kernel/amd64: cpu: Support SMEP

Some CPUs support Supervisor Memory Execution Protection that prevent ring 3 code from being executed in a ring 0 context. Enable this on CPUs that support it. Signed-off-by: Ian Moffett <ian@osmora.org>
author: Ian Moffett <ian@osmora.org> 2025-07-05 01:04:58 +0000
committer: Ian Moffett <ian@osmora.org> 2025-07-05 01:04:58 +0000
commit: 755615ef0b094ca644ada0f677c49e665120ff37 (patch)
tree: 09d2c53b4a236bcf0d11aac2c2e1f6528bbd3812 /sys/arch/amd64/amd64
parent: 627c047d1ce71c9882cefac41a0d0b3c9d379c5b (diff)
1 files changed, 34 insertions, 0 deletions
diff --git a/sys/arch/amd64/amd64/machdep.c b/sys/arch/amd64/amd64/machdep.c
index 408ac95..5acacb4 100644
--- a/sys/arch/amd64/amd64/machdep.c
+++ b/sys/arch/amd64/amd64/machdep.c
@@ -314,6 +314,39 @@ md_sync_all(void)
 }
 
 void
+cpu_enable_smep(void)
+{
+    struct cpu_info *ci;
+    uint64_t cr4;
+
+    ci = this_cpu();
+    if (!ISSET(ci->feat, CPU_FEAT_SMEP)) {
+        pr_trace_bsp("SMEP not supported\n");
+        return;
+    }
+
+    cr4 = amd64_read_cr4();
+    cr4 |= BIT(20);         /* CR4.SMEP */
+    amd64_write_cr4(cr4);
+}
+
+void
+cpu_disable_smep(void)
+{
+    struct cpu_info *ci;
+    uint64_t cr4;
+
+    ci = this_cpu();
+    if (!ISSET(ci->feat, CPU_FEAT_SMEP)) {
+        return;
+    }
+
+    cr4 = amd64_read_cr4();
+    cr4 &= ~BIT(20);    /* CR4.SMEP */
+    amd64_write_cr4(cr4);
+}
+
+void
 cpu_startup(struct cpu_info *ci)
 {
     ci->self = ci;
@@ -328,6 +361,7 @@ cpu_startup(struct cpu_info *ci)
     try_mitigate_spectre();
 
     cpu_check_feat(ci);
+    cpu_enable_smep();
 
     enable_simd();
     lapic_init();
author	Ian Moffett <ian@osmora.org>	2025-07-05 01:04:58 +0000
committer	Ian Moffett <ian@osmora.org>	2025-07-05 01:04:58 +0000
commit	755615ef0b094ca644ada0f677c49e665120ff37 (patch)
tree	09d2c53b4a236bcf0d11aac2c2e1f6528bbd3812 /sys/arch/amd64/amd64
parent	627c047d1ce71c9882cefac41a0d0b3c9d379c5b (diff)