HBSD: hide the Silicon Debug CPU capability from bhyve

There is no place for a strongly hardware related and risky feature in bhyve's vmm, so filter out this capability. So disable them by default and set the lock bit to disallow further changes to them. MFC-to: 10-STABLE 11-STABLE Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
HardenedBSD · Jan 25, 2017 · cc91b57 · cc91b57
1 parent e76fcb7
commit cc91b57
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/usr.sbin/bhyve/xmsr.c b/usr.sbin/bhyve/xmsr.c
@@ -58,6 +58,8 @@ emulate_wrmsr(struct vmctx *ctx, int vcpu, uint32_t num, uint64_t val)
 			return (0);
 		case MSR_BIOS_SIGN:
 			return (0);
+		case MSR_IA32_DEBUG_INTERFACE:
+			return (0);
 		default:
 			break;
 		}
@@ -120,6 +122,13 @@ emulate_rdmsr(struct vmctx *ctx, int vcpu, uint32_t num, uint64_t *val)
 			 */
 			*val = 0x000a1003;
 			break;
+		case MSR_IA32_DEBUG_INTERFACE:
+			/*
+			 * Mark the Silicon Debug feature as disabled
+			 * and lock the configuration.
+			 */
+			*val = 0 | IA32_DEBUG_INTERFACE_LOCK;
+			return (0);
 		default:
 			error = -1;
 			break;