From: jsg Date: Mon, 17 Apr 2023 00:42:04 +0000 (+0000) Subject: Enable Indirect Branch Tracking (IBT) for the kernel X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=00473b026a1759e3b02b74517c7503a47947ae15;p=openbsd Enable Indirect Branch Tracking (IBT) for the kernel endbr64 (f3 0f 1e fa) is placed at valid targets of an indirect jmp or call. A nop on older machines. When IBT is enabled, an indirect jmp or call with no endbr will trigger a control protection trap. IBT is present on Intel Tiger Lake (Core gen 11) and later. with and ok deraadt@ --- diff --git a/sys/arch/amd64/amd64/cpu.c b/sys/arch/amd64/amd64/cpu.c index 418ed9a04a1..de9e889f819 100644 --- a/sys/arch/amd64/amd64/cpu.c +++ b/sys/arch/amd64/amd64/cpu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.c,v 1.165 2023/03/09 13:17:28 jsg Exp $ */ +/* $OpenBSD: cpu.c,v 1.166 2023/04/17 00:42:04 jsg Exp $ */ /* $NetBSD: cpu.c,v 1.1 2003/04/26 18:39:26 fvdl Exp $ */ /*- @@ -1189,6 +1189,14 @@ cpu_fix_msrs(struct cpu_info *ci) } } } + +#ifndef SMALL_KERNEL + if (ci->ci_feature_sefflags_edx & SEFF0EDX_IBT) { + msr = rdmsr(MSR_S_CET); + wrmsr(MSR_S_CET, msr | MSR_CET_ENDBR_EN); + lcr4(rcr4() | CR4_CET); + } +#endif } void
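Review bot: In the block added to cpu_fix_msrs(), `wrmsr(MSR_S_CET, msr | MSR_CET_ENDBR_EN)` is a read-modify-write, so every other bit already present in MSR_S_CET is carried over and takes effect as soon as `lcr4(rcr4() | CR4_CET)` switches CET on. If the kernel only intends ENDBR enforcement here, write an explicit value (or mask the old contents down to the bits it means to keep) so that supervisor CET state does not depend on whatever was in the MSR before this code ran. The block also has no comment: a line saying why it is excluded under SMALL_KERNEL, and that it relies on endbr64 being present at every valid indirect jmp/call target in the kernel as the commit message describes, would help the next reader.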