these pertain to interrupt servicing,
the stack utilization ends up near the deep end of the stack where
retcleans are useful. Tested for a while in snaps
ok bluhm
manual ret-clean; ok mlarkin
do a manual ret-clean operation inside the vmm_dispatch_intr asm code
ok mlarkin
OpenBSD/src TUElws9 — distrib/special/gzip Makefile, sys/arch/amd64/stand/boot Makefile
we don't need the NOBYFOUR space-savings option anymore, that codepath
was replaced a while ago.
ok tb
include BUILDINFO file in the iso/img files; requested by florian for sysupgrade changes
ret-clean is compatible with unhibernate again, due to a fix in
LLVM X86RetClean.cpp
issue observed by mglocker, diagnosed by mlarkin, kettenis, guenther.
disable -fret-clean in the kernel until the returns_twice situation is handled
OpenBSD/src gED6ENM — lib/libc/arch/amd64 Makefile.inc, lib/libcrypto/arch/amd64 Makefile.inc
enable -fret-clean on amd64, for libc libcrypto ld.so kernel, and all the
ssh tools. The dynamic objects are entirely ret-clean, static binaries
will contain a blend of cleaning and non-cleaning callers.
Grow amd64 install*.{iso,img} because -fret-clean *.tgz sets are a tiny
bit bigger.
Explicitly disable MSR_CET_NO_TRACK_EN in MSR_S_CET. If enabled by the
boot-process, we don't want to accidentally allow "notrack" indirect
branches. Linux kernel does the same. Today it is difficult to do the
same for userland, because there is 1 known piece of software using
"notrack" (which needs to be fixed).
ok kettenis
create a new code ILL_BTCFI associated with SIGILL for trap faults which
indicate missing indirect branch target instructions (on the two
architectures which currently have this). This becomes nicely visible in
kdump:
6526 cat PSIG SIGILL SIG_DFL code=ILL_BTCFI addr=0x438fad6a990 trapno=21
ok kettenis sthen miod rsadowski
OpenBSD/src LSf2CCj — sys/arch/amd64/conf GENERIC RAMDISK_CD, sys/arch/arm64/conf GENERIC RAMDISK
qwx(4) works well enough to enable
ok stsp
OpenBSD/src eOi0nm2 — distrib/special/sysctl sysctl.c, sys/arch/amd64/amd64 cpu.c machdep.c
Add new amd64-only sysctl machdep.retpoline which says whether the cpu
requires retpoline. If 0, we should do everything in our power to avoid
pure retpoline (replacing it with a simple thunk where possible), because
by its nature retpoline converts an indirect-branch into a direct branch
(push to stack & ret), and therefore it is an IBT (endbr64) bypass method.
This sysctl leverages guenther's decision-making logic in the kernel, which
already uses codepatch to fix the kernel retpoline thunk.
In my opinion, the retpoline-using logic really should be flipped; ROP
execution bypassing IBT to re-enter regular control flow is more dangerous
than spectre.
ok kettenis
For strange reasons which made sense at the time, the text segment was
placed ahead of the btext (boot.text) segment. (The boot.text segment is
"unmapped" after initialization, as a self-protection mechanism.) This meant
the LOAD's virtual addresses were not in sequence, which clearly isn't
what we intended.
remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point scheme we are
heading towards. This has been a 3-year mission:
First perl needed a code-generated wrapper to fake syscall(2) as a giant
switch table, then all the ports were cleaned with relatively minor fixes,
except for "go". "go" required two fixes -- 1) a framework issue with
old library versions, and 2) like perl, a fake syscall(2) wrapper to
handle ioctl(2) and sysctl(2) because "syscall(SYS_ioctl" occurs all over
the place in the "go" ecosystem because the "go developers" are plan9-loving
unix-hating folk who tried to build an ecosystem without allowing "ioctl".
ok kettenis, jsing, afresh1, sthen
The sigtramp was calling sigreturn(2), and upon failure exit(2), which
doesn't make sense anymore. It is better to just issue an illegal
instruction.
ok kettenis, with some misgivings about inconsistent approaches between
architectures.
In the future we could change sigreturn(2) to never return an exit code,
but always just terminate the process. We stopped this system call
from being callable ages ago with msyscall(2), and there is no stub for
it in libc. Maybe that's the next step to take?
Make sure the syscall table entries are aligned on a 4-byte boundary.
Required for strict-alignment architectures and a good idea on others.
same as kettenis commit to libc
Add a new label "sigcodecall" inside every sigtramp definition, directly
in front of the syscall instruction. This is used to calculate the start
of the syscall for SYS_sigreturn and pinned system calls.
ok kettenis
Populate the non-LOAD openbsd.syscalls section (and PT_OPENBSD_SYSCALL)
with {uint offset, uint syscall#} entries in libc & ld.so.
In libc a few syscall# entries (break, sigprocmask, _tfork, _threxit)
are duplicated because additional or inline uses occur (that situation
is handled elsewhere).
ok kettenis
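To make the table layout above concrete, here is a small model of how the openbsd.syscalls entries can be parsed and consulted. This is an added example, not OpenBSD's kernel or libc code; the entry encoding (two little-endian 32-bit words), the sample offsets and syscall numbers, and the simplified "is this text offset a registered site for this syscall#" check are all constructed assumptions for illustration.

```python
"""Model of the openbsd.syscalls (PT_OPENBSD_SYSCALL) table described in the
commit: a flat array of {uint offset, uint syscall#} entries.  Added example,
not OpenBSD source; encoding and sample values are assumptions."""
import struct

# Assumption: each entry is two little-endian uint32 words, offset then syscall#.
ENTRY = struct.Struct("<II")


def parse_syscall_table(blob: bytes) -> dict[int, set[int]]:
    """Map syscall# -> set of text offsets at which a stub issues that syscall.

    The commit notes that a few syscall numbers (break, sigprocmask, _tfork,
    _threxit) appear more than once because of inline uses, so offsets are
    collected in a set instead of being overwritten by the last entry.
    """
    if len(blob) % ENTRY.size:
        raise ValueError("table length is not a multiple of the entry size")
    table: dict[int, set[int]] = {}
    for offset, num in ENTRY.iter_unpack(blob):
        table.setdefault(num, set()).add(offset)
    return table


def is_registered_site(table: dict[int, set[int]], text_base: int,
                       insn_addr: int, num: int) -> bool:
    """Simplified check: does the syscall instruction at runtime address
    insn_addr (text_base + offset) correspond to a table entry for num?
    A syscall attempted from any other address would be rejected."""
    return (insn_addr - text_base) in table.get(num, ())


if __name__ == "__main__":
    # Constructed sample: one entry for syscall# 4 and two for syscall# 48,
    # mirroring the duplicate-entry case mentioned in the commit message.
    sample = (ENTRY.pack(0x1000, 4) + ENTRY.pack(0x1040, 48)
              + ENTRY.pack(0x1080, 48))
    tbl = parse_syscall_table(sample)
    print(tbl)
    print(is_registered_site(tbl, 0x400000, 0x401040, 48))  # expected True
    print(is_registered_site(tbl, 0x400000, 0x401044, 48))  # expected False
```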
crt0 uses a helper function in a MD src/libexec/ld.so .h file (rather than
reproducing the relevant defines and code in a different place) to perform
minor relocations. If things go very wrong, it would call _dl_exit() --
a locally defined crt0 function which is syscall exit(2). We don't need
to call exit(2) for this obscure case which doesn't happen and provides no
debugging information. An 'abort' is going to provide better information.
So let's change the function name to _dso_abort() and make it a single
illegal instruction.
ok guenther
enable mbg(4) at pci on amd64, from Maurice Janssen
Some hypervisors (such as Hetzner) allow msr read of DE_CFG (which does
not indicate bit 9 set, but they could have a firmware fix) but then block
a msr write to bit 9 (which disables enough AVX optimizations
to prevent the exfiltration of data), with a fault. So let's also check
the HV bit before we decide to modify the bit. Hypervisors are expected
to set that bit. Tested by lucas at sexy dot is.
with jsg, ok mlarkin
OpenBSD/src ixuZiUh — sys/arch/amd64/amd64 cpu.c, sys/arch/amd64/include specialreg.h
Set DE_CFG[9] -- a chickenbit which stops Zenbleed. The chickenbit may
have other side-effects (not disclosed by AMD), and firmware fixes may
be better (and have other side-effects, same story). Newer processors
will probably be validated more carefully by AMD.
Issue found by Tavis Ormandy.
This is errata 7.2/033_amdcpu.patch.sig and 7.3/011_amdcpu.patch.sig
Zenbleed also blocked on select cpus by using errata
7.3/012_amdfirmware.patch.sig + 7.3/013_amdcpufirmware.patch /
7.2/034_amdfirmware.patch.sig + 7.2/035_amdcpufirmware.patch.sig
which load AMD cpu firmwares (firmware.openbsd.org is updated often to
contain the best firmwares)
ok jsg
upon resume, fpureset() was being called prematurely (before cpu_init,
which does not matter today, but will matter a lot in near future).
But actually it isn't needed at all, cpu_init() does it again.
So remove the call.
ok guenther
OpenBSD/src ZLHRiDt — lib/libcrypto/aes/asm aesni-x86_64.pl bsaes-x86_64.pl, lib/libcrypto/camellia/asm cmll-x86_64.pl
Add endbr64 where needed by inspection. Passes regression tests.
ok jsing, and kind of tb an earlier version
endbr64 is potentially necessary in the syscall stubs.