vmm(4): allow guests to enable and use supervisor IBT.
authordv <dv@openbsd.org>
Mon, 24 Apr 2023 16:53:57 +0000 (16:53 +0000)
committerdv <dv@openbsd.org>
Mon, 24 Apr 2023 16:53:57 +0000 (16:53 +0000)
Why should hosts have all the fun? Conditionally unmask the cpuid
bits for IBT and allow r/w access to the supervisor CET msr.

Will need revisiting when we introduce usage of userland CET msr.

ok marlkin@

sys/arch/amd64/amd64/vmm.c

index 22dce4e..42ac800 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: vmm.c,v 1.339 2023/04/22 18:27:28 guenther Exp $      */
+/*     $OpenBSD: vmm.c,v 1.340 2023/04/24 16:53:57 dv Exp $    */
 /*
  * Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -3519,6 +3519,10 @@ vcpu_reset_regs_vmx(struct vcpu *vcpu, struct vcpu_reg_state *vrs)
        vmx_setmsrbr(vcpu, MSR_MISC_ENABLE);
        vmx_setmsrbr(vcpu, MSR_TSC);
 
+       /* If host supports CET, pass through access to the guest. */
+       if (rcr4() | CR4_CET)
+               vmx_setmsrbrw(vcpu, MSR_S_CET);
+
        /* XXX CR0 shadow */
        /* XXX CR4 shadow */
 
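Review bot: The added test `if (rcr4() | CR4_CET)` in vcpu_reset_regs_vmx ORs the register with the flag instead of masking it, so it is true for any non-zero CR4_CET and the guard never reflects whether the host enabled CET; it should read `if (rcr4() & CR4_CET)`. As written, `vmx_setmsrbrw(vcpu, MSR_S_CET)` runs unconditionally, so guests get read/write pass-through to the supervisor CET MSR even on hosts where CET is off or, presumably, absent. The same expression appears in the vmm_handle_cpuid hunk, where it makes the `else` branch that clears `SEFF0EDX_IBT` unreachable and advertises IBT to every guest; that test needs the same `&` fix. Both functions start and end outside their hunks, so any later code that depends on these conditions is not visible here.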
@@ -7053,6 +7057,12 @@ vmm_handle_cpuid(struct vcpu *vcpu)
                                *rcx |= SEFF0ECX_PKU;
                        else
                                *rcx &= ~SEFF0ECX_PKU;
+
+                       /* Expose IBT bit if we've enabled CET on the host. */
+                       if (rcr4() | CR4_CET)
+                               *rdx |= SEFF0EDX_IBT;
+                       else
+                               *rdx &= ~SEFF0EDX_IBT;
                } else {
                        /* Unsupported subleaf */
                        DPRINTF("%s: function 0x07 (SEFF) unsupported subleaf "