HBSD: enable the AMD64 Page Tabe Isolation by default when option PAX is defined in kernel configuration

Default the enable the recent PTI mitigation against Intel's Meltdown
bug. So in general, HardenedBSD always comes with enabled mitigation,
since in our kernel always enabled the PAX.

For more detail see: c35d24e497ef2fa5d08a59ddb20123e9d9f58cc4

Discussed-with: Shawn Webb
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

(cherry picked from commit 25b11e7bcfb13d7e8f24148af7374769e25166da)

HBSD: enable PTI by default, when option PAX specified

This is a follow up commit to 1cf1c6c06d2f9cc2a208d17d610064cbc621e01a
and 25b11e7bcfb13d7e8f24148af7374769e25166da .

Suggested-by: noptrix
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

(cherry picked from commit 502559de8775002d1e6ba07f725a1fb40d77893d)
(cherry picked from commit 62f297a550)

sys/amd64/amd64/pmap.c

@@ -106,6 +106,7 @@ __FBSDID("$FreeBSD$");
  *	and to when physical maps must be made correct.
  */
 
+#include "opt_pax.h"
 #include "opt_pmap.h"
 #include "opt_vm.h"
 
@@ -414,7 +415,12 @@ int invpcid_works = 0;
 SYSCTL_INT(_vm_pmap, OID_AUTO, invpcid_works, CTLFLAG_RD, &invpcid_works, 0,
     "Is the invpcid instruction available ?");
 
+#ifdef PAX
+/* The related part of code is in x86/identcpu.c - see pti_get_default() */
+int pti = 1;
+#else
 int pti = 0;
+#endif
 SYSCTL_INT(_vm_pmap, OID_AUTO, pti, CTLFLAG_RDTUN | CTLFLAG_NOFETCH,
     &pti, 0,
     "Page Table Isolation enabled");

sys/x86/x86/identcpu.c

@@ -42,6 +42,7 @@
 __FBSDID("$FreeBSD$");
 
 #include "opt_cpu.h"
+#include "opt_pax.h"
 
 #include <sys/param.h>
 #include <sys/bus.h>
@@ -1596,11 +1597,15 @@ int
 pti_get_default(void)
 {
 
+#ifdef PAX
+	return (1);
+#else
 	if (strcmp(cpu_vendor, AMD_VENDOR_ID) == 0)
 		return (0);
 	if ((cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) != 0)
 		return (0);
 	return (1);
+#endif
 }
 
 static u_int