Attempt to disable and lock Intel Silicon Debug on boot

Mike Belopuhov Tue, 10 Jan 2017 09:36:48 -0800

One of the countermeasures against using Direct Connect Interface
(DCI) to debug CPUs via USB3 mentioned in the "Tapping into the
core" talk at the 33c3 was to identify and disable the Silicon
Debug feature found in Haswell and newer CPUs.


Two machines we have here are Haswell and Skylake, but both of
them have debugging disabled.  Would be interesting to know if
this works (or doesn't).


diff --git sys/arch/amd64/amd64/identcpu.c sys/arch/amd64/amd64/identcpu.c
index d9b1337a5fd..ae7da43df37 100644
--- sys/arch/amd64/amd64/identcpu.c
+++ sys/arch/amd64/amd64/identcpu.c
@@ -630,10 +630,37 @@ identifycpu(struct cpu_info *ci)
 
        printf("\n");
 
        x86_print_cacheinfo(ci);
 
+       /*
+        * Attempt to disable Silicon Debug and lock the configuration
+        * if it's enabled and unlocked.
+        */
+       if (!strcmp(cpu_vendor, "GenuineIntel") &&
+           (cpu_ecxfeature & CPUIDECX_SDBG)) {
+               uint64_t msr;
+
+               msr = rdmsr(IA32_DEBUG_INTERFACE);
+               if ((msr & IA32_DEBUG_INTERFACE_ENABLE) &&
+                   (msr & IA32_DEBUG_INTERFACE_LOCK) == 0) {
+                       msr &= IA32_DEBUG_INTERFACE_MASK;
+                       msr |= IA32_DEBUG_INTERFACE_LOCK;
+                       wrmsr(IA32_DEBUG_INTERFACE, msr);
+
+                       msr = rdmsr(IA32_DEBUG_INTERFACE);
+                       if ((msr & IA32_DEBUG_INTERFACE_ENABLE) == 0)
+                               printf("%s: disabled silicon debug\n",
+                                   ci->ci_dev->dv_xname);
+                       else
+                               printf("%s: failed to disable silicon debug\n",
+                                   ci->ci_dev->dv_xname);
+               } else if (msr & IA32_DEBUG_INTERFACE_ENABLE)
+                       printf("%s: cannot disable silicon debug\n",
+                           ci->ci_dev->dv_xname);
+       }
+
 #ifndef SMALL_KERNEL
        if (ci->ci_flags & CPUF_PRIMARY) {
                if (!strcmp(cpu_vendor, "AuthenticAMD") &&
                    ci->ci_pnfeatset >= 0x80000007) {
                        CPUID(0x80000007, dummy, dummy, dummy, val);
diff --git sys/arch/amd64/include/specialreg.h 
sys/arch/amd64/include/specialreg.h
index 48c47e74145..965633a15bc 100644
--- sys/arch/amd64/include/specialreg.h
+++ sys/arch/amd64/include/specialreg.h
@@ -835,10 +835,16 @@
 #define        C3_CRYPT_CWLO_DECRYPT           0x00000200
 #define        C3_CRYPT_CWLO_KEY128            0x0000000a      /* 128bit, 10 
rds */
 #define        C3_CRYPT_CWLO_KEY192            0x0000040c      /* 192bit, 12 
rds */
 #define        C3_CRYPT_CWLO_KEY256            0x0000080e      /* 256bit, 15 
rds */
 
+/* Intel Silicon Debug */
+#define IA32_DEBUG_INTERFACE           0xc80
+#define IA32_DEBUG_INTERFACE_ENABLE    0x00000001
+#define IA32_DEBUG_INTERFACE_LOCK      0x40000000
+#define IA32_DEBUG_INTERFACE_MASK      0x80000000
+
 /*
  * VMX
  */
 #define IA32_FEATURE_CONTROL_LOCK      0x01
 #define IA32_FEATURE_CONTROL_SMX_EN    0x02
diff --git sys/arch/i386/i386/machdep.c sys/arch/i386/i386/machdep.c
index d06abc19fef..12ce59c5276 100644
--- sys/arch/i386/i386/machdep.c
+++ sys/arch/i386/i386/machdep.c
@@ -2024,10 +2024,37 @@ identifycpu(struct cpu_info *ci)
 
                        printf("\n");
                }
        }
 
+       /*
+        * Attempt to disable Silicon Debug and lock the configuration
+        * if it's enabled and unlocked.
+        */
+       if (!strcmp(cpu_vendor, "GenuineIntel") &&
+           (cpu_ecxfeature & CPUIDECX_SDBG)) {
+               uint64_t msr;
+
+               msr = rdmsr(IA32_DEBUG_INTERFACE);
+               if ((msr & IA32_DEBUG_INTERFACE_ENABLE) &&
+                   (msr & IA32_DEBUG_INTERFACE_LOCK) == 0) {
+                       msr &= IA32_DEBUG_INTERFACE_MASK;
+                       msr |= IA32_DEBUG_INTERFACE_LOCK;
+                       wrmsr(IA32_DEBUG_INTERFACE, msr);
+
+                       msr = rdmsr(IA32_DEBUG_INTERFACE);
+                       if ((msr & IA32_DEBUG_INTERFACE_ENABLE) == 0)
+                               printf("%s: disabled silicon debug\n",
+                                   cpu_device);
+                       else
+                               printf("%s: failed to disable silicon debug\n",
+                                   cpu_device);
+               } else if (msr & IA32_DEBUG_INTERFACE_ENABLE)
+                       printf("%s: cannot disable silicon debug\n",
+                           cpu_device);
+       }
+
        if (ci->ci_flags & CPUF_PRIMARY) {
                if (cpu_ecxfeature & CPUIDECX_RDRAND)
                        has_rdrand = 1;
                if (ci->ci_feature_sefflags_ebx & SEFF0EBX_RDSEED)
                        has_rdseed = 1;
diff --git sys/arch/i386/include/specialreg.h sys/arch/i386/include/specialreg.h
index aa02392022b..f70a3eacd90 100644
--- sys/arch/i386/include/specialreg.h
+++ sys/arch/i386/include/specialreg.h
@@ -701,10 +701,16 @@
 #define        C3_CRYPT_CWLO_DECRYPT           0x00000200
 #define        C3_CRYPT_CWLO_KEY128            0x0000000a      /* 128bit, 10 
rds */
 #define        C3_CRYPT_CWLO_KEY192            0x0000040c      /* 192bit, 12 
rds */
 #define        C3_CRYPT_CWLO_KEY256            0x0000080e      /* 256bit, 15 
rds */
 
+/* Intel Silicon Debug */
+#define IA32_DEBUG_INTERFACE           0xc80
+#define IA32_DEBUG_INTERFACE_ENABLE    0x00000001
+#define IA32_DEBUG_INTERFACE_LOCK      0x40000000
+#define IA32_DEBUG_INTERFACE_MASK      0x80000000
+
 /*
  * VMX
  */
 #define IA32_FEATURE_CONTROL_LOCK      0x01
 #define IA32_FEATURE_CONTROL_SMX_EN    0x02

Attempt to disable and lock Intel Silicon Debug on boot

Reply via email to