From 83372e621621cd8509adc164599b212406970576 Mon Sep 17 00:00:00 2001
From: Ian Moffett
Date: Tue, 12 Aug 2025 23:46:11 -0400
Subject: kernel/amd64: conf: Add CPU_UMIP config option

This commit adds the CPU_UMIP kconf(9) option to allow the user to configure whether or not the kernel should enable the CR4.UMIP bit. It is recommended to keep this to "yes" as user applications should not be able to execute the SGDT, SIDT, SLDT, SMSW or STR instructions at all for security reasons.

Signed-off-by: Ian Moffett
---
 sys/arch/amd64/amd64/machdep.c | 11 +++++++++++
 sys/arch/amd64/conf/GENERIC | 1 +
 2 files changed, 12 insertions(+)
(limited to 'sys/arch/amd64')

diff --git a/sys/arch/amd64/amd64/machdep.c b/sys/arch/amd64/amd64/machdep.c
index 7720620..6408ad3 100644
--- a/sys/arch/amd64/amd64/machdep.c
+++ b/sys/arch/amd64/amd64/machdep.c
@@ -74,6 +74,12 @@
 #define CPU_SMEP 0
 #endif
 
+#if defined(__CPU_UMIP)
+#define CPU_UMIP __CPU_UMIP
+#else
+#define CPU_UMIP 0
+#endif
+
 int ibrs_enable(void);
 int simd_init(void);
 void syscall_isr(void);
@@ -355,6 +361,11 @@ cpu_enable_umip(void)
 	struct cpu_info *ci = this_cpu();
 	uint64_t cr4;
 
+	if (!CPU_UMIP) {
+		pr_trace_bsp("UMIP not configured\n");
+		return;
+	}
+
 	if (ISSET(ci->feat, CPU_FEAT_UMIP)) {
 		cr4 = amd64_read_cr4();
 		cr4 |= CR4_UMIP;
diff --git a/sys/arch/amd64/conf/GENERIC b/sys/arch/amd64/conf/GENERIC
index 9411999..6bf3af5 100644
--- a/sys/arch/amd64/conf/GENERIC
+++ b/sys/arch/amd64/conf/GENERIC
@@ -7,6 +7,7 @@
 // option SPECTRE_IBRS no // Enable the IBRS CPU feature
 option SERIAL_DEBUG yes // Enable kmsg serial logging
+option CPU_UMIP yes // Enable User-mode Instruction Prevention
 option USER_KMSG no // Show kmsg in user consoles
 option USER_TSC no // Enable 'rdtsc' in user mode
 option CPU_SMEP yes // Supervisor Memory Exec Protection
-- 
cgit v1.2.3
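Review bot: The fallback `#define CPU_UMIP 0` in the `#else` branch turns UMIP off whenever `__CPU_UMIP` is not defined, so a kernel built from a config file that predates this option silently loses the protection the commit message itself recommends keeping on. If kconf emits `__CPU_UMIP` for both `yes` and `no` (inferred from the identical CPU_SMEP block just above, not visible here), the absent-option case could default to the secure setting with `#define CPU_UMIP 1`; if kconf only defines the macro for `yes`, a one-line comment such as `/* unset in the config means UMIP off; GENERIC sets it to yes */` would at least make the fail-open behaviour visible to whoever writes a custom config. The same default-off pattern is used for CPU_SMEP in the context lines above the hunk.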
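Review bot: The new `if (!CPU_UMIP)` guard tests a compile-time constant at runtime, so when the option is off the `ISSET(ci->feat, CPU_FEAT_UMIP)` path below becomes dead code that the compiler folds away rather than code that is visibly excluded; wrapping the body in `#if CPU_UMIP` / `#else` would state that intent directly, or a comment can say the constant fold is deliberate. Either way the early return deserves a why-comment, because it is the one place where a security feature is knowingly left disabled: `/* CPU_UMIP=no: leave CR4.UMIP clear, so user mode can execute SGDT/SIDT/SLDT/SMSW/STR */`. The trace is emitted through pr_trace_bsp, which presumably logs only from the bootstrap CPU, so per-AP calls would return silently, which is fine as long as that is intended. cpu_enable_umip's body continues past the end of the hunk.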