Module Name: src Committed By: riastradh Date: Sat Feb 25 13:57:37 UTC 2023
Modified Files: src/sys/arch/x86/include: cpu_extended_state.h src/sys/arch/x86/x86: fpu.c Log Message: x86: Mitigate MXCSR Configuration Dependent Timing in kernel FPU use. In fpu_kern_enter, make sure all the MXCSR exception status bits are set when we start using the FPU, so that instructions which exhibit MCDT are unaffected by it. While here, zero all the other FPU registers in fpu_kern_enter. In principle we could skip this step on future CPUs that fix the MCDT bug, but there's probably not much benefit -- workloads that do a lot of crypto in the kernel are probably better off using kthread_fpu_enter or WQ_FPU to skip the fpu_kern_enter/leave cycles in the first place. For details, see: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/mxcsr-configuration-dependent-timing.html To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/sys/arch/x86/include/cpu_extended_state.h cvs rdiff -u -r1.79 -r1.80 src/sys/arch/x86/x86/fpu.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/arch/x86/include/cpu_extended_state.h diff -u src/sys/arch/x86/include/cpu_extended_state.h:1.17 src/sys/arch/x86/include/cpu_extended_state.h:1.18 --- src/sys/arch/x86/include/cpu_extended_state.h:1.17 Wed Jun 26 12:30:13 2019 +++ src/sys/arch/x86/include/cpu_extended_state.h Sat Feb 25 13:57:37 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: cpu_extended_state.h,v 1.17 2019/06/26 12:30:13 mgorny Exp $ */ +/* $NetBSD: cpu_extended_state.h,v 1.18 2023/02/25 13:57:37 riastradh Exp $ */ #ifndef _X86_CPU_EXTENDED_STATE_H_ #define _X86_CPU_EXTENDED_STATE_H_ @@ -306,8 +306,15 @@ union savefpu { * Bits 13 and 14 are rounding control. * Bit 15 is 'flush to zero' - affects underflow. * Bits 16-31 must be zero. + * + * The safe MXCSR is fit for constant-time use, e.g. in crypto. Some + * CPU instructions take input- dependent time if an exception status + * bit is not set; __SAFE_MXCSR__ has the exception status bits all set + * already to mitigate this. See: + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/mxcsr-configuration-dependent-timing.html */ #define __INITIAL_MXCSR__ 0x1f80 #define __INITIAL_MXCSR_MASK__ 0xffbf +#define __SAFE_MXCSR__ 0x1fbf #endif /* _X86_CPU_EXTENDED_STATE_H_ */ Index: src/sys/arch/x86/x86/fpu.c diff -u src/sys/arch/x86/x86/fpu.c:1.79 src/sys/arch/x86/x86/fpu.c:1.80 --- src/sys/arch/x86/x86/fpu.c:1.79 Sat Aug 20 11:34:08 2022 +++ src/sys/arch/x86/x86/fpu.c Sat Feb 25 13:57:37 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: fpu.c,v 1.79 2022/08/20 11:34:08 riastradh Exp $ */ +/* $NetBSD: fpu.c,v 1.80 2023/02/25 13:57:37 riastradh Exp $ */ /* * Copyright (c) 2008, 2019 The NetBSD Foundation, Inc. All @@ -96,7 +96,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: fpu.c,v 1.79 2022/08/20 11:34:08 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: fpu.c,v 1.80 2023/02/25 13:57:37 riastradh Exp $"); #include "opt_multiprocessor.h" 
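Review bot: `__SAFE_MXCSR__` is written as a bare `0x1fbf` in the second cpu_extended_state.h hunk, so its relation to `__INITIAL_MXCSR__` (0x1f80) has to be worked out by hand. I would spell it `#define __SAFE_MXCSR__ (__INITIAL_MXCSR__ | 0x003f)` so that the six pre-set exception status flags are visibly the only difference. The added comment could also state the consequence for callers: with the status flags already set, code running under this MXCSR cannot use them to detect a floating-point exception, and clearing them would bring the data-dependent timing back. The comment block this hunk extends starts outside the hunk.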
@@ -373,6 +373,11 @@ fpu_lwp_abandon(struct lwp *l) void fpu_kern_enter(void) { + static const union savefpu safe_fpu __aligned(64) = { + .sv_xmm = { + .fx_mxcsr = __SAFE_MXCSR__, + }, + }; struct lwp *l = curlwp; struct cpu_info *ci; int s; @@ -407,6 +412,11 @@ fpu_kern_enter(void) * the last FPU usage requiring that we save the FPU state. */ clts(); + + /* + * Zero the FPU registers and install safe control words. + */ + fpu_area_restore(&safe_fpu, x86_xsave_features, false); } /*
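Review bot: `safe_fpu` initialises only `fx_mxcsr`, so every other field of the image, including the x87 control word and the XSAVE header, is zero, and nothing here says why that is safe. If `fpu_area_restore` (body not shown) can take an FXRSTOR path on CPUs without XSAVE, a zero x87 control word would be loaded as-is and leave x87 exceptions unmasked. On an XRSTOR path the zero header presumably yields init values while MXCSR is still loaded from the image. I would add a comment above the definition such as `/* All-zero image except MXCSR: registers are cleared, MXCSR gets the MCDT-safe value. */` and, if the FXRSTOR case applies, set the x87 control word explicitly as well. The body of fpu_kern_enter continues outside the hunk.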
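Review bot: The new comment before `fpu_area_restore` says what the call does but not that it is the MCDT mitigation, so a later cleanup could drop it as a redundant state reload. I would extend it to something like `Zero the FPU registers and install safe control words; __SAFE_MXCSR__ keeps the timing of MCDT-affected instructions independent of their data.` The bare `false` argument is also opaque at the call site, and a short trailing comment naming the parameter would help, since the signature is not visible in this hunk. It may be worth confirming that the matching leave path, which is outside this diff, does not hand the pre-set status flags on to whatever uses the FPU next.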