/*
 * This file and its contents are supplied under the terms of the
 * Common Development and Distribution License ("CDDL"), version 1.0.
 * You may only use this file in accordance with the terms of version
 * 1.0 of the CDDL.
 *
 * A full copy of the text of the CDDL should have accompanied this
 * source.  A copy of the CDDL is also available via the Internet at
 * http://www.illumos.org/license/CDDL.
 */

/*
 * Copyright 2019 Joyent, Inc.
 */

#include <sys/asm_linkage.h>

/*
 * This ASM file contains various routines that are designed to flush
 * microarchitectural buffer state as part of dealing with the
 * microarchitectural data sampling (MDS) vulnerabilities.
 *
 * These are called from various points in the system ranging from interrupts,
 * before going idle, to returning from system calls. This means the following
 * is true about the state of the system:
 *
 *  o All register state is precious, we must not change register state upon
 *    entry or return from these functions.
 *
 *  o %ds is valid.
 *
 *  o %gs is arbitrary, it may be kernel or user. You cannot rely on it.
 *
 *  o Interrupts should be disabled by the caller.
 *
 *  o %cr3 is on the kernel-side and therefore we still have access to kernel
 *    text. In other words, we haven't switched back to the user page table.
 *
 *  o It is up to the caller to ensure that a sufficient serializing instruction
 *    has been executed after this to make sure any pending speculations are
 *    captured. In general, this should be handled by the fact that callers of
 *    this are either going to change privilege levels or halt, which makes
 *    these operations safer.
 */

	/*
	 * By default, x86_md_clear is disabled until the system determines that
	 * it both needs MDS related mitigations and we have microcode that
	 * provides the needed functionality.
	 *
	 * The VERW instruction clobbers flags which is why it's important that
	 * we save and restore them here.
	 */
	ENTRY_NP(x86_md_clear)
	/*
	 * The leading ret makes this routine a no-op until the system enables
	 * the mitigation; once enabled, execution falls through to the flush
	 * below.
	 */
	ret
	pushfq
	subq	$8, %rsp
	/* Store the (valid) %ds selector so VERW has a memory operand to use. */
	mov	%ds, (%rsp)
	verw	(%rsp)
	addq	$8, %rsp
	popfq
	ret
	SET_SIZE(x86_md_clear)
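The comment above says x86_md_clear stays disabled until the system knows two things: the CPU needs an MDS mitigation, and the microcode implements the VERW buffer flush. The following C program is an added example written for this page, not illumos code, showing that decision as plain logic. The bit positions it uses are the architecturally defined ones (CPUID.(EAX=7,ECX=0):EDX bit 10 for MD_CLEAR, bit 29 for the presence of IA32_ARCH_CAPABILITIES, and IA32_ARCH_CAPABILITIES bit 5 for MDS_NO); the function names and the MSR value passed in are assumptions for illustration, since the MSR itself can only be read in ring 0.

```c
/*
 * Added example (not illumos source): decide whether an MDS buffer flush
 * should be enabled, using the two inputs the file comment describes.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Architectural bit definitions (Intel SDM). */
#define CPUID7_EDX_MD_CLEAR   (1u << 10)   /* microcode implements the VERW flush */
#define CPUID7_EDX_ARCH_CAP   (1u << 29)   /* IA32_ARCH_CAPABILITIES MSR exists */
#define ARCH_CAP_MDS_NO       (1ull << 5)  /* hardware is not affected by MDS */

/* Does the microcode advertise the MD_CLEAR capability? */
int md_clear_supported(uint32_t cpuid7_edx)
{
	return (cpuid7_edx & CPUID7_EDX_MD_CLEAR) != 0;
}

/*
 * Is the CPU affected? If IA32_ARCH_CAPABILITIES is absent we cannot
 * learn otherwise and must assume the part is affected. arch_caps is
 * the MSR value as read by the kernel (hypothetical input here).
 */
int mds_mitigation_needed(int arch_caps_present, uint64_t arch_caps)
{
	if (!arch_caps_present)
		return 1;
	return (arch_caps & ARCH_CAP_MDS_NO) == 0;
}

/*
 * Policy matching the file comment: enable the flush only when the CPU is
 * affected AND the microcode can actually perform it. Returns 1 to enable.
 */
int md_clear_should_enable(uint32_t cpuid7_edx, int arch_caps_present,
    uint64_t arch_caps)
{
	return mds_mitigation_needed(arch_caps_present, arch_caps) &&
	    md_clear_supported(cpuid7_edx);
}

/* Read CPUID leaf 7 subleaf 0 EDX on the running CPU; -1 if unavailable. */
long read_cpuid7_edx(void)
{
#if defined(__x86_64__) || defined(__i386__)
	unsigned int eax, ebx, ecx, edx;
	if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
		return (long)edx;
#endif
	return -1;
}

int main(void)
{
	long edx = read_cpuid7_edx();
	if (edx < 0) {
		puts("CPUID leaf 7 not available on this host");
		return 0;
	}
	printf("MD_CLEAR advertised: %s\n",
	    md_clear_supported((uint32_t)edx) ? "yes" : "no");
	printf("IA32_ARCH_CAPABILITIES present: %s (MSR readable only in ring 0)\n",
	    (edx & CPUID7_EDX_ARCH_CAP) ? "yes" : "no");
	/* Constructed MSR values to show both outcomes of the policy. */
	printf("affected CPU, MD_CLEAR present  -> enable=%d\n",
	    md_clear_should_enable(CPUID7_EDX_MD_CLEAR, 1, 0));
	printf("MDS_NO CPU, MD_CLEAR present    -> enable=%d\n",
	    md_clear_should_enable(CPUID7_EDX_MD_CLEAR, 1, ARCH_CAP_MDS_NO));
	return 0;
}
```

The split into three small functions mirrors the comment's wording: one check for "needs MDS related mitigations", one for "microcode that provides the needed functionality", and a combining policy that enables x86_md_clear only when both hold. On an unaffected part (MDS_NO set) the routine stays as the single leading ret, so no VERW is executed on the syscall-return and idle paths.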