Explicitly disable MSR_CET_NO_TRACK_EN in MSR_S_CET. If enabled by the

boot-process, we don't want to accidentally allow "notrack" indirect
branches. Linux kernel does the same.  Today it is difficult to do the
same for userland, because there is 1 known piece of software using
"notrack" (which needs to be fixed).
ok kettenis

diff --git a/sys/arch/amd64/amd64/cpu.c b/sys/arch/amd64/amd64/cpu.c
index 9e05abf..6c8e2b6 100644 (file)
--- a/sys/arch/amd64/amd64/cpu.c
+++ b/sys/arch/amd64/amd64/cpu.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cpu.c,v 1.181 2024/02/18 05:42:50 guenther Exp $      */
+/*     $OpenBSD: cpu.c,v 1.182 2024/02/24 17:00:05 deraadt Exp $       */
 /* $NetBSD: cpu.c,v 1.1 2003/04/26 18:39:26 fvdl Exp $ */
 
 /*-
@@ -1260,7 +1260,7 @@ cpu_fix_msrs(struct cpu_info *ci)
 #ifndef SMALL_KERNEL
        if (ci->ci_feature_sefflags_edx & SEFF0EDX_IBT) {
                msr = rdmsr(MSR_S_CET);
-               wrmsr(MSR_S_CET, msr | MSR_CET_ENDBR_EN);
+               wrmsr(MSR_S_CET, (msr & ~MSR_CET_NO_TRACK_EN) | MSR_CET_ENDBR_EN);
                lcr4(rcr4() | CR4_CET);
        }
 #endif