From: Hans-Jörg Höxer <hshoexer@genua.de>
Subject: SEV-ES guest: lfence near returns in vctrap handler
To: <tech@openbsd.org>
Date: Wed, 25 Jun 2025 14:57:29 +0200

Hi,

I think we should add lfence to the near returns in the locore0 vctrap
handler code.  While there, I tweaked a comment, as prompted by mlarkin.

Take care,
Hans-Joerg

----
commit 25a9ae17c445ba4e4b7383fbb4bccdb61738192c
Author: Hans-Joerg Hoexer <hshoexer@genua.de>
Date:   Wed Jun 25 12:41:42 2025 +0200

    SEV-ES guest: lfence near returns in vctrap handler
    
    While there, tweak comment.

diff --git a/sys/arch/amd64/amd64/locore0.S b/sys/arch/amd64/amd64/locore0.S
index ab8d1d1c978..3f79af0d3cc 100644
--- a/sys/arch/amd64/amd64/locore0.S
+++ b/sys/arch/amd64/amd64/locore0.S
@@ -208,7 +208,8 @@ bi_size_ok:
 	 * 2) locore_vc_trap64:  Triggered when we are running in
 	 *    32-bit compatibility mode.
 	 *
-	 * The latter one is used by vmd(8).
+	 * The latter one is used by vmd(8) when direct kernel
+	 * launch is configured.
 	 */
 	movl	$RELOC(early_idt), %ecx
 	movl	$T_VC, %edx
@@ -814,6 +815,7 @@ vc_cpuid64:
 	rep vmmcall
 	rdmsr
 	ret
+	lfence
 
 	.globl	locore_vc_trap64
 locore_vc_trap64:
@@ -870,6 +872,7 @@ vc_cpuid32:
 	rep vmmcall
 	rdmsr
 	ret
+	lfence
 
 	.globl	locore_vc_trap32
 locore_vc_trap32: