From 7eb2b5c29ec538447e2b96e5e7bfc16279363341 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Sat, 24 Feb 2024 17:00:05 +0000
Subject: [PATCH] Explicitly disable MSR_CET_NO_TRACK_EN in MSR_S_CET. If enabled by the boot-process, we don't want to accidentally allow "notrack" indirect branches. Linux kernel does the same. Today it is difficult to do the same for userland, because there is 1 known piece of software using "notrack" (which needs to be fixed). ok kettenis
---
 sys/arch/amd64/amd64/cpu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/arch/amd64/amd64/cpu.c b/sys/arch/amd64/amd64/cpu.c
index 9e05abf3f16..6c8e2b67d84 100644
--- a/sys/arch/amd64/amd64/cpu.c
+++ b/sys/arch/amd64/amd64/cpu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cpu.c,v 1.181 2024/02/18 05:42:50 guenther Exp $ */
+/* $OpenBSD: cpu.c,v 1.182 2024/02/24 17:00:05 deraadt Exp $ */
 /* $NetBSD: cpu.c,v 1.1 2003/04/26 18:39:26 fvdl Exp $ */

 /*-
@@ -1260,7 +1260,7 @@ cpu_fix_msrs(struct cpu_info *ci)
 #ifndef SMALL_KERNEL
 if (ci->ci_feature_sefflags_edx & SEFF0EDX_IBT) {
 msr = rdmsr(MSR_S_CET);
- wrmsr(MSR_S_CET, msr | MSR_CET_ENDBR_EN);
+ wrmsr(MSR_S_CET, (msr & ~MSR_CET_NO_TRACK_EN) | MSR_CET_ENDBR_EN);
 lcr4(rcr4() | CR4_CET);
 }
 #endif
--
2.20.1
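Review bot: The new `wrmsr` in cpu_fix_msrs() still carries every other boot-inherited bit of MSR_S_CET forward, because only `MSR_CET_NO_TRACK_EN` is masked out of the value returned by `rdmsr`. The Intel SDM defines further indirect-branch-tracking controls in the same register (the legacy-compatibility bit LEG_IW_EN and the suppress bits) that would relax ENDBR enforcement in a comparable way if the boot process left them set. If nothing in the kernel depends on the inherited value, writing a known state, `wrmsr(MSR_S_CET, MSR_CET_ENDBR_EN);`, would cover the whole class rather than one bit. If the read-modify-write is kept, a comment above the line such as `/* boot code may leave NO_TRACK_EN set; clear it so notrack branches still require endbr64 */` would record why the mask exists. The function body starts and ends outside the hunk, so whether other code sets bits in this MSR cannot be confirmed from here.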