From 755615ef0b094ca644ada0f677c49e665120ff37 Mon Sep 17 00:00:00 2001
From: Ian Moffett
Date: Sat, 5 Jul 2025 01:04:58 +0000
Subject: kernel/amd64: cpu: Support SMEP

Some CPUs support Supervisor Memory Execution Protection that prevent ring 3 code from being executed in a ring 0 context. Enable this on CPUs that support it.
Signed-off-by: Ian Moffett
---
 sys/arch/amd64/amd64/machdep.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
(limited to 'sys/arch/amd64')
diff --git a/sys/arch/amd64/amd64/machdep.c b/sys/arch/amd64/amd64/machdep.c
index 408ac95..5acacb4 100644
--- a/sys/arch/amd64/amd64/machdep.c
+++ b/sys/arch/amd64/amd64/machdep.c
@@ -313,6 +313,39 @@ md_sync_all(void)
 return 0;
 }

+void
+cpu_enable_smep(void)
+{
+ struct cpu_info *ci;
+ uint64_t cr4;
+
+ ci = this_cpu();
+ if (!ISSET(ci->feat, CPU_FEAT_SMEP)) {
+ pr_trace_bsp("SMEP not supported\n");
+ return;
+ }
+
+ cr4 = amd64_read_cr4();
+ cr4 |= BIT(20); /* CR4.SMEP */
+ amd64_write_cr4(cr4);
+}
+
+void
+cpu_disable_smep(void)
+{
+ struct cpu_info *ci;
+ uint64_t cr4;
+
+ ci = this_cpu();
+ if (!ISSET(ci->feat, CPU_FEAT_SMEP)) {
+ return;
+ }
+
+ cr4 = amd64_read_cr4();
+ cr4 &= ~BIT(20); /* CR4.SMEP */
+ amd64_write_cr4(cr4);
+}
+
 void
 cpu_startup(struct cpu_info *ci)
 {
@@ -328,6 +361,7 @@ cpu_startup(struct cpu_info *ci)
 try_mitigate_spectre();
 cpu_check_feat(ci);
+ cpu_enable_smep();
 enable_simd();
 lapic_init();
-- 
cgit v1.2.3
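Review bot: `cpu_disable_smep()` is added with external linkage, no caller anywhere in this commit, and no comment saying when clearing CR4.SMEP is legitimate. A general-purpose routine that switches off an exploit mitigation is better left out until something needs it; if it stays, state the contract above it, e.g. `/* Clears CR4.SMEP on the current CPU only; the caller must call cpu_enable_smep() again before leaving the critical section. */`. Both functions also hard-code `BIT(20)`; a named constant such as `#define CR4_SMEP BIT(20)`, placed wherever the other CR4 bits are defined (not visible here), would remove the duplicated magic number. The diffstat shows only machdep.c changing, so neither non-static function gains a prototype in this commit; declare them in the machine header or make them `static`.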
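Review bot: The new `cpu_enable_smep();` call in `cpu_startup()` looks the CPU up again through `this_cpu()` although `ci` is already in hand, and it depends on `cpu_check_feat(ci)` on the preceding line having filled `ci->feat`. If `this_cpu()` could return a different structure from the `ci` passed in at this point in boot (not visible from the hunk), the feature test would read unset flags and SMEP would stay off with only a trace line to show for it. A comment at the call, `/* must follow cpu_check_feat(): reads ci->feat */`, would pin the ordering, and passing `ci` into the helper would remove the doubt. cpu_startup's body starts and ends outside the hunk, so it cannot be confirmed here that it runs on every processor rather than only the BSP; CR4 is per-CPU, so each one needs the call.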