Toggle IBT off during EFI runtime services calls.

While UEFI 2.10 has a way of indicating that runtime services use the
appropriate ENDBR64 instructions, firmware that's out int the wild doesn't
actually use that yet.  Once the landscape changes we may want to
reconsider toggling IBT off.

ok guenther@, kn@

diff --git a/sys/arch/amd64/amd64/efi_machdep.c b/sys/arch/amd64/amd64/efi_machdep.c
index 97be06b..7486ff1 100644 (file)
--- a/sys/arch/amd64/amd64/efi_machdep.c
+++ b/sys/arch/amd64/amd64/efi_machdep.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: efi_machdep.c,v 1.6 2023/04/30 17:24:24 kettenis Exp $        */
+/*     $OpenBSD: efi_machdep.c,v 1.7 2023/07/08 07:18:39 kettenis Exp $        */
 
 /*
  * Copyright (c) 2022 Mark Kettenis <kettenis@openbsd.org>
@@ -208,11 +208,15 @@ efi_enter(struct efi_softc *sc)
        fpu_kernel_enter();
 
        curpcb->pcb_onfault = (void *)efi_fault;
+       if (curcpu()->ci_feature_sefflags_edx & SEFF0EDX_IBT)
+               lcr4(rcr4() & ~CR4_CET);
 }
 
 void
 efi_leave(struct efi_softc *sc)
 {
+       if (curcpu()->ci_feature_sefflags_edx & SEFF0EDX_IBT)
+               lcr4(rcr4() | CR4_CET);
        curpcb->pcb_onfault = NULL;
 
        fpu_kernel_exit();