From 62f297a5508b2c8665fef8c31f0bab829eccaed2 Mon Sep 17 00:00:00 2001
From: Oliver Pinter
Date: Wed, 17 Jan 2018 16:58:32 +0100
Subject: [PATCH] HBSD: enable the AMD64 Page Tabe Isolation by default when option PAX is defined in kernel configuration

Default the enable the recent PTI mitigation against Intel's Meltdown bug. So in general, HardenedBSD always comes with enabled mitigation, since in our kernel always enabled the PAX. For more detail see: c35d24e497ef2fa5d08a59ddb20123e9d9f58cc4

Discussed-with: Shawn Webb
Signed-off-by: Oliver Pinter
(cherry picked from commit 25b11e7bcfb13d7e8f24148af7374769e25166da)

HBSD: enable PTI by default, when option PAX specified

This is a follow up commit to 1cf1c6c06d2f9cc2a208d17d610064cbc621e01a and 25b11e7bcfb13d7e8f24148af7374769e25166da .

Suggested-by: noptrix
Signed-off-by: Oliver Pinter
(cherry picked from commit 502559de8775002d1e6ba07f725a1fb40d77893d)
---
 sys/amd64/amd64/pmap.c | 6 ++++++
 sys/x86/x86/identcpu.c | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/sys/amd64/amd64/pmap.c b/sys/amd64/amd64/pmap.c
index 2989eb40059..54a733c9c1f 100644
--- a/sys/amd64/amd64/pmap.c
+++ b/sys/amd64/amd64/pmap.c
@@ -106,6 +106,7 @@ __FBSDID("$FreeBSD$");
 * and to when physical maps must be made correct.
 */
 
+#include "opt_pax.h"
 #include "opt_pmap.h"
 #include "opt_vm.h"
 
@@ -414,7 +415,12 @@ int invpcid_works = 0;
 SYSCTL_INT(_vm_pmap, OID_AUTO, invpcid_works, CTLFLAG_RD, &invpcid_works, 0,
 "Is the invpcid instruction available ?");
 
+#ifdef PAX
+/* The related part of code is in x86/identcpu.c - see pti_get_default() */
+int pti = 1;
+#else
 int pti = 0;
+#endif
 SYSCTL_INT(_vm_pmap, OID_AUTO, pti, CTLFLAG_RDTUN | CTLFLAG_NOFETCH, &pti, 0,
 "Page Table Isolation enabled");
 
diff --git a/sys/x86/x86/identcpu.c b/sys/x86/x86/identcpu.c
index dd580375454..8b48855639e 100644
--- a/sys/x86/x86/identcpu.c
+++ b/sys/x86/x86/identcpu.c
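Review bot: The `#ifdef PAX` block around `int pti` in the second pmap.c hunk makes the same decision that the identcpu.c hunk now makes inside pti_get_default(), so the default policy lives in two places that must be kept in sync by hand. The sysctl is declared `CTLFLAG_RDTUN | CTLFLAG_NOFETCH`, which suggests the tunable is fetched explicitly later in boot, and the added comment itself names pti_get_default() as the authoritative source; if pmap bootstrap assigns `pti = pti_get_default()` before fetching the tunable, as the referenced PTI commit would suggest, the static initializer is overwritten and the `#ifdef` has no effect. Consider leaving `int pti = 0;` untouched and letting the identcpu.c change carry the policy, or, if the initializer must cover a pre-bootstrap window, replace the added comment with `/* Pre-bootstrap value only; the effective default comes from pti_get_default() in x86/identcpu.c and may be overridden by the vm.pmap.pti tunable. */`.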
@@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
 #include "opt_cpu.h"
+#include "opt_pax.h"
 #include
 #include
@@ -1596,11 +1597,15 @@
 int
 pti_get_default(void)
 {
+#ifdef PAX
+ return (1);
+#else
 if (strcmp(cpu_vendor, AMD_VENDOR_ID) == 0)
 return (0);
 if ((cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) != 0)
 return (0);
 return (1);
+#endif
 }
 
 static u_int
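Review bot: Under `PAX` the new `return (1);` in pti_get_default() is taken before the `AMD_VENDOR_ID` and `IA32_ARCH_CAP_RDCL_NO` checks, so hosts whose CPU reports itself unaffected by the rogue-data-cache-load issue also pay the PTI cost, and nothing in the code records why the hardware signals are ignored. If distrusting the firmware-reported RDCL_NO bit and the vendor check is the intent, say so above the early return, for example `/* PAX: PTI is always on; the vendor and RDCL_NO checks below are deliberately not trusted. Use the vm.pmap.pti tunable to opt out. */`. Otherwise consider keeping the `RDCL_NO` check inside the PAX path and only forcing PTI on for CPUs that do not advertise it, which preserves the hardening default while avoiding the overhead on hardware that documents itself as unaffected.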