Initialize ci_idle_pcb->pcb_cr0 just once, in cpu_attach().
For secondary CPUs, %cr0 is initially loaded in cpu_spinup_trampoline so
don't load it again in cpu_hatch().

ok kettenis@

Delete antique sigdebug definitions

ok kettenis@

Reorder trapframe/intrframe to put %rbp next to %rip and make it
behave like a real call frame, thus vastly simplifying the ddb back
trace logic.

based on whinging from deraadt@
ok jasper@ mpi@ phes

Reorder trapframe/intrframe to put %rbp next to %rip and make it
behave like a real call frame, thus vastly simplifying the ddb back
trace logic.

based on whinging from deraadt@
ok jasper@ mpi@ phessler@

show more ...

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_att

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis

show more ...

Explicitly declare the gdt storage in struct cpu_info_full instead of
implicitly putting it in the padding to page-size. This eliminates a
couple Coverity issues from the Meltdown work.

testing dan

Explicitly declare the gdt storage in struct cpu_info_full instead of
implicitly putting it in the padding to page-size. This eliminates a
couple Coverity issues from the Meltdown work.

testing daniel@
ok mlarkin@

show more ...

Meltdown: implement user/kernel page table separation.

On Intel CPUs which speculate past user/supervisor page permission checks,
use a separate page table for userspace with only the minimum of ker

Meltdown: implement user/kernel page table separation.

On Intel CPUs which speculate past user/supervisor page permission checks,
use a separate page table for userspace with only the minimum of kernel code
and data required for the transitions to/from the kernel (still marked as
supervisor-only, of course):
- the IDT (RO)
- three pages of kernel text in the .kutext section for interrupt, trap,
and syscall trampoline code (RX)
- one page of kernel data in the .kudata section for TLB flush IPIs (RW)
- the lapic page (RW, uncachable)
- per CPU: one page for the TSS+GDT (RO) and one page for trampoline
stacks (RW)

When a syscall, trap, or interrupt takes a CPU from userspace to kernel the
trampoline code switches page tables, switches stacks to the thread's real
kernel stack, then copies over the necessary bits from the trampoline stack.
On return to userspace the opposite occurs: recreate the iretq frame on the
trampoline stack, switch stack, switch page tables, and return to userspace.

mlarkin@ implemented the pmap bits and did 90% of the debugging, diagnosing
issues on MP in particular, and drove the final push to completion.
Many rounds of testing by naddy@, sthen@, and others
Thanks to Alex Wilson from Joyent for early discussions about trampolines
and their data requirements.
Per-CPU page layout mostly inspired by DragonFlyBSD.

ok mlarkin@ deraadt@

show more ...

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and feat

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

show more ...

Handle %gs like %[def]s and reset set it in cpu_switchto() instead of on
every return to userspace.

ok kettenis@ mlarkin@

In uvm Chuck decided backing store would not be allocated proactively
for blocks re-fetchable from the filesystem. However at reboot time,
filesystems are unmounted, and since processes lack backing

In uvm Chuck decided backing store would not be allocated proactively
for blocks re-fetchable from the filesystem. However at reboot time,
filesystems are unmounted, and since processes lack backing store they
are killed. Since the scheduler is still running, in some cases init is
killed... which drops us to ddb [noted by bluhm]. Solution is to convert
filesystems to read-only [proposed by kettenis]. The tale follows:
sys_reboot() should pass proc * to MD boot() to vfs_shutdown() which
completes current IO with vfs_busy VB_WRITE|VB_WAIT, then calls VFS_MOUNT()
with MNT_UPDATE | MNT_RDONLY, soon teaching us that *fs_mount() calls a
copyin() late... so store the sizes in vfsconflist[] and move the copyin()
to sys_mount()... and notice nfs_mount copyin() is size-variant, so kill
legacy struct nfs_args3. Next we learn ffs_mount()'s MNT_UPDATE code is
sharp and rusty especially wrt softdep, so fix some bugs adn add
~MNT_SOFTDEP to the downgrade. Some vnodes need a little more help,
so tie them to &dead_vnops.

ffs_mount calling DIOCCACHESYNC is causing a bit of grief still but
this issue is seperate and will be dealt with in time.
couple hundred reboots by bluhm and myself, advice from guenther and
others at the hut

show more ...

Call i8254_startclock() earlier to make delay() usable. Actually HP
DL 20 Gen9 with "UEFI optimized mode" requires this initialization.

tested by Pedro Ramos
ok kettenis

Expose TSC properties via sysctl nodes

From Adam Steen with suggestions from tedu@
OK deraadt, mlarkin (as part of a larger diff)

reduce the amount of includes in arch/amd64
ok mpi@ deraadt@

remove a unused variable

ok tom, kettenis, deraadt

remove CPU_LIDSUSPEND/machdep.lidsuspend

"fire away!" tedu

Remove a block of "#if 0" code that has been in the file since r1.1, 13
years ago. This was part of the original reset code port from i386, and
we've never been able to reset amd64 in the way the cod

Remove a block of "#if 0" code that has been in the file since r1.1, 13
years ago. This was part of the original reset code port from i386, and
we've never been able to reset amd64 in the way the code tries to do in
the #if 0 block since we don't have a 'PTD' variable in amd64.

I thought to keep this around for diffability with i386, but that's pretty
pointless now as the diff between the two machdep.c files is over 5000
lines already...

show more ...

Since copyin(9) already doeas access 32-bit quantities atomically, we can
add copyin32(9) as a simple C wrapper around it. These wrappers do check
alignment and return EFAULT if the userland pointer

Since copyin(9) already doeas access 32-bit quantities atomically, we can
add copyin32(9) as a simple C wrapper around it. These wrappers do check
alignment and return EFAULT if the userland pointer is misaligned. This is
enough to guarantee that the access doesn't cross a cache line boundary which
could make the access non-atomic.

ok mpi@, visa@, tedu@

show more ...

Rename Debugger() into db_enter().

Using a name with the 'db_' prefix makes it invisible from the dynamic
profiler.

ok deraadt@, kettenis@, visa@

Unifdef KGDB.

It doesn't compile und hasn't been working during the last decade.

ok kettenis@, deraadt@

Introduce a new knob to force the first USB keyboard as console input.

By setting "machdep.forceukbd=1" you can now use your USB keyboard in
ddb(4) even if your BIOS emulates a pckbd(4).

ok tom@, k

Introduce a new knob to force the first USB keyboard as console input.

By setting "machdep.forceukbd=1" you can now use your USB keyboard in
ddb(4) even if your BIOS emulates a pckbd(4).

ok tom@, kettenis@, deraadt@

show more ...

Disallow setting machdep.lidaction to any other value but [0,2].

suggested by halex
ok deraadt millert

Add a new sysctl machdep.lidaction. The sysctl works as follows:

machdep.lidaction=0 # do nothing
machdep.lidaction=1 # suspend
machdep.lidaction=2 # hibernate

lidsuspend is just an alias for lidac

Add a new sysctl machdep.lidaction. The sysctl works as follows:

machdep.lidaction=0 # do nothing
machdep.lidaction=1 # suspend
machdep.lidaction=2 # hibernate

lidsuspend is just an alias for lidaction, so if you change one, the
other one will have the same value. The plan is to remove
machdep.lidsuspend eventually when people have upgraded their
/ets/sysctl.conf.

discussed with deraadt, who came up with the new MIB name
no objections mlarkin
ok stsp halex jcs

show more ...

Apply consistency to forever loops with continue and NOTREACHED

Same thought from kettenis@, ok krw@ phessler@ millert@

option INSECURE is obsolete

hand-massage sendsig() and sys_sigreturn() to be much more similar.
ok guenther kettenis

Pad end of code in the MP trampoline with int3 instead of 0x0 as it is
certain we don't want an intentional sled here either.

ok deraadt@