We have determined that enough HV have correct PKU handling now,

so don't be paranoid about it anymore.  What does this mean?  If the HV
above you is broken, userland programs in the guest could crash, the guest
might even be quite unusable.  So fix the hypervisor.  The best way to
raise the bar on hypervisor quality is for guests to behave like they
are on a real machine, and then sucky hypervisors have to get fixed.
ps.  if using vmd as your hypervisor, use syspatch...

diff --git a/sys/arch/amd64/amd64/pmap.c b/sys/arch/amd64/amd64/pmap.c
index d6b6fcb..9a474f2 100644 (file)
--- a/sys/arch/amd64/amd64/pmap.c
+++ b/sys/arch/amd64/amd64/pmap.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pmap.c,v 1.160 2023/01/29 16:23:15 deraadt Exp $      */
+/*     $OpenBSD: pmap.c,v 1.161 2023/01/30 00:10:39 deraadt Exp $      */
 /*     $NetBSD: pmap.c,v 1.3 2003/05/08 18:13:13 thorpej Exp $ */
 
 /*
@@ -665,10 +665,11 @@ pmap_bootstrap(paddr_t first_avail, paddr_t max_pa)
         */
        if (cpuid_level >= 0x7) {
                uint32_t ecx, dummy;
+
                CPUID_LEAF(0x7, 0, dummy, dummy, ecx, dummy);
-               if ((ecx & SEFF0ECX_PKU) &&
-                   (cpu_ecxfeature & CPUIDECX_HV) == 0) {
+               if (ecx & SEFF0ECX_PKU) {
                        lcr4(rcr4() | CR4_PKE);
+                       uvm_xonlymmu = 1;
                        pg_xo = PG_XO;
                }
        }