kernel/amd64: conf: Add CPU_UMIP config option

This commit adds the CPU_UMIP kconf(9) option to allow the user to configure whether or not the kernel should enable the CR4.UMIP bit. It is recommended to keep this to "yes" as user applications should not be able to execute the SGDT, SIDT, SLDT, SMSW or STR instructions at all for security reasons. Signed-off-by: Ian Moffett <ian@osmora.org>
author: Ian Moffett <ian@osmora.org> 2025-08-12 23:46:11 -0400
committer: Ian Moffett <ian@osmora.org> 2025-08-12 23:52:47 -0400
commit: 83372e621621cd8509adc164599b212406970576 (patch)
tree: b2d52c685b0e084e191a3b64a9e4283f2f3e8c91 /sys/arch/amd64/amd64
parent: eb4ec8d4b0d5d596c67dc2baf935df30e27fbb71 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/sys/arch/amd64/amd64/machdep.c b/sys/arch/amd64/amd64/machdep.c
index 7720620..6408ad3 100644
--- a/sys/arch/amd64/amd64/machdep.c
+++ b/sys/arch/amd64/amd64/machdep.c
@@ -74,6 +74,12 @@
 #define CPU_SMEP 0
 #endif
 
+#if defined(__CPU_UMIP)
+#define CPU_UMIP __CPU_UMIP
+#else
+#define CPU_UMIP 0
+#endif
+
 int ibrs_enable(void);
 int simd_init(void);
 void syscall_isr(void);
@@ -355,6 +361,11 @@ cpu_enable_umip(void)
     struct cpu_info *ci = this_cpu();
     uint64_t cr4;
 
+    if (!CPU_UMIP) {
+        pr_trace_bsp("UMIP not configured\n");
+        return;
+    }
+
     if (ISSET(ci->feat, CPU_FEAT_UMIP)) {
         cr4 = amd64_read_cr4();
         cr4 |= CR4_UMIP;
author	Ian Moffett <ian@osmora.org>	2025-08-12 23:46:11 -0400
committer	Ian Moffett <ian@osmora.org>	2025-08-12 23:52:47 -0400
commit	83372e621621cd8509adc164599b212406970576 (patch)
tree	b2d52c685b0e084e191a3b64a9e4283f2f3e8c91 /sys/arch/amd64/amd64
parent	eb4ec8d4b0d5d596c67dc2baf935df30e27fbb71 (diff)