Reserve page at the physical address zero on amd64.
We always zero the invalidated PTE/PDE for superpage, which means that L1TF CPU vulnerability (CVE-2018-3620) can be only used for reading from the page at zero. Note that both i386 and amd64 exclude the page from phys_avail[] array, so this change is redundant, but I think that phys_avail[] on UEFI-boot does not need to do that. Eventually the blacklisting should be made conditional on CPUs which report that they are not vulnerable to L1TF. Reviewed by: emaste. jhb Sponsored by: The FreeBSD Foundation
This commit is contained in:
parent
8fba5348fc
commit
9840c7373c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=337774
@ -1307,6 +1307,9 @@ pmap_init(void)
|
||||
vm_size_t s;
|
||||
int error, i, pv_npg, ret, skz63;
|
||||
|
||||
/* L1TF, reserve page @0 unconditionally */
|
||||
vm_page_blacklist_add(0, bootverbose);
|
||||
|
||||
/* Detect bare-metal Skylake Server and Skylake-X. */
|
||||
if (vm_guest == VM_GUEST_NO && cpu_vendor_id == CPU_VENDOR_INTEL &&
|
||||
CPUID_TO_FAMILY(cpu_id) == 0x6 && CPUID_TO_MODEL(cpu_id) == 0x55) {
|
||||
|
Loading…
Reference in New Issue
Block a user