endbr64 (f3 0f 1e fa) is placed at valid targets of an indirect jmp or
call. A nop on older machines. When IBT is enabled, an indirect jmp or
call with no endbr will trigger a control protection trap.
IBT is present on Intel Tiger Lake (Core gen 11) and later.
with and ok deraadt@
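As an added illustration of the behaviour the message describes (example code, not part of this commit or of OpenBSD), a small C model of the IBT tracker run over a constructed byte stream: an indirect jmp arms the tracker, a target that does not start with endbr64 traps, and with IBT off endbr64 is just a nop. The opcode subset, the 64-step bound and the use of rax as the branch target are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum ibt_result { RAN_TO_RET = 0, CP_TRAP = 1, BAD_OPCODE = 2 };

/* Minimal model of the IBT tracker: after an indirect jmp it waits for
 * endbr64, and any other instruction at the target raises a control
 * protection trap (#CP). With IBT off it never arms, so endbr64 is a nop.
 * Opcodes modelled: f3 0f 1e fa endbr64, 90 nop, c3 ret, ff e0 jmp *%rax.
 * 'rax' is the constructed indirect-branch target (byte offset). */
enum ibt_result run_ibt_model(const uint8_t *code, size_t len, size_t rax, int ibt_enabled)
{
    static const uint8_t endbr64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };
    size_t ip = 0;
    int wait_for_endbranch = 0;   /* tracker state: 0 = IDLE, 1 = WAIT_FOR_ENDBRANCH */
    unsigned steps;

    for (steps = 0; ip < len && steps < 64; steps++) {
        int is_endbr = (len - ip >= 4) && memcmp(code + ip, endbr64, 4) == 0;
        if (wait_for_endbranch) {
            if (!is_endbr)
                return CP_TRAP;       /* target lacks endbr64: #CP */
            wait_for_endbranch = 0;   /* tracker satisfied, back to IDLE */
        }
        if (is_endbr) {
            ip += 4;                  /* otherwise just a 4-byte nop */
            continue;
        }
        switch (code[ip]) {
        case 0x90: ip += 1; break;                        /* nop */
        case 0xc3: return RAN_TO_RET;                     /* ret */
        case 0xff:
            if (ip + 1 < len && code[ip + 1] == 0xe0) {   /* jmp *%rax */
                ip = rax;
                wait_for_endbranch = ibt_enabled;         /* arm only if IBT is on */
                break;
            }
            return BAD_OPCODE;
        default: return BAD_OPCODE;
        }
    }
    return BAD_OPCODE;                /* ran off the end or hit the step bound */
}

/* Constructed stream: jmp *%rax; nop; ret; endbr64; ret */
static const uint8_t sample[] = { 0xff, 0xe0, 0x90, 0xc3, 0xf3, 0x0f, 0x1e, 0xfa, 0xc3 };
```

Running the model on `sample` with rax = 4 (the endbr64 at offset 4) reaches ret; with rax = 2 (the nop) it traps when IBT is enabled and runs through when IBT is disabled.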
-/* $OpenBSD: cpu.c,v 1.165 2023/03/09 13:17:28 jsg Exp $ */
+/* $OpenBSD: cpu.c,v 1.166 2023/04/17 00:42:04 jsg Exp $ */
/* $NetBSD: cpu.c,v 1.1 2003/04/26 18:39:26 fvdl Exp $ */
/*-
}
}
}
+
+#ifndef SMALL_KERNEL
+ if (ci->ci_feature_sefflags_edx & SEFF0EDX_IBT) {
+ msr = rdmsr(MSR_S_CET);
+ wrmsr(MSR_S_CET, msr | MSR_CET_ENDBR_EN);
+ lcr4(rcr4() | CR4_CET);
+ }
+#endif
}
void
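Review bot: the new block starting at `if (ci->ci_feature_sefflags_edx & SEFF0EDX_IBT)` carries no comment saying what it turns on or why it is gated by `#ifndef SMALL_KERNEL`; a one-line comment above the `#ifndef`, along the lines of `/* Enable IBT: indirect jmp/call targets must start with endbr64 or take a #CP trap */`, would spare the next reader a trip to the commit message. It is also worth noting next to the `wrmsr(MSR_S_CET, msr | MSR_CET_ENDBR_EN)` and `lcr4(rcr4() | CR4_CET)` lines that from this point every indirect-branch target in the kernel, assembly stubs included, must carry an endbr64, since any unannotated target becomes a control protection trap as soon as CR4_CET is set here.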