From 312f06f761f7362e153ed5a1a9c49e17294e52b5 Mon Sep 17 00:00:00 2001 
From: gordon
Date: Wed, 14 Mar 2018 04:00:00 +0000
Subject: Add mitigations for two classes of speculative execution vulnerabilities on amd64. [FreeBSD-SA-18:03.speculative_execution]
Approved by: so
Security: FreeBSD-SA-18:03.speculative_execution
Security: CVE-2017-5715
Security: CVE-2017-5754
---
UPDATING | 5 +
sys/amd64/amd64/apic_vector.S | 172 ++++-----
sys/amd64/amd64/atpic_vector.S | 53 ++-
sys/amd64/amd64/cpu_switch.S | 13 +-
sys/amd64/amd64/db_trace.c | 1 +
sys/amd64/amd64/exception.S | 562 ++++++++++++++++++++---------
sys/amd64/amd64/genassym.c | 18 +
sys/amd64/amd64/initcpu.c | 1 +
sys/amd64/amd64/machdep.c | 144 +++++---
sys/amd64/amd64/mp_machdep.c | 235 ++++++++++--
sys/amd64/amd64/pmap.c | 576 ++++++++++++++++++++++++++++--
sys/amd64/amd64/support.S | 113 ++++++
sys/amd64/amd64/sys_machdep.c | 30 +-
sys/amd64/amd64/trap.c | 35 +-
sys/amd64/amd64/vm_machdep.c | 2 +
sys/amd64/ia32/ia32_exception.S | 17 +-
sys/amd64/ia32/ia32_syscall.c | 9 +-
sys/amd64/include/asmacros.h | 185 +++++++---
sys/amd64/include/frame.h | 48 ++-
sys/amd64/include/intr_machdep.h | 2 +-
sys/amd64/include/md_var.h | 8 +
sys/amd64/include/pcb.h | 2 +-
sys/amd64/include/pcpu.h | 9 +-
sys/amd64/include/pmap.h | 12 +
sys/amd64/include/smp.h | 28 +-
sys/amd64/vmm/intel/vmx.c | 3 +-
sys/amd64/vmm/vmm.c | 4 +-
sys/conf/Makefile.amd64 | 1 +
sys/conf/newvers.sh | 2 +-
sys/dev/cpuctl/cpuctl.c | 31 +-
sys/dev/hyperv/vmbus/amd64/vmbus_vector.S | 7 +-
sys/dev/hyperv/vmbus/i386/vmbus_vector.S | 1 +
sys/dev/hyperv/vmbus/vmbus.c | 6 +-
sys/i386/i386/apic_vector.s | 4 +
sys/i386/i386/atpic_vector.s | 1 +
sys/i386/i386/exception.s | 1 +
sys/i386/i386/machdep.c | 2 +-
sys/i386/i386/pmap.c | 6 +-
sys/i386/i386/support.s | 8 +
sys/i386/i386/vm_machdep.c | 2 +-
sys/sys/cpuctl.h | 1 +
sys/x86/include/apicvar.h | 6 +-
sys/x86/include/specialreg.h | 25 ++
sys/x86/include/x86_smp.h | 5 +-
sys/x86/include/x86_var.h | 11 +-
sys/x86/isa/atpic.c | 17 +-
sys/x86/x86/cpu_machdep.c | 52 +++
sys/x86/x86/identcpu.c | 110 ++++-- sys/x86/x86/local_apic.c | 40 ++- sys/x86/x86/mp_x86.c | 11 +- sys/x86/xen/pv.c | 3 + usr.sbin/cpucontrol/cpucontrol.8 | 32 +- usr.sbin/cpucontrol/cpucontrol.c | 60 +++- 53 files changed, 2141 insertions(+), 591 deletions(-) diff --git a/UPDATING b/UPDATING index d8eadbe..a754cca 100644 --- a/UPDATING +++ b/UPDATING @@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20180314 p8 FreeBSD-SA-18:03.speculative_execution + + Add mitigations for two classes of speculative execution vulnerabilities + on amd64. + 20180307 p7 FreeBSD-SA-18:01.ipsec FreeBSD-SA-18:02.ntp FreeBSD-EN-18:01.tzdata diff --git a/sys/amd64/amd64/apic_vector.S b/sys/amd64/amd64/apic_vector.S index b3ca520..ea93d32 100644 --- a/sys/amd64/amd64/apic_vector.S +++ b/sys/amd64/amd64/apic_vector.S @@ -2,6 +2,12 @@ * Copyright (c) 1989, 1990 William F. Jolitz. * Copyright (c) 1990 The Regents of the University of California. * All rights reserved. + * Copyright (c) 2014-2018 The FreeBSD Foundation + * All rights reserved. + * + * Portions of this software were developed by + * Konstantin Belousov under sponsorship from + * the FreeBSD Foundation. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -38,12 +44,12 @@ #include "opt_smp.h" +#include "assym.s" + #include #include #include -#include "assym.s" - #ifdef SMP #define LK lock ; #else 
@@ -73,30 +79,28 @@ as_lapic_eoi: * translates that into a vector, and passes the vector to the * lapic_handle_intr() function. */ -#define ISR_VEC(index, vec_name) \ - .text ; \ - SUPERALIGN_TEXT ; \ -IDTVEC(vec_name) ; \ - PUSH_FRAME ; \ - FAKE_MCOUNT(TF_RIP(%rsp)) ; \ - cmpl $0,x2apic_mode ; \ - je 1f ; \ - movl $(MSR_APIC_ISR0 + index),%ecx ; \ - rdmsr ; \ - jmp 2f ; \ -1: ; \ - movq lapic_map, %rdx ; /* pointer to local APIC */ \ - movl LA_ISR + 16 * (index)(%rdx), %eax ; /* load ISR */ \ -2: ; \ - bsrl %eax, %eax ; /* index of highest set bit in ISR */ \ - jz 3f ; \ - addl $(32 * index),%eax ; \ - movq %rsp, %rsi ; \ - movl %eax, %edi ; /* pass the IRQ */ \ - call lapic_handle_intr ; \ -3: ; \ - MEXITCOUNT ; \ + .macro ISR_VEC index, vec_name + INTR_HANDLER \vec_name + FAKE_MCOUNT(TF_RIP(%rsp)) + cmpl $0,x2apic_mode + je 1f + movl $(MSR_APIC_ISR0 + \index),%ecx + rdmsr + jmp 2f +1: + movq lapic_map, %rdx /* pointer to local APIC */ + movl LA_ISR + 16 * (\index)(%rdx), %eax /* load ISR */ +2: + bsrl %eax, %eax /* index of highest set bit in ISR */ + jz 3f + addl $(32 * \index),%eax + movq %rsp, %rsi + movl %eax, %edi /* pass the IRQ */ + call lapic_handle_intr +3: + MEXITCOUNT jmp doreti + .endm /* * Handle "spurious INTerrupts". @@ -108,26 +112,21 @@ IDTVEC(vec_name) ; \ .text SUPERALIGN_TEXT IDTVEC(spuriousint) - /* No EOI cycle used here */ - jmp doreti_iret - ISR_VEC(1, apic_isr1) - ISR_VEC(2, apic_isr2) - ISR_VEC(3, apic_isr3) - ISR_VEC(4, apic_isr4) - ISR_VEC(5, apic_isr5) - ISR_VEC(6, apic_isr6) - ISR_VEC(7, apic_isr7) + ISR_VEC 1, apic_isr1 + ISR_VEC 2, apic_isr2 + ISR_VEC 3, apic_isr3 + ISR_VEC 4, apic_isr4 + ISR_VEC 5, apic_isr5 + ISR_VEC 6, apic_isr6 + ISR_VEC 7, apic_isr7 /* * Local APIC periodic timer handler. */ - .text - SUPERALIGN_TEXT -IDTVEC(timerint) - PUSH_FRAME + INTR_HANDLER timerint FAKE_MCOUNT(TF_RIP(%rsp)) movq %rsp, %rdi call lapic_handle_timer 
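Review bot: In the apic_vector.S hunk at `@@ -108,26 +112,21 @@`, `IDTVEC(spuriousint)` is the one vector left on the plain `IDTVEC` entry while the ISR, timer, CMCI, error and Xen vectors move to `INTR_HANDLER`, and its existing comment only covers the missing EOI. If the intent is that a bare `jmp doreti_iret` is safe from user mode because the handler touches neither the trap frame nor per-CPU data, the comment should say so, e.g. `/* No EOI cycle used here; no frame or %gs access, so no PTI entry is needed */`. That reading is inferred from the three visible lines, and `INTR_HANDLER` itself is defined outside this page.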
@@ -137,10 +136,7 @@ IDTVEC(timerint) /* * Local APIC CMCI handler. */ - .text - SUPERALIGN_TEXT -IDTVEC(cmcint) - PUSH_FRAME + INTR_HANDLER cmcint FAKE_MCOUNT(TF_RIP(%rsp)) call lapic_handle_cmc MEXITCOUNT @@ -149,10 +145,7 @@ IDTVEC(cmcint) /* * Local APIC error interrupt handler. */ - .text - SUPERALIGN_TEXT -IDTVEC(errorint) - PUSH_FRAME + INTR_HANDLER errorint FAKE_MCOUNT(TF_RIP(%rsp)) call lapic_handle_error MEXITCOUNT @@ -163,10 +156,7 @@ IDTVEC(errorint) * Xen event channel upcall interrupt handler. * Only used when the hypervisor supports direct vector callbacks. */ - .text - SUPERALIGN_TEXT -IDTVEC(xen_intr_upcall) - PUSH_FRAME + INTR_HANDLER xen_intr_upcall FAKE_MCOUNT(TF_RIP(%rsp)) movq %rsp, %rdi call xen_intr_handle_upcall 
@@ -183,74 +173,68 @@ IDTVEC(xen_intr_upcall) SUPERALIGN_TEXT invltlb_ret: call as_lapic_eoi - POP_FRAME - jmp doreti_iret + jmp ld_regs SUPERALIGN_TEXT -IDTVEC(invltlb) - PUSH_FRAME - + INTR_HANDLER invltlb call invltlb_handler jmp invltlb_ret -IDTVEC(invltlb_pcid) - PUSH_FRAME - + INTR_HANDLER invltlb_pcid call invltlb_pcid_handler jmp invltlb_ret -IDTVEC(invltlb_invpcid) - PUSH_FRAME - + INTR_HANDLER invltlb_invpcid_nopti call invltlb_invpcid_handler jmp invltlb_ret + INTR_HANDLER invltlb_invpcid_pti + call invltlb_invpcid_pti_handler + jmp invltlb_ret + /* * Single page TLB shootdown */ - .text + INTR_HANDLER invlpg + call invlpg_handler + jmp invltlb_ret - SUPERALIGN_TEXT -IDTVEC(invlpg) - PUSH_FRAME + INTR_HANDLER invlpg_invpcid + call invlpg_invpcid_handler + jmp invltlb_ret - call invlpg_handler + INTR_HANDLER invlpg_pcid + call invlpg_pcid_handler jmp invltlb_ret /* * Page range TLB shootdown. */ - .text - SUPERALIGN_TEXT -IDTVEC(invlrng) - PUSH_FRAME - + INTR_HANDLER invlrng call invlrng_handler jmp invltlb_ret + INTR_HANDLER invlrng_invpcid + call invlrng_invpcid_handler + jmp invltlb_ret + + INTR_HANDLER invlrng_pcid + call invlrng_pcid_handler + jmp invltlb_ret + /* * Invalidate cache. */ - .text - SUPERALIGN_TEXT -IDTVEC(invlcache) - PUSH_FRAME - + INTR_HANDLER invlcache call invlcache_handler jmp invltlb_ret /* * Handler for IPIs sent via the per-cpu IPI bitmap. */ - .text - SUPERALIGN_TEXT -IDTVEC(ipi_intr_bitmap_handler) - PUSH_FRAME - + INTR_HANDLER ipi_intr_bitmap_handler call as_lapic_eoi - FAKE_MCOUNT(TF_RIP(%rsp)) - call ipi_bitmap_handler MEXITCOUNT jmp doreti 
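Review bot: `invltlb_ret` now leaves through `jmp ld_regs` instead of `POP_FRAME` followed by `jmp doreti_iret`, and nothing at the label records why. The reason is only visible in exception.S later in this patch, where `ld_regs` calls `handle_ibrs_exit_rs` and loads `PCPU(UCR3)` into %cr3 when the frame returns to user mode. A comment at the label such as `/* ld_regs runs the IBRS exit hook and the PTI %cr3 switch on return to user mode */` would keep a later cleanup from restoring the short path for the shootdown IPIs.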
@@ -258,24 +242,15 @@ IDTVEC(ipi_intr_bitmap_handler) /* * Executed by a CPU when it receives an IPI_STOP from another CPU. */ - .text - SUPERALIGN_TEXT -IDTVEC(cpustop) - PUSH_FRAME - + INTR_HANDLER cpustop call as_lapic_eoi - call cpustop_handler jmp doreti /* * Executed by a CPU when it receives an IPI_SUSPEND from another CPU. */ - .text - SUPERALIGN_TEXT -IDTVEC(cpususpend) - PUSH_FRAME - + INTR_HANDLER cpususpend call cpususpend_handler call as_lapic_eoi jmp doreti @@ -285,10 +260,7 @@ IDTVEC(cpususpend) * * - Calls the generic rendezvous action function. */ - .text - SUPERALIGN_TEXT -IDTVEC(rendezvous) - PUSH_FRAME + INTR_HANDLER rendezvous #ifdef COUNT_IPIS movl PCPU(CPUID), %eax movq ipi_rendezvous_counts(,%rax,8), %rax @@ -328,4 +300,8 @@ IDTVEC(justreturn) popq %rax jmp doreti_iret + INTR_HANDLER justreturn1 + call as_lapic_eoi + jmp doreti + #endif /* SMP */ diff --git a/sys/amd64/amd64/atpic_vector.S b/sys/amd64/amd64/atpic_vector.S index e7dcbc3..0cc0cd4 100644 --- a/sys/amd64/amd64/atpic_vector.S +++ b/sys/amd64/amd64/atpic_vector.S 
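Review bot: The new `INTR_HANDLER justreturn1` in the last apic_vector.S hunk has no header comment, unlike the other handlers in this file, and its name does not say how it differs from `justreturn` directly above it. From the visible lines, `justreturn` ends with `popq %rax` and `jmp doreti_iret`, while `justreturn1` calls `as_lapic_eoi` and returns through `doreti`. A comment stating that difference and naming the IPI vector meant to use the new entry belongs above it; the vector setup is outside this page.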
@@ -36,38 +36,35 @@ * master and slave interrupt controllers. */ -#include - #include "assym.s" +#include /* * Macros for interrupt entry, call to handler, and exit. */ -#define INTR(irq_num, vec_name) \ - .text ; \ - SUPERALIGN_TEXT ; \ -IDTVEC(vec_name) ; \ - PUSH_FRAME ; \ - FAKE_MCOUNT(TF_RIP(%rsp)) ; \ - movq %rsp, %rsi ; \ - movl $irq_num, %edi; /* pass the IRQ */ \ - call atpic_handle_intr ; \ - MEXITCOUNT ; \ + .macro INTR irq_num, vec_name + INTR_HANDLER \vec_name + FAKE_MCOUNT(TF_RIP(%rsp)) + movq %rsp, %rsi + movl $\irq_num, %edi /* pass the IRQ */ + call atpic_handle_intr + MEXITCOUNT jmp doreti + .endm - INTR(0, atpic_intr0) - INTR(1, atpic_intr1) - INTR(2, atpic_intr2) - INTR(3, atpic_intr3) - INTR(4, atpic_intr4) - INTR(5, atpic_intr5) - INTR(6, atpic_intr6) - INTR(7, atpic_intr7) - INTR(8, atpic_intr8) - INTR(9, atpic_intr9) - INTR(10, atpic_intr10) - INTR(11, atpic_intr11) - INTR(12, atpic_intr12) - INTR(13, atpic_intr13) - INTR(14, atpic_intr14) - INTR(15, atpic_intr15) + INTR 0, atpic_intr0 + INTR 1, atpic_intr1 + INTR 2, atpic_intr2 + INTR 3, atpic_intr3 + INTR 4, atpic_intr4 + INTR 5, atpic_intr5 + INTR 6, atpic_intr6 + INTR 7, atpic_intr7 + INTR 8, atpic_intr8 + INTR 9, atpic_intr9 + INTR 10, atpic_intr10 + INTR 11, atpic_intr11 + INTR 12, atpic_intr12 + INTR 13, atpic_intr13 + INTR 14, atpic_intr14 + INTR 15, atpic_intr15 diff --git a/sys/amd64/amd64/cpu_switch.S b/sys/amd64/amd64/cpu_switch.S index 64a3485..ff47afb 100644 --- a/sys/amd64/amd64/cpu_switch.S +++ b/sys/amd64/amd64/cpu_switch.S @@ -191,9 +191,11 @@ do_kthread: done_tss: movq %r8,PCPU(RSP0) movq %r8,PCPU(CURPCB) - /* Update the TSS_RSP0 pointer for the next interrupt */ + /* Update the COMMON_TSS_RSP0 pointer for the next interrupt */ + cmpb $0,pti(%rip) + jne 1f movq %r8,COMMON_TSS_RSP0(%rdx) - movq %r12,PCPU(CURTHREAD) /* into next thread */ +1: movq %r12,PCPU(CURTHREAD) /* into next thread */ /* Test if debug registers should be restored. */ testl $PCB_DBREGS,PCB_FLAGS(%r8) 
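Review bot: In the cpu_switch.S hunk at `done_tss`, the comment `/* Update the COMMON_TSS_RSP0 pointer for the next interrupt */` now describes only the `pti == 0` case, because the store of %r8 is skipped when `pti` is non-zero. Suggested wording: `/* Without PTI, point COMMON_TSS_RSP0 at the new pcb; with PTI it stays on the per-CPU PTI stack set in do_tss */`. The second half is taken from the `do_tss` hunk that follows, which writes `PCPU(PRVSPACE)` plus `PC_PTI_STACK+PC_PTI_STACK_SZ*8` into the same field.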
@@ -270,7 +272,12 @@ do_tss: movq %rdx,PCPU(TSSP) shrq $8,%rcx movl %ecx,8(%rax) movb $0x89,5(%rax) /* unset busy */ - movl $TSSSEL,%eax + cmpb $0,pti(%rip) + je 1f + movq PCPU(PRVSPACE),%rax + addq $PC_PTI_STACK+PC_PTI_STACK_SZ*8,%rax + movq %rax,COMMON_TSS_RSP0(%rdx) +1: movl $TSSSEL,%eax ltr %ax jmp done_tss diff --git a/sys/amd64/amd64/db_trace.c b/sys/amd64/amd64/db_trace.c index 381237b..d15d207 100644 --- a/sys/amd64/amd64/db_trace.c +++ b/sys/amd64/amd64/db_trace.c @@ -200,6 +200,7 @@ db_nextframe(struct amd64_frame **fp, db_addr_t *ip, struct thread *td) if (name != NULL) { if (strcmp(name, "calltrap") == 0 || strcmp(name, "fork_trampoline") == 0 || + strcmp(name, "mchk_calltrap") == 0 || strcmp(name, "nmi_calltrap") == 0 || strcmp(name, "Xdblfault") == 0) frame_type = TRAP; diff --git a/sys/amd64/amd64/exception.S b/sys/amd64/amd64/exception.S index 2c2b99b..524e729 100644 --- a/sys/amd64/amd64/exception.S +++ b/sys/amd64/amd64/exception.S @@ -1,12 +1,16 @@ /*- * Copyright (c) 1989, 1990 William F. Jolitz. * Copyright (c) 1990 The Regents of the University of California. - * Copyright (c) 2007 The FreeBSD Foundation + * Copyright (c) 2007-2018 The FreeBSD Foundation * All rights reserved. * * Portions of this software were developed by A. Joseph Koshy under * sponsorship from the FreeBSD Foundation and Google, Inc. * + * Portions of this software were developed by + * Konstantin Belousov under sponsorship from + * the FreeBSD Foundation. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -38,13 +42,13 @@ #include "opt_compat.h" #include "opt_hwpmc_hooks.h" +#include "assym.s" + #include #include #include #include -#include "assym.s" - #ifdef KDTRACE_HOOKS .bss .globl dtrace_invop_jump_addr 
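Review bot: The top of the per-CPU PTI stack is written out as `$PC_PTI_STACK+PC_PTI_STACK_SZ*8` in the `do_tss` hunk, and the same expression minus `PTI_SIZE` is repeated at `ld_regs` in exception.S. The `*8` bakes the element width of `pc_pti_stack` into two assembly files, while genassym.c exports only the element count. Exporting the byte offset of the stack top once from genassym.c and using that symbol at both sites would keep the assembly correct if the array type changes. The declaration of `pc_pti_stack` is not on this page, so the 8-byte element size is inferred from these uses.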
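Review bot: Syscall frames may stop being recognised by `db_nextframe` after this patch, which the one-line `mchk_calltrap` addition in the db_trace.c hunk does not cover. exception.S now places the non-local label `fast_syscall_common` after `Xfast_syscall`, so a return address in the shared entry path would presumably resolve to the new name. If the SYSCALL branch of this function still compares only against `Xfast_syscall`, it needs one more test, `strcmp(name, "fast_syscall_common") == 0`. That branch is outside the hunk, so this has to be checked against the full function.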
@@ -100,68 +104,61 @@ dtrace_invop_calltrap_addr: MCOUNT_LABEL(user) MCOUNT_LABEL(btrap) -/* Traps that we leave interrupts disabled for.. */ -#define TRAP_NOEN(a) \ - subq $TF_RIP,%rsp; \ - movl $(a),TF_TRAPNO(%rsp) ; \ - movq $0,TF_ADDR(%rsp) ; \ - movq $0,TF_ERR(%rsp) ; \ +/* Traps that we leave interrupts disabled for. */ + .macro TRAP_NOEN l, trapno + PTI_ENTRY \l,X\l + .globl X\l + .type X\l,@function +X\l: subq $TF_RIP,%rsp + movl $\trapno,TF_TRAPNO(%rsp) + movq $0,TF_ADDR(%rsp) + movq $0,TF_ERR(%rsp) jmp alltraps_noen -IDTVEC(dbg) - TRAP_NOEN(T_TRCTRAP) -IDTVEC(bpt) - TRAP_NOEN(T_BPTFLT) + .endm + + TRAP_NOEN dbg, T_TRCTRAP + TRAP_NOEN bpt, T_BPTFLT #ifdef KDTRACE_HOOKS -IDTVEC(dtrace_ret) - TRAP_NOEN(T_DTRACE_RET) + TRAP_NOEN dtrace_ret, T_DTRACE_RET #endif /* Regular traps; The cpu does not supply tf_err for these. */ -#define TRAP(a) \ - subq $TF_RIP,%rsp; \ - movl $(a),TF_TRAPNO(%rsp) ; \ - movq $0,TF_ADDR(%rsp) ; \ - movq $0,TF_ERR(%rsp) ; \ + .macro TRAP l, trapno + PTI_ENTRY \l,X\l + .globl X\l + .type X\l,@function +X\l: + subq $TF_RIP,%rsp + movl $\trapno,TF_TRAPNO(%rsp) + movq $0,TF_ADDR(%rsp) + movq $0,TF_ERR(%rsp) jmp alltraps -IDTVEC(div) - TRAP(T_DIVIDE) -IDTVEC(ofl) - TRAP(T_OFLOW) -IDTVEC(bnd) - TRAP(T_BOUND) -IDTVEC(ill) - TRAP(T_PRIVINFLT) -IDTVEC(dna) - TRAP(T_DNA) -IDTVEC(fpusegm) - TRAP(T_FPOPFLT) -IDTVEC(mchk) - TRAP(T_MCHK) -IDTVEC(rsvd) - TRAP(T_RESERVED) -IDTVEC(fpu) - TRAP(T_ARITHTRAP) -IDTVEC(xmm) - TRAP(T_XMMFLT) - -/* This group of traps have tf_err already pushed by the cpu */ -#define TRAP_ERR(a) \ - subq $TF_ERR,%rsp; \ - movl $(a),TF_TRAPNO(%rsp) ; \ - movq $0,TF_ADDR(%rsp) ; \ + .endm + + TRAP div, T_DIVIDE + TRAP ofl, T_OFLOW + TRAP bnd, T_BOUND + TRAP ill, T_PRIVINFLT + TRAP dna, T_DNA + TRAP fpusegm, T_FPOPFLT + TRAP rsvd, T_RESERVED + TRAP fpu, T_ARITHTRAP + TRAP xmm, T_XMMFLT + +/* This group of traps have tf_err already pushed by the cpu. 
*/ + .macro TRAP_ERR l, trapno + PTI_ENTRY \l,X\l,has_err=1 + .globl X\l + .type X\l,@function +X\l: + subq $TF_ERR,%rsp + movl $\trapno,TF_TRAPNO(%rsp) + movq $0,TF_ADDR(%rsp) jmp alltraps -IDTVEC(tss) - TRAP_ERR(T_TSSFLT) -IDTVEC(missing) - subq $TF_ERR,%rsp - movl $T_SEGNPFLT,TF_TRAPNO(%rsp) - jmp prot_addrf -IDTVEC(stk) - subq $TF_ERR,%rsp - movl $T_STKFLT,TF_TRAPNO(%rsp) - jmp prot_addrf -IDTVEC(align) - TRAP_ERR(T_ALIGNFLT) + .endm + + TRAP_ERR tss, T_TSSFLT + TRAP_ERR align, T_ALIGNFLT /* * alltraps entry point. Use swapgs if this is the first time in the @@ -174,25 +171,24 @@ IDTVEC(align) alltraps: movq %rdi,TF_RDI(%rsp) testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */ - jz alltraps_testi /* already running with kernel GS.base */ + jz 1f /* already running with kernel GS.base */ swapgs movq PCPU(CURPCB),%rdi andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi) - movw %fs,TF_FS(%rsp) - movw %gs,TF_GS(%rsp) - movw %es,TF_ES(%rsp) - movw %ds,TF_DS(%rsp) -alltraps_testi: - testl $PSL_I,TF_RFLAGS(%rsp) - jz alltraps_pushregs_no_rdi - sti -alltraps_pushregs_no_rdi: - movq %rsi,TF_RSI(%rsp) +1: SAVE_SEGS movq %rdx,TF_RDX(%rsp) + movq %rax,TF_RAX(%rsp) movq %rcx,TF_RCX(%rsp) + testb $SEL_RPL_MASK,TF_CS(%rsp) + jz 2f + call handle_ibrs_entry +2: testl $PSL_I,TF_RFLAGS(%rsp) + jz alltraps_pushregs_no_rax + sti +alltraps_pushregs_no_rax: + movq %rsi,TF_RSI(%rsp) movq %r8,TF_R8(%rsp) movq %r9,TF_R9(%rsp) - movq %rax,TF_RAX(%rsp) movq %rbx,TF_RBX(%rsp) movq %rbp,TF_RBP(%rsp) movq %r10,TF_R10(%rsp) 
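Review bot: The reordering in `alltraps` that stores %rdx, %rax and %rcx before `call handle_ibrs_entry` carries no comment, and the renamed label `alltraps_pushregs_no_rax` names only one of the four registers already saved at that point. Presumably the helper accesses an MSR and so clobbers exactly those three registers; its body is in support.S, outside this page. If that is the reason, a comment at the stores such as `/* %rax, %rcx, %rdx must be in the frame before handle_ibrs_entry clobbers them */` would make the ordering constraint explicit. The same applies to `alltraps_noen`, `Xpage` and `prot_addrf` in the following hunks.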
@@ -248,15 +244,18 @@ calltrap: alltraps_noen: movq %rdi,TF_RDI(%rsp) testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */ - jz 1f /* already running with kernel GS.base */ + jz 1f /* already running with kernel GS.base */ swapgs movq PCPU(CURPCB),%rdi andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi) -1: movw %fs,TF_FS(%rsp) - movw %gs,TF_GS(%rsp) - movw %es,TF_ES(%rsp) - movw %ds,TF_DS(%rsp) - jmp alltraps_pushregs_no_rdi +1: SAVE_SEGS + movq %rdx,TF_RDX(%rsp) + movq %rax,TF_RAX(%rsp) + movq %rcx,TF_RCX(%rsp) + testb $SEL_RPL_MASK,TF_CS(%rsp) + jz alltraps_pushregs_no_rax + call handle_ibrs_entry + jmp alltraps_pushregs_no_rax IDTVEC(dblfault) subq $TF_ERR,%rsp 
@@ -278,70 +277,131 @@ IDTVEC(dblfault) movq %r13,TF_R13(%rsp) movq %r14,TF_R14(%rsp) movq %r15,TF_R15(%rsp) - movw %fs,TF_FS(%rsp) - movw %gs,TF_GS(%rsp) - movw %es,TF_ES(%rsp) - movw %ds,TF_DS(%rsp) + SAVE_SEGS movl $TF_HASSEGS,TF_FLAGS(%rsp) cld testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */ jz 1f /* already running with kernel GS.base */ swapgs 1: - movq %rsp,%rdi + movq PCPU(KCR3),%rax + cmpq $~0,%rax + je 2f + movq %rax,%cr3 +2: movq %rsp,%rdi call dblfault_handler -2: - hlt - jmp 2b +3: hlt + jmp 3b + ALIGN_TEXT +IDTVEC(page_pti) + testb $SEL_RPL_MASK,PTI_CS-2*8(%rsp) + jz Xpage + swapgs + pushq %rax + pushq %rdx + movq %cr3,%rax + movq %rax,PCPU(SAVED_UCR3) + PTI_UUENTRY has_err=1 + subq $TF_ERR,%rsp + movq %rdi,TF_RDI(%rsp) + movq %rax,TF_RAX(%rsp) + movq %rdx,TF_RDX(%rsp) + movq %rcx,TF_RCX(%rsp) + jmp page_u IDTVEC(page) subq $TF_ERR,%rsp - movl $T_PAGEFLT,TF_TRAPNO(%rsp) - movq %rdi,TF_RDI(%rsp) /* free up a GP register */ + movq %rdi,TF_RDI(%rsp) /* free up GP registers */ + movq %rax,TF_RAX(%rsp) + movq %rdx,TF_RDX(%rsp) + movq %rcx,TF_RCX(%rsp) testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */ - jz 1f /* already running with kernel GS.base */ + jz page_cr2 /* already running with kernel GS.base */ swapgs - movq PCPU(CURPCB),%rdi +page_u: movq PCPU(CURPCB),%rdi andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi) -1: movq %cr2,%rdi /* preserve %cr2 before .. */ + movq PCPU(SAVED_UCR3),%rax + movq %rax,PCB_SAVED_UCR3(%rdi) + call handle_ibrs_entry +page_cr2: + movq %cr2,%rdi /* preserve %cr2 before .. */ movq %rdi,TF_ADDR(%rsp) /* enabling interrupts. */ - movw %fs,TF_FS(%rsp) - movw %gs,TF_GS(%rsp) - movw %es,TF_ES(%rsp) - movw %ds,TF_DS(%rsp) + SAVE_SEGS + movl $T_PAGEFLT,TF_TRAPNO(%rsp) testl $PSL_I,TF_RFLAGS(%rsp) - jz alltraps_pushregs_no_rdi + jz alltraps_pushregs_no_rax sti - jmp alltraps_pushregs_no_rdi + jmp alltraps_pushregs_no_rax /* * We have to special-case this one. 
If we get a trap in doreti() at * the iretq stage, we'll reenter with the wrong gs state. We'll have * to do a special the swapgs in this case even coming from the kernel. * XXX linux has a trap handler for their equivalent of load_gs(). + * + * On the stack, we have the hardware interrupt frame to return + * to usermode (faulted) and another frame with error code, for + * fault. For PTI, copy both frames to the main thread stack. */ -IDTVEC(prot) + .macro PROTF_ENTRY name,trapno +\name\()_pti_doreti: + pushq %rax + pushq %rdx + swapgs + movq PCPU(KCR3),%rax + movq %rax,%cr3 + movq PCPU(RSP0),%rax + subq $2*PTI_SIZE-3*8,%rax /* no err, %rax, %rdx in faulted frame */ + MOVE_STACKS (PTI_SIZE / 4 - 3) + movq %rax,%rsp + popq %rdx + popq %rax + swapgs + jmp X\name +IDTVEC(\name\()_pti) + cmpq $doreti_iret,PTI_RIP-2*8(%rsp) + je \name\()_pti_doreti + testb $SEL_RPL_MASK,PTI_CS-2*8(%rsp) /* %rax, %rdx not yet pushed */ + jz X\name + PTI_UENTRY has_err=1 + swapgs +IDTVEC(\name) subq $TF_ERR,%rsp - movl $T_PROTFLT,TF_TRAPNO(%rsp) + movl $\trapno,TF_TRAPNO(%rsp) + jmp prot_addrf + .endm + + PROTF_ENTRY missing, T_SEGNPFLT + PROTF_ENTRY stk, T_STKFLT + PROTF_ENTRY prot, T_PROTFLT + prot_addrf: movq $0,TF_ADDR(%rsp) movq %rdi,TF_RDI(%rsp) /* free up a GP register */ + movq %rax,TF_RAX(%rsp) + movq %rdx,TF_RDX(%rsp) + movq %rcx,TF_RCX(%rsp) + movw %fs,TF_FS(%rsp) + movw %gs,TF_GS(%rsp) leaq doreti_iret(%rip),%rdi cmpq %rdi,TF_RIP(%rsp) - je 1f /* kernel but with user gsbase!! */ + je 5f /* kernel but with user gsbase!! */ testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? 
*/ - jz 2f /* already running with kernel GS.base */ -1: swapgs -2: movq PCPU(CURPCB),%rdi + jz 6f /* already running with kernel GS.base */ + swapgs + movq PCPU(CURPCB),%rdi +4: call handle_ibrs_entry orl $PCB_FULL_IRET,PCB_FLAGS(%rdi) /* always full iret from GPF */ - movw %fs,TF_FS(%rsp) - movw %gs,TF_GS(%rsp) movw %es,TF_ES(%rsp) movw %ds,TF_DS(%rsp) testl $PSL_I,TF_RFLAGS(%rsp) - jz alltraps_pushregs_no_rdi + jz alltraps_pushregs_no_rax sti - jmp alltraps_pushregs_no_rdi + jmp alltraps_pushregs_no_rax + +5: swapgs +6: movq PCPU(CURPCB),%rdi + jmp 4b /* * Fast syscall entry point. We enter here with just our new %cs/%ss set, @@ -352,8 +412,18 @@ prot_addrf: * We do not support invoking this from a custom %cs or %ss (e.g. using * entries from an LDT). */ + SUPERALIGN_TEXT +IDTVEC(fast_syscall_pti) + swapgs + movq %rax,PCPU(SCRATCH_RAX) + movq PCPU(KCR3),%rax + movq %rax,%cr3 + jmp fast_syscall_common + SUPERALIGN_TEXT IDTVEC(fast_syscall) swapgs + movq %rax,PCPU(SCRATCH_RAX) +fast_syscall_common: movq %rsp,PCPU(SCRATCH_RSP) movq PCPU(RSP0),%rsp /* Now emulate a trapframe. Make the 8 byte alignment odd for call. */ @@ -363,10 +433,11 @@ IDTVEC(fast_syscall) movq %rcx,TF_RIP(%rsp) /* %rcx original value is in %r10 */ movq PCPU(SCRATCH_RSP),%r11 /* %r11 already saved */ movq %r11,TF_RSP(%rsp) /* user stack pointer */ - movw %fs,TF_FS(%rsp) - movw %gs,TF_GS(%rsp) - movw %es,TF_ES(%rsp) - movw %ds,TF_DS(%rsp) + movq PCPU(SCRATCH_RAX),%rax + movq %rax,TF_RAX(%rsp) /* syscall number */ + movq %rdx,TF_RDX(%rsp) /* arg 3 */ + SAVE_SEGS + call handle_ibrs_entry movq PCPU(CURPCB),%r11 andl $~PCB_FULL_IRET,PCB_FLAGS(%r11) sti 
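Review bot: In the hunk at `@@ -278,70 +277,131 @@`, the double-fault entry compares `PCPU(KCR3)` with `$~0` and skips the %cr3 load on a match, but the meaning of that sentinel is not stated here or in the NMI and MC# entries that repeat the sequence. Presumably `~0` marks a CPU with no separate kernel page table to switch to, i.e. PTI not in use. A named constant shared with the C side, or at least a comment like `/* pc_kcr3 == ~0: no PTI page table, keep the current %cr3 */` at each site, would make these three paths auditable without reading pmap.c. The code that initialises `pc_kcr3` is outside this page.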
@@ -375,11 +446,9 @@ IDTVEC(fast_syscall) movq $2,TF_ERR(%rsp) movq %rdi,TF_RDI(%rsp) /* arg 1 */ movq %rsi,TF_RSI(%rsp) /* arg 2 */ - movq %rdx,TF_RDX(%rsp) /* arg 3 */ movq %r10,TF_RCX(%rsp) /* arg 4 */ movq %r8,TF_R8(%rsp) /* arg 5 */ movq %r9,TF_R9(%rsp) /* arg 6 */ - movq %rax,TF_RAX(%rsp) /* syscall number */ movq %rbx,TF_RBX(%rsp) /* C preserved */ movq %rbp,TF_RBP(%rsp) /* C preserved */ movq %r12,TF_R12(%rsp) /* C preserved */ @@ -398,11 +467,12 @@ IDTVEC(fast_syscall) /* Disable interrupts before testing PCB_FULL_IRET. */ cli testl $PCB_FULL_IRET,PCB_FLAGS(%rax) - jnz 3f + jnz 4f /* Check for and handle AST's on return to userland. */ movq PCPU(CURTHREAD),%rax testl $TDF_ASTPENDING | TDF_NEEDRESCHED,TD_FLAGS(%rax) - jne 2f + jne 3f + call handle_ibrs_exit /* Restore preserved registers. */ MEXITCOUNT movq TF_RDI(%rsp),%rdi /* bonus; preserve arg 1 */ @@ -412,16 +482,21 @@ IDTVEC(fast_syscall) movq TF_RFLAGS(%rsp),%r11 /* original %rflags */ movq TF_RIP(%rsp),%rcx /* original %rip */ movq TF_RSP(%rsp),%rsp /* user stack pointer */ - swapgs + cmpb $0,pti + je 2f + movq PCPU(UCR3),%r9 + movq %r9,%cr3 + xorl %r9d,%r9d +2: swapgs sysretq -2: /* AST scheduled. */ +3: /* AST scheduled. */ sti movq %rsp,%rdi call ast jmp 1b -3: /* Requested full context restore, use doreti for that. */ +4: /* Requested full context restore, use doreti for that. */ MEXITCOUNT jmp doreti @@ -477,17 +552,15 @@ IDTVEC(nmi) movq %r13,TF_R13(%rsp) movq %r14,TF_R14(%rsp) movq %r15,TF_R15(%rsp) - movw %fs,TF_FS(%rsp) - movw %gs,TF_GS(%rsp) - movw %es,TF_ES(%rsp) - movw %ds,TF_DS(%rsp) + SAVE_SEGS movl $TF_HASSEGS,TF_FLAGS(%rsp) cld xorl %ebx,%ebx testb $SEL_RPL_MASK,TF_CS(%rsp) jnz nmi_fromuserspace /* - * We've interrupted the kernel. Preserve GS.base in %r12. + * We've interrupted the kernel. Preserve GS.base in %r12, + * %cr3 in %r13, and possibly lower half of MSR_IA32_SPEC_CTL in %r14d. */ movl $MSR_GSBASE,%ecx rdmsr 
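Review bot: On the `sysretq` path in the hunk at `@@ -412,16 +482,21 @@`, the new code loads `PCPU(UCR3)` into %r9 and then clears it with `xorl %r9d,%r9d`, with no comment explaining the clear. As far as the visible restore sequence shows, %r9 is not reloaded from the frame before `sysretq`, so dropping the `xorl` as apparent dead code would hand the page-table root address to user mode. Suggest `xorl %r9d,%r9d /* do not expose the %cr3 value to user mode */`. Separately, this hunk tests the flag as `cmpb $0,pti` while cpu_switch.S uses `cmpb $0,pti(%rip)`; one addressing form throughout would read better.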
@@ -499,10 +572,32 @@ IDTVEC(nmi) movl %edx,%eax shrq $32,%rdx wrmsr + movq %cr3,%r13 + movq PCPU(KCR3),%rax + cmpq $~0,%rax + je 1f + movq %rax,%cr3 +1: testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip) + je nmi_calltrap + movl $MSR_IA32_SPEC_CTRL,%ecx + rdmsr + movl %eax,%r14d + call handle_ibrs_entry jmp nmi_calltrap nmi_fromuserspace: incl %ebx swapgs + movq %cr3,%r13 + movq PCPU(KCR3),%rax + cmpq $~0,%rax + je 1f + movq %rax,%cr3 +1: call handle_ibrs_entry + movq PCPU(CURPCB),%rdi + testq %rdi,%rdi + jz 3f + orl $PCB_FULL_IRET,PCB_FLAGS(%rdi) +3: /* Note: this label is also used by ddb and gdb: */ nmi_calltrap: FAKE_MCOUNT(TF_RIP(%rsp)) @@ -525,26 +620,29 @@ nmi_calltrap: movq PCPU(CURTHREAD),%rax orq %rax,%rax /* curthread present? */ jz nocallchain - testl $TDP_CALLCHAIN,TD_PFLAGS(%rax) /* flagged for capture? */ - jz nocallchain /* - * A user callchain is to be captured, so: - * - Move execution to the regular kernel stack, to allow for - * nested NMI interrupts. - * - Take the processor out of "NMI" mode by faking an "iret". - * - Enable interrupts, so that copyin() can work. + * Move execution to the regular kernel stack, because we + * committed to return through doreti. */ movq %rsp,%rsi /* source stack pointer */ movq $TF_SIZE,%rcx movq PCPU(RSP0),%rdx subq %rcx,%rdx movq %rdx,%rdi /* destination stack pointer */ - shrq $3,%rcx /* trap frame size in long words */ cld rep movsq /* copy trapframe */ + movq %rdx,%rsp /* we are on the regular kstack */ + testl $TDP_CALLCHAIN,TD_PFLAGS(%rax) /* flagged for capture? */ + jz nocallchain + /* + * A user callchain is to be captured, so: + * - Take the processor out of "NMI" mode by faking an "iret", + * to allow for nested NMI interrupts. + * - Enable interrupts, so that copyin() can work. + */ movl %ss,%eax pushq %rax /* tf_ss */ pushq %rdx /* tf_rsp (on kernel stack) */ 
@@ -574,33 +672,139 @@ outofnmi: cli nocallchain: #endif - testl %ebx,%ebx + testl %ebx,%ebx /* %ebx == 0 => return to userland */ jnz doreti_exit -nmi_kernelexit: + /* + * Restore speculation control MSR, if preserved. + */ + testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip) + je 1f + movl %r14d,%eax + xorl %edx,%edx + movl $MSR_IA32_SPEC_CTRL,%ecx + wrmsr /* * Put back the preserved MSR_GSBASE value. */ +1: movl $MSR_GSBASE,%ecx + movq %r12,%rdx + movl %edx,%eax + shrq $32,%rdx + wrmsr + movq %r13,%cr3 + RESTORE_REGS + addq $TF_RIP,%rsp + jmp doreti_iret + +/* + * MC# handling is similar to NMI. + * + * As with NMIs, machine check exceptions do not respect RFLAGS.IF and + * can occur at any time with a GS.base value that does not correspond + * to the privilege level in CS. + * + * Machine checks are not unblocked by iretq, but it is best to run + * the handler with interrupts disabled since the exception may have + * interrupted a critical section. + * + * The MC# handler runs on its own stack (tss_ist3). The canonical + * GS.base value for the processor is stored just above the bottom of + * its MC# stack. For exceptions taken from kernel mode, the current + * value in the processor's GS.base is saved at entry to C-preserved + * register %r12, the canonical value for GS.base is then loaded into + * the processor, and the saved value is restored at exit time. For + * exceptions taken from user mode, the cheaper 'SWAPGS' instructions + * are used for swapping GS.base. 
+ */ + +IDTVEC(mchk) + subq $TF_RIP,%rsp + movl $(T_MCHK),TF_TRAPNO(%rsp) + movq $0,TF_ADDR(%rsp) + movq $0,TF_ERR(%rsp) + movq %rdi,TF_RDI(%rsp) + movq %rsi,TF_RSI(%rsp) + movq %rdx,TF_RDX(%rsp) + movq %rcx,TF_RCX(%rsp) + movq %r8,TF_R8(%rsp) + movq %r9,TF_R9(%rsp) + movq %rax,TF_RAX(%rsp) + movq %rbx,TF_RBX(%rsp) + movq %rbp,TF_RBP(%rsp) + movq %r10,TF_R10(%rsp) + movq %r11,TF_R11(%rsp) + movq %r12,TF_R12(%rsp) + movq %r13,TF_R13(%rsp) + movq %r14,TF_R14(%rsp) + movq %r15,TF_R15(%rsp) + SAVE_SEGS + movl $TF_HASSEGS,TF_FLAGS(%rsp) + cld + xorl %ebx,%ebx + testb $SEL_RPL_MASK,TF_CS(%rsp) + jnz mchk_fromuserspace + /* + * We've interrupted the kernel. Preserve GS.base in %r12, + * %cr3 in %r13, and possibly lower half of MSR_IA32_SPEC_CTL in %r14d. + */ movl $MSR_GSBASE,%ecx + rdmsr + movq %rax,%r12 + shlq $32,%rdx + orq %rdx,%r12 + /* Retrieve and load the canonical value for GS.base. */ + movq TF_SIZE(%rsp),%rdx + movl %edx,%eax + shrq $32,%rdx + wrmsr + movq %cr3,%r13 + movq PCPU(KCR3),%rax + cmpq $~0,%rax + je 1f + movq %rax,%cr3 +1: testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip) + je mchk_calltrap + movl $MSR_IA32_SPEC_CTRL,%ecx + rdmsr + movl %eax,%r14d + call handle_ibrs_entry + jmp mchk_calltrap +mchk_fromuserspace: + incl %ebx + swapgs + movq %cr3,%r13 + movq PCPU(KCR3),%rax + cmpq $~0,%rax + je 1f + movq %rax,%cr3 +1: call handle_ibrs_entry +/* Note: this label is also used by ddb and gdb: */ +mchk_calltrap: + FAKE_MCOUNT(TF_RIP(%rsp)) + movq %rsp,%rdi + call mca_intr + MEXITCOUNT + testl %ebx,%ebx /* %ebx == 0 => return to userland */ + jnz doreti_exit + /* + * Restore speculation control MSR, if preserved. + */ + testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip) + je 1f + movl %r14d,%eax + xorl %edx,%edx + movl $MSR_IA32_SPEC_CTRL,%ecx + wrmsr + /* + * Put back the preserved MSR_GSBASE value. 
+ */ +1: movl $MSR_GSBASE,%ecx movq %r12,%rdx movl %edx,%eax shrq $32,%rdx wrmsr -nmi_restoreregs: - movq TF_RDI(%rsp),%rdi - movq TF_RSI(%rsp),%rsi - movq TF_RDX(%rsp),%rdx - movq TF_RCX(%rsp),%rcx - movq TF_R8(%rsp),%r8 - movq TF_R9(%rsp),%r9 - movq TF_RAX(%rsp),%rax - movq TF_RBX(%rsp),%rbx - movq TF_RBP(%rsp),%rbp - movq TF_R10(%rsp),%r10 - movq TF_R11(%rsp),%r11 - movq TF_R12(%rsp),%r12 - movq TF_R13(%rsp),%r13 - movq TF_R14(%rsp),%r14 - movq TF_R15(%rsp),%r15 + movq %r13,%cr3 + RESTORE_REGS addq $TF_RIP,%rsp jmp doreti_iret @@ -767,27 +971,39 @@ ld_es: ld_ds: movw TF_DS(%rsp),%ds ld_regs: - movq TF_RDI(%rsp),%rdi - movq TF_RSI(%rsp),%rsi - movq TF_RDX(%rsp),%rdx - movq TF_RCX(%rsp),%rcx - movq TF_R8(%rsp),%r8 - movq TF_R9(%rsp),%r9 - movq TF_RAX(%rsp),%rax - movq TF_RBX(%rsp),%rbx - movq TF_RBP(%rsp),%rbp - movq TF_R10(%rsp),%r10 - movq TF_R11(%rsp),%r11 - movq TF_R12(%rsp),%r12 - movq TF_R13(%rsp),%r13 - movq TF_R14(%rsp),%r14 - movq TF_R15(%rsp),%r15 + RESTORE_REGS testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */ - jz 1f /* keep running with kernel GS.base */ + jz 2f /* keep running with kernel GS.base */ cli + call handle_ibrs_exit_rs + cmpb $0,pti + je 1f + pushq %rdx + movq PCPU(PRVSPACE),%rdx + addq $PC_PTI_STACK+PC_PTI_STACK_SZ*8-PTI_SIZE,%rdx + movq %rax,PTI_RAX(%rdx) + popq %rax + movq %rax,PTI_RDX(%rdx) + movq TF_RIP(%rsp),%rax + movq %rax,PTI_RIP(%rdx) + movq TF_CS(%rsp),%rax + movq %rax,PTI_CS(%rdx) + movq TF_RFLAGS(%rsp),%rax + movq %rax,PTI_RFLAGS(%rdx) + movq TF_RSP(%rsp),%rax + movq %rax,PTI_RSP(%rdx) + movq TF_SS(%rsp),%rax + movq %rax,PTI_SS(%rdx) + movq PCPU(UCR3),%rax swapgs -1: - addq $TF_RIP,%rsp /* skip over tf_err, tf_trapno */ + movq %rdx,%rsp + movq %rax,%cr3 + popq %rdx + popq %rax + addq $8,%rsp + jmp doreti_iret +1: swapgs +2: addq $TF_RIP,%rsp .globl doreti_iret doreti_iret: iretq 
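Review bot: The comment added on `testl %ebx,%ebx` in the NMI exit, `/* %ebx == 0 => return to userland */`, states the opposite of what the code does, and the new MC# exit repeats it. %ebx is zeroed on entry and incremented only at `nmi_fromuserspace` and `mchk_fromuserspace`, and the following `jnz doreti_exit` takes the user-return path when it is non-zero. The fall-through restores SPEC_CTRL, GS.base and %cr3 for an interrupted kernel. Both comments should read `/* %ebx != 0 => return to userland */`; the entry comments also spell the MSR `MSR_IA32_SPEC_CTL` where the code uses `MSR_IA32_SPEC_CTRL`.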
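Review bot: The PTI return sequence added at `ld_regs` in the hunk at `@@ -767,27 +971,39 @@` has no comments, and the old note on the final `addq $TF_RIP,%rsp` (`skip over tf_err, tf_trapno`) was dropped. The block copies %rax, %rdx and the hardware return frame into a `pti_frame` at the top of the per-CPU PTI stack, then does `swapgs`, switches %rsp, loads the user %cr3 and pops the two scratch registers. The trailing `addq $8,%rsp` presumably steps over `pti_err`. A short block comment describing that order, plus `/* skip pti_err */` on the `addq $8`, would make it possible to check that nothing touches the kernel stack after the %cr3 load; the `pti_frame` layout itself is in frame.h, outside this page.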
@@ -811,22 +1027,20 @@ set_segs: .globl doreti_iret_fault doreti_iret_fault: subq $TF_RIP,%rsp /* space including tf_err, tf_trapno */ - testl $PSL_I,TF_RFLAGS(%rsp) + movq %rax,TF_RAX(%rsp) + movq %rdx,TF_RDX(%rsp) + movq %rcx,TF_RCX(%rsp) + call handle_ibrs_entry + testb $SEL_RPL_MASK,TF_CS(%rsp) jz 1f sti 1: - movw %fs,TF_FS(%rsp) - movw %gs,TF_GS(%rsp) - movw %es,TF_ES(%rsp) - movw %ds,TF_DS(%rsp) + SAVE_SEGS movl $TF_HASSEGS,TF_FLAGS(%rsp) movq %rdi,TF_RDI(%rsp) movq %rsi,TF_RSI(%rsp) - movq %rdx,TF_RDX(%rsp) - movq %rcx,TF_RCX(%rsp) movq %r8,TF_R8(%rsp) movq %r9,TF_R9(%rsp) - movq %rax,TF_RAX(%rsp) movq %rbx,TF_RBX(%rsp) movq %rbp,TF_RBP(%rsp) movq %r10,TF_R10(%rsp) @@ -845,7 +1059,7 @@ doreti_iret_fault: .globl ds_load_fault ds_load_fault: movl $T_PROTFLT,TF_TRAPNO(%rsp) - testl $PSL_I,TF_RFLAGS(%rsp) + testb $SEL_RPL_MASK,TF_CS(%rsp) jz 1f sti 1: diff --git a/sys/amd64/amd64/genassym.c b/sys/amd64/amd64/genassym.c index d087fdc..94382ca 100644 --- a/sys/amd64/amd64/genassym.c +++ b/sys/amd64/amd64/genassym.c @@ -145,6 +145,7 @@ ASSYM(PCB_LDT, offsetof(struct pcb, pcb_ldt)); ASSYM(PCB_TR, offsetof(struct pcb, pcb_tr)); ASSYM(PCB_FLAGS, offsetof(struct pcb, pcb_flags)); ASSYM(PCB_ONFAULT, offsetof(struct pcb, pcb_onfault)); +ASSYM(PCB_SAVED_UCR3, offsetof(struct pcb, pcb_saved_ucr3)); ASSYM(PCB_TSSP, offsetof(struct pcb, pcb_tssp)); ASSYM(PCB_SAVEFPU, offsetof(struct pcb, pcb_save)); ASSYM(PCB_EFER, offsetof(struct pcb, pcb_efer)); 
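Review bot: `doreti_iret_fault` and `ds_load_fault` now decide whether to `sti` from `testb $SEL_RPL_MASK,TF_CS(%rsp)` instead of the saved `PSL_I`, and neither hunk explains the change. The two tests are not equivalent: the old one re-enabled interrupts only if the faulting frame had them enabled, while the new one keys on the privilege level of the saved %cs. If the reasoning is that a frame returning to user mode always has interrupts enabled, a comment saying so at both sites would help. It is also worth confirming the behaviour when the saved %cs selector is itself what made `iretq` fault, since that value is then the input to this test.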
@@ -190,6 +191,16 @@ ASSYM(TF_FLAGS, offsetof(struct trapframe, tf_flags)); ASSYM(TF_SIZE, sizeof(struct trapframe)); ASSYM(TF_HASSEGS, TF_HASSEGS); +ASSYM(PTI_RDX, offsetof(struct pti_frame, pti_rdx)); +ASSYM(PTI_RAX, offsetof(struct pti_frame, pti_rax)); +ASSYM(PTI_ERR, offsetof(struct pti_frame, pti_err)); +ASSYM(PTI_RIP, offsetof(struct pti_frame, pti_rip)); +ASSYM(PTI_CS, offsetof(struct pti_frame, pti_cs)); +ASSYM(PTI_RFLAGS, offsetof(struct pti_frame, pti_rflags)); +ASSYM(PTI_RSP, offsetof(struct pti_frame, pti_rsp)); +ASSYM(PTI_SS, offsetof(struct pti_frame, pti_ss)); +ASSYM(PTI_SIZE, sizeof(struct pti_frame)); + ASSYM(SIGF_HANDLER, offsetof(struct sigframe, sf_ahu.sf_handler)); ASSYM(SIGF_UC, offsetof(struct sigframe, sf_uc)); ASSYM(UC_EFLAGS, offsetof(ucontext_t, uc_mcontext.mc_rflags)); @@ -206,6 +217,7 @@ ASSYM(PC_IDLETHREAD, offsetof(struct pcpu, pc_idlethread)); ASSYM(PC_CURPCB, offsetof(struct pcpu, pc_curpcb)); ASSYM(PC_CPUID, offsetof(struct pcpu, pc_cpuid)); ASSYM(PC_SCRATCH_RSP, offsetof(struct pcpu, pc_scratch_rsp)); +ASSYM(PC_SCRATCH_RAX, offsetof(struct pcpu, pc_scratch_rax)); ASSYM(PC_CURPMAP, offsetof(struct pcpu, pc_curpmap)); ASSYM(PC_TSSP, offsetof(struct pcpu, pc_tssp)); ASSYM(PC_RSP0, offsetof(struct pcpu, pc_rsp0)); @@ -215,6 +227,12 @@ ASSYM(PC_LDT, offsetof(struct pcpu, pc_ldt)); ASSYM(PC_COMMONTSSP, offsetof(struct pcpu, pc_commontssp)); ASSYM(PC_TSS, offsetof(struct pcpu, pc_tss)); ASSYM(PC_PM_SAVE_CNT, offsetof(struct pcpu, pc_pm_save_cnt)); +ASSYM(PC_KCR3, offsetof(struct pcpu, pc_kcr3)); +ASSYM(PC_UCR3, offsetof(struct pcpu, pc_ucr3)); +ASSYM(PC_SAVED_UCR3, offsetof(struct pcpu, pc_saved_ucr3)); +ASSYM(PC_PTI_STACK, offsetof(struct pcpu, pc_pti_stack)); +ASSYM(PC_PTI_STACK_SZ, PC_PTI_STACK_SZ); +ASSYM(PC_IBPB_SET, offsetof(struct pcpu, pc_ibpb_set)); ASSYM(LA_EOI, LAPIC_EOI * LAPIC_MEM_MUL); ASSYM(LA_ISR, LAPIC_ISR0 * LAPIC_MEM_MUL); diff --git a/sys/amd64/amd64/initcpu.c b/sys/amd64/amd64/initcpu.c index 63c0f20..2818111 100644 
--- a/sys/amd64/amd64/initcpu.c +++ b/sys/amd64/amd64/initcpu.c @@ -194,6 +194,7 @@ initializecpu(void) wrmsr(MSR_EFER, msr); pg_nx = PG_NX; } + hw_ibrs_recalculate(); switch (cpu_vendor_id) { case CPU_VENDOR_AMD: init_amd(); diff --git a/sys/amd64/amd64/machdep.c b/sys/amd64/amd64/machdep.c index 2c18af9..dd5bb06 100644 --- a/sys/amd64/amd64/machdep.c +++ b/sys/amd64/amd64/machdep.c @@ -114,6 +114,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -149,6 +150,14 @@ __FBSDID("$FreeBSD$"); /* Sanity check for __curthread() */ CTASSERT(offsetof(struct pcpu, pc_curthread) == 0); +/* + * The PTI trampoline stack needs enough space for a hardware trapframe and a + * couple of scratch registers, as well as the trapframe left behind after an + * iret fault. + */ +CTASSERT(PC_PTI_STACK_SZ * sizeof(register_t) >= 2 * sizeof(struct pti_frame) - + offsetof(struct pti_frame, pti_rip)); + extern u_int64_t hammer_time(u_int64_t, u_int64_t); #define CS_SECURE(cs) (ISPL(cs) == SEL_UPL) @@ -180,12 +189,6 @@ struct init_ops init_ops = { .msi_init = msi_init, }; -/* - * The file "conf/ldscript.amd64" defines the symbol "kernphys". Its value is - * the physical address at which the kernel is loaded. - */ -extern char kernphys[]; - struct msgbuf *msgbufp; /* @@ -670,7 +673,7 @@ static struct gate_descriptor idt0[NIDT]; struct gate_descriptor *idt = &idt0[0]; /* interrupt descriptor table */ static char dblfault_stack[PAGE_SIZE] __aligned(16); - +static char mce0_stack[PAGE_SIZE] __aligned(16); static char nmi0_stack[PAGE_SIZE] __aligned(16); CTASSERT(sizeof(struct nmi_pcpu) == 16); 
@@ -824,13 +827,20 @@ extern inthand_t IDTVEC(tss), IDTVEC(missing), IDTVEC(stk), IDTVEC(prot), IDTVEC(page), IDTVEC(mchk), IDTVEC(rsvd), IDTVEC(fpu), IDTVEC(align), IDTVEC(xmm), IDTVEC(dblfault), + IDTVEC(div_pti), IDTVEC(dbg_pti), IDTVEC(bpt_pti), + IDTVEC(ofl_pti), IDTVEC(bnd_pti), IDTVEC(ill_pti), IDTVEC(dna_pti), + IDTVEC(fpusegm_pti), IDTVEC(tss_pti), IDTVEC(missing_pti), + IDTVEC(stk_pti), IDTVEC(prot_pti), IDTVEC(page_pti), + IDTVEC(rsvd_pti), IDTVEC(fpu_pti), IDTVEC(align_pti), + IDTVEC(xmm_pti), #ifdef KDTRACE_HOOKS - IDTVEC(dtrace_ret), + IDTVEC(dtrace_ret), IDTVEC(dtrace_ret_pti), #endif #ifdef XENHVM - IDTVEC(xen_intr_upcall), + IDTVEC(xen_intr_upcall), IDTVEC(xen_intr_upcall_pti), #endif - IDTVEC(fast_syscall), IDTVEC(fast_syscall32); + IDTVEC(fast_syscall), IDTVEC(fast_syscall32), + IDTVEC(fast_syscall_pti); #ifdef DDB /* @@ -1523,6 +1533,23 @@ amd64_kdb_init(void) #endif } +/* Set up the fast syscall stuff */ +void +amd64_conf_fast_syscall(void) +{ + uint64_t msr; + + msr = rdmsr(MSR_EFER) | EFER_SCE; + wrmsr(MSR_EFER, msr); + wrmsr(MSR_LSTAR, pti ? (u_int64_t)IDTVEC(fast_syscall_pti) : + (u_int64_t)IDTVEC(fast_syscall)); + wrmsr(MSR_CSTAR, (u_int64_t)IDTVEC(fast_syscall32)); + msr = ((u_int64_t)GSEL(GCODE_SEL, SEL_KPL) << 32) | + ((u_int64_t)GSEL(GUCODE32_SEL, SEL_UPL) << 48); + wrmsr(MSR_STAR, msr); + wrmsr(MSR_SF_MASK, PSL_NT | PSL_T | PSL_I | PSL_C | PSL_D); +} + u_int64_t hammer_time(u_int64_t modulep, u_int64_t physfree) { @@ -1531,7 +1558,7 @@ hammer_time(u_int64_t modulep, u_int64_t physfree) struct pcpu *pc; struct nmi_pcpu *np; struct xstate_hdr *xhdr; - u_int64_t msr; + u_int64_t rsp0; char *env; size_t kstack0_sz; int late_console; @@ -1544,6 +1571,8 @@ hammer_time(u_int64_t modulep, u_int64_t physfree) kmdp = init_ops.parse_preload_data(modulep); + identify_cpu1(); + /* Init basic tunables, hz etc */ init_param1(); 
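Review bot: `amd64_conf_fast_syscall()` selects `fast_syscall_pti` for `MSR_LSTAR` when `pti` is set but always loads `MSR_CSTAR` with `IDTVEC(fast_syscall32)`, and no `fast_syscall32_pti` is declared in the IDTVEC list above. With PTI on, that entry point is reached while the user page table is still active, so the function should say why it is safe without a trampoline — presumably because the stub touches no kernel-only data, which cannot be confirmed from this hunk. A comment on that line such as `/* compat-mode SYSCALL stub needs no PTI variant: <reason> */` would record the decision. The function comment could also state that this routine is now shared by the boot CPU and the APs, replacing two open-coded copies.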
@@ -1600,34 +1629,55 @@ hammer_time(u_int64_t modulep, u_int64_t physfree) mtx_init(&dt_lock, "descriptor tables", NULL, MTX_DEF); /* exceptions */ + pti = pti_get_default(); + TUNABLE_INT_FETCH("vm.pmap.pti", &pti); + for (x = 0; x < NIDT; x++) - setidt(x, &IDTVEC(rsvd), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_DE, &IDTVEC(div), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_DB, &IDTVEC(dbg), SDT_SYSIGT, SEL_KPL, 0); + setidt(x, pti ? &IDTVEC(rsvd_pti) : &IDTVEC(rsvd), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_DE, pti ? &IDTVEC(div_pti) : &IDTVEC(div), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_DB, pti ? &IDTVEC(dbg_pti) : &IDTVEC(dbg), SDT_SYSIGT, + SEL_KPL, 0); setidt(IDT_NMI, &IDTVEC(nmi), SDT_SYSIGT, SEL_KPL, 2); - setidt(IDT_BP, &IDTVEC(bpt), SDT_SYSIGT, SEL_UPL, 0); - setidt(IDT_OF, &IDTVEC(ofl), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_BR, &IDTVEC(bnd), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_UD, &IDTVEC(ill), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_NM, &IDTVEC(dna), SDT_SYSIGT, SEL_KPL, 0); + setidt(IDT_BP, pti ? &IDTVEC(bpt_pti) : &IDTVEC(bpt), SDT_SYSIGT, + SEL_UPL, 0); + setidt(IDT_OF, pti ? &IDTVEC(ofl_pti) : &IDTVEC(ofl), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_BR, pti ? &IDTVEC(bnd_pti) : &IDTVEC(bnd), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_UD, pti ? &IDTVEC(ill_pti) : &IDTVEC(ill), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_NM, pti ? 
&IDTVEC(dna_pti) : &IDTVEC(dna), SDT_SYSIGT, + SEL_KPL, 0); setidt(IDT_DF, &IDTVEC(dblfault), SDT_SYSIGT, SEL_KPL, 1); - setidt(IDT_FPUGP, &IDTVEC(fpusegm), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_TS, &IDTVEC(tss), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_NP, &IDTVEC(missing), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_SS, &IDTVEC(stk), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_GP, &IDTVEC(prot), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_PF, &IDTVEC(page), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_MF, &IDTVEC(fpu), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_AC, &IDTVEC(align), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_MC, &IDTVEC(mchk), SDT_SYSIGT, SEL_KPL, 0); - setidt(IDT_XF, &IDTVEC(xmm), SDT_SYSIGT, SEL_KPL, 0); + setidt(IDT_FPUGP, pti ? &IDTVEC(fpusegm_pti) : &IDTVEC(fpusegm), + SDT_SYSIGT, SEL_KPL, 0); + setidt(IDT_TS, pti ? &IDTVEC(tss_pti) : &IDTVEC(tss), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_NP, pti ? &IDTVEC(missing_pti) : &IDTVEC(missing), + SDT_SYSIGT, SEL_KPL, 0); + setidt(IDT_SS, pti ? &IDTVEC(stk_pti) : &IDTVEC(stk), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_GP, pti ? &IDTVEC(prot_pti) : &IDTVEC(prot), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_PF, pti ? &IDTVEC(page_pti) : &IDTVEC(page), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_MF, pti ? &IDTVEC(fpu_pti) : &IDTVEC(fpu), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_AC, pti ? &IDTVEC(align_pti) : &IDTVEC(align), SDT_SYSIGT, + SEL_KPL, 0); + setidt(IDT_MC, &IDTVEC(mchk), SDT_SYSIGT, SEL_KPL, 3); + setidt(IDT_XF, pti ? &IDTVEC(xmm_pti) : &IDTVEC(xmm), SDT_SYSIGT, + SEL_KPL, 0); #ifdef KDTRACE_HOOKS - setidt(IDT_DTRACE_RET, &IDTVEC(dtrace_ret), SDT_SYSIGT, SEL_UPL, 0); + setidt(IDT_DTRACE_RET, pti ? &IDTVEC(dtrace_ret_pti) : + &IDTVEC(dtrace_ret), SDT_SYSIGT, SEL_UPL, 0); #endif #ifdef XENHVM - setidt(IDT_EVTCHN, &IDTVEC(xen_intr_upcall), SDT_SYSIGT, SEL_UPL, 0); + setidt(IDT_EVTCHN, pti ? 
&IDTVEC(xen_intr_upcall_pti) : + &IDTVEC(xen_intr_upcall), SDT_SYSIGT, SEL_KPL, 0); #endif - r_idt.rd_limit = sizeof(idt0) - 1; r_idt.rd_base = (long) idt; lidt(&r_idt); @@ -1648,7 +1698,7 @@ hammer_time(u_int64_t modulep, u_int64_t physfree) != NULL) vty_set_preferred(VTY_VT); - identify_cpu(); /* Final stage of CPU initialization */ + finishidentcpu(); /* Final stage of CPU initialization */ initializecpu(); /* Initialize CPU registers */ initializecpucache(); @@ -1663,21 +1713,21 @@ hammer_time(u_int64_t modulep, u_int64_t physfree) np->np_pcpu = (register_t) pc; common_tss[0].tss_ist2 = (long) np; + /* + * MC# stack, runs on ist3. The pcpu pointer is stored just + * above the start of the ist3 stack. + */ + np = ((struct nmi_pcpu *) &mce0_stack[sizeof(mce0_stack)]) - 1; + np->np_pcpu = (register_t) pc; + common_tss[0].tss_ist3 = (long) np; + /* Set the IO permission bitmap (empty due to tss seg limit) */ common_tss[0].tss_iobase = sizeof(struct amd64tss) + IOPERM_BITMAP_SIZE; gsel_tss = GSEL(GPROC0_SEL, SEL_KPL); ltr(gsel_tss); - /* Set up the fast syscall stuff */ - msr = rdmsr(MSR_EFER) | EFER_SCE; - wrmsr(MSR_EFER, msr); - wrmsr(MSR_LSTAR, (u_int64_t)IDTVEC(fast_syscall)); - wrmsr(MSR_CSTAR, (u_int64_t)IDTVEC(fast_syscall32)); - msr = ((u_int64_t)GSEL(GCODE_SEL, SEL_KPL) << 32) | - ((u_int64_t)GSEL(GUCODE32_SEL, SEL_UPL) << 48); - wrmsr(MSR_STAR, msr); - wrmsr(MSR_SF_MASK, PSL_NT|PSL_T|PSL_I|PSL_C|PSL_D); + amd64_conf_fast_syscall(); /* * Temporary forge some valid pointer to PCB, for exception 
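Review bot: The `IDT_EVTCHN` gate changes from `SEL_UPL` to `SEL_KPL` in the same edit that adds the `_pti` handler selection, and neither the commit message nor a comment mentions it. Lowering the gate's DPL is a behaviour change in its own right (user mode can no longer raise that vector with a software interrupt), so it should be called out, e.g. `/* Xen upcall is delivered by the hypervisor; user mode must not be able to raise it */` if that is the intent. In the same block, `IDT_NMI`, `IDT_DF` and `IDT_MC` keep their single handlers while every other vector gets a `pti ?` choice; a short comment that these three run on IST stacks (2, 1 and the newly assigned 3) would explain why they are exempt.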
@@ -1749,10 +1799,12 @@ hammer_time(u_int64_t modulep, u_int64_t physfree) xhdr->xstate_bv = xsave_mask; } /* make an initial tss so cpu can get interrupt stack on syscall! */ - common_tss[0].tss_rsp0 = (vm_offset_t)thread0.td_pcb; + rsp0 = (vm_offset_t)thread0.td_pcb; /* Ensure the stack is aligned to 16 bytes */ - common_tss[0].tss_rsp0 &= ~0xFul; - PCPU_SET(rsp0, common_tss[0].tss_rsp0); + rsp0 &= ~0xFul; + common_tss[0].tss_rsp0 = pti ? ((vm_offset_t)PCPU_PTR(pti_stack) + + PC_PTI_STACK_SZ * sizeof(uint64_t)) & ~0xful : rsp0; + PCPU_SET(rsp0, rsp0); PCPU_SET(curpcb, thread0.td_pcb); /* transfer to user mode */ @@ -1782,6 +1834,8 @@ hammer_time(u_int64_t modulep, u_int64_t physfree) #endif thread0.td_critnest = 0; + TUNABLE_INT_FETCH("hw.ibrs_disable", &hw_ibrs_disable); + /* Location of kernel stack for locore */ return ((u_int64_t)thread0.td_pcb); } diff --git a/sys/amd64/amd64/mp_machdep.c b/sys/amd64/amd64/mp_machdep.c index ce07e0f..450d512 100644 --- a/sys/amd64/amd64/mp_machdep.c +++ b/sys/amd64/amd64/mp_machdep.c @@ -85,10 +85,9 @@ extern struct pcpu __pcpu[]; /* Temporary variables for init_secondary() */ char *doublefault_stack; +char *mce_stack; char *nmi_stack; -extern inthand_t IDTVEC(fast_syscall), IDTVEC(fast_syscall32); - /* * Local data and functions. */ 
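Review bot: The trampoline-top expression `((vm_offset_t)PCPU_PTR(pti_stack) + PC_PTI_STACK_SZ * sizeof(uint64_t)) & ~0xful` is written out here and again in `init_secondary()` in mp_machdep.c, and it sizes slots with `sizeof(uint64_t)` where the new CTASSERT in this file uses `sizeof(register_t)`. A small inline helper or macro taking the `struct pcpu *` would keep the boot CPU, the APs and the assertion in step. The mask can also round the top down by up to 8 bytes if the end of `pc_pti_stack` is not 16-byte aligned within `struct pcpu` (the layout is not visible here); the CTASSERT does not account for that, and the assembly exit path computes `PC_PTI_STACK+PC_PTI_STACK_SZ*8-PTI_SIZE` without the mask. A compile-time assertion that the end offset of `pc_pti_stack` is a multiple of 16 would make the mask a documented no-op. hammer_time's body starts and ends outside this hunk.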
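Review bot: `TUNABLE_INT_FETCH("hw.ibrs_disable", &hw_ibrs_disable)` is placed at the very end of `hammer_time()`, after the earlier `initializecpu()` call, which this commit makes call `hw_ibrs_recalculate()`. If hw_ibrs_recalculate() derives the active IBRS state from `hw_ibrs_disable` (its body is not visible here), the boot CPU computes that state before the loader tunable has been read, and the setting only takes effect once something recalculates later. Moving the fetch next to the `vm.pmap.pti` fetch, ahead of `initializecpu()`, would remove the ordering dependency; otherwise a comment should say where the recalculation that honours the tunable happens. hammer_time's body starts outside this hunk.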
@@ -132,33 +131,50 @@ cpu_mp_start(void) /* Install an inter-CPU IPI for TLB invalidation */ if (pmap_pcid_enabled) { if (invpcid_works) { - setidt(IPI_INVLTLB, IDTVEC(invltlb_invpcid), - SDT_SYSIGT, SEL_KPL, 0); - } else { - setidt(IPI_INVLTLB, IDTVEC(invltlb_pcid), SDT_SYSIGT, + setidt(IPI_INVLTLB, pti ? + IDTVEC(invltlb_invpcid_pti_pti) : + IDTVEC(invltlb_invpcid_nopti), SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_INVLPG, pti ? IDTVEC(invlpg_invpcid_pti) : + IDTVEC(invlpg_invpcid), SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_INVLRNG, pti ? IDTVEC(invlrng_invpcid_pti) : + IDTVEC(invlrng_invpcid), SDT_SYSIGT, SEL_KPL, 0); + } else { + setidt(IPI_INVLTLB, pti ? IDTVEC(invltlb_pcid_pti) : + IDTVEC(invltlb_pcid), SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_INVLPG, pti ? IDTVEC(invlpg_pcid_pti) : + IDTVEC(invlpg_pcid), SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_INVLRNG, pti ? IDTVEC(invlrng_pcid_pti) : + IDTVEC(invlrng_pcid), SDT_SYSIGT, SEL_KPL, 0); } } else { - setidt(IPI_INVLTLB, IDTVEC(invltlb), SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_INVLTLB, pti ? IDTVEC(invltlb_pti) : IDTVEC(invltlb), + SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_INVLPG, pti ? IDTVEC(invlpg_pti) : IDTVEC(invlpg), + SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_INVLRNG, pti ? IDTVEC(invlrng_pti) : IDTVEC(invlrng), + SDT_SYSIGT, SEL_KPL, 0); } - setidt(IPI_INVLPG, IDTVEC(invlpg), SDT_SYSIGT, SEL_KPL, 0); - setidt(IPI_INVLRNG, IDTVEC(invlrng), SDT_SYSIGT, SEL_KPL, 0); /* Install an inter-CPU IPI for cache invalidation. */ - setidt(IPI_INVLCACHE, IDTVEC(invlcache), SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_INVLCACHE, pti ? IDTVEC(invlcache_pti) : IDTVEC(invlcache), + SDT_SYSIGT, SEL_KPL, 0); /* Install an inter-CPU IPI for all-CPU rendezvous */ - setidt(IPI_RENDEZVOUS, IDTVEC(rendezvous), SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_RENDEZVOUS, pti ? 
IDTVEC(rendezvous_pti) : + IDTVEC(rendezvous), SDT_SYSIGT, SEL_KPL, 0); /* Install generic inter-CPU IPI handler */ - setidt(IPI_BITMAP_VECTOR, IDTVEC(ipi_intr_bitmap_handler), - SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_BITMAP_VECTOR, pti ? IDTVEC(ipi_intr_bitmap_handler_pti) : + IDTVEC(ipi_intr_bitmap_handler), SDT_SYSIGT, SEL_KPL, 0); /* Install an inter-CPU IPI for CPU stop/restart */ - setidt(IPI_STOP, IDTVEC(cpustop), SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_STOP, pti ? IDTVEC(cpustop_pti) : IDTVEC(cpustop), + SDT_SYSIGT, SEL_KPL, 0); /* Install an inter-CPU IPI for CPU suspend/resume */ - setidt(IPI_SUSPEND, IDTVEC(cpususpend), SDT_SYSIGT, SEL_KPL, 0); + setidt(IPI_SUSPEND, pti ? IDTVEC(cpususpend_pti) : IDTVEC(cpususpend), + SDT_SYSIGT, SEL_KPL, 0); /* Set boot_cpu_id if needed. */ if (boot_cpu_id == -1) { @@ -188,7 +204,7 @@ init_secondary(void) { struct pcpu *pc; struct nmi_pcpu *np; - u_int64_t msr, cr0; + u_int64_t cr0; int cpu, gsel_tss, x; struct region_descriptor ap_gdt; @@ -197,7 +213,6 @@ init_secondary(void) /* Init tss */ common_tss[cpu] = common_tss[0]; - common_tss[cpu].tss_rsp0 = 0; /* not used until after switch */ common_tss[cpu].tss_iobase = sizeof(struct amd64tss) + IOPERM_BITMAP_SIZE; common_tss[cpu].tss_ist1 = (long)&doublefault_stack[PAGE_SIZE]; @@ -206,6 +221,10 @@ init_secondary(void) np = ((struct nmi_pcpu *) &nmi_stack[PAGE_SIZE]) - 1; common_tss[cpu].tss_ist2 = (long) np; + /* The MC# stack runs on IST3. */ + np = ((struct nmi_pcpu *) &mce_stack[PAGE_SIZE]) - 1; + common_tss[cpu].tss_ist3 = (long) np; + /* Prepare private GDT */ gdt_segs[GPROC0_SEL].ssd_base = (long) &common_tss[cpu]; for (x = 0; x < NGDT; x++) { 
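Review bot: `IDTVEC(invltlb_invpcid_pti_pti)` and `IDTVEC(invltlb_invpcid_nopti)` break the `name` / `name_pti` pairing used by every other vector in `cpu_mp_start()` and read like a typo. If the doubled suffix is intentional — presumably two distinct handlers, `invltlb_invpcid_pti` and `invltlb_invpcid_nopti`, of which only the first has a trampoline entry; the vector definitions are not in this hunk — a comment should say so, e.g. `/* invltlb_invpcid has separate PTI and non-PTI handlers; _pti_pti is the PTI entry of the former */`. cpu_mp_start's body starts before the hunk.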
@@ -240,8 +259,15 @@ init_secondary(void) pc->pc_curpmap = kernel_pmap; pc->pc_pcid_gen = 1; pc->pc_pcid_next = PMAP_PCID_KERN + 1; + common_tss[cpu].tss_rsp0 = pti ? ((vm_offset_t)&pc->pc_pti_stack + + PC_PTI_STACK_SZ * sizeof(uint64_t)) & ~0xful : 0; /* Save the per-cpu pointer for use by the NMI handler. */ + np = ((struct nmi_pcpu *) &nmi_stack[PAGE_SIZE]) - 1; + np->np_pcpu = (register_t) pc; + + /* Save the per-cpu pointer for use by the MC# handler. */ + np = ((struct nmi_pcpu *) &mce_stack[PAGE_SIZE]) - 1; np->np_pcpu = (register_t) pc; wrmsr(MSR_FSBASE, 0); /* User value */ @@ -263,15 +289,7 @@ init_secondary(void) cr0 &= ~(CR0_CD | CR0_NW | CR0_EM); load_cr0(cr0); - /* Set up the fast syscall stuff */ - msr = rdmsr(MSR_EFER) | EFER_SCE; - wrmsr(MSR_EFER, msr); - wrmsr(MSR_LSTAR, (u_int64_t)IDTVEC(fast_syscall)); - wrmsr(MSR_CSTAR, (u_int64_t)IDTVEC(fast_syscall32)); - msr = ((u_int64_t)GSEL(GCODE_SEL, SEL_KPL) << 32) | - ((u_int64_t)GSEL(GUCODE32_SEL, SEL_UPL) << 48); - wrmsr(MSR_STAR, msr); - wrmsr(MSR_SF_MASK, PSL_NT|PSL_T|PSL_I|PSL_C|PSL_D); + amd64_conf_fast_syscall(); /* signal our startup to the BSP. */ mp_naps++; @@ -346,6 +364,8 @@ native_start_all_aps(void) kstack_pages * PAGE_SIZE, M_WAITOK | M_ZERO); doublefault_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE, M_WAITOK | M_ZERO); + mce_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE, + M_WAITOK | M_ZERO); nmi_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE, M_WAITOK | M_ZERO); dpcpu = (void *)kmem_malloc(kernel_arena, DPCPU_SIZE, 
@@ -428,9 +448,43 @@ invltlb_invpcid_handler(void) } void -invltlb_pcid_handler(void) +invltlb_invpcid_pti_handler(void) { + struct invpcid_descr d; uint32_t generation; + +#ifdef COUNT_XINVLTLB_HITS + xhits_gbl[PCPU_GET(cpuid)]++; +#endif /* COUNT_XINVLTLB_HITS */ +#ifdef COUNT_IPIS + (*ipi_invltlb_counts[PCPU_GET(cpuid)])++; +#endif /* COUNT_IPIS */ + + generation = smp_tlb_generation; + d.pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid; + d.pad = 0; + d.addr = 0; + if (smp_tlb_pmap == kernel_pmap) { + /* + * This invalidation actually needs to clear kernel + * mappings from the TLB in the current pmap, but + * since we were asked for the flush in the kernel + * pmap, achieve it by performing global flush. + */ + invpcid(&d, INVPCID_CTXGLOB); + } else { + invpcid(&d, INVPCID_CTX); + d.pcid |= PMAP_PCID_USER_PT; + invpcid(&d, INVPCID_CTX); + } + PCPU_SET(smp_tlb_done, generation); +} + +void +invltlb_pcid_handler(void) +{ + uint64_t kcr3, ucr3; + uint32_t generation, pcid; #ifdef COUNT_XINVLTLB_HITS xhits_gbl[PCPU_GET(cpuid)]++; 
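Review bot: `invltlb_invpcid_pti_handler()` flushes the `PMAP_PCID_USER_PT` context for every non-kernel pmap, while `pmap_invalidate_all()` in pmap.c guards the same step with `pmap->pm_ucr3 != PMAP_NO_CR3`. The extra INVPCID is probably harmless for a pmap that has no user page table, but the two paths should agree: either add `if (smp_tlb_pmap->pm_ucr3 != PMAP_NO_CR3)` around the second `invpcid(&d, INVPCID_CTX)` or add a comment saying the unconditional flush is deliberate. The hunk ends inside `invltlb_pcid_handler()`, whose body continues outside it.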
@@ -451,9 +505,132 @@ invltlb_pcid_handler(void) * CPU. */ if (PCPU_GET(curpmap) == smp_tlb_pmap) { - load_cr3(smp_tlb_pmap->pm_cr3 | - smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid); + pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid; + kcr3 = smp_tlb_pmap->pm_cr3 | pcid; + ucr3 = smp_tlb_pmap->pm_ucr3; + if (ucr3 != PMAP_NO_CR3) { + ucr3 |= PMAP_PCID_USER_PT | pcid; + pmap_pti_pcid_invalidate(ucr3, kcr3); + } else + load_cr3(kcr3); } } PCPU_SET(smp_tlb_done, generation); } + +void +invlpg_invpcid_handler(void) +{ + struct invpcid_descr d; + uint32_t generation; + +#ifdef COUNT_XINVLTLB_HITS + xhits_pg[PCPU_GET(cpuid)]++; +#endif /* COUNT_XINVLTLB_HITS */ +#ifdef COUNT_IPIS + (*ipi_invlpg_counts[PCPU_GET(cpuid)])++; +#endif /* COUNT_IPIS */ + + generation = smp_tlb_generation; /* Overlap with serialization */ + invlpg(smp_tlb_addr1); + if (smp_tlb_pmap->pm_ucr3 != PMAP_NO_CR3) { + d.pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid | + PMAP_PCID_USER_PT; + d.pad = 0; + d.addr = smp_tlb_addr1; + invpcid(&d, INVPCID_ADDR); + } + PCPU_SET(smp_tlb_done, generation); +} + +void +invlpg_pcid_handler(void) +{ + uint64_t kcr3, ucr3; + uint32_t generation; + uint32_t pcid; + +#ifdef COUNT_XINVLTLB_HITS + xhits_pg[PCPU_GET(cpuid)]++; +#endif /* COUNT_XINVLTLB_HITS */ +#ifdef COUNT_IPIS + (*ipi_invlpg_counts[PCPU_GET(cpuid)])++; +#endif /* COUNT_IPIS */ + + generation = smp_tlb_generation; /* Overlap with serialization */ + invlpg(smp_tlb_addr1); + if (smp_tlb_pmap == PCPU_GET(curpmap) && + (ucr3 = smp_tlb_pmap->pm_ucr3) != PMAP_NO_CR3) { + pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid; + kcr3 = smp_tlb_pmap->pm_cr3 | pcid | CR3_PCID_SAVE; + ucr3 |= pcid | PMAP_PCID_USER_PT | CR3_PCID_SAVE; + pmap_pti_pcid_invlpg(ucr3, kcr3, smp_tlb_addr1); + } + PCPU_SET(smp_tlb_done, generation); +} + +void +invlrng_invpcid_handler(void) +{ + struct invpcid_descr d; + vm_offset_t addr, addr2; + uint32_t generation; + +#ifdef COUNT_XINVLTLB_HITS + 
xhits_rng[PCPU_GET(cpuid)]++; +#endif /* COUNT_XINVLTLB_HITS */ +#ifdef COUNT_IPIS + (*ipi_invlrng_counts[PCPU_GET(cpuid)])++; +#endif /* COUNT_IPIS */ + + addr = smp_tlb_addr1; + addr2 = smp_tlb_addr2; + generation = smp_tlb_generation; /* Overlap with serialization */ + do { + invlpg(addr); + addr += PAGE_SIZE; + } while (addr < addr2); + if (smp_tlb_pmap->pm_ucr3 != PMAP_NO_CR3) { + d.pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid | + PMAP_PCID_USER_PT; + d.pad = 0; + d.addr = smp_tlb_addr1; + do { + invpcid(&d, INVPCID_ADDR); + d.addr += PAGE_SIZE; + } while (d.addr < addr2); + } + PCPU_SET(smp_tlb_done, generation); +} + +void +invlrng_pcid_handler(void) +{ + vm_offset_t addr, addr2; + uint64_t kcr3, ucr3; + uint32_t generation; + uint32_t pcid; + +#ifdef COUNT_XINVLTLB_HITS + xhits_rng[PCPU_GET(cpuid)]++; +#endif /* COUNT_XINVLTLB_HITS */ +#ifdef COUNT_IPIS + (*ipi_invlrng_counts[PCPU_GET(cpuid)])++; +#endif /* COUNT_IPIS */ + + addr = smp_tlb_addr1; + addr2 = smp_tlb_addr2; + generation = smp_tlb_generation; /* Overlap with serialization */ + do { + invlpg(addr); + addr += PAGE_SIZE; + } while (addr < addr2); + if (smp_tlb_pmap == PCPU_GET(curpmap) && + (ucr3 = smp_tlb_pmap->pm_ucr3) != PMAP_NO_CR3) { + pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid; + kcr3 = smp_tlb_pmap->pm_cr3 | pcid | CR3_PCID_SAVE; + ucr3 |= pcid | PMAP_PCID_USER_PT | CR3_PCID_SAVE; + pmap_pti_pcid_invlrng(ucr3, kcr3, smp_tlb_addr1, addr2); + } + PCPU_SET(smp_tlb_done, generation); +} diff --git a/sys/amd64/amd64/pmap.c b/sys/amd64/amd64/pmap.c index a7ce847..2989eb40 100644 --- a/sys/amd64/amd64/pmap.c +++ b/sys/amd64/amd64/pmap.c 
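Review bot: `invlpg_pcid_handler()` and `invlrng_pcid_handler()` invalidate the user page table's entries only when `smp_tlb_pmap == PCPU_GET(curpmap)`, whereas the INVPCID variants do it whenever `pm_ucr3 != PMAP_NO_CR3`, and nothing in the handlers says what covers the other case. With PTI a stale translation left in the user PCID is both a correctness and an isolation problem, so the reasoning should be written down — presumably the initiator's reset of `pm_pcids[i].pm_gen` forces a full flush on the next activation, but that is outside this hunk and needs confirming. A comment above the `if` such as `/* Not current here: the initiator cleared pm_gen for this CPU, so the PCID is flushed on next switch-in */` would do. Separately, the `kcr3`/`ucr3` composition with `CR3_PCID_SAVE` is repeated verbatim in both handlers and in the pmap_invalidate_* functions and is a candidate for one inline helper.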
@@ -9,11 +9,17 @@ * All rights reserved. * Copyright (c) 2005-2010 Alan L. Cox * All rights reserved. + * Copyright (c) 2014-2018 The FreeBSD Foundation + * All rights reserved. * * This code is derived from software contributed to Berkeley by * the Systems Programming Group of the University of Utah Computer * Science Department and William Jolitz of UUNET Technologies Inc. * + * Portions of this software were developed by + * Konstantin Belousov under sponsorship from + * the FreeBSD Foundation. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -147,6 +153,7 @@ __FBSDID("$FreeBSD$"); #ifdef SMP #include #endif +#include static __inline boolean_t pmap_type_guest(pmap_t pmap) @@ -208,6 +215,8 @@ pmap_rw_bit(pmap_t pmap) return (mask); } +static pt_entry_t pg_g; + static __inline pt_entry_t pmap_global_bit(pmap_t pmap) { @@ -215,7 +224,7 @@ pmap_global_bit(pmap_t pmap) switch (pmap->pm_type) { case PT_X86: - mask = X86_PG_G; + mask = pg_g; break; case PT_RVI: case PT_EPT: @@ -405,6 +414,15 @@ int invpcid_works = 0; SYSCTL_INT(_vm_pmap, OID_AUTO, invpcid_works, CTLFLAG_RD, &invpcid_works, 0, "Is the invpcid instruction available ?"); +int pti = 0; +SYSCTL_INT(_vm_pmap, OID_AUTO, pti, CTLFLAG_RDTUN | CTLFLAG_NOFETCH, + &pti, 0, + "Page Table Isolation enabled"); +static vm_object_t pti_obj; +static pml4_entry_t *pti_pml4; +static vm_pindex_t pti_pg_idx; +static bool pti_finalized; + static int pmap_pcid_save_cnt_proc(SYSCTL_HANDLER_ARGS) { 
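Review bot: `static pt_entry_t pg_g;` is introduced without a comment, yet every kernel mapping that used `X86_PG_G` now depends on it. It starts out zero and is only set to `X86_PG_G` in `pmap_bootstrap()` when `pti` is off, so kernel mappings are non-global under PTI; that should be stated at the declaration, e.g. `/* X86_PG_G, or 0 when PTI is enabled so kernel TLB entries do not survive the switch to the user page table */`. The second half of that comment is the usual rationale rather than something shown on this page, so adjust it to the actual intent. The declaration also sits between `pmap_rw_bit()` and `pmap_global_bit()` rather than with the other file-scope state such as `pti`, where a reader would look for it first.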
@@ -622,6 +640,11 @@ static void pmap_promote_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t va, static boolean_t pmap_protect_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t sva, vm_prot_t prot); static void pmap_pte_attr(pt_entry_t *pte, int cache_bits, int mask); +static void pmap_pti_add_kva_locked(vm_offset_t sva, vm_offset_t eva, + bool exec); +static pdp_entry_t *pmap_pti_pdpe(vm_offset_t va); +static pd_entry_t *pmap_pti_pde(vm_offset_t va); +static void pmap_pti_wire_pte(void *pte); static int pmap_remove_pde(pmap_t pmap, pd_entry_t *pdq, vm_offset_t sva, struct spglist *free, struct rwlock **lockp); static int pmap_remove_pte(pmap_t pmap, pt_entry_t *ptq, vm_offset_t sva, @@ -901,7 +924,7 @@ create_pagetables(vm_paddr_t *firstaddr) /* XXX not fully used, underneath 2M pages */ pt_p = (pt_entry_t *)KPTphys; for (i = 0; ptoa(i) < *firstaddr; i++) - pt_p[i] = ptoa(i) | X86_PG_RW | X86_PG_V | X86_PG_G; + pt_p[i] = ptoa(i) | X86_PG_RW | X86_PG_V | pg_g; /* Now map the page tables at their location within PTmap */ pd_p = (pd_entry_t *)KPDphys; @@ -912,7 +935,7 @@ create_pagetables(vm_paddr_t *firstaddr) /* This replaces some of the KPTphys entries above */ for (i = 0; (i << PDRSHIFT) < *firstaddr; i++) pd_p[i] = (i << PDRSHIFT) | X86_PG_RW | X86_PG_V | PG_PS | - X86_PG_G; + pg_g; /* And connect up the PD to the PDP (leaving room for L4 pages) */ pdp_p = (pdp_entry_t *)(KPDPphys + ptoa(KPML4I - KPML4BASE)); 
@@ -932,14 +955,14 @@ create_pagetables(vm_paddr_t *firstaddr) for (i = NPDEPG * ndm1g, j = 0; i < NPDEPG * ndmpdp; i++, j++) { pd_p[j] = (vm_paddr_t)i << PDRSHIFT; /* Preset PG_M and PG_A because demotion expects it. */ - pd_p[j] |= X86_PG_RW | X86_PG_V | PG_PS | X86_PG_G | + pd_p[j] |= X86_PG_RW | X86_PG_V | PG_PS | pg_g | X86_PG_M | X86_PG_A; } pdp_p = (pdp_entry_t *)DMPDPphys; for (i = 0; i < ndm1g; i++) { pdp_p[i] = (vm_paddr_t)i << PDPSHIFT; /* Preset PG_M and PG_A because demotion expects it. */ - pdp_p[i] |= X86_PG_RW | X86_PG_V | PG_PS | X86_PG_G | + pdp_p[i] |= X86_PG_RW | X86_PG_V | PG_PS | pg_g | X86_PG_M | X86_PG_A; } for (j = 0; i < ndmpdp; i++, j++) { @@ -982,6 +1005,9 @@ pmap_bootstrap(vm_paddr_t *firstaddr) pt_entry_t *pte; int i; + if (!pti) + pg_g = X86_PG_G; + /* * Create an initial set of page tables to run the kernel in. */ @@ -1014,6 +1040,7 @@ pmap_bootstrap(vm_paddr_t *firstaddr) PMAP_LOCK_INIT(kernel_pmap); kernel_pmap->pm_pml4 = (pdp_entry_t *)PHYS_TO_DMAP(KPML4phys); kernel_pmap->pm_cr3 = KPML4phys; + kernel_pmap->pm_ucr3 = PMAP_NO_CR3; CPU_FILL(&kernel_pmap->pm_active); /* don't allow deactivation */ TAILQ_INIT(&kernel_pmap->pm_pvchunk); kernel_pmap->pm_flags = pmap_flags; @@ -1528,6 +1555,9 @@ void pmap_invalidate_page(pmap_t pmap, vm_offset_t va) { cpuset_t *mask; + struct invpcid_descr d; + uint64_t kcr3, ucr3; + uint32_t pcid; u_int cpuid, i; if (pmap_type_guest(pmap)) { 
@@ -1544,9 +1574,32 @@ pmap_invalidate_page(pmap_t pmap, vm_offset_t va) mask = &all_cpus; } else { cpuid = PCPU_GET(cpuid); - if (pmap == PCPU_GET(curpmap)) + if (pmap == PCPU_GET(curpmap)) { invlpg(va); - else if (pmap_pcid_enabled) + if (pmap_pcid_enabled && pmap->pm_ucr3 != PMAP_NO_CR3) { + /* + * Disable context switching. pm_pcid + * is recalculated on switch, which + * might make us use wrong pcid below. + */ + critical_enter(); + pcid = pmap->pm_pcids[cpuid].pm_pcid; + + if (invpcid_works) { + d.pcid = pcid | PMAP_PCID_USER_PT; + d.pad = 0; + d.addr = va; + invpcid(&d, INVPCID_ADDR); + } else { + kcr3 = pmap->pm_cr3 | pcid | + CR3_PCID_SAVE; + ucr3 = pmap->pm_ucr3 | pcid | + PMAP_PCID_USER_PT | CR3_PCID_SAVE; + pmap_pti_pcid_invlpg(ucr3, kcr3, va); + } + critical_exit(); + } + } else if (pmap_pcid_enabled) pmap->pm_pcids[cpuid].pm_gen = 0; if (pmap_pcid_enabled) { CPU_FOREACH(i) { @@ -1556,7 +1609,7 @@ pmap_invalidate_page(pmap_t pmap, vm_offset_t va) } mask = &pmap->pm_active; } - smp_masked_invlpg(*mask, va); + smp_masked_invlpg(*mask, va, pmap); sched_unpin(); } @@ -1567,7 +1620,10 @@ void pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) { cpuset_t *mask; + struct invpcid_descr d; vm_offset_t addr; + uint64_t kcr3, ucr3; + uint32_t pcid; u_int cpuid, i; if (eva - sva >= PMAP_INVLPG_THRESHOLD) { 
@@ -1593,6 +1649,26 @@ pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) if (pmap == PCPU_GET(curpmap)) { for (addr = sva; addr < eva; addr += PAGE_SIZE) invlpg(addr); + if (pmap_pcid_enabled && pmap->pm_ucr3 != PMAP_NO_CR3) { + critical_enter(); + pcid = pmap->pm_pcids[cpuid].pm_pcid; + if (invpcid_works) { + d.pcid = pcid | PMAP_PCID_USER_PT; + d.pad = 0; + d.addr = sva; + for (; d.addr < eva; d.addr += + PAGE_SIZE) + invpcid(&d, INVPCID_ADDR); + } else { + kcr3 = pmap->pm_cr3 | pcid | + CR3_PCID_SAVE; + ucr3 = pmap->pm_ucr3 | pcid | + PMAP_PCID_USER_PT | CR3_PCID_SAVE; + pmap_pti_pcid_invlrng(ucr3, kcr3, sva, + eva); + } + critical_exit(); + } } else if (pmap_pcid_enabled) { pmap->pm_pcids[cpuid].pm_gen = 0; } @@ -1604,7 +1680,7 @@ pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) } mask = &pmap->pm_active; } - smp_masked_invlpg_range(*mask, sva, eva); + smp_masked_invlpg_range(*mask, sva, eva, pmap); sched_unpin(); } @@ -1613,6 +1689,8 @@ pmap_invalidate_all(pmap_t pmap) { cpuset_t *mask; struct invpcid_descr d; + uint64_t kcr3, ucr3; + uint32_t pcid; u_int cpuid, i; if (pmap_type_guest(pmap)) { @@ -1636,15 +1714,29 @@ pmap_invalidate_all(pmap_t pmap) cpuid = PCPU_GET(cpuid); if (pmap == PCPU_GET(curpmap)) { if (pmap_pcid_enabled) { + critical_enter(); + pcid = pmap->pm_pcids[cpuid].pm_pcid; if (invpcid_works) { - d.pcid = pmap->pm_pcids[cpuid].pm_pcid; + d.pcid = pcid; d.pad = 0; d.addr = 0; invpcid(&d, INVPCID_CTX); + if (pmap->pm_ucr3 != PMAP_NO_CR3) { + d.pcid |= PMAP_PCID_USER_PT; + invpcid(&d, INVPCID_CTX); + } } else { - load_cr3(pmap->pm_cr3 | pmap->pm_pcids - [PCPU_GET(cpuid)].pm_pcid); + kcr3 = pmap->pm_cr3 | pcid; + ucr3 = pmap->pm_ucr3; + if (ucr3 != PMAP_NO_CR3) { + ucr3 |= pcid | PMAP_PCID_USER_PT; + pmap_pti_pcid_invalidate(ucr3, + kcr3); + } else { + load_cr3(kcr3); + } } + critical_exit(); } else { invltlb(); } 
@@ -1749,6 +1841,9 @@ pmap_update_pde(pmap_t pmap, vm_offset_t va, pd_entry_t *pde, pd_entry_t newpde) void pmap_invalidate_page(pmap_t pmap, vm_offset_t va) { + struct invpcid_descr d; + uint64_t kcr3, ucr3; + uint32_t pcid; if (pmap->pm_type == PT_RVI || pmap->pm_type == PT_EPT) { pmap->pm_eptgen++; @@ -1757,16 +1852,35 @@ pmap_invalidate_page(pmap_t pmap, vm_offset_t va) KASSERT(pmap->pm_type == PT_X86, ("pmap_invalidate_range: unknown type %d", pmap->pm_type)); - if (pmap == kernel_pmap || pmap == PCPU_GET(curpmap)) + if (pmap == kernel_pmap || pmap == PCPU_GET(curpmap)) { invlpg(va); - else if (pmap_pcid_enabled) + if (pmap == PCPU_GET(curpmap) && pmap_pcid_enabled && + pmap->pm_ucr3 != PMAP_NO_CR3) { + critical_enter(); + pcid = pmap->pm_pcids[0].pm_pcid; + if (invpcid_works) { + d.pcid = pcid | PMAP_PCID_USER_PT; + d.pad = 0; + d.addr = va; + invpcid(&d, INVPCID_ADDR); + } else { + kcr3 = pmap->pm_cr3 | pcid | CR3_PCID_SAVE; + ucr3 = pmap->pm_ucr3 | pcid | + PMAP_PCID_USER_PT | CR3_PCID_SAVE; + pmap_pti_pcid_invlpg(ucr3, kcr3, va); + } + critical_exit(); + } + } else if (pmap_pcid_enabled) pmap->pm_pcids[0].pm_gen = 0; } void pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) { + struct invpcid_descr d; vm_offset_t addr; + uint64_t kcr3, ucr3; if (pmap->pm_type == PT_RVI || pmap->pm_type == PT_EPT) { pmap->pm_eptgen++; 
@@ -1778,6 +1892,25 @@ pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) if (pmap == kernel_pmap || pmap == PCPU_GET(curpmap)) { for (addr = sva; addr < eva; addr += PAGE_SIZE) invlpg(addr); + if (pmap == PCPU_GET(curpmap) && pmap_pcid_enabled && + pmap->pm_ucr3 != PMAP_NO_CR3) { + critical_enter(); + if (invpcid_works) { + d.pcid = pmap->pm_pcids[0].pm_pcid | + PMAP_PCID_USER_PT; + d.pad = 0; + d.addr = sva; + for (; d.addr < eva; d.addr += PAGE_SIZE) + invpcid(&d, INVPCID_ADDR); + } else { + kcr3 = pmap->pm_cr3 | pmap->pm_pcids[0]. + pm_pcid | CR3_PCID_SAVE; + ucr3 = pmap->pm_ucr3 | pmap->pm_pcids[0]. + pm_pcid | PMAP_PCID_USER_PT | CR3_PCID_SAVE; + pmap_pti_pcid_invlrng(ucr3, kcr3, sva, eva); + } + critical_exit(); + } } else if (pmap_pcid_enabled) { pmap->pm_pcids[0].pm_gen = 0; } @@ -1787,6 +1920,7 @@ void pmap_invalidate_all(pmap_t pmap) { struct invpcid_descr d; + uint64_t kcr3, ucr3; if (pmap->pm_type == PT_RVI || pmap->pm_type == PT_EPT) { pmap->pm_eptgen++; @@ -1804,15 +1938,26 @@ pmap_invalidate_all(pmap_t pmap) } } else if (pmap == PCPU_GET(curpmap)) { if (pmap_pcid_enabled) { + critical_enter(); if (invpcid_works) { d.pcid = pmap->pm_pcids[0].pm_pcid; d.pad = 0; d.addr = 0; invpcid(&d, INVPCID_CTX); + if (pmap->pm_ucr3 != PMAP_NO_CR3) { + d.pcid |= PMAP_PCID_USER_PT; + invpcid(&d, INVPCID_CTX); + } } else { - load_cr3(pmap->pm_cr3 | pmap->pm_pcids[0]. - pm_pcid); + kcr3 = pmap->pm_cr3 | pmap->pm_pcids[0].pm_pcid; + if (pmap->pm_ucr3 != PMAP_NO_CR3) { + ucr3 = pmap->pm_ucr3 | pmap->pm_pcids[ + 0].pm_pcid | PMAP_PCID_USER_PT; + pmap_pti_pcid_invalidate(ucr3, kcr3); + } else + load_cr3(kcr3); } + critical_exit(); } else { invltlb(); } @@ -2094,7 +2239,7 @@ pmap_kenter(vm_offset_t va, vm_paddr_t pa) pt_entry_t *pte; pte = vtopte(va); - pte_store(pte, pa | X86_PG_RW | X86_PG_V | X86_PG_G); + pte_store(pte, pa | X86_PG_RW | X86_PG_V | pg_g); } static __inline void 
@@ -2105,7 +2250,7 @@ pmap_kenter_attr(vm_offset_t va, vm_paddr_t pa, int mode) pte = vtopte(va); cache_bits = pmap_cache_bits(kernel_pmap, mode, 0); - pte_store(pte, pa | X86_PG_RW | X86_PG_V | X86_PG_G | cache_bits); + pte_store(pte, pa | X86_PG_RW | X86_PG_V | pg_g | cache_bits); } /* @@ -2165,7 +2310,7 @@ pmap_qenter(vm_offset_t sva, vm_page_t *ma, int count) pa = VM_PAGE_TO_PHYS(m) | cache_bits; if ((*pte & (PG_FRAME | X86_PG_PTE_CACHE)) != pa) { oldpte |= *pte; - pte_store(pte, pa | X86_PG_G | X86_PG_RW | X86_PG_V); + pte_store(pte, pa | pg_g | X86_PG_RW | X86_PG_V); } pte++; } @@ -2284,6 +2429,10 @@ _pmap_unwire_ptp(pmap_t pmap, vm_offset_t va, vm_page_t m, struct spglist *free) pml4_entry_t *pml4; pml4 = pmap_pml4e(pmap, va); *pml4 = 0; + if (pmap->pm_pml4u != NULL && va <= VM_MAXUSER_ADDRESS) { + pml4 = &pmap->pm_pml4u[pmap_pml4e_index(va)]; + *pml4 = 0; + } } else if (m->pindex >= NUPDE) { /* PD page */ pdp_entry_t *pdp; @@ -2349,7 +2498,10 @@ pmap_pinit0(pmap_t pmap) PMAP_LOCK_INIT(pmap); pmap->pm_pml4 = (pml4_entry_t *)PHYS_TO_DMAP(KPML4phys); + pmap->pm_pml4u = NULL; pmap->pm_cr3 = KPML4phys; + /* hack to keep pmap_pti_pcid_invalidate() alive */ + pmap->pm_ucr3 = PMAP_NO_CR3; pmap->pm_root.rt_root = 0; CPU_ZERO(&pmap->pm_active); TAILQ_INIT(&pmap->pm_pvchunk); @@ -2358,6 +2510,8 @@ pmap_pinit0(pmap_t pmap) CPU_FOREACH(i) { pmap->pm_pcids[i].pm_pcid = PMAP_PCID_NONE; pmap->pm_pcids[i].pm_gen = 0; + if (!pti) + __pcpu[i].pc_kcr3 = PMAP_NO_CR3; } PCPU_SET(curpmap, kernel_pmap); pmap_activate(curthread); @@ -2387,6 +2541,17 @@ pmap_pinit_pml4(vm_page_t pml4pg) X86_PG_A | X86_PG_M; } +static void +pmap_pinit_pml4_pti(vm_page_t pml4pg) +{ + pml4_entry_t *pm_pml4; + int i; + + pm_pml4 = (pml4_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pml4pg)); + for (i = 0; i < NPML4EPG; i++) + pm_pml4[i] = pti_pml4[i]; +} + /* * Initialize a preallocated and zeroed pmap structure, * such as one in a vmspace structure. 
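Review bot: The bound `va <= VM_MAXUSER_ADDRESS` in the new `pm_pml4u` branch of _pmap_unwire_ptp looks one address too wide. The matching update in _pmap_allocpte later in this patch guards the same slots with `pml4index < NUPML4E`, and if VM_MAXUSER_ADDRESS is the first address past user space (its definition is not visible here) the equality case indexes the first non-user slot of `pm_pml4u`. It is probably harmless in practice because user mappings end below that address, but `va < VM_MAXUSER_ADDRESS` would make the two sites agree. The function starts and ends outside the hunk.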
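Review bot: The comment `/* hack to keep pmap_pti_pcid_invalidate() alive */` in pmap_pinit0 does not say what the assignment achieves. As far as the visible hunks show, every user-page-table flush in this patch is gated on `pm_ucr3 != PMAP_NO_CR3`, so this line appears to be what makes those paths skip the kernel pmap, which has no user-mode twin (`pm_pml4u = NULL` two lines above). If that reading is right, a wording such as `/* kernel pmap has no user page table; PMAP_NO_CR3 makes the PTI flush paths skip it */` would be clearer. pmap_pinit0 begins and ends outside the hunk.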
@@ -2394,7 +2559,7 @@ pmap_pinit_pml4(vm_page_t pml4pg) int pmap_pinit_type(pmap_t pmap, enum pmap_type pm_type, int flags) { - vm_page_t pml4pg; + vm_page_t pml4pg, pml4pgu; vm_paddr_t pml4phys; int i; @@ -2411,8 +2576,11 @@ pmap_pinit_type(pmap_t pmap, enum pmap_type pm_type, int flags) pmap->pm_pcids[i].pm_pcid = PMAP_PCID_NONE; pmap->pm_pcids[i].pm_gen = 0; } - pmap->pm_cr3 = ~0; /* initialize to an invalid value */ + pmap->pm_cr3 = PMAP_NO_CR3; /* initialize to an invalid value */ + pmap->pm_ucr3 = PMAP_NO_CR3; + pmap->pm_pml4u = NULL; + pmap->pm_type = pm_type; if ((pml4pg->flags & PG_ZERO) == 0) pagezero(pmap->pm_pml4); @@ -2420,10 +2588,21 @@ pmap_pinit_type(pmap_t pmap, enum pmap_type pm_type, int flags) * Do not install the host kernel mappings in the nested page * tables. These mappings are meaningless in the guest physical * address space. + * Install minimal kernel mappings in PTI case. */ - if ((pmap->pm_type = pm_type) == PT_X86) { + if (pm_type == PT_X86) { pmap->pm_cr3 = pml4phys; pmap_pinit_pml4(pml4pg); + if (pti) { + while ((pml4pgu = vm_page_alloc(NULL, 0, + VM_ALLOC_NORMAL | VM_ALLOC_NOOBJ | VM_ALLOC_WIRED)) + == NULL) + VM_WAIT; + pmap->pm_pml4u = (pml4_entry_t *)PHYS_TO_DMAP( + VM_PAGE_TO_PHYS(pml4pgu)); + pmap_pinit_pml4_pti(pml4pgu); + pmap->pm_ucr3 = VM_PAGE_TO_PHYS(pml4pgu); + } } pmap->pm_root.rt_root = 0; 
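Review bot: `pml4pgu` is allocated without VM_ALLOC_ZERO and is never passed to pagezero(), unlike `pml4pg` a few lines above, so the user-mode PML4 is clean only because pmap_pinit_pml4_pti() overwrites all NPML4EPG slots. That dependency deserves a comment at the call, e.g. `/* pml4pgu is not zeroed: pmap_pinit_pml4_pti() must fill every slot */`. A later change that copies only the kernel slots would otherwise leave stale page contents live as entries of a page table that is active while user code runs. pmap_pinit_type continues outside the hunk.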
@@ -2495,13 +2674,27 @@ _pmap_allocpte(pmap_t pmap, vm_pindex_t ptepindex, struct rwlock **lockp) */ if (ptepindex >= (NUPDE + NUPDPE)) { - pml4_entry_t *pml4; + pml4_entry_t *pml4, *pml4u; vm_pindex_t pml4index; /* Wire up a new PDPE page */ pml4index = ptepindex - (NUPDE + NUPDPE); pml4 = &pmap->pm_pml4[pml4index]; *pml4 = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V | PG_A | PG_M; + if (pmap->pm_pml4u != NULL && pml4index < NUPML4E) { + /* + * PTI: Make all user-space mappings in the + * kernel-mode page table no-execute so that + * we detect any programming errors that leave + * the kernel-mode page table active on return + * to user space. + */ + *pml4 |= pg_nx; + + pml4u = &pmap->pm_pml4u[pml4index]; + *pml4u = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V | + PG_A | PG_M; + } } else if (ptepindex >= NUPDE) { vm_pindex_t pml4index; @@ -2702,6 +2895,13 @@ pmap_release(pmap_t pmap) m->wire_count--; atomic_subtract_int(&vm_cnt.v_wire_count, 1); vm_page_free_zero(m); + + if (pmap->pm_pml4u != NULL) { + m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pmap->pm_pml4u)); + m->wire_count--; + atomic_subtract_int(&vm_cnt.v_wire_count, 1); + vm_page_free(m); + } } static int @@ -6867,13 +7067,15 @@ pmap_pcid_alloc(pmap_t pmap, u_int cpuid) CRITICAL_ASSERT(curthread); gen = PCPU_GET(pcid_gen); - if (pmap->pm_pcids[cpuid].pm_pcid == PMAP_PCID_KERN || - pmap->pm_pcids[cpuid].pm_gen == gen) + if (!pti && (pmap->pm_pcids[cpuid].pm_pcid == PMAP_PCID_KERN || + pmap->pm_pcids[cpuid].pm_gen == gen)) return (CR3_PCID_SAVE); pcid_next = PCPU_GET(pcid_next); - KASSERT(pcid_next <= PMAP_PCID_OVERMAX, ("cpu %d pcid_next %#x", - cpuid, pcid_next)); - if (pcid_next == PMAP_PCID_OVERMAX) { + KASSERT((!pti && pcid_next <= PMAP_PCID_OVERMAX) || + (pti && pcid_next <= PMAP_PCID_OVERMAX_KERN), + ("cpu %d pcid_next %#x", cpuid, pcid_next)); + if ((!pti && pcid_next == PMAP_PCID_OVERMAX) || + (pti && pcid_next == PMAP_PCID_OVERMAX_KERN)) { new_gen = gen + 1; if (new_gen == 0) new_gen = 1; 
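Review bot: In pmap_pcid_alloc, the added `!pti &&` guard means the early `return (CR3_PCID_SAVE)` is never taken when PTI is on, so every call falls through to allocate a new PCID even if the pmap's generation still matches, and the hunk gives no reason. If this is a deliberate simplification, a comment such as `/* PTI: cached PCID deliberately not reused because <reason> */` should record it; if not, the cached-PCID fast path is lost on every context switch under PTI. The remainder of the function is outside the hunk, so the slow-path return value cannot be checked from here.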
@@ -6892,7 +7094,8 @@ void pmap_activate_sw(struct thread *td) { pmap_t oldpmap, pmap; - uint64_t cached, cr3; + struct invpcid_descr d; + uint64_t cached, cr3, kcr3, ucr3; register_t rflags; u_int cpuid; @@ -6948,11 +7151,41 @@ pmap_activate_sw(struct thread *td) PCPU_INC(pm_save_cnt); } PCPU_SET(curpmap, pmap); + if (pti) { + kcr3 = pmap->pm_cr3 | pmap->pm_pcids[cpuid].pm_pcid; + ucr3 = pmap->pm_ucr3 | pmap->pm_pcids[cpuid].pm_pcid | + PMAP_PCID_USER_PT; + + /* + * Manually invalidate translations cached + * from the user page table, which are not + * flushed by reload of cr3 with the kernel + * page table pointer above. + */ + if (pmap->pm_ucr3 != PMAP_NO_CR3) { + if (invpcid_works) { + d.pcid = PMAP_PCID_USER_PT | + pmap->pm_pcids[cpuid].pm_pcid; + d.pad = 0; + d.addr = 0; + invpcid(&d, INVPCID_CTX); + } else { + pmap_pti_pcid_invalidate(ucr3, kcr3); + } + } + + PCPU_SET(kcr3, kcr3 | CR3_PCID_SAVE); + PCPU_SET(ucr3, ucr3 | CR3_PCID_SAVE); + } if (!invpcid_works) intr_restore(rflags); } else if (cr3 != pmap->pm_cr3) { load_cr3(pmap->pm_cr3); PCPU_SET(curpmap, pmap); + if (pti) { + PCPU_SET(kcr3, pmap->pm_cr3); + PCPU_SET(ucr3, pmap->pm_ucr3); + } } #ifdef SMP CPU_CLR_ATOMIC(cpuid, &oldpmap->pm_active); 
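Review bot: In pmap_activate_sw, `ucr3` is computed and stored with `PCPU_SET(ucr3, ucr3 | CR3_PCID_SAVE)` even when `pmap->pm_ucr3 == PMAP_NO_CR3`; the per-CPU value stays equal to the sentinel only because PMAP_NO_CR3 is all ones and survives the ORs. Any consumer that compares the per-CPU value with the sentinel (none is visible here) depends on that, so it should be stated next to the computation: `/* PMAP_NO_CR3 is ~0UL, so ucr3 remains PMAP_NO_CR3 for pmaps without a user table */`. The user-PCID flush also runs on every switch regardless of `cached`, whose computation is above the hunk; if that is intended it is worth a word in the existing block comment.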
@@ -7271,6 +7504,291 @@ pmap_quick_remove_page(vm_offset_t addr) mtx_unlock_spin(&qframe_mtx); } +static vm_page_t +pmap_pti_alloc_page(void) +{ + vm_page_t m; + + VM_OBJECT_ASSERT_WLOCKED(pti_obj); + m = vm_page_grab(pti_obj, pti_pg_idx++, VM_ALLOC_NOBUSY | + VM_ALLOC_WIRED | VM_ALLOC_ZERO); + return (m); +} + +static bool +pmap_pti_free_page(vm_page_t m) +{ + + KASSERT(m->wire_count > 0, ("page %p not wired", m)); + m->wire_count--; + if (m->wire_count != 0) + return (false); + atomic_subtract_int(&vm_cnt.v_wire_count, 1); + vm_page_free_zero(m); + return (true); +} + +static void +pmap_pti_init(void) +{ + vm_page_t pml4_pg; + pdp_entry_t *pdpe; + vm_offset_t va; + int i; + + if (!pti) + return; + pti_obj = vm_pager_allocate(OBJT_PHYS, NULL, 0, VM_PROT_ALL, 0, NULL); + VM_OBJECT_WLOCK(pti_obj); + pml4_pg = pmap_pti_alloc_page(); + pti_pml4 = (pml4_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pml4_pg)); + for (va = VM_MIN_KERNEL_ADDRESS; va <= VM_MAX_KERNEL_ADDRESS && + va >= VM_MIN_KERNEL_ADDRESS && va > NBPML4; va += NBPML4) { + pdpe = pmap_pti_pdpe(va); + pmap_pti_wire_pte(pdpe); + } + pmap_pti_add_kva_locked((vm_offset_t)&__pcpu[0], + (vm_offset_t)&__pcpu[0] + sizeof(__pcpu[0]) * MAXCPU, false); + pmap_pti_add_kva_locked((vm_offset_t)gdt, (vm_offset_t)gdt + + sizeof(struct user_segment_descriptor) * NGDT * MAXCPU, false); + pmap_pti_add_kva_locked((vm_offset_t)idt, (vm_offset_t)idt + + sizeof(struct gate_descriptor) * NIDT, false); + pmap_pti_add_kva_locked((vm_offset_t)common_tss, + (vm_offset_t)common_tss + sizeof(struct amd64tss) * MAXCPU, false); + CPU_FOREACH(i) { + /* Doublefault stack IST 1 */ + va = common_tss[i].tss_ist1; + pmap_pti_add_kva_locked(va - PAGE_SIZE, va, false); + /* NMI stack IST 2 */ + va = common_tss[i].tss_ist2 + sizeof(struct nmi_pcpu); + pmap_pti_add_kva_locked(va - PAGE_SIZE, va, false); + /* MC# stack IST 3 */ + va = common_tss[i].tss_ist3 + sizeof(struct nmi_pcpu); + pmap_pti_add_kva_locked(va - PAGE_SIZE, va, false); + } + 
pmap_pti_add_kva_locked((vm_offset_t)kernphys + KERNBASE, + (vm_offset_t)etext, true); + pti_finalized = true; + VM_OBJECT_WUNLOCK(pti_obj); +} +SYSINIT(pmap_pti, SI_SUB_CPU + 1, SI_ORDER_ANY, pmap_pti_init, NULL); + +static pdp_entry_t * +pmap_pti_pdpe(vm_offset_t va) +{ + pml4_entry_t *pml4e; + pdp_entry_t *pdpe; + vm_page_t m; + vm_pindex_t pml4_idx; + vm_paddr_t mphys; + + VM_OBJECT_ASSERT_WLOCKED(pti_obj); + + pml4_idx = pmap_pml4e_index(va); + pml4e = &pti_pml4[pml4_idx]; + m = NULL; + if (*pml4e == 0) { + if (pti_finalized) + panic("pml4 alloc after finalization\n"); + m = pmap_pti_alloc_page(); + if (*pml4e != 0) { + pmap_pti_free_page(m); + mphys = *pml4e & ~PAGE_MASK; + } else { + mphys = VM_PAGE_TO_PHYS(m); + *pml4e = mphys | X86_PG_RW | X86_PG_V; + } + } else { + mphys = *pml4e & ~PAGE_MASK; + } + pdpe = (pdp_entry_t *)PHYS_TO_DMAP(mphys) + pmap_pdpe_index(va); + return (pdpe); +} + +static void +pmap_pti_wire_pte(void *pte) +{ + vm_page_t m; + + VM_OBJECT_ASSERT_WLOCKED(pti_obj); + m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pte)); + m->wire_count++; +} + +static void +pmap_pti_unwire_pde(void *pde, bool only_ref) +{ + vm_page_t m; + + VM_OBJECT_ASSERT_WLOCKED(pti_obj); + m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pde)); + MPASS(m->wire_count > 0); + MPASS(only_ref || m->wire_count > 1); + pmap_pti_free_page(m); +} + +static void +pmap_pti_unwire_pte(void *pte, vm_offset_t va) +{ + vm_page_t m; + pd_entry_t *pde; + + VM_OBJECT_ASSERT_WLOCKED(pti_obj); + m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pte)); + MPASS(m->wire_count > 0); + if (pmap_pti_free_page(m)) { + pde = pmap_pti_pde(va); + MPASS((*pde & (X86_PG_PS | X86_PG_V)) == X86_PG_V); + *pde = 0; + pmap_pti_unwire_pde(pde, false); + } +} + +static pd_entry_t * +pmap_pti_pde(vm_offset_t va) +{ + pdp_entry_t *pdpe; + pd_entry_t *pde; + vm_page_t m; + vm_pindex_t pd_idx; + vm_paddr_t mphys; + + VM_OBJECT_ASSERT_WLOCKED(pti_obj); + + pdpe = pmap_pti_pdpe(va); + if (*pdpe == 0) { + m = 
pmap_pti_alloc_page(); + if (*pdpe != 0) { + pmap_pti_free_page(m); + MPASS((*pdpe & X86_PG_PS) == 0); + mphys = *pdpe & ~PAGE_MASK; + } else { + mphys = VM_PAGE_TO_PHYS(m); + *pdpe = mphys | X86_PG_RW | X86_PG_V; + } + } else { + MPASS((*pdpe & X86_PG_PS) == 0); + mphys = *pdpe & ~PAGE_MASK; + } + + pde = (pd_entry_t *)PHYS_TO_DMAP(mphys); + pd_idx = pmap_pde_index(va); + pde += pd_idx; + return (pde); +} + +static pt_entry_t * +pmap_pti_pte(vm_offset_t va, bool *unwire_pde) +{ + pd_entry_t *pde; + pt_entry_t *pte; + vm_page_t m; + vm_paddr_t mphys; + + VM_OBJECT_ASSERT_WLOCKED(pti_obj); + + pde = pmap_pti_pde(va); + if (unwire_pde != NULL) { + *unwire_pde = true; + pmap_pti_wire_pte(pde); + } + if (*pde == 0) { + m = pmap_pti_alloc_page(); + if (*pde != 0) { + pmap_pti_free_page(m); + MPASS((*pde & X86_PG_PS) == 0); + mphys = *pde & ~(PAGE_MASK | pg_nx); + } else { + mphys = VM_PAGE_TO_PHYS(m); + *pde = mphys | X86_PG_RW | X86_PG_V; + if (unwire_pde != NULL) + *unwire_pde = false; + } + } else { + MPASS((*pde & X86_PG_PS) == 0); + mphys = *pde & ~(PAGE_MASK | pg_nx); + } + + pte = (pt_entry_t *)PHYS_TO_DMAP(mphys); + pte += pmap_pte_index(va); + + return (pte); +} + +static void +pmap_pti_add_kva_locked(vm_offset_t sva, vm_offset_t eva, bool exec) +{ + vm_paddr_t pa; + pd_entry_t *pde; + pt_entry_t *pte, ptev; + bool unwire_pde; + + VM_OBJECT_ASSERT_WLOCKED(pti_obj); + + sva = trunc_page(sva); + MPASS(sva > VM_MAXUSER_ADDRESS); + eva = round_page(eva); + MPASS(sva < eva); + for (; sva < eva; sva += PAGE_SIZE) { + pte = pmap_pti_pte(sva, &unwire_pde); + pa = pmap_kextract(sva); + ptev = pa | X86_PG_RW | X86_PG_V | X86_PG_A | + (exec ? 
0 : pg_nx) | pmap_cache_bits(kernel_pmap, + VM_MEMATTR_DEFAULT, FALSE); + if (*pte == 0) { + pte_store(pte, ptev); + pmap_pti_wire_pte(pte); + } else { + KASSERT(!pti_finalized, + ("pti overlap after fin %#lx %#lx %#lx", + sva, *pte, ptev)); + KASSERT(*pte == ptev, + ("pti non-identical pte after fin %#lx %#lx %#lx", + sva, *pte, ptev)); + } + if (unwire_pde) { + pde = pmap_pti_pde(sva); + pmap_pti_unwire_pde(pde, true); + } + } +} + +void +pmap_pti_add_kva(vm_offset_t sva, vm_offset_t eva, bool exec) +{ + + if (!pti) + return; + VM_OBJECT_WLOCK(pti_obj); + pmap_pti_add_kva_locked(sva, eva, exec); + VM_OBJECT_WUNLOCK(pti_obj); +} + +void +pmap_pti_remove_kva(vm_offset_t sva, vm_offset_t eva) +{ + pt_entry_t *pte; + vm_offset_t va; + + if (!pti) + return; + sva = rounddown2(sva, PAGE_SIZE); + MPASS(sva > VM_MAXUSER_ADDRESS); + eva = roundup2(eva, PAGE_SIZE); + MPASS(sva < eva); + VM_OBJECT_WLOCK(pti_obj); + for (va = sva; va < eva; va += PAGE_SIZE) { + pte = pmap_pti_pte(va, NULL); + KASSERT((*pte & X86_PG_V) != 0, + ("invalid pte va %#lx pte %#lx pt %#lx", va, + (u_long)pte, *pte)); + pte_clear(pte); + pmap_pti_unwire_pte(pte, va); + } + pmap_invalidate_range(kernel_pmap, sva, eva); + VM_OBJECT_WUNLOCK(pti_obj); +} + #include "opt_ddb.h" #ifdef DDB #include diff --git a/sys/amd64/amd64/support.S b/sys/amd64/amd64/support.S index e7af5d7..f6be94e 100644 --- a/sys/amd64/amd64/support.S +++ b/sys/amd64/amd64/support.S @@ -33,6 +33,7 @@ #include "opt_ddb.h" #include +#include #include #include "assym.s" 
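Review bot: pmap_pti_remove_kva() ends with `pmap_invalidate_range(kernel_pmap, sva, eva)`, but the entries it just cleared belong to the PTI page table and are used while a user PCID (`PMAP_PCID_USER_PT`) is active. In the pmap_invalidate_range variant patched earlier in this file, the user-PCID invalidation runs only when `pmap == PCPU_GET(curpmap)` and `pm_ucr3 != PMAP_NO_CR3`, which a kernel_pmap request does not satisfy, so translations for the removed range cached under a user PCID may outlive the `kmem_free()` in the callers; the SMP variant is not visible here and may differ. Please confirm and record the reasoning in a comment, e.g. `/* user-PCID entries for this range are dropped by <mechanism> */`. Separately, the only validity check in the loop is a KASSERT, so in a kernel without INVARIANTS a range that was never added with pmap_pti_add_kva() would unbalance the page-table wire counts.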
@@ -787,3 +788,115 @@ msr_onfault: movl $EFAULT,%eax POP_FRAME_POINTER ret + +/* + * void pmap_pti_pcid_invalidate(uint64_t ucr3, uint64_t kcr3); + * Invalidates address space addressed by ucr3, then returns to kcr3. + * Done in assembler to ensure no other memory accesses happen while + * on ucr3. + */ + ALIGN_TEXT +ENTRY(pmap_pti_pcid_invalidate) + pushfq + cli + movq %rdi,%cr3 /* to user page table */ + movq %rsi,%cr3 /* back to kernel */ + popfq + retq + +/* + * void pmap_pti_pcid_invlpg(uint64_t ucr3, uint64_t kcr3, vm_offset_t va); + * Invalidates virtual address va in address space ucr3, then returns to kcr3. + */ + ALIGN_TEXT +ENTRY(pmap_pti_pcid_invlpg) + pushfq + cli + movq %rdi,%cr3 /* to user page table */ + invlpg (%rdx) + movq %rsi,%cr3 /* back to kernel */ + popfq + retq + +/* + * void pmap_pti_pcid_invlrng(uint64_t ucr3, uint64_t kcr3, vm_offset_t sva, + * vm_offset_t eva); + * Invalidates virtual addresses between sva and eva in address space ucr3, + * then returns to kcr3. 
+ */ + ALIGN_TEXT +ENTRY(pmap_pti_pcid_invlrng) + pushfq + cli + movq %rdi,%cr3 /* to user page table */ +1: invlpg (%rdx) + addq $PAGE_SIZE,%rdx + cmpq %rdx,%rcx + ja 1b + movq %rsi,%cr3 /* back to kernel */ + popfq + retq + + .altmacro + .macro ibrs_seq_label l +handle_ibrs_\l: + .endm + .macro ibrs_call_label l + call handle_ibrs_\l + .endm + .macro ibrs_seq count + ll=1 + .rept \count + ibrs_call_label %(ll) + nop + ibrs_seq_label %(ll) + addq $8,%rsp + ll=ll+1 + .endr + .endm + +/* all callers already saved %rax, %rdx, and %rcx */ +ENTRY(handle_ibrs_entry) + cmpb $0,hw_ibrs_active(%rip) + je 1f + movl $MSR_IA32_SPEC_CTRL,%ecx + movl $(IA32_SPEC_CTRL_IBRS|IA32_SPEC_CTRL_STIBP),%eax + movl $(IA32_SPEC_CTRL_IBRS|IA32_SPEC_CTRL_STIBP)>>32,%edx + wrmsr + movb $1,PCPU(IBPB_SET) + testl $CPUID_STDEXT_SMEP,cpu_stdext_feature(%rip) + jne 1f + ibrs_seq 32 +1: ret +END(handle_ibrs_entry) + +ENTRY(handle_ibrs_exit) + cmpb $0,PCPU(IBPB_SET) + je 1f + movl $MSR_IA32_SPEC_CTRL,%ecx + xorl %eax,%eax + xorl %edx,%edx + wrmsr + movb $0,PCPU(IBPB_SET) +1: ret +END(handle_ibrs_exit) + +/* registers-neutral version, but needs stack */ +ENTRY(handle_ibrs_exit_rs) + cmpb $0,PCPU(IBPB_SET) + je 1f + pushq %rax + pushq %rdx + pushq %rcx + movl $MSR_IA32_SPEC_CTRL,%ecx + xorl %eax,%eax + xorl %edx,%edx + wrmsr + popq %rcx + popq %rdx + popq %rax + movb $0,PCPU(IBPB_SET) +1: ret +END(handle_ibrs_exit_rs) + + .noaltmacro diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c index 24009db..8867aed 100644 --- a/sys/amd64/amd64/sys_machdep.c +++ b/sys/amd64/amd64/sys_machdep.c @@ -357,7 +357,9 @@ amd64_set_ioperm(td, uap) pcb = td->td_pcb; if (pcb->pcb_tssp == NULL) { tssp = (struct amd64tss *)kmem_malloc(kernel_arena, - ctob(IOPAGES+1), M_WAITOK); + ctob(IOPAGES + 1), M_WAITOK); + pmap_pti_add_kva((vm_offset_t)tssp, (vm_offset_t)tssp + + ctob(IOPAGES + 1), false); iomap = (char *)&tssp[1]; memset(iomap, 0xff, IOPERM_BITMAP_SIZE); critical_enter(); 
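Review bot: `ibrs_seq 32` in handle_ibrs_entry expands to 32 call/`addq $8,%rsp` pairs with no comment on what the sequence is for or why it is skipped when `CPUID_STDEXT_SMEP` is set. It looks like return-predictor filling, but a reader should not have to guess in mitigation code; a comment above the macro call along the lines of `/* no SMEP: refill the return predictor so entries left by user mode are not consumed */`, adjusted to the author's actual intent, would do. The per-CPU flag is also named `IBPB_SET` although it records that IBRS/STIBP were written to MSR_IA32_SPEC_CTRL, which is a different control from IBPB; a comment at `movb $1,PCPU(IBPB_SET)` or a rename would avoid the confusion.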
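Review bot: In amd64_set_ioperm the TSS and I/O bitmap allocation is now mapped into the user-mode page table by `pmap_pti_add_kva()`, but it is still requested with plain `M_WAITOK`, unlike the LDT allocation in user_ldt_alloc, which uses `M_WAITOK | M_ZERO`. Only the bitmap is visibly initialised here (`memset(iomap, 0xff, IOPERM_BITMAP_SIZE)`), so any part of the `ctob(IOPAGES + 1)` bytes that is not overwritten later keeps old kernel heap contents in pages that stay mapped while user code runs. Limiting what that table exposes is the purpose of the change, so I would allocate with `M_WAITOK | M_ZERO`. The rest of the function is outside the hunk and may already initialise the TSS part fully.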
@@ -452,6 +454,8 @@ user_ldt_alloc(struct proc *p, int force) struct proc_ldt *pldt, *new_ldt; struct mdproc *mdp; struct soft_segment_descriptor sldt; + vm_offset_t sva; + vm_size_t sz; mtx_assert(&dt_lock, MA_OWNED); mdp = &p->p_md; @@ -459,13 +463,13 @@ user_ldt_alloc(struct proc *p, int force) return (mdp->md_ldt); mtx_unlock(&dt_lock); new_ldt = malloc(sizeof(struct proc_ldt), M_SUBPROC, M_WAITOK); - new_ldt->ldt_base = (caddr_t)kmem_malloc(kernel_arena, - max_ldt_segment * sizeof(struct user_segment_descriptor), - M_WAITOK | M_ZERO); + sz = max_ldt_segment * sizeof(struct user_segment_descriptor); + sva = kmem_malloc(kernel_arena, sz, M_WAITOK | M_ZERO); + new_ldt->ldt_base = (caddr_t)sva; + pmap_pti_add_kva(sva, sva + sz, false); new_ldt->ldt_refcnt = 1; - sldt.ssd_base = (uint64_t)new_ldt->ldt_base; - sldt.ssd_limit = max_ldt_segment * - sizeof(struct user_segment_descriptor) - 1; + sldt.ssd_base = sva; + sldt.ssd_limit = sz - 1; sldt.ssd_type = SDT_SYSLDT; sldt.ssd_dpl = SEL_KPL; sldt.ssd_p = 1; @@ -475,8 +479,8 @@ user_ldt_alloc(struct proc *p, int force) mtx_lock(&dt_lock); pldt = mdp->md_ldt; if (pldt != NULL && !force) { - kmem_free(kernel_arena, (vm_offset_t)new_ldt->ldt_base, - max_ldt_segment * sizeof(struct user_segment_descriptor)); + pmap_pti_remove_kva(sva, sva + sz); + kmem_free(kernel_arena, sva, sz); free(new_ldt, M_SUBPROC); return (pldt); } @@ -518,10 +522,14 @@ user_ldt_free(struct thread *td) static void user_ldt_derefl(struct proc_ldt *pldt) { + vm_offset_t sva; + vm_size_t sz; if (--pldt->ldt_refcnt == 0) { - kmem_free(kernel_arena, (vm_offset_t)pldt->ldt_base, - max_ldt_segment * sizeof(struct user_segment_descriptor)); + sva = (vm_offset_t)pldt->ldt_base; + sz = max_ldt_segment * sizeof(struct user_segment_descriptor); + pmap_pti_remove_kva(sva, sva + sz); + kmem_free(kernel_arena, sva, sz); free(pldt, M_SUBPROC); } } diff --git a/sys/amd64/amd64/trap.c b/sys/amd64/amd64/trap.c index e779ef2..fccd297 100644 
--- a/sys/amd64/amd64/trap.c +++ b/sys/amd64/amd64/trap.c @@ -218,11 +218,6 @@ trap(struct trapframe *frame) #endif } - if (type == T_MCHK) { - mca_intr(); - goto out; - } - if ((frame->tf_rflags & PSL_I) == 0) { /* * Buggy application or kernel code has disabled @@ -452,9 +447,28 @@ trap(struct trapframe *frame) * problem here and not have to check all the * selectors and pointers when the user changes * them. + * + * In case of PTI, the IRETQ faulted while the + * kernel used the pti stack, and exception + * frame records %rsp value pointing to that + * stack. If we return normally to + * doreti_iret_fault, the trapframe is + * reconstructed on pti stack, and calltrap() + * called on it as well. Due to the very + * limited pti stack size, kernel does not + * survive for too long. Switch to the normal + * thread stack for the trap handling. + * + * Magic '5' is the number of qwords occupied by + * the hardware trap frame. */ if (frame->tf_rip == (long)doreti_iret) { frame->tf_rip = (long)doreti_iret_fault; + if (pti && frame->tf_rsp == (uintptr_t)PCPU_PTR( + pti_stack) + (PC_PTI_STACK_SZ - 5) * + sizeof(register_t)) + frame->tf_rsp = PCPU_GET(rsp0) - 5 * + sizeof(register_t); goto out; } if (frame->tf_rip == (long)ld_ds) { @@ -694,6 +708,17 @@ trap_pfault(frame, usermode) } /* + * If nx protection of the usermode portion of kernel page + * tables caused trap, panic. + */ + if (pti && usermode && pg_nx != 0 && (frame->tf_err & (PGEX_P | PGEX_W | + PGEX_U | PGEX_I)) == (PGEX_P | PGEX_U | PGEX_I) && + (curpcb->pcb_saved_ucr3 & ~CR3_PCID_MASK)== + (PCPU_GET(curpmap)->pm_cr3 & ~CR3_PCID_MASK)) + panic("PTI: pid %d comm %s tf_err %#lx\n", p->p_pid, + p->p_comm, frame->tf_err); + + /* * PGEX_I is defined only if the execute disable bit capability is * supported and enabled. */ diff --git a/sys/amd64/amd64/vm_machdep.c b/sys/amd64/amd64/vm_machdep.c index 20c7cce..8846eb8 100644 --- a/sys/amd64/amd64/vm_machdep.c +++ b/sys/amd64/amd64/vm_machdep.c 
@@ -339,6 +339,8 @@ cpu_thread_clean(struct thread *td) * Clean TSS/iomap */ if (pcb->pcb_tssp != NULL) { + pmap_pti_remove_kva((vm_offset_t)pcb->pcb_tssp, + (vm_offset_t)pcb->pcb_tssp + ctob(IOPAGES + 1)); kmem_free(kernel_arena, (vm_offset_t)pcb->pcb_tssp, ctob(IOPAGES + 1)); pcb->pcb_tssp = NULL; diff --git a/sys/amd64/ia32/ia32_exception.S b/sys/amd64/ia32/ia32_exception.S index fe1a676..1f09764 100644 --- a/sys/amd64/ia32/ia32_exception.S +++ b/sys/amd64/ia32/ia32_exception.S @@ -40,24 +40,27 @@ * that it originated in supervisor mode and skip the swapgs. */ SUPERALIGN_TEXT +IDTVEC(int0x80_syscall_pti) + PTI_UENTRY has_err=0 + jmp int0x80_syscall_common + SUPERALIGN_TEXT IDTVEC(int0x80_syscall) swapgs +int0x80_syscall_common: pushq $2 /* sizeof "int 0x80" */ subq $TF_ERR,%rsp /* skip over tf_trapno */ movq %rdi,TF_RDI(%rsp) movq PCPU(CURPCB),%rdi andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi) - movw %fs,TF_FS(%rsp) - movw %gs,TF_GS(%rsp) - movw %es,TF_ES(%rsp) - movw %ds,TF_DS(%rsp) - sti - movq %rsi,TF_RSI(%rsp) + SAVE_SEGS + movq %rax,TF_RAX(%rsp) movq %rdx,TF_RDX(%rsp) movq %rcx,TF_RCX(%rsp) + call handle_ibrs_entry + sti + movq %rsi,TF_RSI(%rsp) movq %r8,TF_R8(%rsp) movq %r9,TF_R9(%rsp) - movq %rax,TF_RAX(%rsp) movq %rbx,TF_RBX(%rsp) movq %rbp,TF_RBP(%rsp) movq %r10,TF_R10(%rsp) diff --git a/sys/amd64/ia32/ia32_syscall.c b/sys/amd64/ia32/ia32_syscall.c index 6e96edd..c2bf2fb 100644 --- a/sys/amd64/ia32/ia32_syscall.c +++ b/sys/amd64/ia32/ia32_syscall.c @@ -93,7 +93,8 @@ __FBSDID("$FreeBSD$"); #define IDTVEC(name) __CONCAT(X,name) -extern inthand_t IDTVEC(int0x80_syscall), IDTVEC(rsvd); +extern inthand_t IDTVEC(int0x80_syscall), IDTVEC(int0x80_syscall_pti), + IDTVEC(rsvd), IDTVEC(rsvd_pti); void ia32_syscall(struct trapframe *frame); /* Called from asm code */ 
@@ -205,14 +206,16 @@ static void ia32_syscall_enable(void *dummy) { - setidt(IDT_SYSCALL, &IDTVEC(int0x80_syscall), SDT_SYSIGT, SEL_UPL, 0); + setidt(IDT_SYSCALL, pti ? &IDTVEC(int0x80_syscall_pti) : + &IDTVEC(int0x80_syscall), SDT_SYSIGT, SEL_UPL, 0); } static void ia32_syscall_disable(void *dummy) { - setidt(IDT_SYSCALL, &IDTVEC(rsvd), SDT_SYSIGT, SEL_KPL, 0); + setidt(IDT_SYSCALL, pti ? &IDTVEC(rsvd_pti) : &IDTVEC(rsvd), + SDT_SYSIGT, SEL_KPL, 0); } SYSINIT(ia32_syscall, SI_SUB_EXEC, SI_ORDER_ANY, ia32_syscall_enable, NULL); diff --git a/sys/amd64/include/asmacros.h b/sys/amd64/include/asmacros.h index d5652c4..cd7acd8 100644 --- a/sys/amd64/include/asmacros.h +++ b/sys/amd64/include/asmacros.h @@ -1,7 +1,15 @@ +/* -*- mode: asm -*- */ /*- * Copyright (c) 1993 The Regents of the University of California. * All rights reserved. * + * Copyright (c) 2018 The FreeBSD Foundation + * All rights reserved. + * + * Portions of this software were developed by + * Konstantin Belousov under sponsorship from + * the FreeBSD Foundation. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -144,70 +152,135 @@ #ifdef LOCORE /* + * Access per-CPU data. + */ +#define PCPU(member) %gs:PC_ ## member +#define PCPU_ADDR(member, reg) \ + movq %gs:PC_PRVSPACE, reg ; \ + addq $PC_ ## member, reg + +/* * Convenience macro for declaring interrupt entry points. */ #define IDTVEC(name) ALIGN_TEXT; .globl __CONCAT(X,name); \ .type __CONCAT(X,name),@function; __CONCAT(X,name): -/* - * Macros to create and destroy a trap frame. - */ -#define PUSH_FRAME \ - subq $TF_RIP,%rsp ; /* skip dummy tf_err and tf_trapno */ \ - testb $SEL_RPL_MASK,TF_CS(%rsp) ; /* come from kernel? */ \ - jz 1f ; /* Yes, dont swapgs again */ \ - swapgs ; \ -1: movq %rdi,TF_RDI(%rsp) ; \ - movq %rsi,TF_RSI(%rsp) ; \ - movq %rdx,TF_RDX(%rsp) ; \ - movq %rcx,TF_RCX(%rsp) ; \ - movq %r8,TF_R8(%rsp) ; \ - movq %r9,TF_R9(%rsp) ; \ - movq %rax,TF_RAX(%rsp) ; \ - movq %rbx,TF_RBX(%rsp) ; \ - movq %rbp,TF_RBP(%rsp) ; \ - movq %r10,TF_R10(%rsp) ; \ - movq %r11,TF_R11(%rsp) ; \ - movq %r12,TF_R12(%rsp) ; \ - movq %r13,TF_R13(%rsp) ; \ - movq %r14,TF_R14(%rsp) ; \ - movq %r15,TF_R15(%rsp) ; \ - movw %fs,TF_FS(%rsp) ; \ - movw %gs,TF_GS(%rsp) ; \ - movw %es,TF_ES(%rsp) ; \ - movw %ds,TF_DS(%rsp) ; \ - movl $TF_HASSEGS,TF_FLAGS(%rsp) ; \ + .macro SAVE_SEGS + movw %fs,TF_FS(%rsp) + movw %gs,TF_GS(%rsp) + movw %es,TF_ES(%rsp) + movw %ds,TF_DS(%rsp) + .endm + + .macro MOVE_STACKS qw + .L.offset=0 + .rept \qw + movq .L.offset(%rsp),%rdx + movq %rdx,.L.offset(%rax) + .L.offset=.L.offset+8 + .endr + .endm + + .macro PTI_UUENTRY has_err + movq PCPU(KCR3),%rax + movq %rax,%cr3 + movq PCPU(RSP0),%rax + subq $PTI_SIZE,%rax + MOVE_STACKS ((PTI_SIZE / 8) - 1 + \has_err) + movq %rax,%rsp + popq %rdx + popq %rax + .endm + + .macro PTI_UENTRY has_err + swapgs + pushq %rax + pushq %rdx + PTI_UUENTRY \has_err + .endm + + .macro PTI_ENTRY name, cont, has_err=0 + ALIGN_TEXT + .globl X\name\()_pti + .type X\name\()_pti,@function +X\name\()_pti: + /* %rax, %rdx and possibly err not yet pushed */ + testb 
$SEL_RPL_MASK,PTI_CS-(2+1-\has_err)*8(%rsp) + jz \cont + PTI_UENTRY \has_err + swapgs + jmp \cont + .endm + + .macro PTI_INTRENTRY vec_name + SUPERALIGN_TEXT + .globl X\vec_name\()_pti + .type X\vec_name\()_pti,@function +X\vec_name\()_pti: + testb $SEL_RPL_MASK,PTI_CS-3*8(%rsp) /* err, %rax, %rdx not pushed */ + jz \vec_name\()_u + PTI_UENTRY has_err=0 + jmp \vec_name\()_u + .endm + + .macro INTR_PUSH_FRAME vec_name + SUPERALIGN_TEXT + .globl X\vec_name + .type X\vec_name,@function +X\vec_name: + testb $SEL_RPL_MASK,PTI_CS-3*8(%rsp) /* come from kernel? */ + jz \vec_name\()_u /* Yes, dont swapgs again */ + swapgs +\vec_name\()_u: + subq $TF_RIP,%rsp /* skip dummy tf_err and tf_trapno */ + movq %rdi,TF_RDI(%rsp) + movq %rsi,TF_RSI(%rsp) + movq %rdx,TF_RDX(%rsp) + movq %rcx,TF_RCX(%rsp) + movq %r8,TF_R8(%rsp) + movq %r9,TF_R9(%rsp) + movq %rax,TF_RAX(%rsp) + movq %rbx,TF_RBX(%rsp) + movq %rbp,TF_RBP(%rsp) + movq %r10,TF_R10(%rsp) + movq %r11,TF_R11(%rsp) + movq %r12,TF_R12(%rsp) + movq %r13,TF_R13(%rsp) + movq %r14,TF_R14(%rsp) + movq %r15,TF_R15(%rsp) + SAVE_SEGS + movl $TF_HASSEGS,TF_FLAGS(%rsp) cld + testb $SEL_RPL_MASK,TF_CS(%rsp) /* come from kernel ? */ + jz 1f /* yes, leave PCB_FULL_IRET alone */ + movq PCPU(CURPCB),%r8 + andl $~PCB_FULL_IRET,PCB_FLAGS(%r8) +1: + .endm -#define POP_FRAME \ - movq TF_RDI(%rsp),%rdi ; \ - movq TF_RSI(%rsp),%rsi ; \ - movq TF_RDX(%rsp),%rdx ; \ - movq TF_RCX(%rsp),%rcx ; \ - movq TF_R8(%rsp),%r8 ; \ - movq TF_R9(%rsp),%r9 ; \ - movq TF_RAX(%rsp),%rax ; \ - movq TF_RBX(%rsp),%rbx ; \ - movq TF_RBP(%rsp),%rbp ; \ - movq TF_R10(%rsp),%r10 ; \ - movq TF_R11(%rsp),%r11 ; \ - movq TF_R12(%rsp),%r12 ; \ - movq TF_R13(%rsp),%r13 ; \ - movq TF_R14(%rsp),%r14 ; \ - movq TF_R15(%rsp),%r15 ; \ - testb $SEL_RPL_MASK,TF_CS(%rsp) ; /* come from kernel? 
*/ \ - jz 1f ; /* keep kernel GS.base */ \ - cli ; \ - swapgs ; \ -1: addq $TF_RIP,%rsp /* skip over tf_err, tf_trapno */ + .macro INTR_HANDLER vec_name + .text + PTI_INTRENTRY \vec_name + INTR_PUSH_FRAME \vec_name + .endm -/* - * Access per-CPU data. - */ -#define PCPU(member) %gs:PC_ ## member -#define PCPU_ADDR(member, reg) \ - movq %gs:PC_PRVSPACE, reg ; \ - addq $PC_ ## member, reg + .macro RESTORE_REGS + movq TF_RDI(%rsp),%rdi + movq TF_RSI(%rsp),%rsi + movq TF_RDX(%rsp),%rdx + movq TF_RCX(%rsp),%rcx + movq TF_R8(%rsp),%r8 + movq TF_R9(%rsp),%r9 + movq TF_RAX(%rsp),%rax + movq TF_RBX(%rsp),%rbx + movq TF_RBP(%rsp),%rbp + movq TF_R10(%rsp),%r10 + movq TF_R11(%rsp),%r11 + movq TF_R12(%rsp),%r12 + movq TF_R13(%rsp),%r13 + movq TF_R14(%rsp),%r14 + movq TF_R15(%rsp),%r15 + .endm #endif /* LOCORE */ diff --git a/sys/amd64/include/frame.h b/sys/amd64/include/frame.h index 0953be7..f0a6fcf 100644 --- a/sys/amd64/include/frame.h +++ b/sys/amd64/include/frame.h 
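Review bot: PTI_ENTRY issues `swapgs` a second time right after `PTI_UENTRY \has_err`, which itself begins with `swapgs`, and nothing explains the pair. Presumably the first gives access to `PCPU(KCR3)` and `PCPU(RSP0)` for the stack move and the second restores the user GS base because `\cont` performs its own `swapgs`, but that is an inference; a comment such as `/* undo PTI_UENTRY's swapgs; \cont swaps again */` would make the invariant checkable. The offsets `PTI_CS-(2+1-\has_err)*8` and `PTI_CS-3*8` would likewise benefit from a note on what the 2, 1 and 3 count. The removed POP_FRAME ended with `cli`/`swapgs` and RESTORE_REGS does not, so every former POP_FRAME user now has to supply that tail itself; those call sites are in other files.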
@@ -1,6 +1,50 @@ /*- - * This file is in the public domain. + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (c) 2018 The FreeBSD Foundation + * All rights reserved. + * + * This software was developed by Konstantin Belousov + * under sponsorship from the FreeBSD Foundation. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ */ -/* $FreeBSD$ */ + +#ifndef _AMD64_FRAME_H +#define _AMD64_FRAME_H #include + +struct pti_frame { + register_t pti_rdx; + register_t pti_rax; + register_t pti_err; + register_t pti_rip; + register_t pti_cs; + register_t pti_rflags; + register_t pti_rsp; + register_t pti_ss; +}; + +#endif 
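Review bot: `struct pti_frame` is added without a comment, yet its field order has to match what the entry macros in asmacros.h build (`pushq %rax` then `pushq %rdx` in PTI_UENTRY, on top of the error code slot and the hardware-pushed frame). A header comment would tie the two together and warn against reordering: `/* PTI entry stack layout: %rdx and %rax saved by PTI_UENTRY, then err and the hardware frame; keep in sync with asmacros.h */`.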
diff --git a/sys/amd64/include/intr_machdep.h b/sys/amd64/include/intr_machdep.h index e7320e6..29c20b6 100644 --- a/sys/amd64/include/intr_machdep.h +++ b/sys/amd64/include/intr_machdep.h @@ -136,7 +136,7 @@ struct trapframe; /* * The following data structure holds per-cpu data, and is placed just - * above the top of the space used for the NMI stack. + * above the top of the space used for the NMI and MC# stacks. */ struct nmi_pcpu { register_t np_pcpu; diff --git a/sys/amd64/include/md_var.h b/sys/amd64/include/md_var.h index e4c50eb..b81f497 100644 --- a/sys/amd64/include/md_var.h +++ b/sys/amd64/include/md_var.h @@ -35,9 +35,17 @@ #include extern uint64_t *vm_page_dump; +extern int hw_ibrs_disable; + +/* + * The file "conf/ldscript.amd64" defines the symbol "kernphys". Its + * value is the physical address at which the kernel is loaded. + */ +extern char kernphys[]; struct savefpu; +void amd64_conf_fast_syscall(void); void amd64_db_resume_dbreg(void); void amd64_syscall(struct thread *td, int traced); void doreti_iret(void) __asm(__STRING(doreti_iret)); diff --git a/sys/amd64/include/pcb.h b/sys/amd64/include/pcb.h index 8078073..2b7bb6e 100644 --- a/sys/amd64/include/pcb.h +++ b/sys/amd64/include/pcb.h @@ -90,7 +90,7 @@ struct pcb { /* copyin/out fault recovery */ caddr_t pcb_onfault; - uint64_t pcb_pad0; + uint64_t pcb_saved_ucr3; /* local tss, with i/o bitmap; NULL for common */ struct amd64tss *pcb_tssp; diff --git a/sys/amd64/include/pcpu.h b/sys/amd64/include/pcpu.h index a4f4e1d..e40c521 100644 --- a/sys/amd64/include/pcpu.h +++ b/sys/amd64/include/pcpu.h @@ -33,6 +33,7 @@ #error "sys/cdefs.h is a prerequisite for this file" #endif +#define PC_PTI_STACK_SZ 16 /* * The SMP parts are setup in pmap.c and locore.s for the BSP, and * mp_machdep.c sets up the data for the AP's to "see" when they awake. 
@@ -46,8 +47,12 @@ struct pmap *pc_curpmap; \ struct amd64tss *pc_tssp; /* TSS segment active on CPU */ \ struct amd64tss *pc_commontssp;/* Common TSS for the CPU */ \ + uint64_t pc_kcr3; \ + uint64_t pc_ucr3; \ + uint64_t pc_saved_ucr3; \ register_t pc_rsp0; \ register_t pc_scratch_rsp; /* User %rsp in syscall */ \ + register_t pc_scratch_rax; \ u_int pc_apic_id; \ u_int pc_acpi_id; /* ACPI CPU id */ \ /* Pointer to the CPU %fs descriptor */ \ @@ -61,12 +66,14 @@ uint64_t pc_pm_save_cnt; \ u_int pc_cmci_mask; /* MCx banks for CMCI */ \ uint64_t pc_dbreg[16]; /* ddb debugging regs */ \ + uint64_t pc_pti_stack[PC_PTI_STACK_SZ]; \ int pc_dbreg_cmd; /* ddb debugging reg cmd */ \ u_int pc_vcpu_id; /* Xen vCPU ID */ \ uint32_t pc_pcid_next; \ uint32_t pc_pcid_gen; \ uint32_t pc_smp_tlb_done; /* TLB op acknowledgement */ \ - char __pad[145] /* be divisor of PAGE_SIZE \ + uint32_t pc_ibpb_set; \ + char __pad[96] /* be divisor of PAGE_SIZE \ after cache alignment */ #define PC_DBREG_CMD_NONE 0 diff --git a/sys/amd64/include/pmap.h b/sys/amd64/include/pmap.h index a0b8ee3..acf0301 100644 --- a/sys/amd64/include/pmap.h +++ b/sys/amd64/include/pmap.h @@ -223,6 +223,10 @@ #define PMAP_PCID_NONE 0xffffffff #define PMAP_PCID_KERN 0 #define PMAP_PCID_OVERMAX 0x1000 +#define PMAP_PCID_OVERMAX_KERN 0x800 +#define PMAP_PCID_USER_PT 0x800 + +#define PMAP_NO_CR3 (~0UL) #ifndef LOCORE @@ -313,7 +317,9 @@ struct pmap_pcids { struct pmap { struct mtx pm_mtx; pml4_entry_t *pm_pml4; /* KVA of level 4 page table */ + pml4_entry_t *pm_pml4u; /* KVA of user l4 page table */ uint64_t pm_cr3; + uint64_t pm_ucr3; TAILQ_HEAD(,pv_chunk) pm_pvchunk; /* list of mappings in pmap */ cpuset_t pm_active; /* active on cpus */ enum pmap_type pm_type; /* regular or nested tables */ 
@@ -419,6 +425,12 @@ void pmap_invalidate_cache_range(vm_offset_t sva, vm_offset_t eva, void pmap_get_mapping(pmap_t pmap, vm_offset_t va, uint64_t *ptr, int *num); boolean_t pmap_map_io_transient(vm_page_t *, vm_offset_t *, int, boolean_t); void pmap_unmap_io_transient(vm_page_t *, vm_offset_t *, int, boolean_t); +void pmap_pti_add_kva(vm_offset_t sva, vm_offset_t eva, bool exec); +void pmap_pti_remove_kva(vm_offset_t sva, vm_offset_t eva); +void pmap_pti_pcid_invalidate(uint64_t ucr3, uint64_t kcr3); +void pmap_pti_pcid_invlpg(uint64_t ucr3, uint64_t kcr3, vm_offset_t va); +void pmap_pti_pcid_invlrng(uint64_t ucr3, uint64_t kcr3, vm_offset_t sva, + vm_offset_t eva); #endif /* _KERNEL */ /* Return various clipped indexes for a given VA */ diff --git a/sys/amd64/include/smp.h b/sys/amd64/include/smp.h index d97c730..64135bc 100644 --- a/sys/amd64/include/smp.h +++ b/sys/amd64/include/smp.h 
@@ -28,12 +28,36 @@ extern u_int32_t mptramp_pagetables; /* IPI handlers */ inthand_t + IDTVEC(justreturn), /* interrupt CPU with minimum overhead */ + IDTVEC(justreturn1_pti), + IDTVEC(invltlb_pti), + IDTVEC(invltlb_pcid_pti), IDTVEC(invltlb_pcid), /* TLB shootdowns - global, pcid */ - IDTVEC(invltlb_invpcid),/* TLB shootdowns - global, invpcid */ - IDTVEC(justreturn); /* interrupt CPU with minimum overhead */ + IDTVEC(invltlb_invpcid_pti_pti), + IDTVEC(invltlb_invpcid_nopti), + IDTVEC(invlpg_pti), + IDTVEC(invlpg_invpcid_pti), + IDTVEC(invlpg_invpcid), + IDTVEC(invlpg_pcid_pti), + IDTVEC(invlpg_pcid), + IDTVEC(invlrng_pti), + IDTVEC(invlrng_invpcid_pti), + IDTVEC(invlrng_invpcid), + IDTVEC(invlrng_pcid_pti), + IDTVEC(invlrng_pcid), + IDTVEC(invlcache_pti), + IDTVEC(ipi_intr_bitmap_handler_pti), + IDTVEC(cpustop_pti), + IDTVEC(cpususpend_pti), + IDTVEC(rendezvous_pti); void invltlb_pcid_handler(void); void invltlb_invpcid_handler(void); +void invltlb_invpcid_pti_handler(void); +void invlpg_invpcid_handler(void); +void invlpg_pcid_handler(void); +void invlrng_invpcid_handler(void); +void invlrng_pcid_handler(void); int native_start_all_aps(void); #endif /* !LOCORE */ diff --git a/sys/amd64/vmm/intel/vmx.c b/sys/amd64/vmm/intel/vmx.c index 517a374..0edfe51 100644 --- a/sys/amd64/vmm/intel/vmx.c +++ b/sys/amd64/vmm/intel/vmx.c @@ -693,7 +693,8 @@ vmx_init(int ipinum) MSR_VMX_TRUE_PINBASED_CTLS, PINBASED_POSTED_INTERRUPT, 0, &tmp); if (error == 0) { - pirvec = lapic_ipi_alloc(&IDTVEC(justreturn)); + pirvec = lapic_ipi_alloc(pti ? &IDTVEC(justreturn1_pti) : + &IDTVEC(justreturn)); if (pirvec < 0) { if (bootverbose) { printf("vmx_init: unable to allocate " diff --git a/sys/amd64/vmm/vmm.c b/sys/amd64/vmm/vmm.c index 537454a..2118c13 100644 --- a/sys/amd64/vmm/vmm.c +++ b/sys/amd64/vmm/vmm.c @@ -55,6 +55,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include 
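Review bot: `IDTVEC(invltlb_invpcid_pti_pti)` in the smp.h handler list reads like a typo, especially next to `IDTVEC(invltlb_invpcid_nopti)`. Judging by the `invltlb_invpcid_pti_handler` prototype added a few lines below, it is presumably the PTI entry stub for a handler that is itself named invltlb_invpcid_pti. The old entries each carried a trailing comment and the new ones have none. A short comment above the list would prevent a well-meant rename, e.g. `/* A trailing _pti marks the PTI entry stub; invltlb_invpcid_pti_pti is the stub for invltlb_invpcid_pti. */`.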
@@ -325,7 +326,8 @@ vmm_init(void) vmm_host_state_init(); - vmm_ipinum = lapic_ipi_alloc(&IDTVEC(justreturn)); + vmm_ipinum = lapic_ipi_alloc(pti ? &IDTVEC(justreturn1_pti) : + &IDTVEC(justreturn)); if (vmm_ipinum < 0) vmm_ipinum = IPI_AST; diff --git a/sys/conf/Makefile.amd64 b/sys/conf/Makefile.amd64 index 696ef55..9c10c77 100644 --- a/sys/conf/Makefile.amd64 +++ b/sys/conf/Makefile.amd64 @@ -39,6 +39,7 @@ CFLAGS+= -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer ASM_CFLAGS.acpi_wakecode.S= ${CLANG_NO_IAS34} ASM_CFLAGS.mpboot.S= ${CLANG_NO_IAS34} +ASM_CFLAGS.support.S= ${CLANG_NO_IAS} %BEFORE_DEPEND diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 0a0893e..2341b62 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.1" -BRANCH="RELEASE-p7" +BRANCH="RELEASE-p8" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/dev/cpuctl/cpuctl.c b/sys/dev/cpuctl/cpuctl.c index 5351d8ed..a841400 100644 --- a/sys/dev/cpuctl/cpuctl.c +++ b/sys/dev/cpuctl/cpuctl.c @@ -71,6 +71,7 @@ static int cpuctl_do_cpuid(int cpu, cpuctl_cpuid_args_t *data, struct thread *td); static int cpuctl_do_cpuid_count(int cpu, cpuctl_cpuid_count_args_t *data, struct thread *td); +static int cpuctl_do_eval_cpu_features(int cpu, struct thread *td); static int cpuctl_do_update(int cpu, cpuctl_update_args_t *data, struct thread *td); static int update_intel(int cpu, cpuctl_update_args_t *args, @@ -157,7 +158,8 @@ cpuctl_ioctl(struct cdev *dev, u_long cmd, caddr_t data, } /* Require write flag for "write" requests. */ if ((cmd == CPUCTL_MSRCBIT || cmd == CPUCTL_MSRSBIT || - cmd == CPUCTL_UPDATE || cmd == CPUCTL_WRMSR) && + cmd == CPUCTL_UPDATE || cmd == CPUCTL_WRMSR || + cmd == CPUCTL_EVAL_CPU_FEATURES) && (flags & FWRITE) == 0) return (EPERM); switch (cmd) { 
@@ -185,6 +187,9 @@ cpuctl_ioctl(struct cdev *dev, u_long cmd, caddr_t data, ret = cpuctl_do_cpuid_count(cpu, (cpuctl_cpuid_count_args_t *)data, td); break; + case CPUCTL_EVAL_CPU_FEATURES: + ret = cpuctl_do_eval_cpu_features(cpu, td); + break; default: ret = EINVAL; break; @@ -502,6 +507,30 @@ fail: return (ret); } +static int +cpuctl_do_eval_cpu_features(int cpu, struct thread *td) +{ + int is_bound = 0; + int oldcpu; + + KASSERT(cpu >= 0 && cpu <= mp_maxid, + ("[cpuctl,%d]: bad cpu number %d", __LINE__, cpu)); + +#ifdef __i386__ + if (cpu_id == 0) + return (ENODEV); +#endif + oldcpu = td->td_oncpu; + is_bound = cpu_sched_is_bound(td); + set_cpu(cpu, td); + identify_cpu1(); + identify_cpu2(); + hw_ibrs_recalculate(); + restore_cpu(oldcpu, is_bound, td); + printcpuinfo(); + return (0); +} + int cpuctl_open(struct cdev *dev, int flags, int fmt __unused, struct thread *td) { diff --git a/sys/dev/hyperv/vmbus/amd64/vmbus_vector.S b/sys/dev/hyperv/vmbus/amd64/vmbus_vector.S index 8d09e24..6e396f3 100644 --- a/sys/dev/hyperv/vmbus/amd64/vmbus_vector.S +++ b/sys/dev/hyperv/vmbus/amd64/vmbus_vector.S @@ -26,19 +26,18 @@ * $FreeBSD$ */ +#include "assym.s" + #include #include -#include "assym.s" - /* * This is the Hyper-V vmbus channel direct callback interrupt. * Only used when it is running on Hyper-V. */ .text SUPERALIGN_TEXT -IDTVEC(vmbus_isr) - PUSH_FRAME + INTR_HANDLER vmbus_isr FAKE_MCOUNT(TF_RIP(%rsp)) movq %rsp, %rdi call vmbus_handle_intr diff --git a/sys/dev/hyperv/vmbus/i386/vmbus_vector.S b/sys/dev/hyperv/vmbus/i386/vmbus_vector.S index b9ea849..9e28ef6 100644 --- a/sys/dev/hyperv/vmbus/i386/vmbus_vector.S +++ b/sys/dev/hyperv/vmbus/i386/vmbus_vector.S @@ -37,6 +37,7 @@ */ .text SUPERALIGN_TEXT +IDTVEC(vmbus_isr_pti) IDTVEC(vmbus_isr) PUSH_FRAME SET_KERNEL_SREGS diff --git a/sys/dev/hyperv/vmbus/vmbus.c b/sys/dev/hyperv/vmbus/vmbus.c index 9999901..c0faada 100644 --- a/sys/dev/hyperv/vmbus/vmbus.c +++ b/sys/dev/hyperv/vmbus/vmbus.c 
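Review bot: Nothing in cpuctl_do_eval_cpu_features() records that it refreshes system-wide state from a single CPU. identify_cpu1() and identify_cpu2() overwrite the global feature words with what the CPU chosen by `cpu` reports, and hw_ibrs_recalculate() runs while the thread is still bound to that CPU. The requirement that every CPU already carries the new microcode appears only in cpucontrol.8. A comment above the function would keep it next to the code, e.g. `/* Call only after all CPUs have the same microcode: the feature words updated here are global, the probing is done on 'cpu' alone. */`. The KASSERT is the only range check in this function, so it relies on cpuctl_ioctl, outside this hunk, having validated `cpu`.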
@@ -46,6 +46,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include @@ -128,7 +129,7 @@ static void vmbus_event_proc_dummy(struct vmbus_softc *, static struct vmbus_softc *vmbus_sc; -extern inthand_t IDTVEC(vmbus_isr); +extern inthand_t IDTVEC(vmbus_isr), IDTVEC(vmbus_isr_pti); static const uint32_t vmbus_version[] = { VMBUS_VERSION_WIN8_1, @@ -928,7 +929,8 @@ vmbus_intr_setup(struct vmbus_softc *sc) * All Hyper-V ISR required resources are setup, now let's find a * free IDT vector for Hyper-V ISR and set it up. */ - sc->vmbus_idtvec = lapic_ipi_alloc(IDTVEC(vmbus_isr)); + sc->vmbus_idtvec = lapic_ipi_alloc(pti ? IDTVEC(vmbus_isr_pti) : + IDTVEC(vmbus_isr)); if (sc->vmbus_idtvec < 0) { device_printf(sc->vmbus_dev, "cannot find free IDT vector\n"); return ENXIO; diff --git a/sys/i386/i386/apic_vector.s b/sys/i386/i386/apic_vector.s index 9d56b93..944a236 100644 --- a/sys/i386/i386/apic_vector.s +++ b/sys/i386/i386/apic_vector.s @@ -70,6 +70,7 @@ as_lapic_eoi: #define ISR_VEC(index, vec_name) \ .text ; \ SUPERALIGN_TEXT ; \ +IDTVEC(vec_name ## _pti) ; \ IDTVEC(vec_name) ; \ PUSH_FRAME ; \ SET_KERNEL_SREGS ; \ @@ -123,6 +124,7 @@ IDTVEC(spuriousint) */ .text SUPERALIGN_TEXT +IDTVEC(timerint_pti) IDTVEC(timerint) PUSH_FRAME SET_KERNEL_SREGS @@ -139,6 +141,7 @@ IDTVEC(timerint) */ .text SUPERALIGN_TEXT +IDTVEC(cmcint_pti) IDTVEC(cmcint) PUSH_FRAME SET_KERNEL_SREGS @@ -153,6 +156,7 @@ IDTVEC(cmcint) */ .text SUPERALIGN_TEXT +IDTVEC(errorint_pti) IDTVEC(errorint) PUSH_FRAME SET_KERNEL_SREGS diff --git a/sys/i386/i386/atpic_vector.s b/sys/i386/i386/atpic_vector.s index a477aee..a7b8894 100644 --- a/sys/i386/i386/atpic_vector.s +++ b/sys/i386/i386/atpic_vector.s @@ -46,6 +46,7 @@ #define INTR(irq_num, vec_name) \ .text ; \ SUPERALIGN_TEXT ; \ +IDTVEC(vec_name ##_pti) ; \ IDTVEC(vec_name) ; \ PUSH_FRAME ; \ SET_KERNEL_SREGS ; \ diff --git a/sys/i386/i386/exception.s b/sys/i386/i386/exception.s index 73c67fe..362aa2c 100644 --- a/sys/i386/i386/exception.s 
+++ b/sys/i386/i386/exception.s @@ -133,6 +133,7 @@ IDTVEC(page) TRAP(T_PAGEFLT) IDTVEC(mchk) pushl $0; TRAP(T_MCHK) +IDTVEC(rsvd_pti) IDTVEC(rsvd) pushl $0; TRAP(T_RESERVED) IDTVEC(fpu) diff --git a/sys/i386/i386/machdep.c b/sys/i386/i386/machdep.c index fcc804c..24c1fe8 100644 --- a/sys/i386/i386/machdep.c +++ b/sys/i386/i386/machdep.c @@ -2577,7 +2577,7 @@ init386(int first) GSEL(GCODE_SEL, SEL_KPL)); #endif #ifdef XENHVM - setidt(IDT_EVTCHN, &IDTVEC(xen_intr_upcall), SDT_SYS386IGT, SEL_UPL, + setidt(IDT_EVTCHN, &IDTVEC(xen_intr_upcall), SDT_SYS386IGT, SEL_KPL, GSEL(GCODE_SEL, SEL_KPL)); #endif diff --git a/sys/i386/i386/pmap.c b/sys/i386/i386/pmap.c index 94b0d17..0d3fc91 100644 --- a/sys/i386/i386/pmap.c +++ b/sys/i386/i386/pmap.c @@ -283,6 +283,8 @@ SYSCTL_INT(_debug, OID_AUTO, PMAP1unchanged, CTLFLAG_RD, "Number of times pmap_pte_quick didn't change PMAP1"); static struct mtx PMAP2mutex; +int pti; + static void free_pv_chunk(struct pv_chunk *pc); static void free_pv_entry(pmap_t pmap, pv_entry_t pv); static pv_entry_t get_pv_entry(pmap_t pmap, boolean_t try); @@ -1043,7 +1045,7 @@ pmap_invalidate_page(pmap_t pmap, vm_offset_t va) CPU_AND(&other_cpus, &pmap->pm_active); mask = &other_cpus; } - smp_masked_invlpg(*mask, va); + smp_masked_invlpg(*mask, va, pmap); sched_unpin(); } @@ -1077,7 +1079,7 @@ pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) CPU_AND(&other_cpus, &pmap->pm_active); mask = &other_cpus; } - smp_masked_invlpg_range(*mask, sva, eva); + smp_masked_invlpg_range(*mask, sva, eva, pmap); sched_unpin(); } diff --git a/sys/i386/i386/support.s b/sys/i386/i386/support.s index d569970..feffc15 100644 --- a/sys/i386/i386/support.s +++ b/sys/i386/i386/support.s @@ -830,3 +830,11 @@ msr_onfault: movl $0,PCB_ONFAULT(%ecx) movl $EFAULT,%eax ret + +ENTRY(handle_ibrs_entry) + ret +END(handle_ibrs_entry) + +ENTRY(handle_ibrs_exit) + ret +END(handle_ibrs_exit) 
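Review bot: Neither the code in init386() nor the commit description says why the IDT_EVTCHN gate now uses `SEL_KPL` instead of `SEL_UPL`. A gate privilege level decides whether user mode may raise the vector with a software interrupt, so this is a security-relevant change and should be visible to whoever touches the line next. Presumably the upcall is only ever delivered by the hypervisor; if so, a comment such as `/* Kernel-only gate: the event channel upcall is never raised from user mode. */` above the setidt() call would record it. init386's body starts and ends outside the hunk.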
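Review bot: The i386 `handle_ibrs_entry` and `handle_ibrs_exit` stubs return without doing anything, yet hw_ibrs_recalculate() in the shared sys/x86/x86/cpu_machdep.c can still set hw_ibrs_active. If that file is built for i386, as its path suggests, the hw.ibrs_active sysctl can report the mitigation as active on a kernel that does nothing on entry or exit. A comment on the stubs would make the gap explicit, e.g. `/* i386: IBRS is not toggled on kernel entry/exit; hw.ibrs_active is not meaningful here. */`. Better still, hw_ibrs_active could be forced to 0 on i386 in hw_ibrs_recalculate().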
diff --git a/sys/i386/i386/vm_machdep.c b/sys/i386/i386/vm_machdep.c index 2b35f5c..64577c1 100644 --- a/sys/i386/i386/vm_machdep.c +++ b/sys/i386/i386/vm_machdep.c @@ -795,7 +795,7 @@ sf_buf_shootdown(struct sf_buf *sf, int flags) CPU_NAND(&other_cpus, &sf->cpumask); if (!CPU_EMPTY(&other_cpus)) { CPU_OR(&sf->cpumask, &other_cpus); - smp_masked_invlpg(other_cpus, sf->kva); + smp_masked_invlpg(other_cpus, sf->kva, kernel_pmap); } } sched_unpin(); diff --git a/sys/sys/cpuctl.h b/sys/sys/cpuctl.h index 30af524..65556ec 100644 --- a/sys/sys/cpuctl.h +++ b/sys/sys/cpuctl.h @@ -57,5 +57,6 @@ typedef struct { #define CPUCTL_MSRSBIT _IOWR('c', 5, cpuctl_msr_args_t) #define CPUCTL_MSRCBIT _IOWR('c', 6, cpuctl_msr_args_t) #define CPUCTL_CPUID_COUNT _IOWR('c', 7, cpuctl_cpuid_count_args_t) +#define CPUCTL_EVAL_CPU_FEATURES _IO('c', 8) #endif /* _CPUCTL_H_ */ diff --git a/sys/x86/include/apicvar.h b/sys/x86/include/apicvar.h index ba3a237..cd94ed5 100644 --- a/sys/x86/include/apicvar.h +++ b/sys/x86/include/apicvar.h @@ -179,7 +179,11 @@ inthand_t IDTVEC(apic_isr1), IDTVEC(apic_isr2), IDTVEC(apic_isr3), IDTVEC(apic_isr4), IDTVEC(apic_isr5), IDTVEC(apic_isr6), IDTVEC(apic_isr7), IDTVEC(cmcint), IDTVEC(errorint), - IDTVEC(spuriousint), IDTVEC(timerint); + IDTVEC(spuriousint), IDTVEC(timerint), + IDTVEC(apic_isr1_pti), IDTVEC(apic_isr2_pti), IDTVEC(apic_isr3_pti), + IDTVEC(apic_isr4_pti), IDTVEC(apic_isr5_pti), IDTVEC(apic_isr6_pti), + IDTVEC(apic_isr7_pti), IDTVEC(cmcint_pti), IDTVEC(errorint_pti), + IDTVEC(spuriousint_pti), IDTVEC(timerint_pti); extern vm_paddr_t lapic_paddr; extern int apic_cpuids[]; diff --git a/sys/x86/include/specialreg.h b/sys/x86/include/specialreg.h index 10bc4e7b..04b2489 100644 --- a/sys/x86/include/specialreg.h +++ b/sys/x86/include/specialreg.h 
@@ -374,6 +374,17 @@ #define CPUID_STDEXT2_SGXLC 0x40000000 /* + * CPUID instruction 7 Structured Extended Features, leaf 0 edx info + */ +#define CPUID_STDEXT3_IBPB 0x04000000 +#define CPUID_STDEXT3_STIBP 0x08000000 +#define CPUID_STDEXT3_ARCH_CAP 0x20000000 + +/* MSR IA32_ARCH_CAP(ABILITIES) bits */ +#define IA32_ARCH_CAP_RDCL_NO 0x00000001 +#define IA32_ARCH_CAP_IBRS_ALL 0x00000002 + +/* * CPUID manufacturers identifiers */ #define AMD_VENDOR_ID "AuthenticAMD" @@ -401,6 +412,8 @@ #define MSR_EBL_CR_POWERON 0x02a #define MSR_TEST_CTL 0x033 #define MSR_IA32_FEATURE_CONTROL 0x03a +#define MSR_IA32_SPEC_CTRL 0x048 +#define MSR_IA32_PRED_CMD 0x049 #define MSR_BIOS_UPDT_TRIG 0x079 #define MSR_BBL_CR_D0 0x088 #define MSR_BBL_CR_D1 0x089 @@ -413,6 +426,7 @@ #define MSR_APERF 0x0e8 #define MSR_IA32_EXT_CONFIG 0x0ee /* Undocumented. Core Solo/Duo only */ #define MSR_MTRRcap 0x0fe +#define MSR_IA32_ARCH_CAP 0x10a #define MSR_BBL_CR_ADDR 0x116 #define MSR_BBL_CR_DECC 0x118 #define MSR_BBL_CR_CTL 0x119 @@ -556,6 +570,17 @@ #define IA32_MISC_EN_XDD 0x0000000400000000ULL /* + * IA32_SPEC_CTRL and IA32_PRED_CMD MSRs are described in the Intel' + * document 336996-001 Speculative Execution Side Channel Mitigations. + */ +/* MSR IA32_SPEC_CTRL */ +#define IA32_SPEC_CTRL_IBRS 0x00000001 +#define IA32_SPEC_CTRL_STIBP 0x00000002 + +/* MSR IA32_PRED_CMD */ +#define IA32_PRED_CMD_IBPB_BARRIER 0x0000000000000001ULL + +/* * PAT modes. */ #define PAT_UNCACHEABLE 0x00 diff --git a/sys/x86/include/x86_smp.h b/sys/x86/include/x86_smp.h index 84a0eba..8d5980c 100644 --- a/sys/x86/include/x86_smp.h +++ b/sys/x86/include/x86_smp.h @@ -37,6 +37,7 @@ extern int cpu_logical; extern int cpu_cores; extern volatile uint32_t smp_tlb_generation; extern struct pmap *smp_tlb_pmap; +extern vm_offset_t smp_tlb_addr1, smp_tlb_addr2; extern u_int xhits_gbl[]; extern u_int xhits_pg[]; extern u_int xhits_rng[]; 
@@ -95,9 +96,9 @@ void ipi_selected(cpuset_t cpus, u_int ipi); u_int mp_bootaddress(u_int); void set_interrupt_apic_ids(void); void smp_cache_flush(void); -void smp_masked_invlpg(cpuset_t mask, vm_offset_t addr); +void smp_masked_invlpg(cpuset_t mask, vm_offset_t addr, struct pmap *pmap); void smp_masked_invlpg_range(cpuset_t mask, vm_offset_t startva, - vm_offset_t endva); + vm_offset_t endva, struct pmap *pmap); void smp_masked_invltlb(cpuset_t mask, struct pmap *pmap); void mem_range_AP_init(void); void topo_probe(void); diff --git a/sys/x86/include/x86_var.h b/sys/x86/include/x86_var.h index 92c9f1d..dc7d424 100644 --- a/sys/x86/include/x86_var.h +++ b/sys/x86/include/x86_var.h @@ -50,6 +50,8 @@ extern u_int via_feature_xcrypt; extern u_int cpu_clflush_line_size; extern u_int cpu_stdext_feature; extern u_int cpu_stdext_feature2; +extern u_int cpu_stdext_feature3; +extern uint64_t cpu_ia32_arch_caps; extern u_int cpu_fxsr; extern u_int cpu_high; extern u_int cpu_id; @@ -78,6 +80,7 @@ extern int _ufssel; extern int _ugssel; extern int use_xsave; extern uint64_t xsave_mask; +extern int pti; struct pcb; struct thread; 
@@ -115,18 +118,24 @@ void cpu_probe_amdc1e(void); void cpu_setregs(void); void dump_add_page(vm_paddr_t); void dump_drop_page(vm_paddr_t); -void identify_cpu(void); +void finishidentcpu(void); +void identify_cpu1(void); +void identify_cpu2(void); void initializecpu(void); void initializecpucache(void); bool fix_cpuid(void); void fillw(int /*u_short*/ pat, void *base, size_t cnt); int is_physical_memory(vm_paddr_t addr); int isa_nmi(int cd); +void handle_ibrs_entry(void); +void handle_ibrs_exit(void); +void hw_ibrs_recalculate(void); void nmi_call_kdb(u_int cpu, u_int type, struct trapframe *frame); void nmi_call_kdb_smp(u_int type, struct trapframe *frame); void nmi_handle_intr(u_int type, struct trapframe *frame); void pagecopy(void *from, void *to); void printcpuinfo(void); +int pti_get_default(void); int user_dbreg_trap(void); int minidumpsys(struct dumperinfo *); struct pcb *get_pcb_td(struct thread *td); diff --git a/sys/x86/isa/atpic.c b/sys/x86/isa/atpic.c index 43504e7..0364919 100644 --- a/sys/x86/isa/atpic.c +++ b/sys/x86/isa/atpic.c @@ -86,6 +86,16 @@ inthand_t IDTVEC(atpic_intr9), IDTVEC(atpic_intr10), IDTVEC(atpic_intr11), IDTVEC(atpic_intr12), IDTVEC(atpic_intr13), IDTVEC(atpic_intr14), IDTVEC(atpic_intr15); +/* XXXKIB i386 uses stubs until pti comes */ +inthand_t + IDTVEC(atpic_intr0_pti), IDTVEC(atpic_intr1_pti), + IDTVEC(atpic_intr2_pti), IDTVEC(atpic_intr3_pti), + IDTVEC(atpic_intr4_pti), IDTVEC(atpic_intr5_pti), + IDTVEC(atpic_intr6_pti), IDTVEC(atpic_intr7_pti), + IDTVEC(atpic_intr8_pti), IDTVEC(atpic_intr9_pti), + IDTVEC(atpic_intr10_pti), IDTVEC(atpic_intr11_pti), + IDTVEC(atpic_intr12_pti), IDTVEC(atpic_intr13_pti), + IDTVEC(atpic_intr14_pti), IDTVEC(atpic_intr15_pti); #define IRQ(ap, ai) ((ap)->at_irqbase + (ai)->at_irq) @@ -98,7 +108,7 @@ inthand_t #define INTSRC(irq) \ { { &atpics[(irq) / 8].at_pic }, IDTVEC(atpic_intr ## irq ), \ - (irq) % 8 } + IDTVEC(atpic_intr ## irq ## _pti), (irq) % 8 } struct atpic { struct pic at_pic; 
@@ -110,7 +120,7 @@ struct atpic { struct atpic_intsrc { struct intsrc at_intsrc; - inthand_t *at_intr; + inthand_t *at_intr, *at_intr_pti; int at_irq; /* Relative to PIC base. */ enum intr_trigger at_trigger; u_long at_count; @@ -435,7 +445,8 @@ atpic_startup(void) ai->at_intsrc.is_count = &ai->at_count; ai->at_intsrc.is_straycount = &ai->at_straycount; setidt(((struct atpic *)ai->at_intsrc.is_pic)->at_intbase + - ai->at_irq, ai->at_intr, SDT_ATPIC, SEL_KPL, GSEL_ATPIC); + ai->at_irq, pti ? ai->at_intr_pti : ai->at_intr, SDT_ATPIC, + SEL_KPL, GSEL_ATPIC); } #ifdef DEV_MCA diff --git a/sys/x86/x86/cpu_machdep.c b/sys/x86/x86/cpu_machdep.c index c2d42a9..9449d3e 100644 --- a/sys/x86/x86/cpu_machdep.c +++ b/sys/x86/x86/cpu_machdep.c @@ -139,6 +139,12 @@ acpi_cpu_idle_mwait(uint32_t mwait_hint) int *state; /* + * A comment in Linux patch claims that 'CPUs run faster with + * speculation protection disabled. All CPU threads in a core + * must disable speculation protection for it to be + * disabled. Disable it while we are idle so the other + * hyperthread can run fast.' + * * XXXKIB. Software coordination mode should be supported, * but all Intel CPUs provide hardware coordination. */ @@ -147,9 +153,11 @@ acpi_cpu_idle_mwait(uint32_t mwait_hint) KASSERT(*state == STATE_SLEEPING, ("cpu_mwait_cx: wrong monitorbuf state")); *state = STATE_MWAIT; + handle_ibrs_entry(); cpu_monitor(state, 0, 0); if (*state == STATE_MWAIT) cpu_mwait(MWAIT_INTRBREAK, mwait_hint); + handle_ibrs_exit(); /* * We should exit on any event that interrupts mwait, because 
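Review bot: The two calls added around the idle wait in acpi_cpu_idle_mwait() look inverted relative to the comment added above them. The comment says speculation protection should be disabled while the CPU is idle, but `handle_ibrs_entry();` runs before cpu_monitor()/cpu_mwait() and `handle_ibrs_exit();` after. The definitions are outside this view, so this is inferred from the names: entry is the kernel-entry path that turns protection on, exit the path that turns it off. If that reading is right, the calls should be swapped: `handle_ibrs_exit();` before `cpu_monitor(state, 0, 0);` and `handle_ibrs_entry();` after the mwait. The function body starts and ends outside the hunk.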
@@ -578,3 +586,47 @@ nmi_handle_intr(u_int type, struct trapframe *frame) nmi_call_kdb(PCPU_GET(cpuid), type, frame); #endif } + +int hw_ibrs_active; +int hw_ibrs_disable = 1; + +SYSCTL_INT(_hw, OID_AUTO, ibrs_active, CTLFLAG_RD, &hw_ibrs_active, 0, + "Indirect Branch Restricted Speculation active"); + +void +hw_ibrs_recalculate(void) +{ + uint64_t v; + + if ((cpu_ia32_arch_caps & IA32_ARCH_CAP_IBRS_ALL) != 0) { + if (hw_ibrs_disable) { + v= rdmsr(MSR_IA32_SPEC_CTRL); + v &= ~(uint64_t)IA32_SPEC_CTRL_IBRS; + wrmsr(MSR_IA32_SPEC_CTRL, v); + } else { + v= rdmsr(MSR_IA32_SPEC_CTRL); + v |= IA32_SPEC_CTRL_IBRS; + wrmsr(MSR_IA32_SPEC_CTRL, v); + } + return; + } + hw_ibrs_active = (cpu_stdext_feature3 & CPUID_STDEXT3_IBPB) != 0 && + !hw_ibrs_disable; +} + +static int +hw_ibrs_disable_handler(SYSCTL_HANDLER_ARGS) +{ + int error, val; + + val = hw_ibrs_disable; + error = sysctl_handle_int(oidp, &val, 0, req); + if (error != 0 || req->newptr == NULL) + return (error); + hw_ibrs_disable = val != 0; + hw_ibrs_recalculate(); + return (0); +} +SYSCTL_PROC(_hw, OID_AUTO, ibrs_disable, CTLTYPE_INT | CTLFLAG_RWTUN | + CTLFLAG_NOFETCH | CTLFLAG_MPSAFE, NULL, 0, hw_ibrs_disable_handler, "I", + "Disable Indirect Branch Restricted Speculation"); diff --git a/sys/x86/x86/identcpu.c b/sys/x86/x86/identcpu.c index 22f3966..dd58037 100644 --- a/sys/x86/x86/identcpu.c +++ b/sys/x86/x86/identcpu.c @@ -104,8 +104,10 @@ u_int cpu_vendor_id; /* CPU vendor ID */ u_int cpu_fxsr; /* SSE enabled */ u_int cpu_mxcsr_mask; /* Valid bits in mxcsr */ u_int cpu_clflush_line_size = 32; -u_int cpu_stdext_feature; -u_int cpu_stdext_feature2; +u_int cpu_stdext_feature; /* %ebx */ +u_int cpu_stdext_feature2; /* %ecx */ +u_int cpu_stdext_feature3; /* %edx */ +uint64_t cpu_ia32_arch_caps; u_int cpu_max_ext_state_size; u_int cpu_mon_mwait_flags; /* MONITOR/MWAIT flags (CPUID.05H.ECX) */ u_int cpu_mon_min_size; /* MONITOR minimum range size, bytes */ 
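Review bot: In the IBRS_ALL branch, hw_ibrs_recalculate() returns before hw_ibrs_active is assigned, so the read-only hw.ibrs_active sysctl keeps its previous value regardless of what was just written to MSR_IA32_SPEC_CTRL. The rdmsr/wrmsr pair also runs only on the CPU executing the caller (the sysctl handler, or the CPU bound by the cpuctl ioctl). Unless code outside this hunk repeats the write on the other CPUs, the setting is per-CPU while hw.ibrs_disable is global. Separately, `int hw_ibrs_disable = 1;` leaves the mitigation off by default and deserves a comment, e.g. `/* IBRS is opt-in: set hw.ibrs_disable=0 to enable it. */`.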
@@ -978,6 +980,16 @@ printcpuinfo(void) ); } + if (cpu_stdext_feature3 != 0) { + printf("\n Structured Extended Features3=0x%b", + cpu_stdext_feature3, + "\020" + "\033IBPB" + "\034STIBP" + "\036ARCH_CAP" + ); + } + if ((cpu_feature2 & CPUID2_XSAVE) != 0) { cpuid_count(0xd, 0x1, regs); if (regs[0] != 0) { @@ -991,6 +1003,15 @@ printcpuinfo(void) } } + if (cpu_ia32_arch_caps != 0) { + printf("\n IA32_ARCH_CAPS=0x%b", + (u_int)cpu_ia32_arch_caps, + "\020" + "\001RDCL_NO" + "\002IBRS_ALL" + ); + } + if (via_feature_rng != 0 || via_feature_xcrypt != 0) print_via_padlock_info(); @@ -1370,23 +1391,11 @@ fix_cpuid(void) return (false); } -/* - * Final stage of CPU identification. - */ -#ifdef __i386__ void -finishidentcpu(void) -#else -void -identify_cpu(void) -#endif +identify_cpu1(void) { - u_int regs[4], cpu_stdext_disable; -#ifdef __i386__ - u_char ccr3; -#endif + u_int regs[4]; -#ifdef __amd64__ do_cpuid(0, regs); cpu_high = regs[0]; ((u_int *)&cpu_vendor)[0] = regs[1]; @@ -1399,6 +1408,44 @@ identify_cpu(void) cpu_procinfo = regs[1]; cpu_feature = regs[3]; cpu_feature2 = regs[2]; +} + +void +identify_cpu2(void) +{ + u_int regs[4], cpu_stdext_disable; + + if (cpu_high >= 7) { + cpuid_count(7, 0, regs); + cpu_stdext_feature = regs[1]; + + /* + * Some hypervisors failed to filter out unsupported + * extended features. Allow to disable the + * extensions, activation of which requires setting a + * bit in CR4, and which VM monitors do not support. + */ + cpu_stdext_disable = 0; + TUNABLE_INT_FETCH("hw.cpu_stdext_disable", &cpu_stdext_disable); + cpu_stdext_feature &= ~cpu_stdext_disable; + + cpu_stdext_feature2 = regs[2]; + cpu_stdext_feature3 = regs[3]; + + if ((cpu_stdext_feature3 & CPUID_STDEXT3_ARCH_CAP) != 0) + cpu_ia32_arch_caps = rdmsr(MSR_IA32_ARCH_CAP); + } +} + +/* + * Final stage of CPU identification. + */ +void +finishidentcpu(void) +{ + u_int regs[4]; +#ifdef __i386__ + u_char ccr3; #endif identify_hypervisor(); 
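Review bot: identify_cpu2() no longer defaults cpu_stdext_disable to `CPUID_STDEXT_FSGSBASE | CPUID_STDEXT_SMEP` when CPUID2_HV is set; the old code that did so is removed in the following hunk of this file. Guests now keep whatever leaf 7 reports unless hw.cpu_stdext_disable is set by hand. The reworded comment ("Allow to disable") only hints at this, and the commit description does not mention it. A hypervisor that advertises an extension it cannot honour would presumably now fail when the corresponding CR4 bit is set. The comment should state the new default, e.g. `Nothing is masked by default; set hw.cpu_stdext_disable on hypervisors that misreport leaf 7.`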
@@ -1416,25 +1463,7 @@ identify_cpu(void) cpu_mon_max_size = regs[1] & CPUID5_MON_MAX_SIZE; } - if (cpu_high >= 7) { - cpuid_count(7, 0, regs); - cpu_stdext_feature = regs[1]; - - /* - * Some hypervisors fail to filter out unsupported - * extended features. For now, disable the - * extensions, activation of which requires setting a - * bit in CR4, and which VM monitors do not support. - */ - if (cpu_feature2 & CPUID2_HV) { - cpu_stdext_disable = CPUID_STDEXT_FSGSBASE | - CPUID_STDEXT_SMEP; - } else - cpu_stdext_disable = 0; - TUNABLE_INT_FETCH("hw.cpu_stdext_disable", &cpu_stdext_disable); - cpu_stdext_feature &= ~cpu_stdext_disable; - cpu_stdext_feature2 = regs[2]; - } + identify_cpu2(); #ifdef __i386__ if (cpu_high > 0 && @@ -1563,6 +1592,17 @@ identify_cpu(void) #endif } +int +pti_get_default(void) +{ + + if (strcmp(cpu_vendor, AMD_VENDOR_ID) == 0) + return (0); + if ((cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) != 0) + return (0); + return (1); +} + static u_int find_cpu_vendor_id(void) { diff --git a/sys/x86/x86/local_apic.c b/sys/x86/x86/local_apic.c index 11041d4..085a28f 100644 --- a/sys/x86/x86/local_apic.c +++ b/sys/x86/x86/local_apic.c @@ -166,13 +166,23 @@ static inthand_t *ioint_handlers[] = { IDTVEC(apic_isr7), /* 224 - 255 */ }; +static inthand_t *ioint_pti_handlers[] = { + NULL, /* 0 - 31 */ + IDTVEC(apic_isr1_pti), /* 32 - 63 */ + IDTVEC(apic_isr2_pti), /* 64 - 95 */ + IDTVEC(apic_isr3_pti), /* 96 - 127 */ + IDTVEC(apic_isr4_pti), /* 128 - 159 */ + IDTVEC(apic_isr5_pti), /* 160 - 191 */ + IDTVEC(apic_isr6_pti), /* 192 - 223 */ + IDTVEC(apic_isr7_pti), /* 224 - 255 */ +}; static u_int32_t lapic_timer_divisors[] = { APIC_TDCR_1, APIC_TDCR_2, APIC_TDCR_4, APIC_TDCR_8, APIC_TDCR_16, APIC_TDCR_32, APIC_TDCR_64, APIC_TDCR_128 }; -extern inthand_t IDTVEC(rsvd); +extern inthand_t IDTVEC(rsvd_pti), IDTVEC(rsvd); volatile char *lapic_map; vm_paddr_t lapic_paddr; 
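Review bot: pti_get_default() decides whether page-table isolation is enabled by default but carries no comment explaining its two exemptions. It returns 0 when the vendor string equals AMD_VENDOR_ID or when IA32_ARCH_CAP_RDCL_NO is set, and 1 for everything else, including CPUs where cpu_ia32_arch_caps was never read. A comment would let the next maintainer see that the fallback is deliberately "on", e.g. `/* PTI addresses CVE-2017-5754; AMD CPUs and CPUs reporting RDCL_NO are treated as unaffected, all others default to PTI enabled. */`. In a guest the vendor string is whatever the hypervisor presents, so the default presumably follows the virtual CPU model rather than the host.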
@@ -489,15 +499,18 @@ native_lapic_init(vm_paddr_t addr) PCPU_SET(apic_id, lapic_id()); /* Local APIC timer interrupt. */ - setidt(APIC_TIMER_INT, IDTVEC(timerint), SDT_APIC, SEL_KPL, GSEL_APIC); + setidt(APIC_TIMER_INT, pti ? IDTVEC(timerint_pti) : IDTVEC(timerint), + SDT_APIC, SEL_KPL, GSEL_APIC); /* Local APIC error interrupt. */ - setidt(APIC_ERROR_INT, IDTVEC(errorint), SDT_APIC, SEL_KPL, GSEL_APIC); + setidt(APIC_ERROR_INT, pti ? IDTVEC(errorint_pti) : IDTVEC(errorint), + SDT_APIC, SEL_KPL, GSEL_APIC); /* XXX: Thermal interrupt */ /* Local APIC CMCI. */ - setidt(APIC_CMC_INT, IDTVEC(cmcint), SDT_APICT, SEL_KPL, GSEL_APIC); + setidt(APIC_CMC_INT, pti ? IDTVEC(cmcint_pti) : IDTVEC(cmcint), + SDT_APICT, SEL_KPL, GSEL_APIC); if ((resource_int_value("apic", 0, "clock", &i) != 0 || i != 0)) { arat = 0; @@ -1561,8 +1574,8 @@ native_apic_enable_vector(u_int apic_id, u_int vector) KASSERT(vector != IDT_DTRACE_RET, ("Attempt to overwrite DTrace entry")); #endif - setidt(vector, ioint_handlers[vector / 32], SDT_APIC, SEL_KPL, - GSEL_APIC); + setidt(vector, (pti ? ioint_pti_handlers : ioint_handlers)[vector / 32], + SDT_APIC, SEL_KPL, GSEL_APIC); } static void @@ -1581,7 +1594,8 @@ native_apic_disable_vector(u_int apic_id, u_int vector) * We can not currently clear the idt entry because other cpus * may have a valid vector at this offset. */ - setidt(vector, &IDTVEC(rsvd), SDT_APICT, SEL_KPL, GSEL_APIC); + setidt(vector, pti ? &IDTVEC(rsvd_pti) : &IDTVEC(rsvd), SDT_APICT, + SEL_KPL, GSEL_APIC); #endif } 
@@ -2084,14 +2098,16 @@ native_lapic_ipi_alloc(inthand_t *ipifunc) long func; int idx, vector; - KASSERT(ipifunc != &IDTVEC(rsvd), ("invalid ipifunc %p", ipifunc)); + KASSERT(ipifunc != &IDTVEC(rsvd) && ipifunc != &IDTVEC(rsvd_pti), + ("invalid ipifunc %p", ipifunc)); vector = -1; mtx_lock_spin(&icu_lock); for (idx = IPI_DYN_FIRST; idx <= IPI_DYN_LAST; idx++) { ip = &idt[idx]; func = (ip->gd_hioffset << 16) | ip->gd_looffset; - if (func == (uintptr_t)&IDTVEC(rsvd)) { + if ((!pti && func == (uintptr_t)&IDTVEC(rsvd)) || + (pti && func == (uintptr_t)&IDTVEC(rsvd_pti))) { vector = idx; setidt(vector, ipifunc, SDT_APIC, SEL_KPL, GSEL_APIC); break; @@ -2113,8 +2129,10 @@ native_lapic_ipi_free(int vector) mtx_lock_spin(&icu_lock); ip = &idt[vector]; func = (ip->gd_hioffset << 16) | ip->gd_looffset; - KASSERT(func != (uintptr_t)&IDTVEC(rsvd), + KASSERT(func != (uintptr_t)&IDTVEC(rsvd) && + func != (uintptr_t)&IDTVEC(rsvd_pti), ("invalid idtfunc %#lx", func)); - setidt(vector, &IDTVEC(rsvd), SDT_APICT, SEL_KPL, GSEL_APIC); + setidt(vector, pti ? &IDTVEC(rsvd_pti) : &IDTVEC(rsvd), SDT_APICT, + SEL_KPL, GSEL_APIC); mtx_unlock_spin(&icu_lock); } diff --git a/sys/x86/x86/mp_x86.c b/sys/x86/x86/mp_x86.c index 7cc02d6..cd10782 100644 --- a/sys/x86/x86/mp_x86.c +++ b/sys/x86/x86/mp_x86.c @@ -1436,7 +1436,7 @@ SYSINIT(mp_ipi_intrcnt, SI_SUB_INTR, SI_ORDER_MIDDLE, mp_ipi_intrcnt, NULL); */ /* Variables needed for SMP tlb shootdown. */ -static vm_offset_t smp_tlb_addr1, smp_tlb_addr2; +vm_offset_t smp_tlb_addr1, smp_tlb_addr2; pmap_t smp_tlb_pmap; volatile uint32_t smp_tlb_generation; @@ -1509,11 +1509,11 @@ smp_masked_invltlb(cpuset_t mask, pmap_t pmap) } void -smp_masked_invlpg(cpuset_t mask, vm_offset_t addr) +smp_masked_invlpg(cpuset_t mask, vm_offset_t addr, pmap_t pmap) { if (smp_started) { - smp_targeted_tlb_shootdown(mask, IPI_INVLPG, NULL, addr, 0); + smp_targeted_tlb_shootdown(mask, IPI_INVLPG, pmap, addr, 0); #ifdef COUNT_XINVLTLB_HITS ipi_page++; #endif 
@@ -1521,11 +1521,12 @@ smp_masked_invlpg(cpuset_t mask, vm_offset_t addr) } void -smp_masked_invlpg_range(cpuset_t mask, vm_offset_t addr1, vm_offset_t addr2) +smp_masked_invlpg_range(cpuset_t mask, vm_offset_t addr1, vm_offset_t addr2, + pmap_t pmap) { if (smp_started) { - smp_targeted_tlb_shootdown(mask, IPI_INVLRNG, NULL, + smp_targeted_tlb_shootdown(mask, IPI_INVLRNG, pmap, addr1, addr2); #ifdef COUNT_XINVLTLB_HITS ipi_range++; diff --git a/sys/x86/xen/pv.c b/sys/x86/xen/pv.c index 9ad9aa9..f4b68f0 100644 --- a/sys/x86/xen/pv.c +++ b/sys/x86/xen/pv.c @@ -97,6 +97,7 @@ static int xen_pv_start_all_aps(void); #ifdef SMP /* Variables used by amd64 mp_machdep to start APs */ extern char *doublefault_stack; +extern char *mce_stack; extern char *nmi_stack; #endif @@ -217,6 +218,8 @@ start_xen_ap(int cpu) (void *)kmem_malloc(kernel_arena, stacksize, M_WAITOK | M_ZERO); doublefault_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE, M_WAITOK | M_ZERO); + mce_stack = + (char *)kmem_malloc(kernel_arena, PAGE_SIZE, M_WAITOK | M_ZERO); nmi_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE, M_WAITOK | M_ZERO); dpcpu = diff --git a/usr.sbin/cpucontrol/cpucontrol.8 b/usr.sbin/cpucontrol/cpucontrol.8 index 91946d3..4af1273 100644 --- a/usr.sbin/cpucontrol/cpucontrol.8 +++ b/usr.sbin/cpucontrol/cpucontrol.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 30, 2009 +.Dd January 5, 2018 .Dt CPUCONTROL 8 .Os .Sh NAME @@ -36,44 +36,48 @@ device .Nm .Op Fl vh .Fl m Ar msr -.Bk .Ar device .Ek +.Bk .Nm .Op Fl vh .Fl m Ar msr Ns = Ns Ar value -.Bk .Ar device .Ek +.Bk .Nm .Op Fl vh .Fl m Ar msr Ns &= Ns Ar mask -.Bk .Ar device .Ek +.Bk .Nm .Op Fl vh .Fl m Ar msr Ns |= Ns Ar mask -.Bk .Ar device .Ek +.Bk .Nm .Op Fl vh .Fl i Ar level -.Bk .Ar device .Ek +.Bk .Nm .Op Fl vh .Fl i Ar level,level_type -.Bk .Ar device .Ek +.Bk .Nm .Op Fl vh .Op Fl d Ar datadir .Fl u +.Ar device +.Ek .Bk +.Nm +.Fl e .Ar device .Ek .Sh DESCRIPTION 
@@ -129,6 +133,20 @@ The .Nm utility will walk through the configured data directories and apply all firmware updates available for this CPU. +.It Fl e +Re-evaluate the kernel flags indicating the present CPU features. +This command is typically executed after a firmware update was applied +which changes information reported by the +.Dv CPUID +instruction. +.Pp +.Bf -symbolic +Only execute the +.Fl e +command after the microcode update was applied to all CPUs in the system. +The kernel does not operate correctly if the features of processors are +not identical. +.Ef .It Fl v Increase the verbosity level. .It Fl h diff --git a/usr.sbin/cpucontrol/cpucontrol.c b/usr.sbin/cpucontrol/cpucontrol.c index 48e12e7..5d7153a 100644 --- a/usr.sbin/cpucontrol/cpucontrol.c +++ b/usr.sbin/cpucontrol/cpucontrol.c @@ -60,6 +60,7 @@ int verbosity_level = 0; #define FLAG_I 0x01 #define FLAG_M 0x02 #define FLAG_U 0x04 +#define FLAG_E 0x10 #define OP_INVAL 0x00 #define OP_READ 0x01 @@ -114,7 +115,7 @@ usage(void) if (name == NULL) name = "cpuctl"; fprintf(stderr, "Usage: %s [-vh] [-d datadir] [-m msr[=value] | " - "-i level | -i level,level_type | -u] device\n", name); + "-i level | -i level,level_type | -e | -u] device\n", name); exit(EX_USAGE); } @@ -338,6 +339,25 @@ do_msr(const char *cmdarg, const char *dev) } static int +do_eval_cpu_features(const char *dev) +{ + int fd, error; + + assert(dev != NULL); + + fd = open(dev, O_RDWR); + if (fd < 0) { + WARN(0, "error opening %s for writing", dev); + return (1); + } + error = ioctl(fd, CPUCTL_EVAL_CPU_FEATURES, NULL); + if (error < 0) + WARN(0, "ioctl(%s, CPUCTL_EVAL_CPU_FEATURES)", dev); + close(fd); + return (error); +} + +static int do_update(const char *dev) { int fd; 
@@ -431,11 +451,14 @@ main(int argc, char *argv[]) * Add all default data dirs to the list first. */ datadir_add(DEFAULT_DATADIR); - while ((c = getopt(argc, argv, "d:hi:m:uv")) != -1) { + while ((c = getopt(argc, argv, "d:ehi:m:uv")) != -1) { switch (c) { case 'd': datadir_add(optarg); break; + case 'e': + flags |= FLAG_E; + break; case 'i': flags |= FLAG_I; cmdarg = optarg; @@ -464,22 +487,25 @@ main(int argc, char *argv[]) /* NOTREACHED */ } dev = argv[0]; - c = flags & (FLAG_I | FLAG_M | FLAG_U); + c = flags & (FLAG_E | FLAG_I | FLAG_M | FLAG_U); switch (c) { - case FLAG_I: - if (strstr(cmdarg, ",") != NULL) - error = do_cpuid_count(cmdarg, dev); - else - error = do_cpuid(cmdarg, dev); - break; - case FLAG_M: - error = do_msr(cmdarg, dev); - break; - case FLAG_U: - error = do_update(dev); - break; - default: - usage(); /* Only one command can be selected. */ + case FLAG_I: + if (strstr(cmdarg, ",") != NULL) + error = do_cpuid_count(cmdarg, dev); + else + error = do_cpuid(cmdarg, dev); + break; + case FLAG_M: + error = do_msr(cmdarg, dev); + break; + case FLAG_U: + error = do_update(dev); + break; + case FLAG_E: + error = do_eval_cpu_features(dev); + break; + default: + usage(); /* Only one command can be selected. */ } SLIST_FREE(&datadirs, next, free); return (error == 0 ? 0 : 1); -- cgit v1.1 From 0e2c6eafc8392d9e3fb835393c03c3f02b0e00fb Mon Sep 17 00:00:00 2001 From: gordon Date: Wed, 4 Apr 2018 05:33:56 +0000 Subject: Fix vt console memory disclosure. [SA-18:04.vt] Bump newvers.sh and UPDATING for today's patches. Submitted by: emaste Reported by: Dr Silvio Cesare of InfoSect Approved by: so Security: CVE-2018-6917 Security: FreeBSD-SA-18:04.vt Sponsored by: The FreeBSD Foundation --- UPDATING | 13 +++++++++++++ sys/conf/newvers.sh | 2 +- sys/dev/vt/vt_font.c | 4 +++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/UPDATING b/UPDATING index a754cca..dad80fa 100644 --- a/UPDATING +++ b/UPDATING 
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20180404 p9 FreeBSD-SA-18:04.vt + FreeBSD-SA-18:05.ipsec + FreeBSD-EN-18:03.tzdata + FreeBSD-EN-18:04.mem + + Fix vt console memory disclosure. [SA-18:04.vt] + + Fix ipsec crash or denial of service. [SA-18:05.ipsec] + + Update timezone database information. [EN-18:03.tzdata] + + Fix multiple small kernel memory disclosures. [EN-18:04.mem] + 20180314 p8 FreeBSD-SA-18:03.speculative_execution Add mitigations for two classes of speculative execution vulnerabilities diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 2341b62..f296585 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.1" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/dev/vt/vt_font.c b/sys/dev/vt/vt_font.c index 4c369c6..1e65e70 100644 --- a/sys/dev/vt/vt_font.c +++ b/sys/dev/vt/vt_font.c @@ -42,6 +42,7 @@ static MALLOC_DEFINE(M_VTFONT, "vtfont", "vt font"); /* Some limits to prevent abnormal fonts from being loaded. */ #define VTFONT_MAXMAPPINGS 65536 +#define VTFONT_MAXGLYPHS 131072 #define VTFONT_MAXGLYPHSIZE 2097152 #define VTFONT_MAXDIMENSION 128 @@ -171,7 +172,8 @@ vtfont_load(vfnt_t *f, struct vt_font **ret) /* Make sure the dimensions are valid. */ if (f->width < 1 || f->height < 1) return (EINVAL); - if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION) + if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION || + f->glyph_count > VTFONT_MAXGLYPHS) return (E2BIG); /* Not too many mappings. */ -- cgit v1.1 From 0ce10b6784cbf4e1763f41eaadbf25a600ea4f89 Mon Sep 17 00:00:00 2001 
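Review bot: In `vtfont_load()` (sys/dev/vt/vt_font.c) the new `f->glyph_count > VTFONT_MAXGLYPHS` test is folded into the dimension check with no comment on what it protects, and unlike width and height it gets no lower bound in the visible lines. The code that sizes the glyph buffer is outside the hunk. If that size is derived from width, height and glyph_count and then compared with `VTFONT_MAXGLYPHSIZE`, the new limit presumably exists so the product cannot wrap before that comparison. A comment such as `/* Cap glyph_count so the glyph size computed below cannot overflow before it is range-checked. */` would keep a later edit from relaxing it. It is also worth confirming outside the hunk that a `glyph_count` of 0 is rejected or handled.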
From: gordon Date: Wed, 4 Apr 2018 05:37:52 +0000 Subject: Fix ipsec crash or denial of service. [SA-18:05.ipsec] Reported by: Maxime Villard Approved by: so Security: CVE-2018-6918 Security: FreeBSD-SA-18:05.ipsec --- sys/netipsec/xform_ah.c | 72 +++++++++++++++++++------------------------------ 1 file changed, 28 insertions(+), 44 deletions(-) diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 98d22f5..6716e70 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -264,7 +264,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) #ifdef INET6 struct ip6_ext *ip6e; struct ip6_hdr ip6; - int alloc, len, ad; + int ad, alloc, nxt, noff; #endif /* INET6 */ switch (proto) { @@ -293,7 +293,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) else ip->ip_off = htons(0); - ptr = mtod(m, unsigned char *) + sizeof(struct ip); + ptr = mtod(m, unsigned char *); /* IPv4 option processing */ for (off = sizeof(struct ip); off < skip;) { @@ -374,7 +374,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) /* Zeroize all other options. */ count = ptr[off + 1]; - bcopy(ipseczeroes, ptr, count); + bcopy(ipseczeroes, ptr + off, count); off += count; break; } 
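Review bot: In the IPv4 "Zeroize all other options" branch of `ah_massage_headers()`, the length `count = ptr[off + 1]` is a byte taken from the packet, and nothing in the hunk shows it being checked against `skip` before `bcopy(ipseczeroes, ptr + off, count)` writes. Now that the destination is correctly `ptr + off`, an option length that runs past the end of the header would make the copy run past it too. Rejecting the packet when `off + count > skip` before the copy, on the function's existing EINVAL path, closes that, unless an equivalent check sits just above the hunk. The copy also relies on `ipseczeroes` being at least 255 bytes; it is declared elsewhere, so a one-line comment here would record that dependency. The function starts and ends outside the hunk.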
@@ -447,61 +447,44 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) } else break; - off = ip6.ip6_nxt & 0xff; /* Next header type. */ + nxt = ip6.ip6_nxt & 0xff; /* Next header type. */ - for (len = 0; len < skip - sizeof(struct ip6_hdr);) - switch (off) { + for (off = 0; off < skip - sizeof(struct ip6_hdr);) + switch (nxt) { case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: - ip6e = (struct ip6_ext *) (ptr + len); + ip6e = (struct ip6_ext *)(ptr + off); + noff = off + ((ip6e->ip6e_len + 1) << 3); + + /* Sanity check. */ + if (noff > skip - sizeof(struct ip6_hdr)) + goto error6; /* - * Process the mutable/immutable - * options -- borrows heavily from the - * KAME code. + * Zero out mutable options. */ - for (count = len + sizeof(struct ip6_ext); - count < len + ((ip6e->ip6e_len + 1) << 3);) { + for (count = off + sizeof(struct ip6_ext); + count < noff;) { if (ptr[count] == IP6OPT_PAD1) { count++; continue; /* Skip padding. */ } - /* Sanity check. */ - if (count > len + - ((ip6e->ip6e_len + 1) << 3)) { - m_freem(m); - - /* Free, if we allocated. */ - if (alloc) - free(ptr, M_XDATA); - return EINVAL; - } + ad = ptr[count + 1] + 2; + if (count + ad > noff) + goto error6; - ad = ptr[count + 1]; - - /* If mutable option, zeroize. */ if (ptr[count] & IP6OPT_MUTABLE) - bcopy(ipseczeroes, ptr + count, - ptr[count + 1]); - + memset(ptr + count, 0, ad); count += ad; - - /* Sanity check. */ - if (count > - skip - sizeof(struct ip6_hdr)) { - m_freem(m); - - /* Free, if we allocated. */ - if (alloc) - free(ptr, M_XDATA); - return EINVAL; - } } + if (count != noff) + goto error6; + /* Advance. */ - len += ((ip6e->ip6e_len + 1) << 3); - off = ip6e->ip6e_nxt; + off += ((ip6e->ip6e_len + 1) << 3); + nxt = ip6e->ip6e_nxt; break; case IPPROTO_ROUTING: 
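Review bot: In the rewritten IPv6 option loop, `ad = ptr[count + 1] + 2;` reads the option-length byte before anything confirms that byte lies inside the extension header. The loop condition only guarantees `count < noff`, so with `count == noff - 1` and a non-PAD1 type the read is at `ptr[noff]`. If the header ends exactly at the end of the buffer `ptr` refers to (its size is set outside the hunk), that is a one-byte read past it, even though the following `count + ad > noff` test then rejects the packet. Adding `if (count + 2 > noff) goto error6;` ahead of that read keeps it in bounds. Separately, `noff > skip - sizeof(struct ip6_hdr)` compares an `int` with a `size_t` expression, so it depends on `skip` never being smaller than the IPv6 header; the enclosing function begins and ends outside the hunk.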
@@ -509,14 +492,15 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) * Always include routing headers in * computation. */ - ip6e = (struct ip6_ext *) (ptr + len); - len += ((ip6e->ip6e_len + 1) << 3); - off = ip6e->ip6e_nxt; + ip6e = (struct ip6_ext *) (ptr + off); + off += ((ip6e->ip6e_len + 1) << 3); + nxt = ip6e->ip6e_nxt; break; default: DPRINTF(("%s: unexpected IPv6 header type %d", __func__, off)); +error6: if (alloc) free(ptr, M_XDATA); m_freem(m); -- cgit v1.1 From 7b354623a7c28cdf0b77ccb43d3f6bfeeaa2f2ac Mon Sep 17 00:00:00 2001 From: gordon Date: Wed, 4 Apr 2018 05:40:48 +0000 Subject: Update timezone database information. [EN-18:03.tzdata] Submitted by: philip Approved by: so Security: FreeBSD-EN-18:03.tzdata --- contrib/tzdata/CONTRIBUTING | 12 +- contrib/tzdata/Makefile | 123 ++- contrib/tzdata/NEWS | 145 +++- contrib/tzdata/africa | 57 +- contrib/tzdata/antarctica | 3 +- contrib/tzdata/asia | 177 +++-- contrib/tzdata/australasia | 114 +-- contrib/tzdata/backzone | 48 +- contrib/tzdata/checktab.awk | 9 + contrib/tzdata/europe | 84 +- contrib/tzdata/northamerica | 27 +- contrib/tzdata/southamerica | 430 +++++++---- contrib/tzdata/theory.html | 1793 ++++++++++++++++++++++++------------------- contrib/tzdata/version | 2 +- contrib/tzdata/ziguard.awk | 62 ++ contrib/tzdata/zishrink.awk | 4 +- contrib/tzdata/zone.tab | 2 +- contrib/tzdata/zone1970.tab | 4 +- 18 files changed, 1889 insertions(+), 1207 deletions(-) create mode 100644 contrib/tzdata/ziguard.awk diff --git a/contrib/tzdata/CONTRIBUTING b/contrib/tzdata/CONTRIBUTING index 716f32b..0cfc77f 100644 --- a/contrib/tzdata/CONTRIBUTING +++ b/contrib/tzdata/CONTRIBUTING 
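Review bot: The `DPRINTF` in the `default:` case of `ah_massage_headers()` (sys/netipsec/xform_ah.c) still passes `off`, but this commit makes `off` the byte offset into the extension headers and moves the header type to `nxt`. The message "unexpected IPv6 header type %d" therefore logs the wrong value; the argument line should read `__func__, nxt));`. In the same hunk the `IPPROTO_ROUTING` case advances `off` by `(ip6e->ip6e_len + 1) << 3` without the `noff`-style bound that the commit adds for the hop-by-hop and destination-option cases, so it leans on the loop condition alone. Applying the same check there would make the two branches consistent. The function continues outside the hunk.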
@@ -25,7 +25,8 @@ justification. Citations should use https: URLs if available. Please submit changes against either the latest release in or the master branch of the development -repository. If you use Git the following workflow may be helpful: +repository. The latter is preferred. If you use Git the following +workflow may be helpful: * Copy the development repository. @@ -42,6 +43,12 @@ repository. If you use Git the following workflow may be helpful: git checkout -b mybranch + * Sleuth by using 'git blame'. For example, when fixing data for + Africa/Sao_Tome, if the command 'git blame africa' outputs a line + '2951fa3b (Paul Eggert 2018-01-08 09:03:13 -0800 1068) Zone + Africa/Sao_Tome 0:26:56 - LMT 1884', commit 2951fa3b should + provide some justification for the 'Zone Africa/Sao_Tome' line. + * Edit source files. Include commentary that justifies the changes by citing reliable sources. @@ -67,6 +74,9 @@ repository. If you use Git the following workflow may be helpful: git send-email master + For an archived example of such an email, see + . + * Start anew by getting current with the master branch again (the second step above). diff --git a/contrib/tzdata/Makefile b/contrib/tzdata/Makefile index 4f448d2..c69e01b 100644 --- a/contrib/tzdata/Makefile +++ b/contrib/tzdata/Makefile @@ -10,6 +10,15 @@ VERSION= unknown # Email address for bug reports. BUGEMAIL= tz@iana.org +# Choose source data features. To get new features right away, use: +# DATAFORM= vanguard +# To wait a while before using new features, to give downstream users +# time to upgrade zic (the default), use: +# DATAFORM= main +# To wait even longer for new features, use: +# DATAFORM= rearguard +DATAFORM= main + # Change the line below for your time zone (after finding the zone you want in # the time zone files, or adding it to a time zone file). # Alternately, if you discover you've got the wrong time zone, you can just 
@@ -25,10 +34,10 @@ LOCALTIME= GMT # for handling POSIX-style time zone environment variables, # change the line below (after finding the zone you want in the # time zone files, or adding it to a time zone file). -# (When a POSIX-style environment variable is handled, the rules in the +# When a POSIX-style environment variable is handled, the rules in the # template file are used to determine "spring forward" and "fall back" days and # times; the environment variable itself specifies UT offsets of standard and -# summer time.) +# daylight saving time. # Alternately, if you discover you've got the wrong time zone, you can just # zic -p rightzone # to correct things. @@ -189,13 +198,18 @@ LDLIBS= # -DHAVE_STDINT_H if you have a non-C99 compiler with # -DHAVE_STRFTIME_L if declares locale_t and strftime_l # -DHAVE_STRDUP=0 if your system lacks the strdup function +# -DHAVE_STRTOLL=0 if your system lacks the strtoll function # -DHAVE_SYMLINK=0 if your system lacks the symlink function # -DHAVE_SYS_STAT_H=0 if your compiler lacks a # -DHAVE_SYS_WAIT_H=0 if your compiler lacks a # -DHAVE_TZSET=0 if your system lacks a tzset function # -DHAVE_UNISTD_H=0 if your compiler lacks a # -Dlocale_t=XXX if your system uses XXX instead of locale_t +# -DRESERVE_STD_EXT_IDS if your platform reserves standard identifiers +# with external linkage, e.g., applications cannot define 'localtime'. # -Dssize_t=long on hosts like MS-Windows that lack ssize_t +# -DSUPPRESS_TZDIR to not prepend TZDIR to file names; this has +# security implications and is not recommended for general use # -DTHREAD_SAFE to make localtime.c thread-safe, as POSIX requires; # not needed by the main-program tz code, which is single-threaded. # Append other compiler flags as needed, e.g., -pthread on GNU/Linux. 
@@ -394,13 +408,19 @@ SAFE_CHARSET3= 'abcdefghijklmnopqrstuvwxyz{|}~' SAFE_CHARSET= $(SAFE_CHARSET1)$(SAFE_CHARSET2)$(SAFE_CHARSET3) SAFE_CHAR= '[]'$(SAFE_CHARSET)'-]' +# Non-ASCII non-letters that OK_CHAR allows, as these characters are +# useful in commentary. XEmacs 21.5.34 displays them correctly, +# presumably because they are Latin-1. +UNUSUAL_OK_CHARSET= °±½¾× + # OK_CHAR matches any character allowed in the distributed files. -# This is the same as SAFE_CHAR, except that multibyte letters are -# also allowed so that commentary can contain people's names and quote -# non-English sources. For non-letters the sources are limited to -# ASCII renderings for the convenience of maintainers whose text editors -# mishandle UTF-8 by default (e.g., XEmacs 21.4.22). -OK_CHAR= '[][:alpha:]'$(SAFE_CHARSET)'-]' +# This is the same as SAFE_CHAR, except that UNUSUAL_OK_CHARSET and +# multibyte letters are also allowed so that commentary can contain a +# few safe symbols and people's names and can quote non-English sources. +# Other non-letters are limited to ASCII renderings for the +# convenience of maintainers using XEmacs 21.5.34, which by default +# mishandles Unicode characters U+0100 and greater. +OK_CHAR= '[][:alpha:]$(UNUSUAL_OK_CHARSET)'$(SAFE_CHARSET)'-]' # SAFE_LINE matches a line of safe characters. # SAFE_SHARP_LINE is similar, except any OK character can follow '#'; 
@@ -462,10 +482,12 @@ TDATA= $(YDATA) $(NDATA) $(BACKWARD) ZONETABLES= zone1970.tab zone.tab TABDATA= iso3166.tab $(TZDATA_TEXT) $(ZONETABLES) LEAP_DEPS= leapseconds.awk leap-seconds.list -TZDATA_ZI_DEPS= zishrink.awk version $(TDATA) $(PACKRATDATA) +TZDATA_ZI_DEPS= ziguard.awk zishrink.awk version $(TDATA) $(PACKRATDATA) +DSTDATA_ZI_DEPS= ziguard.awk $(TDATA) $(PACKRATDATA) DATA= $(TDATA_TO_CHECK) backzone iso3166.tab leap-seconds.list \ leapseconds yearistype.sh $(ZONETABLES) -AWK_SCRIPTS= checklinks.awk checktab.awk leapseconds.awk zishrink.awk +AWK_SCRIPTS= checklinks.awk checktab.awk leapseconds.awk \ + ziguard.awk zishrink.awk MISC= $(AWK_SCRIPTS) zoneinfo2tdf.pl TZS_YEAR= 2050 TZS= to$(TZS_YEAR).tzs @@ -499,7 +521,8 @@ VERSION_DEPS= \ SHELL= /bin/sh -all: tzselect yearistype zic zdump libtz.a $(TABDATA) +all: tzselect yearistype zic zdump libtz.a $(TABDATA) \ + vanguard.zi main.zi rearguard.zi ALL: all date $(ENCHILADA) @@ -534,11 +557,15 @@ version: $(VERSION_DEPS) printf '%s\n' "$$V" >$@.out mv $@.out $@ -# This file can be tailored by setting BACKWARD, PACKRATDATA, etc. -tzdata.zi: $(TZDATA_ZI_DEPS) +# These files can be tailored by setting BACKWARD, PACKRATDATA, etc. +vanguard.zi main.zi rearguard.zi: $(DSTDATA_ZI_DEPS) + $(AWK) -v outfile='$@' -f ziguard.awk $(TDATA) $(PACKRATDATA) \ + >$@.out + mv $@.out $@ +tzdata.zi: $(DATAFORM).zi version version=`sed 1q version` && \ LC_ALL=C $(AWK) -v version="$$version" -f zishrink.awk \ - $(TDATA) $(PACKRATDATA) >$@.out + $(DATAFORM).zi >$@.out mv $@.out $@ version.h: version 
@@ -614,19 +641,29 @@ posix_packrat: zones: $(REDO) +# dummy.zd is not a real file; it is mentioned here only so that the +# top-level 'make' does not have a syntax error. +ZDS = dummy.zd +# Rule used only by submakes invoked by the $(TZS_NEW) rule. +# It is separate so that GNU 'make -j' can run instances in parallel. +$(ZDS): zdump + ./zdump -i -c $(TZS_YEAR) '$(wd)/'$$(expr $@ : '\(.*\).zd') >$@ + $(TZS_NEW): tzdata.zi zdump zic - mkdir -p tzs.dir + rm -fr tzs.dir + mkdir tzs.dir $(zic) -d tzs.dir tzdata.zi $(AWK) '/^L/{print "Link\t" $$2 "\t" $$3}' \ tzdata.zi | LC_ALL=C sort >$@.out wd=`pwd` && \ - zones=`$(AWK) -v wd="$$wd" \ - '/^Z/{print wd "/tzs.dir/" $$2}' tzdata.zi \ - | LC_ALL=C sort` && \ - ./zdump -i -c $(TZS_YEAR) $$zones >>$@.out - sed 's,^TZ=".*tzs\.dir/,TZ=",' $@.out >$@.sed.out - rm -fr tzs.dir $@.out - mv $@.sed.out $@ + set x `$(AWK) '/^Z/{print "tzs.dir/" $$2 ".zd"}' tzdata.zi \ + | LC_ALL=C sort -t . -k 2,2` && \ + shift && \ + ZDS=$$* && \ + $(MAKE) wd="$$wd" TZS_YEAR=$(TZS_YEAR) ZDS="$$ZDS" $$ZDS && \ + sed 's,^TZ=".*tzs\.dir/,TZ=",' $$ZDS >>$@.out + rm -fr tzs.dir + mv $@.out $@ # If $(TZS) does not already exist (e.g., old-format tarballs), create it. # If it exists but 'make check_tzs' fails, a maintainer should inspect the @@ -669,8 +706,10 @@ check_character_set: $(ENCHILADA) sharp='#' && \ ! grep -Env $(SAFE_LINE) $(MANS) date.1 $(MANTXTS) \ $(MISC) $(SOURCES) $(WEB_PAGES) \ - CONTRIBUTING LICENSE Makefile README \ + CONTRIBUTING LICENSE README \ version tzdata.zi && \ + ! grep -Env $(SAFE_LINE)'|^UNUSUAL_OK_CHARSET='$(OK_CHAR)'*$$' \ + Makefile && \ ! grep -Env $(SAFE_SHARP_LINE) $(TDATA_TO_CHECK) backzone \ leapseconds yearistype.sh zone.tab && \ ! grep -Env $(OK_LINE) $(ENCHILADA); \ 
@@ -702,7 +741,7 @@ check_sorted: backward backzone iso3166.tab zone.tab zone1970.tab $(AWK) '/^[^#]/ $(CHECK_CC_LIST)' zone1970.tab | \ LC_ALL=C sort -cu -check_links: checklinks.awk $(TDATA_TO_CHECK) +check_links: checklinks.awk $(TDATA_TO_CHECK) tzdata.zi $(AWK) -f checklinks.awk $(TDATA_TO_CHECK) $(AWK) -f checklinks.awk tzdata.zi @@ -720,17 +759,26 @@ check_tzs: $(TZS) $(TZS_NEW) check_web: tz-how-to.html $(VALIDATE_ENV) $(VALIDATE) $(VALIDATE_FLAGS) tz-how-to.html -# Check that tzdata.zi generates the same binary data that its sources do. -check_zishrink: tzdata.zi zic leapseconds $(PACKRATDATA) $(TDATA) +# Check that zishrink.awk does not alter the data, and that ziguard.awk +# preserves main-format data. +check_zishrink: zic leapseconds $(PACKRATDATA) $(TDATA) \ + $(DATAFORM).zi tzdata.zi for type in posix right; do \ - mkdir -p time_t.dir/$$type time_t.dir/$$type-shrunk && \ + mkdir -p time_t.dir/$$type time_t.dir/$$type-t \ + time_t.dir/$$type-shrunk && \ case $$type in \ right) leap='-L leapseconds';; \ *) leap=;; \ esac && \ - $(ZIC) $$leap -d time_t.dir/$$type $(TDATA) && \ - $(AWK) '/^Rule/' $(TDATA) | \ - $(ZIC) $$leap -d time_t.dir/$$type - $(PACKRATDATA) && \ + $(ZIC) $$leap -d time_t.dir/$$type $(DATAFORM).zi && \ + case $(DATAFORM) in \ + main) \ + $(ZIC) $$leap -d time_t.dir/$$type-t $(TDATA) && \ + $(AWK) '/^Rule/' $(TDATA) | \ + $(ZIC) $$leap -d time_t.dir/$$type-t - \ + $(PACKRATDATA) && \ + diff -r time_t.dir/$$type time_t.dir/$$type-t;; \ + esac && \ $(ZIC) $$leap -d time_t.dir/$$type-shrunk tzdata.zi && \ diff -r time_t.dir/$$type time_t.dir/$$type-shrunk || exit; \ done @@ -740,7 +788,7 @@ clean_misc: rm -f core *.o *.out \ date tzselect version.h zdump zic yearistype libtz.a clean: clean_misc - rm -fr *.dir tzdata.zi tzdb-*/ $(TZS_NEW) + rm -fr *.dir *.zi tzdb-*/ $(TZS_NEW) maintainer-clean: clean @echo 'This command is intended for maintainers to use; it' 
@@ -856,6 +904,9 @@ tarballs traditional_tarballs signatures traditional_signatures: version VERSION=`cat version` && \ $(MAKE) VERSION="$$VERSION" $@_version +# These *_version rules are intended for use if VERSION is set by some +# other means. Ordinarily these rules are used only by the above +# non-_version rules, which set VERSION on the 'make' command line. tarballs_version: traditional_tarballs_version tzdb-$(VERSION).tar.lz traditional_tarballs_version: \ tzcode$(VERSION).tar.gz tzdata$(VERSION).tar.gz @@ -917,13 +968,17 @@ zic.o: private.h tzfile.h version.h .KEEP_STATE: .PHONY: ALL INSTALL all -.PHONY: check check_character_set check_links +.PHONY: check check_character_set check_links check_name_lengths .PHONY: check_public check_sorted check_tables .PHONY: check_time_t_alternatives check_tzs check_web check_white_space .PHONY: check_zishrink -.PHONY: clean clean_misc force_tzs +.PHONY: clean clean_misc dummy.zd force_tzs .PHONY: install install_data maintainer-clean names .PHONY: posix_only posix_packrat posix_right .PHONY: public right_only right_posix signatures signatures_version -.PHONY: tarballs tarballs_version typecheck +.PHONY: tarballs tarballs_version +.PHONY: traditional_signatures traditional_signatures_version +.PHONY: traditional_tarballs traditional_tarballs_version +.PHONY: typecheck .PHONY: zonenames zones +.PHONY: $(ZDS) diff --git a/contrib/tzdata/NEWS b/contrib/tzdata/NEWS index 2bd0aa8..8afe3a4 100644 --- a/contrib/tzdata/NEWS +++ b/contrib/tzdata/NEWS 
@@ -1,9 +1,146 @@ News for the tz database +Release 2018d - 2018-03-22 07:05:46 -0700 + + Briefly: + + Palestine starts DST a week earlier in 2018. + Add support for vanguard and rearguard data consumers. + Add subsecond precision to source data format, though not to data. + + Changes to future time stamps + + In 2018, Palestine starts DST on March 24, not March 31. + Adjust future predictions accordingly. (Thanks to Sharef Mustafa.) + + Changes to past and future time stamps + + Casey Station in Antarctica changed from +11 to +08 on 2018-03-11 + at 04:00. (Thanks to Steffen Thorsen.) + + Changes to past time stamps + + Historical transitions for Uruguay, represented by + America/Montevideo, have been updated per official legal documents, + replacing previous data mainly originating from the inventions of + Shanks & Pottenger. This has resulted in adjustments ranging from + 30 to 90 minutes in either direction over at least two dozen + distinct periods ranging from one day to several years in length. + A mere handful of pre-1991 transitions are unaffected; data since + then has come from more reliable contemporaneous reporting. These + changes affect various timestamps in 1920-1923, 1936, 1939, + 1942-1943, 1959, 1966-1970, 1972, 1974-1980, and 1988-1990. + Additionally, Uruguay's pre-standard-time UT offset has been + adjusted westward by 7 seconds, from UT-03:44:44 to UT-03:44:51, to + match the location of the Observatory of the National Meteorological + Institute in Montevideo. + (Thanks to Jeremie Bonjour, Tim Parenti, and Michael Deckers.) + + Enderbury and Kiritimati skipped New Year's Eve 1994, not + New Year's Day 1995. (Thanks to Kerry Shetline.) + + Fix the 1912-01-01 transition for Portugual and its colonies. + This transition was at 00:00 according to the new UT offset, not + according to the old one. Also assume that Cape Verde switched on + the same date as the rest, not in 1907. 
This affects + Africa/Bissau, Africa/Sao_Tome, Asia/Macau, Atlantic/Azores, + Atlantic/Cape_Verde, Atlantic/Madeira, and Europe/Lisbon. + (Thanks to Michael Deckers.) + + Fix an off-by-1 error for pre-1913 timestamps in Jamaica and in + Turks & Caicos. + + Changes to past time zone abbreviations + + MMT took effect in Uruguay from 1908-06-10, not 1898-06-28. There + is no clock change associated with the transition. + + Changes to build procedure + + The new DATAFORM macro in the Makefile lets the installer choose + among three source data formats. The idea is to lessen downstream + disruption when data formats are improved. + + * DATAFORM=vanguard installs from the latest, bleeding-edge + format. DATAFORM=main (the default) installs from the format + used in the 'africa' etc. files. DATAFORM=rearguard installs + from a trailing-edge format. Eventually, elements of today's + vanguard format should move to the main format, and similarly + the main format's features should eventually move to the + rearguard format. + + * In the current version, the main and rearguard formats are + identical and match that of 2018c, so this change does not + affect default behavior. The vanguard format currently contains + one feature not in the main format: negative SAVE values. This + improves support for Ireland, which uses Irish Standard Time + (IST, UTC+01) in summer and GMT (UTC) in winter. tzcode has + supported negative SAVE values for decades, and this feature + should move to the main format soon. However, it will not move + to the rearguard format for quite some time because some + downstream parsers do not support it. + + * The build procedure constructs three files vanguard.zi, main.zi, + and rearguard.zi, one for each format. The files represent the + same data as closely as the formats allow. These three files + are intended for downstream data consumers and are not + installed. 
Zoneinfo parsers that do not support negative SAVE values + should start using rearguard.zi, so that they will be unaffected + when the negative-DST feature moves from vanguard to main. + Bleeding-edge Zoneinfo parsers that support the new features + already can use vanguard.zi; in this respect, current tzcode is + bleeding-edge. + + The Makefile should now be safe for parallelized builds, and 'make + -j to2050new.tzs' is now much faster on a multiprocessor host + with GNU Make. + + When built with -DSUPPRESS_TZDIR, the tzcode library no longer + prepends TZDIR/ to file names that do not begin with '/'. This is + not recommended for general use, due to its security implications. + (From a suggestion by Manuela Friedrich.) + + Changes to code + + zic now accepts subsecond precision in expressions like + 00:19:32.13, which is approximately the legal time of the + Netherlands from 1835 to 1937. However, because it is + questionable whether the few recorded uses of non-integer offsets + had subsecond precision in practice, there are no plans for tzdata + to use this feature. (Thanks to Steve Allen for pointing out + the limitations of historical data in this area.) + + The code is a bit more portable to MS-Windows. Installers can + compile with -DRESERVE_STD_EXT_IDS on MS-Windows platforms that + reserve identifiers like 'localtime'. (Thanks to Manuela + Friedrich). + + Changes to documentation and commentary + + theory.html now outlines tzdb's extensions to POSIX's model for + civil time, and has a section "POSIX features no longer needed" + that lists POSIX API components that are now vestigial. + (From suggestions by Steve Summit.) It also better distinguishes + time zones from tz regions. (From a suggestion by Guy Harris.) + + Commentary is now more consistent about using the phrase "daylight + saving time", to match the C name tm_isdst. Daylight saving time + need not occur in summer, and need not have a positive offset from + standard time. 
+ + Commentary about historical transitions in Uruguay has been expanded + with links to many relevant legal documents. + (Thanks to Tim Parenti.) + + Commentary now uses some non-ASCII characters with Unicode value + less than U+0100, as they can be useful and should work even with + older editors such as XEmacs. + + Release 2018c - 2018-01-22 23:00:44 -0800 Briefly: - Revert Irish changes that relied on negative DST offsets. + Revert Irish changes that relied on negative SAVE values. Changes to tm_isdst @@ -14,8 +151,8 @@ Release 2018c - 2018-01-22 23:00:44 -0800 struct tm type. This reversion is intended to be a temporary workaround for problems discovered with downstream uses of releases 2018a and 2018b, which implemented Irish time by using - negative DST offsets in the Eire rules of the 'europe' file. - Although negative DST offsets have been part of tzcode for many + negative SAVE values in the Eire rules of the 'europe' file. + Although negative SAVE values have been part of tzcode for many years and are supported by many platforms, they were not documented before 2018a and ICU and OpenJDK do not currently support them. A mechanism to export data to platforms lacking @@ -900,7 +1037,7 @@ Release 2016b - 2016-03-12 17:30:14 -0800 Comments in zone tables have been improved. (Thanks to J William Piggott.) tzselect again limits its menu comments so that menus fit on a - 24x80 alphanumeric display. + 24×80 alphanumeric display. A new web page tz-how-to.html. (Thanks to Bill Seymour.) diff --git a/contrib/tzdata/africa b/contrib/tzdata/africa index 02115ad..2f7217a 100644 --- a/contrib/tzdata/africa +++ b/contrib/tzdata/africa 
@@ -115,13 +115,13 @@ Zone Africa/Algiers 0:12:12 - LMT 1891 Mar 15 0:01 # Cape Verde / Cabo Verde # +# From Paul Eggert (2018-02-16): # Shanks gives 1907 for the transition to +02. -# Perhaps the 1911-05-26 Portuguese decree -# https://dre.pt/pdf1sdip/1911/05/12500/23132313.pdf -# merely made it official? +# For now, ignore that and follow the 1911-05-26 Portuguese decree +# (see Europe/Lisbon). # # Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone Atlantic/Cape_Verde -1:34:04 - LMT 1907 # Praia +Zone Atlantic/Cape_Verde -1:34:04 - LMT 1912 Jan 01 2:00u # Praia -2:00 - -02 1942 Sep -2:00 1:00 -01 1945 Oct 15 -2:00 - -02 1975 Nov 25 2:00 
@@ -370,15 +370,34 @@ Zone Africa/Cairo 2:05:09 - LMT 1900 Oct # See Africa/Abidjan. # Ghana -# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S + +# From Paul Eggert (2018-01-30): # Whitman says DST was observed from 1931 to "the present"; -# Shanks & Pottenger say 1936 to 1942; -# and September 1 to January 1 is given by: -# Scott Keltie J, Epstein M (eds), The Statesman's Year-Book, -# 57th ed. Macmillan, London (1920), OCLC 609408015, pp xxviii. -# For lack of better info, assume DST was observed from 1920 to 1942. -Rule Ghana 1920 1942 - Sep 1 0:00 0:20 GHST -Rule Ghana 1920 1942 - Dec 31 0:00 0 GMT +# Shanks & Pottenger say 1936 to 1942 with 20 minutes of DST, +# with transitions on 09-01 and 12-31 at 00:00. +# Page 33 of Parish GCB, Colonial Reports - Annual. No. 1066. Gold +# Coast. Report for 1919. (March 1921), OCLC 784024077 +# http://libsysdigi.library.illinois.edu/ilharvest/africana/books2011-05/5530214/5530214_1919/5530214_1919_opt.pdf +# lists the Determination of the Time Ordinance, 1919, No. 18, +# "to advance the time observed locally by the space of twenty minutes +# during the last four months of each year; the object in view being +# to extend during those months the period of daylight-time available +# for evening recreation after office hours." +# Vanessa Ogle, The Global Transformation of Time, 1870-1950 (2015), p 33, +# writes "In 1919, the Gold Coast (Ghana as of 1957) made Greenwich +# time its legal time and simultaneously legalized a summer time of +# UTC - 00:20 minutes from March to October."; a footnote lists +# the ordinance as being dated 1919-11-24. +# The Crown Colonist, Volume 12 (1942), p 176, says "the Government +# intend advancing Gold Coast time half an hour ahead of G.M.T. +# The actual date of the alteration has not yet been announced." +# These sources are incomplete and contradictory. Possibly what is +# now Ghana observed different DST regimes in different years. 
For +# lack of better info, use Shanks except treat the minus sign as a +# typo, and assume DST started in 1920 not 1936. +# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S +Rule Ghana 1920 1942 - Sep 1 0:00 0:20 - +Rule Ghana 1920 1942 - Dec 31 0:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Africa/Accra -0:00:52 - LMT 1918 0:00 Ghana GMT/+0020 @@ -388,13 +407,13 @@ Zone Africa/Accra -0:00:52 - LMT 1918 # Guinea-Bissau # +# From Paul Eggert (2018-02-16): # Shanks gives 1911-05-26 for the transition to WAT, # evidently confusing the date of the Portuguese decree -# https://dre.pt/pdf1sdip/1911/05/12500/23132313.pdf -# with the date that it took effect, namely 1912-01-01. +# (see Europe/Lisbon) with the date that it took effect. # # Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone Africa/Bissau -1:02:20 - LMT 1912 Jan 1 +Zone Africa/Bissau -1:02:20 - LMT 1912 Jan 1 1:00u -1:00 - -01 1975 0:00 - GMT @@ -590,9 +609,9 @@ Zone Africa/Tripoli 0:52:44 - LMT 1920 # at 2am (or 02:00) local time..." # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Mauritius 1982 only - Oct 10 0:00 1:00 S +Rule Mauritius 1982 only - Oct 10 0:00 1:00 - Rule Mauritius 1983 only - Mar 21 0:00 0 - -Rule Mauritius 2008 only - Oct lastSun 2:00 1:00 S +Rule Mauritius 2008 only - Oct lastSun 2:00 1:00 - Rule Mauritius 2009 only - Mar lastSun 2:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis @@ -1037,6 +1056,8 @@ Zone Indian/Reunion 3:41:52 - LMT 1911 Jun # Saint-Denis # São Tomé and Príncipe +# See Europe/Lisbon for info about the 1912 transition. + # From Steffen Thorsen (2018-01-08): # Multiple sources tell that São Tomé changed from UTC to UTC+1 as # they entered the year 2018. 
@@ -1045,7 +1066,7 @@ Zone Indian/Reunion 3:41:52 - LMT 1911 Jun # Saint-Denis # http://www.mnec.gov.st/index.php/publicacoes/documentos/file/90-decreto-lei-n-25-2017 Zone Africa/Sao_Tome 0:26:56 - LMT 1884 - -0:36:45 - LMT 1912 # Lisbon Mean Time + -0:36:45 - LMT 1912 Jan 1 00:00u # Lisbon MT 0:00 - GMT 2018 Jan 1 01:00 1:00 - WAT diff --git a/contrib/tzdata/antarctica b/contrib/tzdata/antarctica index d9c132a..866cf4f 100644 --- a/contrib/tzdata/antarctica +++ b/contrib/tzdata/antarctica @@ -75,7 +75,8 @@ Zone Antarctica/Casey 0 - -00 1969 8:00 - +08 2011 Oct 28 2:00 11:00 - +11 2012 Feb 21 17:00u 8:00 - +08 2016 Oct 22 - 11:00 - +11 + 11:00 - +11 2018 Mar 11 4:00 + 8:00 - +08 Zone Antarctica/Davis 0 - -00 1957 Jan 13 7:00 - +07 1964 Nov 0 - -00 1969 Feb diff --git a/contrib/tzdata/asia b/contrib/tzdata/asia index 3f6e95c..998a7d4 100644 --- a/contrib/tzdata/asia +++ b/contrib/tzdata/asia @@ -69,13 +69,13 @@ Rule EUAsia 1981 max - Mar lastSun 1:00u 1:00 S Rule EUAsia 1979 1995 - Sep lastSun 1:00u 0 - Rule EUAsia 1996 max - Oct lastSun 1:00u 0 - -Rule E-EurAsia 1981 max - Mar lastSun 0:00 1:00 S +Rule E-EurAsia 1981 max - Mar lastSun 0:00 1:00 - Rule E-EurAsia 1979 1995 - Sep lastSun 0:00 0 - Rule E-EurAsia 1996 max - Oct lastSun 0:00 0 - -Rule RussiaAsia 1981 1984 - Apr 1 0:00 1:00 S +Rule RussiaAsia 1981 1984 - Apr 1 0:00 1:00 - Rule RussiaAsia 1981 1983 - Oct 1 0:00 0 - Rule RussiaAsia 1984 1995 - Sep lastSun 2:00s 0 - -Rule RussiaAsia 1985 2010 - Mar lastSun 2:00s 1:00 S +Rule RussiaAsia 1985 2010 - Mar lastSun 2:00s 1:00 - Rule RussiaAsia 1996 2010 - Oct lastSun 2:00s 0 - # Afghanistan 
@@ -110,7 +110,7 @@ Zone Asia/Kabul 4:36:48 - LMT 1890 # (brief) # http://www.worldtimezone.com/dst_news/dst_news_armenia03.html # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Armenia 2011 only - Mar lastSun 2:00s 1:00 S +Rule Armenia 2011 only - Mar lastSun 2:00s 1:00 - Rule Armenia 2011 only - Oct lastSun 2:00s 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Asia/Yerevan 2:58:00 - LMT 1924 May 2 @@ -136,7 +136,7 @@ Zone Asia/Yerevan 2:58:00 - LMT 1924 May 2 # http://en.apa.az/xeber_azerbaijan_abolishes_daylight_savings_ti_240862.html # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Azer 1997 2015 - Mar lastSun 4:00 1:00 S +Rule Azer 1997 2015 - Mar lastSun 4:00 1:00 - Rule Azer 1997 2015 - Oct lastSun 5:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Asia/Baku 3:19:24 - LMT 1924 May 2 @@ -223,7 +223,7 @@ Zone Asia/Baku 3:19:24 - LMT 1924 May 2 # http://www.worldtimezone.com/dst_news/dst_news_bangladesh06.html # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Dhaka 2009 only - Jun 19 23:00 1:00 S +Rule Dhaka 2009 only - Jun 19 23:00 1:00 - Rule Dhaka 2009 only - Dec 31 24:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] @@ -764,8 +764,9 @@ Rule Macau 1974 1977 - Oct Sun>=15 3:30 0 S Rule Macau 1975 1977 - Apr Sun>=15 3:30 1:00 D Rule Macau 1978 1980 - Apr Sun>=15 0:00 1:00 D Rule Macau 1978 1980 - Oct Sun>=15 0:00 0 S +# See Europe/Lisbon for info about the 1912 transition. # Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone Asia/Macau 7:34:20 - LMT 1912 Jan 1 +Zone Asia/Macau 7:34:20 - LMT 1911 Dec 31 16:00u 8:00 Macau C%sT 
@@ -1106,61 +1107,61 @@ Zone Asia/Jayapura 9:22:48 - LMT 1932 Nov # thirtieth day of Shahrivar. # # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Iran 1978 1980 - Mar 21 0:00 1:00 D -Rule Iran 1978 only - Oct 21 0:00 0 S -Rule Iran 1979 only - Sep 19 0:00 0 S -Rule Iran 1980 only - Sep 23 0:00 0 S -Rule Iran 1991 only - May 3 0:00 1:00 D -Rule Iran 1992 1995 - Mar 22 0:00 1:00 D -Rule Iran 1991 1995 - Sep 22 0:00 0 S -Rule Iran 1996 only - Mar 21 0:00 1:00 D -Rule Iran 1996 only - Sep 21 0:00 0 S -Rule Iran 1997 1999 - Mar 22 0:00 1:00 D -Rule Iran 1997 1999 - Sep 22 0:00 0 S -Rule Iran 2000 only - Mar 21 0:00 1:00 D -Rule Iran 2000 only - Sep 21 0:00 0 S -Rule Iran 2001 2003 - Mar 22 0:00 1:00 D -Rule Iran 2001 2003 - Sep 22 0:00 0 S -Rule Iran 2004 only - Mar 21 0:00 1:00 D -Rule Iran 2004 only - Sep 21 0:00 0 S -Rule Iran 2005 only - Mar 22 0:00 1:00 D -Rule Iran 2005 only - Sep 22 0:00 0 S -Rule Iran 2008 only - Mar 21 0:00 1:00 D -Rule Iran 2008 only - Sep 21 0:00 0 S -Rule Iran 2009 2011 - Mar 22 0:00 1:00 D -Rule Iran 2009 2011 - Sep 22 0:00 0 S -Rule Iran 2012 only - Mar 21 0:00 1:00 D -Rule Iran 2012 only - Sep 21 0:00 0 S -Rule Iran 2013 2015 - Mar 22 0:00 1:00 D -Rule Iran 2013 2015 - Sep 22 0:00 0 S -Rule Iran 2016 only - Mar 21 0:00 1:00 D -Rule Iran 2016 only - Sep 21 0:00 0 S -Rule Iran 2017 2019 - Mar 22 0:00 1:00 D -Rule Iran 2017 2019 - Sep 22 0:00 0 S -Rule Iran 2020 only - Mar 21 0:00 1:00 D -Rule Iran 2020 only - Sep 21 0:00 0 S -Rule Iran 2021 2023 - Mar 22 0:00 1:00 D -Rule Iran 2021 2023 - Sep 22 0:00 0 S -Rule Iran 2024 only - Mar 21 0:00 1:00 D -Rule Iran 2024 only - Sep 21 0:00 0 S -Rule Iran 2025 2027 - Mar 22 0:00 1:00 D -Rule Iran 2025 2027 - Sep 22 0:00 0 S -Rule Iran 2028 2029 - Mar 21 0:00 1:00 D -Rule Iran 2028 2029 - Sep 21 0:00 0 S -Rule Iran 2030 2031 - Mar 22 0:00 1:00 D -Rule Iran 2030 2031 - Sep 22 0:00 0 S -Rule Iran 2032 2033 - Mar 21 0:00 1:00 D -Rule Iran 2032 2033 - Sep 21 0:00 0 S -Rule Iran 2034 2035 - Mar 22 
0:00 1:00 D -Rule Iran 2034 2035 - Sep 22 0:00 0 S +Rule Iran 1978 1980 - Mar 21 0:00 1:00 - +Rule Iran 1978 only - Oct 21 0:00 0 - +Rule Iran 1979 only - Sep 19 0:00 0 - +Rule Iran 1980 only - Sep 23 0:00 0 - +Rule Iran 1991 only - May 3 0:00 1:00 - +Rule Iran 1992 1995 - Mar 22 0:00 1:00 - +Rule Iran 1991 1995 - Sep 22 0:00 0 - +Rule Iran 1996 only - Mar 21 0:00 1:00 - +Rule Iran 1996 only - Sep 21 0:00 0 - +Rule Iran 1997 1999 - Mar 22 0:00 1:00 - +Rule Iran 1997 1999 - Sep 22 0:00 0 - +Rule Iran 2000 only - Mar 21 0:00 1:00 - +Rule Iran 2000 only - Sep 21 0:00 0 - +Rule Iran 2001 2003 - Mar 22 0:00 1:00 - +Rule Iran 2001 2003 - Sep 22 0:00 0 - +Rule Iran 2004 only - Mar 21 0:00 1:00 - +Rule Iran 2004 only - Sep 21 0:00 0 - +Rule Iran 2005 only - Mar 22 0:00 1:00 - +Rule Iran 2005 only - Sep 22 0:00 0 - +Rule Iran 2008 only - Mar 21 0:00 1:00 - +Rule Iran 2008 only - Sep 21 0:00 0 - +Rule Iran 2009 2011 - Mar 22 0:00 1:00 - +Rule Iran 2009 2011 - Sep 22 0:00 0 - +Rule Iran 2012 only - Mar 21 0:00 1:00 - +Rule Iran 2012 only - Sep 21 0:00 0 - +Rule Iran 2013 2015 - Mar 22 0:00 1:00 - +Rule Iran 2013 2015 - Sep 22 0:00 0 - +Rule Iran 2016 only - Mar 21 0:00 1:00 - +Rule Iran 2016 only - Sep 21 0:00 0 - +Rule Iran 2017 2019 - Mar 22 0:00 1:00 - +Rule Iran 2017 2019 - Sep 22 0:00 0 - +Rule Iran 2020 only - Mar 21 0:00 1:00 - +Rule Iran 2020 only - Sep 21 0:00 0 - +Rule Iran 2021 2023 - Mar 22 0:00 1:00 - +Rule Iran 2021 2023 - Sep 22 0:00 0 - +Rule Iran 2024 only - Mar 21 0:00 1:00 - +Rule Iran 2024 only - Sep 21 0:00 0 - +Rule Iran 2025 2027 - Mar 22 0:00 1:00 - +Rule Iran 2025 2027 - Sep 22 0:00 0 - +Rule Iran 2028 2029 - Mar 21 0:00 1:00 - +Rule Iran 2028 2029 - Sep 21 0:00 0 - +Rule Iran 2030 2031 - Mar 22 0:00 1:00 - +Rule Iran 2030 2031 - Sep 22 0:00 0 - +Rule Iran 2032 2033 - Mar 21 0:00 1:00 - +Rule Iran 2032 2033 - Sep 21 0:00 0 - +Rule Iran 2034 2035 - Mar 22 0:00 1:00 - +Rule Iran 2034 2035 - Sep 22 0:00 0 - # # The following rules are approximations 
starting in the year 2038. # These are the best post-2037 approximations available, given the # restrictions of a single rule using a Gregorian-based data format. # At some point this table will need to be extended, though quite # possibly Iran will change the rules first. -Rule Iran 2036 max - Mar 21 0:00 1:00 D -Rule Iran 2036 max - Sep 21 0:00 0 S +Rule Iran 2036 max - Mar 21 0:00 1:00 - +Rule Iran 2036 max - Sep 21 0:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Asia/Tehran 3:25:44 - LMT 1916 @@ -1196,17 +1197,17 @@ Zone Asia/Tehran 3:25:44 - LMT 1916 # https://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Iraq 1982 only - May 1 0:00 1:00 D -Rule Iraq 1982 1984 - Oct 1 0:00 0 S -Rule Iraq 1983 only - Mar 31 0:00 1:00 D -Rule Iraq 1984 1985 - Apr 1 0:00 1:00 D -Rule Iraq 1985 1990 - Sep lastSun 1:00s 0 S -Rule Iraq 1986 1990 - Mar lastSun 1:00s 1:00 D +Rule Iraq 1982 only - May 1 0:00 1:00 - +Rule Iraq 1982 1984 - Oct 1 0:00 0 - +Rule Iraq 1983 only - Mar 31 0:00 1:00 - +Rule Iraq 1984 1985 - Apr 1 0:00 1:00 - +Rule Iraq 1985 1990 - Sep lastSun 1:00s 0 - +Rule Iraq 1986 1990 - Mar lastSun 1:00s 1:00 - # IATA SSIM (1991/1996) says Apr 1 12:01am UTC; guess the ':01' is a typo. # Shanks & Pottenger say Iraq did not observe DST 1992/1997; ignore this. # -Rule Iraq 1991 2007 - Apr 1 3:00s 1:00 D -Rule Iraq 1991 2007 - Oct 1 3:00s 0 S +Rule Iraq 1991 2007 - Apr 1 3:00s 1:00 - +Rule Iraq 1991 2007 - Oct 1 3:00s 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Asia/Baghdad 2:57:40 - LMT 1890 2:57:36 - BMT 1918 # Baghdad Mean Time? 
@@ -1478,8 +1479,7 @@ Rule Japan 1950 1951 - May Sat>=1 24:00 1:00 D # From Hideyuki Suzuki (1998-11-09): # 'Tokyo' usually stands for the former location of Tokyo Astronomical -# Observatory: 139 degrees 44' 40.90" E (9h 18m 58.727s), -# 35 degrees 39' 16.0" N. +# Observatory: 139° 44' 40.90" E (9h 18m 58.727s), 35° 39' 16.0" N. # This data is from 'Rika Nenpyou (Chronological Scientific Tables) 1996' # edited by National Astronomical Observatory of Japan.... # JST (Japan Standard Time) has been used since 1888-01-01 00:00 (JST). @@ -1487,10 +1487,10 @@ Rule Japan 1950 1951 - May Sat>=1 24:00 1:00 D # From Hideyuki Suzuki (1998-11-16): # The ordinance No. 51 (1886) established "standard time" in Japan, -# which stands for the time on 135 degrees E. +# which stands for the time on 135° E. # In the ordinance No. 167 (1895), "standard time" was renamed to "central # standard time". And the same ordinance also established "western standard -# time", which stands for the time on 120 degrees E.... But "western standard +# time", which stands for the time on 120° E.... But "western standard # time" was abolished in the ordinance No. 529 (1937). In the ordinance No. # 167, there is no mention regarding for what place western standard time is # standard.... @@ -1903,9 +1903,9 @@ Zone Asia/Oral 3:25:24 - LMT 1924 May 2 # or Ural'sk # From 2005-08-12 our GMT-offset is +6, w/o any daylight saving. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Kyrgyz 1992 1996 - Apr Sun>=7 0:00s 1:00 S +Rule Kyrgyz 1992 1996 - Apr Sun>=7 0:00s 1:00 - Rule Kyrgyz 1992 1996 - Sep lastSun 0:00 0 - -Rule Kyrgyz 1997 2005 - Mar lastSun 2:30 1:00 S +Rule Kyrgyz 1997 2005 - Mar lastSun 2:30 1:00 - Rule Kyrgyz 1997 2004 - Oct lastSun 2:30 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Asia/Bishkek 4:58:24 - LMT 1924 May 2 
@@ -2037,7 +2037,7 @@ Zone Asia/Beirut 2:22:00 - LMT 1880 # Malaysia # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule NBorneo 1935 1941 - Sep 14 0:00 0:20 TS # one-Third Summer +Rule NBorneo 1935 1941 - Sep 14 0:00 0:20 - Rule NBorneo 1935 1941 - Dec 14 0:00 0 - # # peninsular Malaysia @@ -2182,7 +2182,7 @@ Zone Indian/Maldives 4:54:00 - LMT 1880 # Malé # http://zasag.mn/news/view/8969 # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Mongol 1983 1984 - Apr 1 0:00 1:00 S +Rule Mongol 1983 1984 - Apr 1 0:00 1:00 - Rule Mongol 1983 only - Oct 1 0:00 0 - # Shanks & Pottenger and IATA SSIM say 1990s switches occurred at 00:00, # but McDow says the 2001 switches occurred at 02:00. Also, IATA SSIM @@ -2199,13 +2199,13 @@ Rule Mongol 1983 only - Oct 1 0:00 0 - # Mongolian Government meeting has concluded today to cancel daylight # saving time adoption in Mongolia. Source: http://zasag.mn/news/view/16192 -Rule Mongol 1985 1998 - Mar lastSun 0:00 1:00 S +Rule Mongol 1985 1998 - Mar lastSun 0:00 1:00 - Rule Mongol 1984 1998 - Sep lastSun 0:00 0 - # IATA SSIM (1999-09) says Mongolia no longer observes DST. -Rule Mongol 2001 only - Apr lastSat 2:00 1:00 S +Rule Mongol 2001 only - Apr lastSat 2:00 1:00 - Rule Mongol 2001 2006 - Sep lastSat 2:00 0 - -Rule Mongol 2002 2006 - Mar lastSat 2:00 1:00 S -Rule Mongol 2015 2016 - Mar lastSat 2:00 1:00 S +Rule Mongol 2002 2006 - Mar lastSat 2:00 1:00 - +Rule Mongol 2015 2016 - Mar lastSat 2:00 1:00 - Rule Mongol 2015 2016 - Sep lastSat 0:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] 
@@ -2639,9 +2639,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 # [Google translation]: "The Council also decided to start daylight # saving in Palestine as of one o'clock on Saturday morning, # 2016-03-26, to provide the clock 60 minutes ahead." -# -# From Paul Eggert (2016-03-12): -# Predict spring transitions on March's last Saturday at 01:00 from now on. # From Sharef Mustafa (2016-10-19): # [T]he Palestinian cabinet decision (Mar 8th 2016) published on @@ -2658,6 +2655,16 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 # https://www.timeanddate.com/time/change/gaza-strip/gaza # https://www.timeanddate.com/time/change/west-bank/hebron +# From Sharef Mustafa (2018-03-16): +# Palestine summer time will start on Mar 24th 2018 by advancing the +# clock by 60 minutes as per Palestinian cabinet decision published on +# the offical website, though the decree did not specify the exact +# time of the time shift. +# http://www.palestinecabinet.gov.ps/Website/AR/NDecrees/ViewFile.ashx?ID=e7a42ab7-ee23-435a-b9c8-a4f7e81f3817 +# +# From Paul Eggert (2018-03-16): +# For 2016 on, predict spring transitions on March's fourth Saturday at 01:00. + # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule EgyptAsia 1957 only - May 10 0:00 1:00 S Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - @@ -2687,7 +2694,7 @@ Rule Palestine 2012 only - Sep 21 1:00 0 - Rule Palestine 2013 only - Sep Fri>=21 0:00 0 - Rule Palestine 2014 2015 - Oct Fri>=21 0:00 0 - Rule Palestine 2015 only - Mar lastFri 24:00 1:00 S -Rule Palestine 2016 max - Mar lastSat 1:00 1:00 S +Rule Palestine 2016 max - Mar Sat>=22 1:00 1:00 S Rule Palestine 2016 max - Oct lastSat 1:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] 
@@ -2737,11 +2744,11 @@ Zone Asia/Hebron 2:20:23 - LMT 1900 Oct # http://www.philstar.com/headlines/2014/08/05/1354152/pnoy-urged-declare-use-daylight-saving-time # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Phil 1936 only - Nov 1 0:00 1:00 S +Rule Phil 1936 only - Nov 1 0:00 1:00 - Rule Phil 1937 only - Feb 1 0:00 0 - -Rule Phil 1954 only - Apr 12 0:00 1:00 S +Rule Phil 1954 only - Apr 12 0:00 1:00 - Rule Phil 1954 only - Jul 1 0:00 0 - -Rule Phil 1978 only - Mar 22 0:00 1:00 S +Rule Phil 1978 only - Mar 22 0:00 1:00 - Rule Phil 1978 only - Sep 21 0:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Asia/Manila -15:56:00 - LMT 1844 Dec 31 @@ -3097,9 +3104,9 @@ Zone Asia/Tashkent 4:37:11 - LMT 1924 May 2 # and is the basis for the information below. # # The 1906 transition was effective July 1 and standardized Indochina to -# Phù Liễn Observatory, legally 104 deg. 17'17" east of Paris. +# Phù Liễn Observatory, legally 104° 17' 17" east of Paris. # It's unclear whether this meant legal Paris Mean Time (00:09:21) or -# the Paris Meridian (2 deg. 20'14.03" E); the former yields 07:06:30.1333... +# the Paris Meridian (2° 20' 14.03" E); the former yields 07:06:30.1333... # and the latter 07:06:29.333... so either way it rounds to 07:06:30, # which is used below even though the modern-day Phù Liễn Observatory # is closer to 07:06:31. Abbreviate Phù Liễn Mean Time as PLMT. diff --git a/contrib/tzdata/australasia b/contrib/tzdata/australasia index b4ef168..32ad61e 100644 --- a/contrib/tzdata/australasia +++ b/contrib/tzdata/australasia 
@@ -196,20 +196,20 @@ Zone Australia/Broken_Hill 9:25:48 - LMT 1895 Feb # Lord Howe Island # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule LH 1981 1984 - Oct lastSun 2:00 1:00 D -Rule LH 1982 1985 - Mar Sun>=1 2:00 0 S -Rule LH 1985 only - Oct lastSun 2:00 0:30 D -Rule LH 1986 1989 - Mar Sun>=15 2:00 0 S -Rule LH 1986 only - Oct 19 2:00 0:30 D -Rule LH 1987 1999 - Oct lastSun 2:00 0:30 D -Rule LH 1990 1995 - Mar Sun>=1 2:00 0 S -Rule LH 1996 2005 - Mar lastSun 2:00 0 S -Rule LH 2000 only - Aug lastSun 2:00 0:30 D -Rule LH 2001 2007 - Oct lastSun 2:00 0:30 D -Rule LH 2006 only - Apr Sun>=1 2:00 0 S -Rule LH 2007 only - Mar lastSun 2:00 0 S -Rule LH 2008 max - Apr Sun>=1 2:00 0 S -Rule LH 2008 max - Oct Sun>=1 2:00 0:30 D +Rule LH 1981 1984 - Oct lastSun 2:00 1:00 - +Rule LH 1982 1985 - Mar Sun>=1 2:00 0 - +Rule LH 1985 only - Oct lastSun 2:00 0:30 - +Rule LH 1986 1989 - Mar Sun>=15 2:00 0 - +Rule LH 1986 only - Oct 19 2:00 0:30 - +Rule LH 1987 1999 - Oct lastSun 2:00 0:30 - +Rule LH 1990 1995 - Mar Sun>=1 2:00 0 - +Rule LH 1996 2005 - Mar lastSun 2:00 0 - +Rule LH 2000 only - Aug lastSun 2:00 0:30 - +Rule LH 2001 2007 - Oct lastSun 2:00 0:30 - +Rule LH 2006 only - Apr Sun>=1 2:00 0 - +Rule LH 2007 only - Mar lastSun 2:00 0 - +Rule LH 2008 max - Apr Sun>=1 2:00 0 - +Rule LH 2008 max - Oct Sun>=1 2:00 0:30 - Zone Australia/Lord_Howe 10:36:20 - LMT 1895 Feb 10:00 - AEST 1981 Mar 10:30 LH +1030/+1130 1985 Jul 
@@ -367,15 +367,15 @@ Zone Indian/Cocos 6:27:40 - LMT 1900 # practice than guessing no DST. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Fiji 1998 1999 - Nov Sun>=1 2:00 1:00 S +Rule Fiji 1998 1999 - Nov Sun>=1 2:00 1:00 - Rule Fiji 1999 2000 - Feb lastSun 3:00 0 - -Rule Fiji 2009 only - Nov 29 2:00 1:00 S +Rule Fiji 2009 only - Nov 29 2:00 1:00 - Rule Fiji 2010 only - Mar lastSun 3:00 0 - -Rule Fiji 2010 2013 - Oct Sun>=21 2:00 1:00 S +Rule Fiji 2010 2013 - Oct Sun>=21 2:00 1:00 - Rule Fiji 2011 only - Mar Sun>=1 3:00 0 - Rule Fiji 2012 2013 - Jan Sun>=18 3:00 0 - Rule Fiji 2014 only - Jan Sun>=18 2:00 0 - -Rule Fiji 2014 max - Nov Sun>=1 2:00 1:00 S +Rule Fiji 2014 max - Nov Sun>=1 2:00 1:00 - Rule Fiji 2015 max - Jan Sun>=14 3:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Pacific/Fiji 11:55:44 - LMT 1915 Oct 26 # Suva @@ -406,11 +406,11 @@ Zone Pacific/Tarawa 11:32:04 - LMT 1901 # Bairiki 12:00 - +12 Zone Pacific/Enderbury -11:24:20 - LMT 1901 -12:00 - -12 1979 Oct - -11:00 - -11 1995 + -11:00 - -11 1994 Dec 31 13:00 - +13 Zone Pacific/Kiritimati -10:29:20 - LMT 1901 -10:40 - -1040 1979 Oct - -10:00 - -10 1995 + -10:00 - -10 1994 Dec 31 14:00 - +14 # N Mariana Is @@ -447,9 +447,9 @@ Zone Pacific/Nauru 11:07:40 - LMT 1921 Jan 15 # Uaobe # New Caledonia # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule NC 1977 1978 - Dec Sun>=1 0:00 1:00 S +Rule NC 1977 1978 - Dec Sun>=1 0:00 1:00 - Rule NC 1978 1979 - Feb 27 0:00 0 - -Rule NC 1996 only - Dec 1 2:00s 1:00 S +Rule NC 1996 only - Dec 1 2:00s 1:00 - # Shanks & Pottenger say the following was at 2:00; go with IATA. Rule NC 1997 only - Mar 2 2:00s 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] 
@@ -469,27 +469,28 @@ Rule NZ 1929 1933 - Mar Sun>=15 2:00 0 M Rule NZ 1934 1940 - Apr lastSun 2:00 0 M Rule NZ 1934 1940 - Sep lastSun 2:00 0:30 S Rule NZ 1946 only - Jan 1 0:00 0 S -# Since 1957 Chatham has been 45 minutes ahead of NZ, but there's no -# convenient single notation for the date and time of this transition -# so we must duplicate the Rule lines. +# Since 1957 Chatham has been 45 minutes ahead of NZ, but until 2018a +# there was no documented single notation for the date and time of this +# transition. Duplicate the Rule lines for now, to give the 2018a change +# time to percolate out. Rule NZ 1974 only - Nov Sun>=1 2:00s 1:00 D -Rule Chatham 1974 only - Nov Sun>=1 2:45s 1:00 D +Rule Chatham 1974 only - Nov Sun>=1 2:45s 1:00 - Rule NZ 1975 only - Feb lastSun 2:00s 0 S -Rule Chatham 1975 only - Feb lastSun 2:45s 0 S +Rule Chatham 1975 only - Feb lastSun 2:45s 0 - Rule NZ 1975 1988 - Oct lastSun 2:00s 1:00 D -Rule Chatham 1975 1988 - Oct lastSun 2:45s 1:00 D +Rule Chatham 1975 1988 - Oct lastSun 2:45s 1:00 - Rule NZ 1976 1989 - Mar Sun>=1 2:00s 0 S -Rule Chatham 1976 1989 - Mar Sun>=1 2:45s 0 S +Rule Chatham 1976 1989 - Mar Sun>=1 2:45s 0 - Rule NZ 1989 only - Oct Sun>=8 2:00s 1:00 D -Rule Chatham 1989 only - Oct Sun>=8 2:45s 1:00 D +Rule Chatham 1989 only - Oct Sun>=8 2:45s 1:00 - Rule NZ 1990 2006 - Oct Sun>=1 2:00s 1:00 D -Rule Chatham 1990 2006 - Oct Sun>=1 2:45s 1:00 D +Rule Chatham 1990 2006 - Oct Sun>=1 2:45s 1:00 - Rule NZ 1990 2007 - Mar Sun>=15 2:00s 0 S -Rule Chatham 1990 2007 - Mar Sun>=15 2:45s 0 S +Rule Chatham 1990 2007 - Mar Sun>=15 2:45s 0 - Rule NZ 2007 max - Sep lastSun 2:00s 1:00 D -Rule Chatham 2007 max - Sep lastSun 2:45s 1:00 D +Rule Chatham 2007 max - Sep lastSun 2:45s 1:00 - Rule NZ 2008 max - Apr Sun>=1 2:00s 0 S -Rule Chatham 2008 max - Apr Sun>=1 2:45s 0 S +Rule Chatham 2008 max - Apr Sun>=1 2:45s 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Pacific/Auckland 11:39:04 - LMT 1868 Nov 2 11:30 NZ NZ%sT 1946 Jan 1 
@@ -513,9 +514,9 @@ Link Pacific/Auckland Antarctica/McMurdo # Cook Is # From Shanks & Pottenger: # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Cook 1978 only - Nov 12 0:00 0:30 HS +Rule Cook 1978 only - Nov 12 0:00 0:30 - Rule Cook 1979 1991 - Mar Sun>=1 0:00 0 - -Rule Cook 1979 1990 - Oct lastSun 0:00 0:30 HS +Rule Cook 1979 1990 - Oct lastSun 0:00 0:30 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Pacific/Rarotonga -10:39:04 - LMT 1901 # Avarua -10:30 - -1030 1978 Nov 12 @@ -656,11 +657,11 @@ Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands # Assume the pattern instituted in 2012 will continue indefinitely. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule WS 2010 only - Sep lastSun 0:00 1 D -Rule WS 2011 only - Apr Sat>=1 4:00 0 S -Rule WS 2011 only - Sep lastSat 3:00 1 D -Rule WS 2012 max - Apr Sun>=1 4:00 0 S -Rule WS 2012 max - Sep lastSun 3:00 1 D +Rule WS 2010 only - Sep lastSun 0:00 1 - +Rule WS 2011 only - Apr Sat>=1 4:00 0 - +Rule WS 2011 only - Sep lastSat 3:00 1 - +Rule WS 2012 max - Apr Sun>=1 4:00 0 - +Rule WS 2012 max - Sep lastSun 3:00 1 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Pacific/Apia 12:33:04 - LMT 1892 Jul 5 -11:26:56 - LMT 1911 @@ -700,11 +701,11 @@ Zone Pacific/Fakaofo -11:24:56 - LMT 1901 # Tonga # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Tonga 1999 only - Oct 7 2:00s 1:00 S +Rule Tonga 1999 only - Oct 7 2:00s 1:00 - Rule Tonga 2000 only - Mar 19 2:00s 0 - -Rule Tonga 2000 2001 - Nov Sun>=1 2:00 1:00 S +Rule Tonga 2000 2001 - Nov Sun>=1 2:00 1:00 - Rule Tonga 2001 2002 - Jan lastSun 2:00 0 - -Rule Tonga 2016 only - Nov Sun>=1 2:00 1:00 S +Rule Tonga 2016 only - Nov Sun>=1 2:00 1:00 - Rule Tonga 2017 only - Jan Sun>=15 3:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Pacific/Tongatapu 12:19:20 - LMT 1901 
@@ -781,12 +782,12 @@ Zone Pacific/Wake 11:06:28 - LMT 1901 # Vanuatu # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Vanuatu 1983 only - Sep 25 0:00 1:00 S +Rule Vanuatu 1983 only - Sep 25 0:00 1:00 - Rule Vanuatu 1984 1991 - Mar Sun>=23 0:00 0 - -Rule Vanuatu 1984 only - Oct 23 0:00 1:00 S -Rule Vanuatu 1985 1991 - Sep Sun>=23 0:00 1:00 S +Rule Vanuatu 1984 only - Oct 23 0:00 1:00 - +Rule Vanuatu 1985 1991 - Sep Sun>=23 0:00 1:00 - Rule Vanuatu 1992 1993 - Jan Sun>=23 0:00 0 - -Rule Vanuatu 1992 only - Oct Sun>=23 0:00 1:00 S +Rule Vanuatu 1992 only - Oct Sun>=23 0:00 1:00 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila 11:00 Vanuatu +11/+12 @@ -1085,6 +1086,13 @@ Zone Pacific/Wallis 12:15:20 - LMT 1901 # South Australian time even though it's located in Western Australia. # Queensland + +# From Paul Eggert (2018-02-26): +# I lack access to the following source for Queensland DST: +# Pearce C. History of daylight saving time in Queensland. +# Queensland Hist J. 2017 Aug;23(6):389-403 +# https://search.informit.com.au/documentSummary;dn=994682348436426;res=IELHSS + # From George Shepherd via Simon Woodhead via Robert Elz (1991-03-06): # # The state of QUEENSLAND.. [ Courtesy Qld. Dept Premier Econ&Trade Devel ] # # [ Dec 1990 ] @@ -1511,6 +1519,12 @@ Zone Pacific/Wallis 12:15:20 - LMT 1901 # "declared it the same day [throughout] the country as of Jan. 1, 1995" # as part of the competition to be first into the 21st century. +# From Kerry Shetline (2018-02-03): +# December 31 was the day that was skipped, so that the transition +# would be from Friday December 30, 1994 to Sunday January 1, 1995. +# From Paul Eggert (2018-02-04): +# One source for this is page 202 of: Bartky IR. One Time Fits All: +# The Campaigns for Global Uniformity (2007). # Kwajalein 
@@ -1603,7 +1617,7 @@ Zone Pacific/Wallis 12:15:20 - LMT 1901 # From Howie Phelps (1999-11-10), who talked to a Pitcairner via shortwave: # Betty Christian told me yesterday that their local time is the same as -# Pacific Standard Time. They used to be 1/2 hour different from us here in +# Pacific Standard Time. They used to be ½ hour different from us here in # Sacramento but it was changed a couple of years ago. @@ -1642,7 +1656,7 @@ Zone Pacific/Wallis 12:15:20 - LMT 1901 # 12 hours and 20 minutes ahead of GMT. When New Zealand adjusted its # standard time in 1940s, Tonga had the choice of subtracting from its # local time to come on the same standard time as New Zealand or of -# advancing its time to maintain the differential of 13 degrees +# advancing its time to maintain the differential of 13° # (approximately 50 minutes ahead of New Zealand time). # # Because His Majesty King Tāufaʻāhau Tupou IV, then Crown Prince diff --git a/contrib/tzdata/backzone b/contrib/tzdata/backzone index 3006b27..d1fd83b 100644 --- a/contrib/tzdata/backzone +++ b/contrib/tzdata/backzone @@ -170,13 +170,13 @@ Zone Africa/Lome 0:04:52 - LMT 1893 # Angola # +# From Paul Eggert (2018-02-16): # Shanks gives 1911-05-26 for the transition to WAT, # evidently confusing the date of the Portuguese decree -# https://dre.pt/pdf1sdip/1911/05/12500/23132313.pdf -# with the date that it took effect, namely 1912-01-01. +# (see Europe/Lisbon) with the date that it took effect. # Zone Africa/Luanda 0:52:56 - LMT 1892 - 0:52:04 - LMT 1912 Jan 1 # Luanda Mean Time? + 0:52:04 - LMT 1911 Dec 31 23:00u # Luanda MT? 1:00 - WAT # Democratic Republic of the Congo (east) 
@@ -271,9 +271,19 @@ Zone America/Aruba -4:40:24 - LMT 1912 Feb 12 # Oranjestad # Cayman Is Zone America/Cayman -5:25:32 - LMT 1890 # Georgetown - -5:07:11 - KMT 1912 Feb # Kingston Mean Time + -5:07:10 - KMT 1912 Feb # Kingston Mean Time -5:00 - EST +# United States +# +# From Paul Eggert (2018-03-18): +# America/Chillicothe would be tricky, as it was a city of two-timers: +# "To prevent a constant mixup at Chillicothe, caused by the courthouse +# clock running on central time and the city running on 'daylight saving' +# time, a third hand was added to the dial of the courthouse clock." +# -- Ohio news in brief. The Cedarville Herald. 1920-05-21;43(21):1 (col. 5) +# https://digitalcommons.cedarville.edu/cedarville_herald/794 + # Canada Zone America/Coral_Harbour -5:32:40 - LMT 1884 -5:00 NT_YK E%sT 1946 
@@ -348,6 +358,30 @@ Zone America/Montreal -4:54:16 - LMT 1884 Zone America/Montserrat -4:08:52 - LMT 1911 Jul 1 0:01 # Cork Hill -4:00 - AST +# United States +# +# From Paul Eggert (2018-03-18): +# America/Palm_Springs would be tricky, as it kept two sets of clocks +# in 1946/7. See the following notes. +# +# From Steve Allen (2018-01-19): +# The shadow of Mt. San Jacinto brings darkness very early in the winter +# months. In 1946 the chamber of commerce decided to put the clocks of Palm +# Springs forward by an hour in the winter. +# https://www.desertsun.com/story/life/2017/12/27/palm-springs-struggle-daylight-savings-time-and-idea-sun-time/984416001/ +# Desert Sun, Number 18, 1 November 1946 +# https://cdnc.ucr.edu/cgi-bin/cdnc?a=d&d=DS19461101 +# has proposal for meeting on front page and page 21. +# Desert Sun, Number 19, 5 November 1946 +# https://cdnc.ucr.edu/cgi-bin/cdnc?a=d&d=DS19461105 +# reports that Sun Time won at the meeting on front page and page 5. +# Desert Sun, Number 37, 7 January 1947 +# https://cdnc.ucr.edu/cgi-bin/cdnc?a=d&d=DS19470107.2.12 +# front page reports request to abandon Sun Time and page 7 notes a "class war". +# Desert Sun, Number 38, 10 January 1947 +# https://cdnc.ucr.edu/cgi-bin/cdnc?a=d&d=DS19470110 +# front page reports on end. + # Argentina # This entry was intended for the following areas, but has been superseded by # more detailed zones. 
@@ -409,7 +443,7 @@ Zone Asia/Bahrain 3:22:20 - LMT 1920 # Manamah # From Paul Eggert (2014-08-21): # In tomorrow's The Hindu, Nitya Menon reports that India had two civil time # zones starting in 1884, one in Bombay and one in Calcutta, and that railways -# used a third time zone based on Madras time (80 deg. 18'30" E). Also, +# used a third time zone based on Madras time (80° 18' 30" E). Also, # in 1881 Bombay briefly switched to Madras time, but switched back. See: # http://www.thehindu.com/news/cities/chennai/madras-375-when-madras-clocked-the-time/article6339393.ece #Zone Asia/Chennai [not enough info to complete] @@ -532,7 +566,7 @@ Zone Europe/Belfast -0:23:40 - LMT 1880 Aug 2 # Data from Joseph S. Myers # https://mm.icann.org/pipermail/tz/2013-September/019883.html # References to be added -# LMT is for Town Church, St. Peter Port, 49 degrees 27'17"N 2 degrees 32'10"W +# LMT is for Town Church, St. Peter Port, 49° 27' 17" N, 2° 32' 10" W. Zone Europe/Guernsey -0:10:09 - LMT 1913 Jun 18 0:00 GB-Eire %s 1940 Jul 2 1:00 C-Eur CE%sT 1945 May 8 @@ -566,7 +600,7 @@ Zone Europe/Isle_of_Man -0:17:55 - LMT 1883 Mar 30 0:00s # Data from Joseph S. Myers # https://mm.icann.org/pipermail/tz/2013-September/019883.html # References to be added -# LMT is for Parish Church, St. Helier, 49 degrees 11'0.57"N 2 degrees 6'24.33"W +# LMT is for Parish Church, St. Helier, 49° 11' 0.57" N, 2° 6' 24.33" W. Zone Europe/Jersey -0:08:26 - LMT 1898 Jun 11 16:00u 0:00 GB-Eire %s 1940 Jul 2 1:00 C-Eur CE%sT 1945 May 8 diff --git a/contrib/tzdata/checktab.awk b/contrib/tzdata/checktab.awk index 2397673..393ab19 100644 --- a/contrib/tzdata/checktab.awk +++ b/contrib/tzdata/checktab.awk @@ -126,6 +126,7 @@ $1 ~ /^#/ { next } if ($1 == "Zone") { tz = $2 ruleUsed[$4] = 1 + if ($5 ~ /%/) rulePercentUsed[$4] = 1 } else if ($1 == "Link" && zone_table == "zone.tab") { # Ignore Link commands if source and destination basenames # are identical, e.g. Europe/Istanbul versus Asia/Istanbul. 
@@ -136,8 +137,10 @@ $1 ~ /^#/ { next } if (src != dst) tz = $3 } else if ($1 == "Rule") { ruleDefined[$2] = 1 + if ($10 != "-") ruleLetters[$2] = 1 } else { ruleUsed[$2] = 1 + if ($3 ~ /%/) rulePercentUsed[$2] = 1 } if (tz && tz ~ /\//) { if (!tztab[tz]) { @@ -156,6 +159,12 @@ END { status = 1 } } + for (tz in ruleLetters) { + if (!rulePercentUsed[tz]) { + printf "%s: Rule contains letters never used\n", tz + status = 1 + } + } for (tz in tztab) { if (!zoneSeen[tz]) { printf "%s:%d: no Zone table for '%s'\n", \ diff --git a/contrib/tzdata/europe b/contrib/tzdata/europe index 6c1ccbe..3f092a4 100644 --- a/contrib/tzdata/europe +++ b/contrib/tzdata/europe @@ -117,8 +117,8 @@ # along the towpath within a few yards of it.' # # I have a one inch to one mile map of London and my estimate of the stone's -# position is 51 degrees 28' 30" N, 0 degrees 18' 45" W. The longitude should -# be within about +-2". The Ordnance Survey grid reference is TQ172761. +# position is 51° 28' 30" N, 0° 18' 45" W. The longitude should +# be within about ±2". The Ordnance Survey grid reference is TQ172761. # # [This yields GMTOFF = -0:01:15 for London LMT in the 18th century.] @@ -158,7 +158,7 @@ # after-hours daylight in which to pursue his research. # In 1895 he presented a paper to the Wellington Philosophical Society # that proposed a two-hour daylight-saving shift. See: -# Hudson GV. On seasonal time-adjustment in countries south of lat. 30 deg. +# Hudson GV. On seasonal time-adjustment in countries south of lat. 30°. # Transactions and Proceedings of the New Zealand Institute. 1895;28:734 # http://rsnz.natlib.govt.nz/volume/rsnz_28/rsnz_28_00_006110.html # Although some interest was expressed in New Zealand, his proposal 
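Review bot: In the checktab.awk END block, the new loop tests `if (!rulePercentUsed[tz])`, and in awk referencing an array element creates it, so the check adds entries to rulePercentUsed while it reports; `if (!(tz in rulePercentUsed)) {` makes the same test without that side effect. The new arrays are also undocumented, and a comment above the loop such as `# A Rule whose LETTER/S is not "-" must be used by some Zone whose FORMAT contains "%".` would state the invariant that the `$10 != "-"` and `~ /%/` lines in the two earlier checktab.awk hunks feed. The new message prints only the rule name, while the neighbouring `"%s:%d: no Zone table for '%s'\n"` message carries a file and line prefix, so a failure here is harder to trace back to the data file; recording the defining file when ruleLetters is set would allow the same prefix. The END block and the Zone/Rule dispatch both start outside these hunks, so whether other loops in the file follow the same pattern is not visible here.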
@@ -508,11 +508,25 @@ Link Europe/London Europe/Jersey Link Europe/London Europe/Guernsey Link Europe/London Europe/Isle_of_Man -# From Paul Eggert (2018-01-19): +# From Paul Eggert (2018-02-15): +# In January 2018 we discovered that the negative SAVE values in the +# Eire rules cause problems with tests for ICU: +# https://mm.icann.org/pipermail/tz/2018-January/025825.html +# and with tests for OpenJDK: +# https://mm.icann.org/pipermail/tz/2018-January/025822.html +# +# To work around this problem, the build procedure can translate the +# following data into two forms, one with negative SAVE values and the +# other form with a traditional approximation for Irish time stamps +# after 1971-10-31 02:00 UTC; although this approximation has tm_isdst +# flags that are reversed, its UTC offsets are correct and this often +# suffices. This source file currently uses only nonnegative SAVE +# values, but this is intended to change and downstream code should +# not rely on it. +# # The following is like GB-Eire and EU, except with standard time in -# summer and negative daylight saving time in winter. -# Although currently commented out, this will need to become uncommented -# once the ICU/OpenJDK workaround is removed; see below. +# summer and negative daylight saving time in winter. It is for when +# negative SAVE values are used. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S #Rule Eire 1971 only - Oct 31 2:00u -1:00 GMT #Rule Eire 1972 1980 - Mar Sun>=16 2:00u 0 IST 
@@ -533,24 +547,12 @@ Zone Europe/Dublin -0:25:00 - LMT 1880 Aug 2 0:00 1:00 IST 1947 Nov 2 2:00s 0:00 - GMT 1948 Apr 18 2:00s 0:00 GB-Eire GMT/IST 1968 Oct 27 -# From Paul Eggert (2018-01-18): -# The next line should look like this: +# The next line is for when negative SAVE values are used. # 1:00 Eire IST/GMT -# However, in January 2018 we discovered that the Eire rules cause -# problems with tests for ICU: -# https://mm.icann.org/pipermail/tz/2018-January/025825.html -# and with tests for OpenJDK: -# https://mm.icann.org/pipermail/tz/2018-January/025822.html -# To work around this problem, use a traditional approximation for -# time stamps after 1971-10-31 02:00 UTC, to give ICU and OpenJDK -# developers breathing room to fix bugs. This approximation has -# correct UTC offsets, but results in tm_isdst flags are the reverse -# of what they should be. This workaround is temporary and should be -# removed reasonably soon. +# These three lines are for when SAVE values are always nonnegative. 1:00 - IST 1971 Oct 31 2:00u 0:00 GB-Eire GMT/IST 1996 0:00 EU GMT/IST -# End of workaround for ICU and OpenJDK bugs. ############################################################################### 
@@ -1534,21 +1536,21 @@ Zone Europe/Budapest 1:16:20 - LMT 1890 Oct # http://www.almanak.hi.is/klukkan.html # # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Iceland 1917 1919 - Feb 19 23:00 1:00 S +Rule Iceland 1917 1919 - Feb 19 23:00 1:00 - Rule Iceland 1917 only - Oct 21 1:00 0 - Rule Iceland 1918 1919 - Nov 16 1:00 0 - -Rule Iceland 1921 only - Mar 19 23:00 1:00 S +Rule Iceland 1921 only - Mar 19 23:00 1:00 - Rule Iceland 1921 only - Jun 23 1:00 0 - -Rule Iceland 1939 only - Apr 29 23:00 1:00 S +Rule Iceland 1939 only - Apr 29 23:00 1:00 - Rule Iceland 1939 only - Oct 29 2:00 0 - -Rule Iceland 1940 only - Feb 25 2:00 1:00 S +Rule Iceland 1940 only - Feb 25 2:00 1:00 - Rule Iceland 1940 1941 - Nov Sun>=2 1:00s 0 - -Rule Iceland 1941 1942 - Mar Sun>=2 1:00s 1:00 S +Rule Iceland 1941 1942 - Mar Sun>=2 1:00s 1:00 - # 1943-1946 - first Sunday in March until first Sunday in winter -Rule Iceland 1943 1946 - Mar Sun>=1 1:00s 1:00 S +Rule Iceland 1943 1946 - Mar Sun>=1 1:00s 1:00 - Rule Iceland 1942 1948 - Oct Sun>=22 1:00s 0 - # 1947-1967 - first Sunday in April until first Sunday in winter -Rule Iceland 1947 1967 - Apr Sun>=1 1:00s 1:00 S +Rule Iceland 1947 1967 - Apr Sun>=1 1:00s 1:00 - # 1949 and 1967 Oct transitions delayed by 1 week Rule Iceland 1949 only - Oct 30 1:00s 0 - Rule Iceland 1950 1966 - Oct Sun>=22 1:00s 0 - 
@@ -2138,15 +2140,19 @@ Zone Europe/Warsaw 1:24:00 - LMT 1880 1:00 EU CE%sT # Portugal -# + # From Paul Eggert (2014-08-11), after a heads-up from Stephen Colebourne: # According to a Portuguese decree (1911-05-26) # https://dre.pt/application/dir/pdf1sdip/1911/05/12500/23132313.pdf # Lisbon was at -0:36:44.68, but switched to GMT on 1912-01-01 at 00:00. -# Round the old offset to -0:36:45. This agrees with Willett but disagrees -# with Shanks, who says the transition occurred on 1911-05-24 at 00:00 for -# Europe/Lisbon, Atlantic/Azores, and Atlantic/Madeira. +# Round the old offset to -0:36:45. This agrees with Willett.... # +# From Michael Deckers (2018-02-15): +# article 5 [of the 1911 decree; Deckers's translation] ...: +# These dispositions shall enter into force at the instant at which, +# according to the 2nd article, the civil day January 1, 1912 begins, +# all clocks therefore having to be advanced or set back correspondingly ... + # From Rui Pedro Salgueiro (1992-11-12): # Portugal has recently (September, 27) changed timezone # (from WET to MET or CET) to harmonize with EEC. @@ -2229,7 +2235,7 @@ Rule Port 1983 only - Mar lastSun 2:00s 1:00 S # # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Europe/Lisbon -0:36:45 - LMT 1884 - -0:36:45 - LMT 1912 Jan 1 # Lisbon Mean Time + -0:36:45 - LMT 1912 Jan 1 0:00u # Lisbon MT 0:00 Port WE%sT 1966 Apr 3 2:00 1:00 - CET 1976 Sep 26 1:00 0:00 Port WE%sT 1983 Sep 25 1:00s @@ -2238,7 +2244,7 @@ Zone Europe/Lisbon -0:36:45 - LMT 1884 0:00 EU WE%sT # This Zone can be simplified once we assume zic %z. Zone Atlantic/Azores -1:42:40 - LMT 1884 # Ponta Delgada - -1:54:32 - HMT 1912 Jan 1 # Horta Mean Time + -1:54:32 - HMT 1912 Jan 1 2:00u # Horta MT -2:00 Port -02/-01 1942 Apr 25 22:00s -2:00 Port +00 1942 Aug 15 22:00s -2:00 Port -02/-01 1943 Apr 17 22:00s 
@@ -2254,7 +2260,7 @@ Zone Atlantic/Azores -1:42:40 - LMT 1884 # Ponta Delgada -1:00 EU -01/+00 # This Zone can be simplified once we assume zic %z. Zone Atlantic/Madeira -1:07:36 - LMT 1884 # Funchal - -1:07:36 - FMT 1912 Jan 1 # Funchal Mean Time + -1:07:36 - FMT 1912 Jan 1 1:00u # Funchal MT -1:00 Port -01/+00 1942 Apr 25 22:00s -1:00 Port +01 1942 Aug 15 22:00s -1:00 Port -01/+00 1943 Apr 17 22:00s @@ -2592,13 +2598,13 @@ Zone Europe/Kaliningrad 1:22:00 - LMT 1893 Apr # From Vladimir Karpinsky (2014-07-08): # LMT in Moscow (before Jul 3, 1916) is 2:30:17, that was defined by Moscow -# Observatory (coordinates: 55 deg. 45'29.70", 37 deg. 34'05.30").... +# Observatory (coordinates: 55° 45' 29.70", 37° 34' 05.30").... # LMT in Moscow since Jul 3, 1916 is 2:31:01 as a result of new standard. # (The info is from the book by Byalokoz ... p. 18.) # The time in St. Petersburg as capital of Russia was defined by # Pulkov observatory, near St. Petersburg. In 1916 LMT Moscow # was synchronized with LMT St. Petersburg (+30 minutes), (Pulkov observatory -# coordinates: 59 deg. 46'18.70", 30 deg. 19'40.70") so 30 deg. 19'40.70" > +# coordinates: 59° 46' 18.70", 30° 19' 40.70") so 30° 19' 40.70" > # 2h01m18.7s = 2:01:19. LMT Moscow = LMT St.Petersburg + 30m 2:01:19 + 0:30 = # 2:31:19 ... # @@ -3427,7 +3433,7 @@ Zone Atlantic/Canary -1:01:36 - LMT 1922 Mar # Las Palmas de Gran C. # three degrees, or twelve minutes of time, to the west of the # meridian of the Observatory of Stockholm". The law is dated 1878-05-31. # -# The observatory at that time had the meridian 18 degrees 03' 30" +# The observatory at that time had the meridian 18° 03' 30" # eastern longitude = 01:12:14 in time. Less 12 minutes gives the # national standard time as 01:00:14 ahead of GMT.... # 
@@ -3531,7 +3537,7 @@ Zone Europe/Stockholm 1:12:12 - LMT 1879 Jan 1 # From Alois Treindl (2013-09-11): # The Federal regulations say # https://www.admin.ch/opc/de/classified-compilation/20071096/index.html -# ... the meridian for Bern mean time ... is 7 degrees 26' 22.50". +# ... the meridian for Bern mean time ... is 7° 26' 22.50". # Expressed in time, it is 0h29m45.5s. # From Pierre-Yves Berger (2013-09-11):
diff --git a/contrib/tzdata/northamerica b/contrib/tzdata/northamerica
index a014126..06db1a8 100644
--- a/contrib/tzdata/northamerica
+++ b/contrib/tzdata/northamerica
@@ -25,7 +25,7 @@ # in New York City (1869-10). His 1870 proposal was based on Washington, DC, # but in 1872-05 he moved the proposed origin to Greenwich. -# From Paul Eggert (2016-09-21): +# From Paul Eggert (2018-03-20): # Dowd's proposal left many details unresolved, such as where to draw # lines between time zones. The key individual who made time zones # work in the US was William Frederick Allen - railway engineer,
@@ -36,10 +36,9 @@ # to the General Time Convention on 1883-04-11, saying that his plan # meant "local time would be practically abolished" - a plus for # railway scheduling. By the next convention on 1883-10-11 nearly all -# railroads had agreed and it took effect on 1883-11-18 at 12:00. -# That Sunday was called the "day of two noons", as the eastern parts -# of the new zones observed noon twice. Allen witnessed the -# transition in New York City, writing: +# railroads had agreed and it took effect on 1883-11-18. That Sunday +# was called the "day of two noons", as some locations observed noon +# twice. Allen witnessed the transition in New York City, writing: # # I heard the bells of St. Paul's strike on the old time. Four # minutes later, obedient to the electrical signal from the Naval
@@ -424,8 +423,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 # ...according to the Census Bureau, the largest city is Beulah (although # it's commonly referred to as Beulah-Hazen, with Hazen being the next # largest city in Mercer County). Google Maps places Beulah's city hall -# at 47 degrees 15' 51" N, 101 degrees 46' 40" W, which yields an offset -# of 6h47'07". +# at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07". Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53 -7:00 US M%sT 2010 Nov 7 2:00 @@ -458,7 +456,7 @@ Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04 # California, northern Idaho (Benewah, Bonner, Boundary, Clearwater, # Kootenai, Latah, Lewis, Nez Perce, and Shoshone counties, Idaho county # north of the Salmon River, and the towns of Burgdorf and Warren), -# Nevada (except West Wendover), Oregon (except the northern 3/4 of +# Nevada (except West Wendover), Oregon (except the northern ¾ of # Malheur county), and Washington # From Paul Eggert (2016-08-20): @@ -956,6 +954,13 @@ Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44 -5:00 - EST 2006 -5:00 US E%sT +# From Paul Eggert (2018-03-20): +# The Louisville & Nashville Railroad's 1883-11-18 change occurred at +# 10:00 old local time; train were supposed to come to a standstill +# for precisely 18 minutes. See Bartky Fig. 1 (page 50). It is not +# clear how this matched civil time in Louisville, so for now continue +# to assume Louisville switched at noon new local time, like New York. +# # Part of Kentucky left its clocks alone in 1974. # This also includes Clark, Floyd, and Harrison counties in Indiana. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER 
@@ -3264,8 +3269,8 @@ Zone America/Tegucigalpa -5:48:52 - LMT 1921 Apr # http://www.jamaicaobserver.com/columns/The-politician-in-all-of-us_17573647 # # Zone NAME GMTOFF RULES FORMAT [UNTIL] -Zone America/Jamaica -5:07:11 - LMT 1890 # Kingston - -5:07:11 - KMT 1912 Feb # Kingston Mean Time +Zone America/Jamaica -5:07:10 - LMT 1890 # Kingston + -5:07:10 - KMT 1912 Feb # Kingston Mean Time -5:00 - EST 1974 -5:00 US E%sT 1984 -5:00 - EST
@@ -3415,7 +3420,7 @@ Zone America/Miquelon -3:44:40 - LMT 1911 May 15 # St Pierre # # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone America/Grand_Turk -4:44:32 - LMT 1890 - -5:07:11 - KMT 1912 Feb # Kingston Mean Time + -5:07:10 - KMT 1912 Feb # Kingston Mean Time -5:00 - EST 1979 -5:00 US E%sT 2015 Nov Sun>=1 2:00 -4:00 - AST 2018 Mar 11 3:00
diff --git a/contrib/tzdata/southamerica b/contrib/tzdata/southamerica
index 2049177..9784044 100644
--- a/contrib/tzdata/southamerica
+++ b/contrib/tzdata/southamerica
@@ -47,28 +47,28 @@ # AR was chosen because they are the ISO letters that represent Argentina. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Arg 1930 only - Dec 1 0:00 1:00 S +Rule Arg 1930 only - Dec 1 0:00 1:00 - Rule Arg 1931 only - Apr 1 0:00 0 - -Rule Arg 1931 only - Oct 15 0:00 1:00 S +Rule Arg 1931 only - Oct 15 0:00 1:00 - Rule Arg 1932 1940 - Mar 1 0:00 0 - -Rule Arg 1932 1939 - Nov 1 0:00 1:00 S -Rule Arg 1940 only - Jul 1 0:00 1:00 S +Rule Arg 1932 1939 - Nov 1 0:00 1:00 - +Rule Arg 1940 only - Jul 1 0:00 1:00 - Rule Arg 1941 only - Jun 15 0:00 0 - -Rule Arg 1941 only - Oct 15 0:00 1:00 S +Rule Arg 1941 only - Oct 15 0:00 1:00 - Rule Arg 1943 only - Aug 1 0:00 0 - -Rule Arg 1943 only - Oct 15 0:00 1:00 S +Rule Arg 1943 only - Oct 15 0:00 1:00 - Rule Arg 1946 only - Mar 1 0:00 0 - -Rule Arg 1946 only - Oct 1 0:00 1:00 S +Rule Arg 1946 only - Oct 1 0:00 1:00 - Rule Arg 1963 only - Oct 1 0:00 0 - -Rule Arg 1963 only - Dec 15 0:00 1:00 S +Rule Arg 1963 only - Dec 15 0:00 1:00 - Rule Arg 1964 1966 - Mar 1 0:00 0 - -Rule Arg 1964 1966 - Oct 15 0:00 1:00 S +Rule Arg 1964 1966 - Oct 15 0:00 1:00 - Rule Arg 1967 only - Apr 2 0:00 0 - -Rule Arg 1967 1968 - Oct Sun>=1 0:00 1:00 S +Rule Arg 1967 1968 - Oct Sun>=1 0:00 1:00 - Rule Arg 1968 1969 - Apr Sun>=1 0:00 0 - -Rule Arg 1974 only - Jan 23 0:00 1:00 S +Rule Arg 1974 only - Jan 23 0:00 1:00 - Rule Arg 1974 only - May 1 0:00 0 - -Rule Arg 1988 only - Dec 1 0:00 1:00 S +Rule Arg 1988 only - Dec 1 0:00 1:00 - # # From Hernan G. Otero (1995-06-26): # These corrections were contributed by InterSoft Argentina S.A., @@ -76,7 +76,7 @@ Rule Arg 1988 only - Dec 1 0:00 1:00 S # Talleres de Hidrografía Naval Argentina # (Argentine Naval Hydrography Institute) Rule Arg 1989 1993 - Mar Sun>=1 0:00 0 - -Rule Arg 1989 1992 - Oct Sun>=15 0:00 1:00 S +Rule Arg 1989 1992 - Oct Sun>=15 0:00 1:00 - # # From Hernan G. Otero (1995-06-26): # From this moment on, the law that mandated the daylight saving 
@@ -87,7 +87,7 @@ Rule Arg 1989 1992 - Oct Sun>=15 0:00 1:00 S # On October 3, 1999, 0:00 local, Argentina implemented daylight savings time, # which did not result in the switch of a time zone, as they stayed 9 hours # from the International Date Line. -Rule Arg 1999 only - Oct Sun>=1 0:00 1:00 S +Rule Arg 1999 only - Oct Sun>=1 0:00 1:00 - # From Paul Eggert (2007-12-28): # DST was set to expire on March 5, not March 3, but since it was converted # to standard time on March 3 it's more convenient for us to pretend that @@ -190,9 +190,9 @@ Rule Arg 2000 only - Mar 3 0:00 0 - # la modificación del huso horario, ya que 2009 nos encuentra con # crecimiento en la producción y distribución energética." -Rule Arg 2007 only - Dec 30 0:00 1:00 S +Rule Arg 2007 only - Dec 30 0:00 1:00 - Rule Arg 2008 2009 - Mar Sun>=15 0:00 0 - -Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 S +Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 - # From Mariano Absatz (2004-05-21): # Today it was officially published that the Province of Mendoza is changing @@ -202,12 +202,14 @@ Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 S # It's Law No. 7,210. This change is due to a public power emergency, so for # now we'll assume it's for this year only. # -# From Paul Eggert (2014-08-09): +# From Paul Eggert (2018-01-31): # Hora de verano para la República Argentina # http://buenasiembra.com.ar/esoterismo/astrologia/hora-de-verano-de-la-republica-argentina-27.html # says that standard time in Argentina from 1894-10-31 # to 1920-05-01 was -4:16:48.25. Go with this more-precise value -# over Shanks & Pottenger. +# over Shanks & Pottenger. It is upward compatible with Milne, who +# says Córdoba time was -4:16:48.2. + # # From Mariano Absatz (2004-06-05): # These media articles from a major newspaper mostly cover the current state: 
@@ -381,9 +383,9 @@ Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 S # rules...San Luis is still using "Western ARgentina Time" and it got # stuck on Summer daylight savings time even though the summer is over. -# From Paul Eggert (2013-09-05): +# From Paul Eggert (2018-01-23): # Perhaps San Luis operates on the legal fiction that it is at -04 -# with perpetual summer time, but ordinary usage typically seems to +# with perpetual daylight saving time, but ordinary usage typically seems to # just say it's at -03; see, for example, # https://es.wikipedia.org/wiki/Hora_oficial_argentina # We've documented similar situations as being plain changes to @@ -392,9 +394,6 @@ Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 S # plus is that this silences a zic complaint that there's no POSIX TZ # setting for time stamps past 2038. -# From Paul Eggert (2013-02-21): -# Milne says Córdoba time was -4:16:48.2. Round to the nearest second. - # Zone NAME GMTOFF RULES FORMAT [UNTIL] # # Buenos Aires (BA), Capital Federal (CF), @@ -529,7 +528,7 @@ Zone America/Argentina/Mendoza -4:35:16 - LMT 1894 Oct 31 # San Luis (SL) Rule SanLuis 2008 2009 - Mar Sun>=8 0:00 0 - -Rule SanLuis 2007 2008 - Oct Sun>=8 0:00 1:00 S +Rule SanLuis 2007 2008 - Oct Sun>=8 0:00 1:00 - Zone America/Argentina/San_Luis -4:25:24 - LMT 1894 Oct 31 -4:16:48 - CMT 1920 May 
@@ -771,14 +770,14 @@ Zone America/La_Paz -4:32:36 - LMT 1890 # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S # Decree 20,466 (1931-10-01) # Decree 21,896 (1932-01-10) -Rule Brazil 1931 only - Oct 3 11:00 1:00 S +Rule Brazil 1931 only - Oct 3 11:00 1:00 - Rule Brazil 1932 1933 - Apr 1 0:00 0 - -Rule Brazil 1932 only - Oct 3 0:00 1:00 S +Rule Brazil 1932 only - Oct 3 0:00 1:00 - # Decree 23,195 (1933-10-10) # revoked DST. # Decree 27,496 (1949-11-24) # Decree 27,998 (1950-04-13) -Rule Brazil 1949 1952 - Dec 1 0:00 1:00 S +Rule Brazil 1949 1952 - Dec 1 0:00 1:00 - Rule Brazil 1950 only - Apr 16 1:00 0 - Rule Brazil 1951 1952 - Apr 1 0:00 0 - # Decree 32,308 (1953-02-24) 
@@ -790,51 +789,51 @@ Rule Brazil 1953 only - Mar 1 0:00 0 - # in SP, RJ, GB, MG, ES, due to the prolongation of the drought. # Decree 53,071 (1963-12-03) # extended the above decree to all of the national territory on 12-09. -Rule Brazil 1963 only - Dec 9 0:00 1:00 S +Rule Brazil 1963 only - Dec 9 0:00 1:00 - # Decree 53,604 (1964-02-25) # extended summer time by one day to 1964-03-01 00:00 (start of school). Rule Brazil 1964 only - Mar 1 0:00 0 - # Decree 55,639 (1965-01-27) -Rule Brazil 1965 only - Jan 31 0:00 1:00 S +Rule Brazil 1965 only - Jan 31 0:00 1:00 - Rule Brazil 1965 only - Mar 31 0:00 0 - # Decree 57,303 (1965-11-22) -Rule Brazil 1965 only - Dec 1 0:00 1:00 S +Rule Brazil 1965 only - Dec 1 0:00 1:00 - # Decree 57,843 (1966-02-18) Rule Brazil 1966 1968 - Mar 1 0:00 0 - -Rule Brazil 1966 1967 - Nov 1 0:00 1:00 S +Rule Brazil 1966 1967 - Nov 1 0:00 1:00 - # Decree 63,429 (1968-10-15) # revoked DST. # Decree 91,698 (1985-09-27) -Rule Brazil 1985 only - Nov 2 0:00 1:00 S +Rule Brazil 1985 only - Nov 2 0:00 1:00 - # Decree 92,310 (1986-01-21) # Decree 92,463 (1986-03-13) Rule Brazil 1986 only - Mar 15 0:00 0 - # Decree 93,316 (1986-10-01) -Rule Brazil 1986 only - Oct 25 0:00 1:00 S +Rule Brazil 1986 only - Oct 25 0:00 1:00 - Rule Brazil 1987 only - Feb 14 0:00 0 - # Decree 94,922 (1987-09-22) -Rule Brazil 1987 only - Oct 25 0:00 1:00 S +Rule Brazil 1987 only - Oct 25 0:00 1:00 - Rule Brazil 1988 only - Feb 7 0:00 0 - # Decree 96,676 (1988-09-12) # except for the states of AC, AM, PA, RR, RO, and AP (then a territory) -Rule Brazil 1988 only - Oct 16 0:00 1:00 S +Rule Brazil 1988 only - Oct 16 0:00 1:00 - Rule Brazil 1989 only - Jan 29 0:00 0 - # Decree 98,077 (1989-08-21) # with the same exceptions -Rule Brazil 1989 only - Oct 15 0:00 1:00 S +Rule Brazil 1989 only - Oct 15 0:00 1:00 - Rule Brazil 1990 only - Feb 11 0:00 0 - # Decree 99,530 (1990-09-17) # adopted by RS, SC, PR, SP, RJ, ES, MG, GO, MS, DF. # Decree 99,629 (1990-10-19) adds BA, MT. 
-Rule Brazil 1990 only - Oct 21 0:00 1:00 S +Rule Brazil 1990 only - Oct 21 0:00 1:00 - Rule Brazil 1991 only - Feb 17 0:00 0 - # Unnumbered decree (1991-09-25) # adopted by RS, SC, PR, SP, RJ, ES, MG, BA, GO, MT, MS, DF. -Rule Brazil 1991 only - Oct 20 0:00 1:00 S +Rule Brazil 1991 only - Oct 20 0:00 1:00 - Rule Brazil 1992 only - Feb 9 0:00 0 - # Unnumbered decree (1992-10-16) # adopted by same states. -Rule Brazil 1992 only - Oct 25 0:00 1:00 S +Rule Brazil 1992 only - Oct 25 0:00 1:00 - Rule Brazil 1993 only - Jan 31 0:00 0 - # Decree 942 (1993-09-28) # adopted by same states, plus AM. @@ -844,12 +843,12 @@ Rule Brazil 1993 only - Jan 31 0:00 0 - # adopted by same states, plus MT and TO. # Decree 1,674 (1995-10-13) # adds AL, SE. -Rule Brazil 1993 1995 - Oct Sun>=11 0:00 1:00 S +Rule Brazil 1993 1995 - Oct Sun>=11 0:00 1:00 - Rule Brazil 1994 1995 - Feb Sun>=15 0:00 0 - Rule Brazil 1996 only - Feb 11 0:00 0 - # Decree 2,000 (1996-09-04) # adopted by same states, minus AL, SE. -Rule Brazil 1996 only - Oct 6 0:00 1:00 S +Rule Brazil 1996 only - Oct 6 0:00 1:00 - Rule Brazil 1997 only - Feb 16 0:00 0 - # From Daniel C. Sobral (1998-02-12): # In 1997, the DS began on October 6. The stated reason was that 
@@ -859,19 +858,19 @@ Rule Brazil 1997 only - Feb 16 0:00 0 - # to help dealing with the shortages of electric power. # # Decree 2,317 (1997-09-04), adopted by same states. -Rule Brazil 1997 only - Oct 6 0:00 1:00 S +Rule Brazil 1997 only - Oct 6 0:00 1:00 - # Decree 2,495 # (1998-02-10) Rule Brazil 1998 only - Mar 1 0:00 0 - # Decree 2,780 (1998-09-11) # adopted by the same states as before. -Rule Brazil 1998 only - Oct 11 0:00 1:00 S +Rule Brazil 1998 only - Oct 11 0:00 1:00 - Rule Brazil 1999 only - Feb 21 0:00 0 - # Decree 3,150 # (1999-08-23) adopted by same states. # Decree 3,188 (1999-09-30) # adds SE, AL, PB, PE, RN, CE, PI, MA and RR. -Rule Brazil 1999 only - Oct 3 0:00 1:00 S +Rule Brazil 1999 only - Oct 3 0:00 1:00 - Rule Brazil 2000 only - Feb 27 0:00 0 - # Decree 3,592 (2000-09-06) # adopted by the same states as before. 
@@ -881,34 +880,34 @@ Rule Brazil 2000 only - Feb 27 0:00 0 - # repeals DST in SE, AL, PB, RN, CE, PI and MA, effective 2000-10-22 00:00. # Decree 3,916 # (2001-09-13) reestablishes DST in AL, CE, MA, PB, PE, PI, RN, SE. -Rule Brazil 2000 2001 - Oct Sun>=8 0:00 1:00 S +Rule Brazil 2000 2001 - Oct Sun>=8 0:00 1:00 - Rule Brazil 2001 2006 - Feb Sun>=15 0:00 0 - # Decree 4,399 (2002-10-01) repeals DST in AL, CE, MA, PB, PE, PI, RN, SE. # 4,399 -Rule Brazil 2002 only - Nov 3 0:00 1:00 S +Rule Brazil 2002 only - Nov 3 0:00 1:00 - # Decree 4,844 (2003-09-24; corrected 2003-09-26) repeals DST in BA, MT, TO. # 4,844 -Rule Brazil 2003 only - Oct 19 0:00 1:00 S +Rule Brazil 2003 only - Oct 19 0:00 1:00 - # Decree 5,223 (2004-10-01) reestablishes DST in MT. # 5,223 -Rule Brazil 2004 only - Nov 2 0:00 1:00 S +Rule Brazil 2004 only - Nov 2 0:00 1:00 - # Decree 5,539 (2005-09-19), # adopted by the same states as before. -Rule Brazil 2005 only - Oct 16 0:00 1:00 S +Rule Brazil 2005 only - Oct 16 0:00 1:00 - # Decree 5,920 (2006-10-03), # adopted by the same states as before. -Rule Brazil 2006 only - Nov 5 0:00 1:00 S +Rule Brazil 2006 only - Nov 5 0:00 1:00 - Rule Brazil 2007 only - Feb 25 0:00 0 - # Decree 6,212 (2007-09-26), # adopted by the same states as before. -Rule Brazil 2007 only - Oct Sun>=8 0:00 1:00 S +Rule Brazil 2007 only - Oct Sun>=8 0:00 1:00 - # From Frederico A. C. Neves (2008-09-10): # According to this decree # http://www.planalto.gov.br/ccivil_03/_Ato2007-2010/2008/Decreto/D6558.htm # [t]he DST period in Brazil now on will be from the 3rd Oct Sunday to the # 3rd Feb Sunday. There is an exception on the return date when this is # the Carnival Sunday then the return date will be the next Sunday... -Rule Brazil 2008 2017 - Oct Sun>=15 0:00 1:00 S +Rule Brazil 2008 2017 - Oct Sun>=15 0:00 1:00 - Rule Brazil 2008 2011 - Feb Sun>=15 0:00 0 - # Decree 7,584 (2011-10-13) # added Bahia. 
@@ -926,7 +925,7 @@ Rule Brazil 2016 2022 - Feb Sun>=15 0:00 0 - # ... https://www.timeanddate.com/news/time/brazil-delays-dst-2018.html # From Steffen Thorsen (2017-12-20): # http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2017/decreto/D9242.htm -Rule Brazil 2018 max - Nov Sun>=1 0:00 1:00 S +Rule Brazil 2018 max - Nov Sun>=1 0:00 1:00 - Rule Brazil 2023 only - Feb Sun>=22 0:00 0 - Rule Brazil 2024 2025 - Feb Sun>=15 0:00 0 - Rule Brazil 2026 only - Feb Sun>=22 0:00 0 - 
@@ -1233,28 +1232,28 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914 # For now, assume that they will not revert. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Chile 1927 1931 - Sep 1 0:00 1:00 S +Rule Chile 1927 1931 - Sep 1 0:00 1:00 - Rule Chile 1928 1932 - Apr 1 0:00 0 - -Rule Chile 1968 only - Nov 3 4:00u 1:00 S +Rule Chile 1968 only - Nov 3 4:00u 1:00 - Rule Chile 1969 only - Mar 30 3:00u 0 - -Rule Chile 1969 only - Nov 23 4:00u 1:00 S +Rule Chile 1969 only - Nov 23 4:00u 1:00 - Rule Chile 1970 only - Mar 29 3:00u 0 - Rule Chile 1971 only - Mar 14 3:00u 0 - -Rule Chile 1970 1972 - Oct Sun>=9 4:00u 1:00 S +Rule Chile 1970 1972 - Oct Sun>=9 4:00u 1:00 - Rule Chile 1972 1986 - Mar Sun>=9 3:00u 0 - -Rule Chile 1973 only - Sep 30 4:00u 1:00 S -Rule Chile 1974 1987 - Oct Sun>=9 4:00u 1:00 S +Rule Chile 1973 only - Sep 30 4:00u 1:00 - +Rule Chile 1974 1987 - Oct Sun>=9 4:00u 1:00 - Rule Chile 1987 only - Apr 12 3:00u 0 - Rule Chile 1988 1990 - Mar Sun>=9 3:00u 0 - -Rule Chile 1988 1989 - Oct Sun>=9 4:00u 1:00 S -Rule Chile 1990 only - Sep 16 4:00u 1:00 S +Rule Chile 1988 1989 - Oct Sun>=9 4:00u 1:00 - +Rule Chile 1990 only - Sep 16 4:00u 1:00 - Rule Chile 1991 1996 - Mar Sun>=9 3:00u 0 - -Rule Chile 1991 1997 - Oct Sun>=9 4:00u 1:00 S +Rule Chile 1991 1997 - Oct Sun>=9 4:00u 1:00 - Rule Chile 1997 only - Mar 30 3:00u 0 - Rule Chile 1998 only - Mar Sun>=9 3:00u 0 - -Rule Chile 1998 only - Sep 27 4:00u 1:00 S +Rule Chile 1998 only - Sep 27 4:00u 1:00 - Rule Chile 1999 only - Apr 4 3:00u 0 - -Rule Chile 1999 2010 - Oct Sun>=9 4:00u 1:00 S +Rule Chile 1999 2010 - Oct Sun>=9 4:00u 1:00 - Rule Chile 2000 2007 - Mar Sun>=9 3:00u 0 - # N.B.: the end of March 29 in Chile is March 30 in Universal time, # which is used below in specifying the transition. 
@@ -1262,11 +1261,11 @@ Rule Chile 2008 only - Mar 30 3:00u 0 - Rule Chile 2009 only - Mar Sun>=9 3:00u 0 - Rule Chile 2010 only - Apr Sun>=1 3:00u 0 - Rule Chile 2011 only - May Sun>=2 3:00u 0 - -Rule Chile 2011 only - Aug Sun>=16 4:00u 1:00 S +Rule Chile 2011 only - Aug Sun>=16 4:00u 1:00 - Rule Chile 2012 2014 - Apr Sun>=23 3:00u 0 - -Rule Chile 2012 2014 - Sep Sun>=2 4:00u 1:00 S +Rule Chile 2012 2014 - Sep Sun>=2 4:00u 1:00 - Rule Chile 2016 max - May Sun>=9 3:00u 0 - -Rule Chile 2016 max - Aug Sun>=9 4:00u 1:00 S +Rule Chile 2016 max - Aug Sun>=9 4:00u 1:00 - # IATA SSIM anomalies: (1992-02) says 1992-03-14; # (1996-09) says 1998-03-08. Ignore these. # Zone NAME GMTOFF RULES FORMAT [UNTIL] @@ -1331,7 +1330,7 @@ Zone Antarctica/Palmer 0 - -00 1965 # "A variation of fifteen minutes in the public clocks of Bogota is not rare." # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule CO 1992 only - May 3 0:00 1:00 S +Rule CO 1992 only - May 3 0:00 1:00 - Rule CO 1993 only - Apr 4 0:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone America/Bogota -4:56:16 - LMT 1884 Mar 13 @@ -1391,7 +1390,7 @@ Link America/Curacao America/Kralendijk # Caribbean Netherlands # repeated. For now, assume transitions were at 00:00 local time country-wide. # # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Ecuador 1992 only - Nov 28 0:00 1:00 S +Rule Ecuador 1992 only - Nov 28 0:00 1:00 - Rule Ecuador 1993 only - Feb 5 0:00 0 - # # Zone NAME GMTOFF RULES FORMAT [UNTIL] 
@@ -1481,22 +1480,22 @@ Zone Pacific/Galapagos -5:58:24 - LMT 1931 # Puerto Baquerizo Moreno # the maintainers of the database to inform them we're adopting # the same policy this year and suggest recommendations for future years. # -# For now we will assume permanent summer time for the Falklands +# For now we will assume permanent -03 for the Falklands # until advised differently (to apply for 2012 and beyond, after the 2011 # experiment was apparently successful.) # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Falk 1937 1938 - Sep lastSun 0:00 1:00 S +Rule Falk 1937 1938 - Sep lastSun 0:00 1:00 - Rule Falk 1938 1942 - Mar Sun>=19 0:00 0 - -Rule Falk 1939 only - Oct 1 0:00 1:00 S -Rule Falk 1940 1942 - Sep lastSun 0:00 1:00 S +Rule Falk 1939 only - Oct 1 0:00 1:00 - +Rule Falk 1940 1942 - Sep lastSun 0:00 1:00 - Rule Falk 1943 only - Jan 1 0:00 0 - -Rule Falk 1983 only - Sep lastSun 0:00 1:00 S +Rule Falk 1983 only - Sep lastSun 0:00 1:00 - Rule Falk 1984 1985 - Apr lastSun 0:00 0 - -Rule Falk 1984 only - Sep 16 0:00 1:00 S -Rule Falk 1985 2000 - Sep Sun>=9 0:00 1:00 S +Rule Falk 1984 only - Sep 16 0:00 1:00 - +Rule Falk 1985 2000 - Sep Sun>=9 0:00 1:00 - Rule Falk 1986 2000 - Apr Sun>=16 0:00 0 - Rule Falk 2001 2010 - Apr Sun>=15 2:00 0 - -Rule Falk 2001 2010 - Sep Sun>=1 2:00 1:00 S +Rule Falk 2001 2010 - Sep Sun>=1 2:00 1:00 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Atlantic/Stanley -3:51:24 - LMT 1890 -3:51:24 - SMT 1912 Mar 12 # Stanley Mean Time 
@@ -1531,16 +1530,16 @@ Zone America/Guyana -3:52:40 - LMT 1915 Mar # Georgetown # adjust their clocks at 0 hour of the given dates. # # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Para 1975 1988 - Oct 1 0:00 1:00 S +Rule Para 1975 1988 - Oct 1 0:00 1:00 - Rule Para 1975 1978 - Mar 1 0:00 0 - Rule Para 1979 1991 - Apr 1 0:00 0 - -Rule Para 1989 only - Oct 22 0:00 1:00 S -Rule Para 1990 only - Oct 1 0:00 1:00 S -Rule Para 1991 only - Oct 6 0:00 1:00 S +Rule Para 1989 only - Oct 22 0:00 1:00 - +Rule Para 1990 only - Oct 1 0:00 1:00 - +Rule Para 1991 only - Oct 6 0:00 1:00 - Rule Para 1992 only - Mar 1 0:00 0 - -Rule Para 1992 only - Oct 5 0:00 1:00 S +Rule Para 1992 only - Oct 5 0:00 1:00 - Rule Para 1993 only - Mar 31 0:00 0 - -Rule Para 1993 1995 - Oct 1 0:00 1:00 S +Rule Para 1993 1995 - Oct 1 0:00 1:00 - Rule Para 1994 1995 - Feb lastSun 0:00 0 - Rule Para 1996 only - Mar 1 0:00 0 - # IATA SSIM (2000-02) says 1999-10-10; ignore this for now. @@ -1558,7 +1557,7 @@ Rule Para 1996 only - Mar 1 0:00 0 - # year, the time will change on the first Sunday of October; likewise, the # clock will be set back on the first Sunday of March. # -Rule Para 1996 2001 - Oct Sun>=1 0:00 1:00 S +Rule Para 1996 2001 - Oct Sun>=1 0:00 1:00 - # IATA SSIM (1997-09) says Mar 1; go with Shanks & Pottenger. Rule Para 1997 only - Feb lastSun 0:00 0 - # Shanks & Pottenger say 1999-02-28; IATA SSIM (1999-02) says 1999-02-27, but @@ -1569,7 +1568,7 @@ Rule Para 1998 2001 - Mar Sun>=1 0:00 0 - # dst method to be from the first Sunday in September to the first Sunday in # April. Rule Para 2002 2004 - Apr Sun>=1 0:00 0 - -Rule Para 2002 2003 - Sep Sun>=1 0:00 1:00 S +Rule Para 2002 2003 - Sep Sun>=1 0:00 1:00 - # # From Jesper Nørgaard Welen (2005-01-02): # There are several sources that claim that Paraguay made 
@@ -1578,7 +1577,7 @@ Rule Para 2002 2003 - Sep Sun>=1 0:00 1:00 S # Decree 1,867 (2004-03-05) # From Carlos Raúl Perasso via Jesper Nørgaard Welen (2006-10-13) # http://www.presidencia.gov.py/decretos/D1867.pdf -Rule Para 2004 2009 - Oct Sun>=15 0:00 1:00 S +Rule Para 2004 2009 - Oct Sun>=15 0:00 1:00 - Rule Para 2005 2009 - Mar Sun>=8 0:00 0 - # From Carlos Raúl Perasso (2010-02-18): # By decree number 3958 issued yesterday @@ -1591,7 +1590,7 @@ Rule Para 2005 2009 - Mar Sun>=8 0:00 0 - # and that on the first Sunday of the month of October, it is to be set # forward 60 minutes, in all the territory of the Paraguayan Republic. # ... -Rule Para 2010 max - Oct Sun>=1 0:00 1:00 S +Rule Para 2010 max - Oct Sun>=1 0:00 1:00 - Rule Para 2010 2012 - Apr Sun>=8 0:00 0 - # # From Steffen Thorsen (2013-03-07): @@ -1624,16 +1623,16 @@ Zone America/Asuncion -3:50:40 - LMT 1890 # Shanks & Pottenger don't have this transition. Assume 1986 was like 1987. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -Rule Peru 1938 only - Jan 1 0:00 1:00 S +Rule Peru 1938 only - Jan 1 0:00 1:00 - Rule Peru 1938 only - Apr 1 0:00 0 - -Rule Peru 1938 1939 - Sep lastSun 0:00 1:00 S +Rule Peru 1938 1939 - Sep lastSun 0:00 1:00 - Rule Peru 1939 1940 - Mar Sun>=24 0:00 0 - -Rule Peru 1986 1987 - Jan 1 0:00 1:00 S +Rule Peru 1986 1987 - Jan 1 0:00 1:00 - Rule Peru 1986 1987 - Apr 1 0:00 0 - -Rule Peru 1990 only - Jan 1 0:00 1:00 S +Rule Peru 1990 only - Jan 1 0:00 1:00 - Rule Peru 1990 only - Apr 1 0:00 0 - # IATA is ambiguous for 1993/1995; go with Shanks & Pottenger. -Rule Peru 1994 only - Jan 1 0:00 1:00 S +Rule Peru 1994 only - Jan 1 0:00 1:00 - Rule Peru 1994 only - Apr 1 0:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone America/Lima -5:08:12 - LMT 1890 
@@ -1679,72 +1678,201 @@ Link America/Port_of_Spain America/Tortola # Virgin Islands (UK) # Uruguay # From Paul Eggert (1993-11-18): # Uruguay wins the prize for the strangest peacetime manipulation of the rules. -# From Shanks & Pottenger: +# +# From Tim Parenti (2018-02-20), per Jeremie Bonjour (2018-01-31) and Michael +# Deckers (2018-02-20): +# ... At least they kept good records... +# +# http://www.armada.mil.uy/ContenidosPDFs/sohma/web/almanaque/almanaque_2018.pdf#page=36 +# Page 36 of Almanaque 2018, published by the Oceanography, Hydrography, and +# Meteorology Service of the Uruguayan Navy, seems to give many transitions +# with greater clarity than we've had before. It directly references many laws +# and decrees which are, in turn, referenced below. They can be viewed in the +# public archives of the Diario Oficial (in Spanish) at +# http://www.impo.com.uy/diariooficial/ +# +# Ley No. 3920 of 1908-06-10 placed the determination of legal time under the +# auspices of the National Institute for the Prediction of Time. It is unclear +# exactly what offset was used during this period, though Ley No. 7200 of +# 1920-04-23 used the Observatory of the National Meteorological Institute in +# Montevideo (34° 54' 33" S, 56° 12' 45" W) as its reference meridian, +# retarding legal time by 15 minutes 9 seconds from 1920-04-30 24:00, +# resulting in UT-04. Assume the corresponding LMT of UT-03:44:51 (given on +# page 725 of the Proceedings of the Second Pan-American Scientific Congress, +# 1915-1916) was in use, and merely became official from 1908-06-10. +# https://www.impo.com.uy/diariooficial/1908/06/18/12 +# https://www.impo.com.uy/diariooficial/1920/04/27/9 +# +# Ley No. 
7594 of 1923-06-28 specified legal time as Observatory time advanced +# by 44 minutes 51 seconds (UT-03) "from 30 September to 31 March", and by 14 +# minutes 51 seconds (UT-03:30) "the rest of the year"; a message from the +# National Council of Administration the same day, published directly below the +# law in the Diario Oficial, specified the first transition to be 1923-09-30 +# 24:00. This effectively established standard time at UT-03:30 with 30 +# minutes DST. Assume transitions at 24:00 on the specified days until Ley No. +# 7919 of 1926-03-05 ended this arrangement, repealing all "laws and other +# provisions which oppose" it, resulting in year-round UT-03:30; a Resolución +# of 1926-03-11 puts the final transition at 1926-03-31 24:00, the same as it +# would have been under the previous law. +# https://www.impo.com.uy/diariooficial/1923/07/02/2 +# https://www.impo.com.uy/diariooficial/1926/03/10/2 +# https://www.impo.com.uy/diariooficial/1926/03/18/2 +# # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -# Whitman gives 1923 Oct 1; go with Shanks & Pottenger. -Rule Uruguay 1923 only - Oct 2 0:00 0:30 HS +Rule Uruguay 1923 1925 - Oct 1 0:00 0:30 - Rule Uruguay 1924 1926 - Apr 1 0:00 0 - -Rule Uruguay 1924 1925 - Oct 1 0:00 0:30 HS -Rule Uruguay 1933 1935 - Oct lastSun 0:00 0:30 HS -# Shanks & Pottenger give 1935 Apr 1 0:00 & 1936 Mar 30 0:00; go with Whitman. -Rule Uruguay 1934 1936 - Mar Sat>=25 23:30s 0 - -Rule Uruguay 1936 only - Nov 1 0:00 0:30 HS -Rule Uruguay 1937 1941 - Mar lastSun 0:00 0 - -# Whitman gives 1937 Oct 3; go with Shanks & Pottenger. -Rule Uruguay 1937 1940 - Oct lastSun 0:00 0:30 HS -# Whitman gives 1941 Oct 24 - 1942 Mar 27, 1942 Dec 14 - 1943 Apr 13, -# and 1943 Apr 13 "to present time"; go with Shanks & Pottenger. 
-Rule Uruguay 1941 only - Aug 1 0:00 0:30 HS -Rule Uruguay 1942 only - Jan 1 0:00 0 - -Rule Uruguay 1942 only - Dec 14 0:00 1:00 S +# From Tim Parenti (2018-02-15): +# http://www.impo.com.uy/diariooficial/1933/10/27/6 +# +# It appears Ley No. 9122 of 1933 was never published as such in the Diario +# Oficial, but instead appeared as Document 26 in the Diario on Friday +# 1933-10-27 as a decree made Monday 1933-10-23 and filed under the Ministry of +# National Defense. It reinstituted a DST of 30 minutes (to UT-03) "from the +# last Sunday of October...until the last Saturday of March." In accordance +# with this provision, the first transition was explicitly specified in Article +# 2 of the decree as Saturday 1933-10-28 at 24:00; that is, Sunday 1933-10-29 +# at 00:00. Assume transitions at 00:00 Sunday throughout. +# +# Departing from the matter-of-fact nature of previous timekeeping laws, the +# 1933 decree "consider[s] the advantages of...the advance of legal time": +# +# "Whereas: The measure adopted by almost all nations at the time of the last +# World War still persists in North America and Europe, precisely because of +# the economic, hygienic, and social advantages derived from such an +# emergency measure... +# +# Whereas: The advance of the legal time during the summer seasons, by +# displacing social activity near sunrise, favors the citizen populations +# and especially the society that creates and works..." +# +# It further specified that "necessary measures" be taken to ensure that +# "public spectacles finish, in general, before [01:00]." +Rule Uruguay 1933 1938 - Oct lastSun 0:00 0:30 - +Rule Uruguay 1934 1941 - Mar lastSat 24:00 0 - +# From Tim Parenti (2018-02-15): +# Most of the Rules below, and their contemporaneous Zone lines, have been +# updated simply to match the Almanaque 2018. 
Although the document does not +# list exact transition times, midnight transitions were already present in our +# data here for all transitions through 2004-09, and this is both consistent +# with prior transitions and verified in several decrees marked below between +# 1939-09 and 2004-09, wherein the relevant text was typically of the form: +# +# "From 0 hours on [date], the legal time of the entire Republic will be... +# +# In accordance with [the preceding], on [previous date] at 24 hours, all +# clocks throughout the Republic will be [advanced/retarded] by..." +# +# It is possible that there is greater specificity to be found for the Rules +# below, but it is buried in no fewer than 40 different decrees individually +# referenced by the Almanaque for the period from 1939-09 to 2014-09. +# Four-fifths of these were promulgated less than two weeks before taking +# effect; more than half within a week and none more than 5 weeks. Only the +# handful with comments below have been checked with any thoroughness. +Rule Uruguay 1939 only - Oct 1 0:00 0:30 - +Rule Uruguay 1940 only - Oct 27 0:00 0:30 - +# From Tim Parenti (2018-02-15): +# Decreto 1145 of the Ministry of National Defense, dated 1941-07-26, specified +# UT-03 from Friday 1941-08-01 00:00, citing an "urgent...need to save fuel". +# http://www.impo.com.uy/diariooficial/1941/08/04/1 +Rule Uruguay 1941 only - Aug 1 0:00 0:30 - +# From Tim Parenti (2018-02-15): +# Decreto 1866 of the Ministry of National Defense, dated 1942-12-09, specified +# further advancement (to UT-02:30) from Sunday 1942-12-13 24:00. Since clocks +# never went back to UT-03:30 thereafter, this is modeled as advancing standard +# time by 30 minutes to UT-03, while retaining 30 minutes of DST. 
+# http://www.impo.com.uy/diariooficial/1942/12/16/3 +Rule Uruguay 1942 only - Dec 14 0:00 0:30 - Rule Uruguay 1943 only - Mar 14 0:00 0 - -Rule Uruguay 1959 only - May 24 0:00 1:00 S +Rule Uruguay 1959 only - May 24 0:00 0:30 - Rule Uruguay 1959 only - Nov 15 0:00 0 - -Rule Uruguay 1960 only - Jan 17 0:00 1:00 S +Rule Uruguay 1960 only - Jan 17 0:00 1:00 - Rule Uruguay 1960 only - Mar 6 0:00 0 - -Rule Uruguay 1965 1967 - Apr Sun>=1 0:00 1:00 S +Rule Uruguay 1965 only - Apr 4 0:00 1:00 - Rule Uruguay 1965 only - Sep 26 0:00 0 - -Rule Uruguay 1966 1967 - Oct 31 0:00 0 - -Rule Uruguay 1968 1970 - May 27 0:00 0:30 HS -Rule Uruguay 1968 1970 - Dec 2 0:00 0 - -Rule Uruguay 1972 only - Apr 24 0:00 1:00 S -Rule Uruguay 1972 only - Aug 15 0:00 0 - -Rule Uruguay 1974 only - Mar 10 0:00 0:30 HS -Rule Uruguay 1974 only - Dec 22 0:00 1:00 S -Rule Uruguay 1976 only - Oct 1 0:00 0 - -Rule Uruguay 1977 only - Dec 4 0:00 1:00 S -Rule Uruguay 1978 only - Apr 1 0:00 0 - -Rule Uruguay 1979 only - Oct 1 0:00 1:00 S -Rule Uruguay 1980 only - May 1 0:00 0 - -Rule Uruguay 1987 only - Dec 14 0:00 1:00 S -Rule Uruguay 1988 only - Mar 14 0:00 0 - -Rule Uruguay 1988 only - Dec 11 0:00 1:00 S -Rule Uruguay 1989 only - Mar 12 0:00 0 - -Rule Uruguay 1989 only - Oct 29 0:00 1:00 S -# Shanks & Pottenger say no DST was observed in 1990/1 and 1991/2, -# and that 1992/3's DST was from 10-25 to 03-01. Go with IATA. -Rule Uruguay 1990 1992 - Mar Sun>=1 0:00 0 - -Rule Uruguay 1990 1991 - Oct Sun>=21 0:00 1:00 S -Rule Uruguay 1992 only - Oct 18 0:00 1:00 S +# From Tim Parenti (2018-02-15): +# Decreto 321/968 of 1968-05-25, citing emergency drought measures decreed the +# day before, brought clocks forward 30 minutes from Monday 1968-05-27 00:00. 
+# http://www.impo.com.uy/diariooficial/1968/05/30/5 +Rule Uruguay 1968 only - May 27 0:00 0:30 - +Rule Uruguay 1968 only - Dec 1 0:00 0 - +# From Tim Parenti (2018-02-15): +# Decreto 188/970 of 1970-04-23 instituted restrictions on electricity +# consumption "as a consequence of the current rainfall regime in the country". +# Articles 13 and 14 advanced clocks by an hour from Saturday 1970-04-25 00:00. +# http://www.impo.com.uy/diariooficial/1970/04/29/4 +Rule Uruguay 1970 only - Apr 25 0:00 1:00 - +Rule Uruguay 1970 only - Jun 14 0:00 0 - +Rule Uruguay 1972 only - Apr 23 0:00 1:00 - +Rule Uruguay 1972 only - Jul 16 0:00 0 - +# From Tim Parenti (2018-02-15): +# Decreto 29/974 of 1974-01-11, citing "the international rise in the price of +# oil", advanced clocks by 90 minutes (to UT-01:30). Decreto 163/974 of +# 1974-03-04 returned 60 of those minutes (to UT-02:30), and the remaining 30 +# minutes followed in Decreto 679/974 of 1974-08-29. +# http://www.impo.com.uy/diariooficial/1974/01/22/11 +# http://www.impo.com.uy/diariooficial/1974/03/14/3 +# http://www.impo.com.uy/diariooficial/1974/09/04/6 +Rule Uruguay 1974 only - Jan 13 0:00 1:30 - +Rule Uruguay 1974 only - Mar 10 0:00 0:30 - +Rule Uruguay 1974 only - Sep 1 0:00 0 - +Rule Uruguay 1974 only - Dec 22 0:00 1:00 - +Rule Uruguay 1975 only - Mar 30 0:00 0 - +Rule Uruguay 1976 only - Dec 19 0:00 1:00 - +Rule Uruguay 1977 only - Mar 6 0:00 0 - +Rule Uruguay 1977 only - Dec 4 0:00 1:00 - +Rule Uruguay 1978 1979 - Mar Sun>=1 0:00 0 - +Rule Uruguay 1978 only - Dec 17 0:00 1:00 - +Rule Uruguay 1979 only - Apr 29 0:00 1:00 - +Rule Uruguay 1980 only - Mar 16 0:00 0 - +# From Tim Parenti (2018-02-15): +# Decreto 725/987 of 1987-12-04 cited "better use of national tourist +# attractions" to advance clocks one hour from Monday 1987-12-14 00:00. 
+# http://www.impo.com.uy/diariooficial/1988/01/25/1 +Rule Uruguay 1987 only - Dec 14 0:00 1:00 - +Rule Uruguay 1988 only - Feb 28 0:00 0 - +Rule Uruguay 1988 only - Dec 11 0:00 1:00 - +Rule Uruguay 1989 only - Mar 5 0:00 0 - +Rule Uruguay 1989 only - Oct 29 0:00 1:00 - +Rule Uruguay 1990 only - Feb 25 0:00 0 - +# From Tim Parenti (2018-02-15), per Paul Eggert (1999-11-04): +# IATA agrees as below for 1990-10 through 1993-02. Per Almanaque 2018, the +# 1992/1993 season appears to be the first in over half a century where DST +# both began and ended pursuant to the same decree. +Rule Uruguay 1990 1991 - Oct Sun>=21 0:00 1:00 - +Rule Uruguay 1991 1992 - Mar Sun>=1 0:00 0 - +Rule Uruguay 1992 only - Oct 18 0:00 1:00 - Rule Uruguay 1993 only - Feb 28 0:00 0 - # From Eduardo Cota (2004-09-20): # The Uruguayan government has decreed a change in the local time.... -# http://www.presidencia.gub.uy/decretos/2004091502.htm -Rule Uruguay 2004 only - Sep 19 0:00 1:00 S +# From Tim Parenti (2018-02-15): +# Decreto 328/004 of 2004-09-15. +# http://www.impo.com.uy/diariooficial/2004/09/23/documentos.pdf#page=1 +Rule Uruguay 2004 only - Sep 19 0:00 1:00 - # From Steffen Thorsen (2005-03-11): # Uruguay's DST was scheduled to end on Sunday, 2005-03-13, but in order to # save energy ... it was postponed two weeks.... -# http://www.presidencia.gub.uy/_Web/noticias/2005/03/2005031005.htm +# From Tim Parenti (2018-02-15): +# This 2005 postponement is not in Almanaque 2018. Go with the contemporaneous +# reporting, which is confirmed by Decreto 107/005 of 2005-03-10 amending +# Decreto 328/004: +# http://www.impo.com.uy/diariooficial/2005/03/15/documentos.pdf#page=1 +# The original decree specified a transition of 2005-03-12 24:00, but the new +# one specified 2005-03-27 02:00. 
Rule Uruguay 2005 only - Mar 27 2:00 0 - # From Eduardo Cota (2005-09-27): -# http://www.presidencia.gub.uy/_Web/decretos/2005/09/CM%20119_09%2009%202005_00001.PDF -# This means that from 2005-10-09 at 02:00 local time, until 2006-03-12 at -# 02:00 local time, official time in Uruguay will be at GMT -2. -Rule Uruguay 2005 only - Oct 9 2:00 1:00 S -Rule Uruguay 2006 only - Mar 12 2:00 0 - -# From Jesper Nørgaard Welen (2006-09-06): -# http://www.presidencia.gub.uy/_web/decretos/2006/09/CM%20210_08%2006%202006_00001.PDF -# +# ...from 2005-10-09 at 02:00 local time, until 2006-03-12 at 02:00 local time, +# official time in Uruguay will be at GMT -2. +# From Tim Parenti (2018-02-15): +# Decreto 318/005 of 2005-09-19. +# http://www.impo.com.uy/diariooficial/2005/09/23/documentos.pdf#page=1 +Rule Uruguay 2005 only - Oct 9 2:00 1:00 - +Rule Uruguay 2006 2015 - Mar Sun>=8 2:00 0 - +# From Tim Parenti (2018-02-15), per Jesper Nørgaard Welen (2006-09-06): +# Decreto 311/006 of 2006-09-04 established regular DST from the first Sunday +# of October at 02:00 through the second Sunday of March at 02:00. Almanaque +# 2018 appears to have a few typoed dates through this period; ignore them. +# http://www.impo.com.uy/diariooficial/2006/09/08/documentos.pdf#page=1 +Rule Uruguay 2006 2014 - Oct Sun>=1 2:00 1:00 - # From Steffen Thorsen (2015-06-30): # ... it looks like they will not be using DST the coming summer: # http://www.elobservador.com.uy/gobierno-resolvio-que-no-habra-cambio-horario-verano-n656787 
@@ -1754,17 +1882,19 @@ Rule Uruguay 2006 only - Mar 12 2:00 0 - # instead of out to dinner. # From Pablo Camargo (2015-07-13): # http://archivo.presidencia.gub.uy/sci/decretos/2015/06/cons_min_201.pdf -# [dated 2015-06-29; repeals Decree 311/006 dated 2006-09-04] -Rule Uruguay 2006 2014 - Oct Sun>=1 2:00 1:00 S -Rule Uruguay 2007 2015 - Mar Sun>=8 2:00 0 - +# From Tim Parenti (2018-02-15): +# Decreto 178/015 of 2015-06-29; repeals Decreto 311/006. # This Zone can be simplified once we assume zic %z. -Zone America/Montevideo -3:44:44 - LMT 1898 Jun 28 - -3:44:44 - MMT 1920 May 1 # Montevideo MT +Zone America/Montevideo -3:44:51 - LMT 1908 Jun 10 + -3:44:51 - MMT 1920 May 1 # Montevideo MT + -4:00 - -04 1923 Oct 1 -3:30 Uruguay -0330/-03 1942 Dec 14 + -3:00 Uruguay -03/-0230 1960 -3:00 Uruguay -03/-02 1968 - -3:00 Uruguay -03/-0230 1971 + -3:00 Uruguay -03/-0230 1970 -3:00 Uruguay -03/-02 1974 + -3:00 Uruguay -03/-0130 1974 Mar 10 -3:00 Uruguay -03/-0230 1974 Dec 22 -3:00 Uruguay -03/-02 diff --git a/contrib/tzdata/theory.html b/contrib/tzdata/theory.html index ff85f53..4d8726d 100644 --- a/contrib/tzdata/theory.html +++ b/contrib/tzdata/theory.html @@ -1,26 +1,20 @@ - Theory and pragmatics of the tz code and data - - -

Theory and pragmatics of the tz code and data

+

Theory and pragmatics of the tz code and data

Outline

- -
-

Scope of the tz database

+
+

Scope of the tz database

-The tz database attempts to record the history and predicted future of -all computer-based clocks that track civil time. To represent this -data, the world is partitioned into regions whose clocks all agree -about timestamps that occur after the somewhat-arbitrary cutoff point -of the POSIX Epoch (1970-01-01 00:00:00 UTC). For each such region, -the database records all known clock transitions, and labels the region -with a notable location. Although 1970 is a somewhat-arbitrary -cutoff, there are significant challenges to moving the cutoff earlier -even by a decade or two, due to the wide variety of local practices -before computer timekeeping became prevalent. +The tz +database attempts to record the history and predicted future of +all computer-based clocks that track civil time. +It organizes time zone and daylight saving time +data by partitioning the world into regions +whose clocks all agree about timestamps that occur after the of the POSIX Epoch +(1970-01-01 00:00:00 UTC). +The database labels each such region with a notable location and +records all known clock transitions for that location. +Although 1970 is a somewhat-arbitrary cutoff, there are significant +challenges to moving the cutoff earlier even by a decade or two, due +to the wide variety of local practices before computer timekeeping +became prevalent.

@@ -59,193 +60,218 @@ necessarily follow database guidelines.

-As described below, reference source code for using the tz database is -also available. The tz code is upwards compatible with POSIX, an -international standard for UNIX-like systems. As of this writing, the -current edition of POSIX is: - - The Open Group Base Specifications Issue 7, - IEEE Std 1003.1-2008, 2016 Edition. +As described below, reference source code for using the +tz database is also available. +The tz code is upwards compatible with POSIX, an international +standard for UNIX-like systems. +As of this writing, the current edition of POSIX is: The Open +Group Base Specifications Issue 7, IEEE Std 1003.1-2008, 2016 +Edition. +Because the database's scope encompasses real-world changes to civil +timekeeping, its model for describing time is more complex than the +standard and daylight saving times supported by POSIX. +A tz region corresponds to a ruleset that can +have more than two changes per year, these changes need not merely +flip back and forth between two alternatives, and the rules themselves +can change at times. +Whether and when a tz region changes its +clock, and even the region's notional base offset from UTC, are variable. +It doesn't even really make sense to talk about a region's +"base offset", since it is not necessarily a single number.

-
+
- -
-

Names of time zone rules

+
+

Names of time zone rulesets

-Each of the database's time zone rules has a unique name. +Each tz region has a unique name that +corresponds to a set of time zone rules. Inexperienced users are not expected to select these names unaided. Distributors should provide documentation and/or a simple selection interface that explains the names; for one example, see the 'tzselect' -program in the tz code. The -Unicode Common Locale Data -Repository contains data that may be useful for other -selection interfaces. +program in the tz code. +The Unicode Common Locale Data +Repository contains data that may be useful for other selection +interfaces.

-The time zone rule naming conventions attempt to strike a balance +The naming conventions attempt to strike a balance among the following goals:

+
  • - Uniquely identify every region where clocks have agreed since 1970. - This is essential for the intended use: static clocks keeping local - civil time. + Uniquely identify every region where clocks have agreed since 1970. + This is essential for the intended use: static clocks keeping local + civil time.
  • - Indicate to experts where that region is. + Indicate to experts where that region is.
  • - Be robust in the presence of political changes. For example, names - of countries are ordinarily not used, to avoid incompatibilities - when countries change their name (e.g. Zaire→Congo) or when - locations change countries (e.g. Hong Kong from UK colony to - China). + Be robust in the presence of political changes. + For example, names of countries are ordinarily not used, to avoid + incompatibilities when countries change their name (e.g., + Zaire→Congo) or when locations change countries (e.g., Hong + Kong from UK colony to China).
  • - Be portable to a wide variety of implementations. + Be portable to a wide variety of implementations.
  • - Use a consistent naming conventions over the entire world. + Use a consistent naming conventions over the entire world.
+

-Names normally have the -form AREA/LOCATION, -where AREA is the name of a continent or ocean, -and LOCATION is the name of a specific -location within that region. North and South America share the same -area, 'America'. Typical names are -'Africa/Cairo', 'America/New_York', and -'Pacific/Honolulu'. +Names normally have the form +AREA/LOCATION, where +AREA is the name of a continent or ocean, and +LOCATION is the name of a specific location within that +region. +North and South America share the same area, 'America'. +Typical names are 'Africa/Cairo', +'America/New_York', and 'Pacific/Honolulu'.

-Here are the general rules used for choosing location names, +Here are the general guidelines used for +choosing tz region names, in decreasing order of importance:

+
  • - Use only valid POSIX file name components (i.e., the parts of - names other than '/'). Do not use the file name - components '.' and '..'. - Within a file name component, - use only ASCII letters, '.', - '-' and '_'. Do not use - digits, as that might create an ambiguity with POSIX - TZ strings. A file name component must not exceed 14 - characters or start with '-'. E.g., - prefer 'Brunei' to - 'Bandar_Seri_Begawan'. Exceptions: see - the discussion - of legacy names below. + Use only valid POSIX file name components (i.e., the parts of + names other than '/'). + Do not use the file name components '.' and + '..'. + Within a file name component, use only ASCII letters, + '.', '-' and '_'. + Do not use digits, as that might create an ambiguity with POSIX + TZ strings. + A file name component must not exceed 14 characters or start with + '-'. + E.g., prefer 'Brunei' to 'Bandar_Seri_Begawan'. + Exceptions: see the discussion of legacy names below.
  • - A name must not be empty, or contain '//', or - start or end with '/'. + A name must not be empty, or contain '//', or + start or end with '/'.
  • - Do not use names that differ only in case. Although the reference - implementation is case-sensitive, some other implementations - are not, and they would mishandle names differing only in case. + Do not use names that differ only in case. + Although the reference implementation is case-sensitive, some + other implementations are not, and they would mishandle names + differing only in case.
  • - If one name A is an initial prefix of another - name AB (ignoring case), then B - must not start with '/', as a - regular file cannot have - the same name as a directory in POSIX. For example, - 'America/New_York' precludes - 'America/New_York/Bronx'. + If one name A is an initial prefix of another + name AB (ignoring case), then B must not + start with '/', as a regular file cannot have the + same name as a directory in POSIX. + For example, 'America/New_York' precludes + 'America/New_York/Bronx'.
  • - Uninhabited regions like the North Pole and Bouvet Island - do not need locations, since local time is not defined there. + Uninhabited regions like the North Pole and Bouvet Island + do not need locations, since local time is not defined there.
  • - There should typically be at least one name for each ISO 3166-1 - officially assigned two-letter code for an inhabited country - or territory. + There should typically be at least one name for each ISO + 3166-1 officially assigned two-letter code for an inhabited + country or territory.
  • - If all the clocks in a region have agreed since 1970, - don't bother to include more than one location - even if subregions' clocks disagreed before 1970. - Otherwise these tables would become annoyingly large. + If all the clocks in a region have agreed since 1970, + don't bother to include more than one location + even if subregions' clocks disagreed before 1970. + Otherwise these tables would become annoyingly large.
  • - If a name is ambiguous, use a less ambiguous alternative; - e.g. many cities are named San José and Georgetown, so - prefer 'Costa_Rica' to 'San_Jose' and 'Guyana' to 'Georgetown'. + If a name is ambiguous, use a less ambiguous alternative; + e.g., many cities are named San José and Georgetown, so + prefer 'Costa_Rica' to 'San_Jose' and + 'Guyana' to 'Georgetown'.
  • - Keep locations compact. Use cities or small islands, not countries - or regions, so that any future time zone changes do not split - locations into different time zones. E.g. prefer - 'Paris' to 'France', since - France has had multiple time zones. + Keep locations compact. + Use cities or small islands, not countries or regions, so that any + future changes do not split individual locations into different + tz regions. + E.g., prefer 'Paris' to 'France', since + France + has had multiple time zones.
  • - Use mainstream English spelling, e.g. prefer - 'Rome' to 'Roma', and prefer - 'Athens' to the Greek - 'Αθήνα' or the Romanized - 'Athína'. - The POSIX file name restrictions encourage this rule. + Use mainstream English spelling, e.g., prefer 'Rome' + to 'Roma', and prefer 'Athens' to the + Greek 'Αθήνα' or the Romanized 'Athína'. + The POSIX file name restrictions encourage this guideline.
  • - Use the most populous among locations in a zone, - e.g. prefer 'Shanghai' to - 'Beijing'. Among locations with - similar populations, pick the best-known location, - e.g. prefer 'Rome' to 'Milan'. + Use the most populous among locations in a region, + e.g., prefer 'Shanghai' to + 'Beijing'. + Among locations with similar populations, pick the best-known + location, e.g., prefer 'Rome' to + 'Milan'.
  • - Use the singular form, e.g. prefer 'Canary' to 'Canaries'. + Use the singular form, e.g., prefer 'Canary' to + 'Canaries'.
  • - Omit common suffixes like '_Islands' and - '_City', unless that would lead to - ambiguity. E.g. prefer 'Cayman' to - 'Cayman_Islands' and - 'Guatemala' to - 'Guatemala_City', but prefer - 'Mexico_City' to 'Mexico' - because the country - of Mexico has several time zones. + Omit common suffixes like '_Islands' and + '_City', unless that would lead to ambiguity. + E.g., prefer 'Cayman' to + 'Cayman_Islands' and 'Guatemala' to + 'Guatemala_City', but prefer + 'Mexico_City' to 'Mexico' + because the + country of Mexico has several time zones.
  • - Use '_' to represent a space. + Use '_' to represent a space.
  • - Omit '.' from abbreviations in names, e.g. prefer - 'St_Helena' to 'St._Helena'. + Omit '.' from abbreviations in names. + E.g., prefer 'St_Helena' to 'St._Helena'.
  • - Do not change established names if they only marginally - violate the above rules. For example, don't change - the existing name 'Rome' to - 'Milan' merely because - Milan's population has grown to be somewhat greater - than Rome's. + Do not change established names if they only marginally violate + the above guidelines. + For example, don't change the existing name 'Rome' to + 'Milan' merely because Milan's population has grown + to be somewhat greater than Rome's.
  • - If a name is changed, put its old spelling in the - 'backward' file. - This means old spellings will continue to work. + If a name is changed, put its old spelling in the + 'backward' file. + This means old spellings will continue to work.

The file 'zone1970.tab' lists geographical locations used -to name time -zone rules. It is intended to be an exhaustive list of names for -geographic regions as described above; this is a subset of the names -in the data. Although a 'zone1970.tab' location's longitude -corresponds to its LMT offset with one hour for every 15° east -longitude, this relationship is not exact. +to name tz regions. +It is intended to be an exhaustive list of names for geographic +regions as described above; this is a subset of the names in the data. +Although a 'zone1970.tab' location's +longitude +corresponds to +its local mean +time (LMT) offset with one hour for every 15° +east longitude, this relationship is not exact.

@@ -254,843 +280,1008 @@ and these older names are still supported. See the file 'backward' for most of these older names (e.g., 'US/Eastern' instead of 'America/New_York'). The other old-fashioned names still supported are -'WET', 'CET', 'MET', and 'EET' (see the file 'europe'). +'WET', 'CET', 'MET', and +'EET' (see the file 'europe').

Older versions of this package defined legacy names that are -incompatible with the first rule of location names, but which are -still supported. These legacy names are mostly defined in the file -'etcetera'. Also, the file 'backward' defines the legacy names -'GMT0', 'GMT-0' and 'GMT+0', and the file 'northamerica' defines the -legacy names 'EST5EDT', 'CST6CDT', 'MST7MDT', and 'PST8PDT'. +incompatible with the first guideline of location names, but which are +still supported. +These legacy names are mostly defined in the file +'etcetera'. +Also, the file 'backward' defines the legacy names +'GMT0', 'GMT-0' and 'GMT+0', +and the file 'northamerica' defines the legacy names +'EST5EDT', 'CST6CDT', +'MST7MDT', and 'PST8PDT'.

-Excluding 'backward' should not affect the other data. If -'backward' is excluded, excluding 'etcetera' should not affect the -remaining data. +Excluding 'backward' should not affect the other data. +If 'backward' is excluded, excluding +'etcetera' should not affect the remaining data.

+
- -
-
-

Time zone abbreviations

+
+

Time zone abbreviations

When this package is installed, it generates time zone abbreviations like 'EST' to be compatible with human tradition and POSIX. -Here are the general rules used for choosing time zone abbreviations, +Here are the general guidelines used for choosing time zone abbreviations, in decreasing order of importance: +

+
  • - Use three to six characters that are ASCII alphanumerics or - '+' or '-'. - Previous editions of this database also used characters like - ' ' and '?', but these - characters have a special meaning to - the shell and cause commands like - 'set `date`' - to have unexpected effects. - Previous editions of this rule required upper-case letters, - but the Congressman who introduced Chamorro Standard Time - preferred "ChST", so lower-case letters are now allowed. - Also, POSIX from 2001 on relaxed the rule to allow - '-', '+', - and alphanumeric characters from the portable character set - in the current locale. In practice ASCII alphanumerics and - '+' and '-' are safe in all locales. - - In other words, in the C locale the POSIX extended regular - expression [-+[:alnum:]]{3,6} should match - the abbreviation. - This guarantees that all abbreviations could have been - specified by a POSIX TZ string. -
  • -
  • - Use abbreviations that are in common use among English-speakers, - e.g. 'EST' for Eastern Standard Time in North America. - We assume that applications translate them to other languages - as part of the normal localization process; for example, - a French application might translate 'EST' to 'HNE'. + Use three to six characters that are ASCII alphanumerics or + '+' or '-'. + Previous editions of this database also used characters like + ' ' and '?', but these characters have a + special meaning to the shell and cause commands like + 'set + `date`' + to have unexpected effects. + Previous editions of this guideline required upper-case letters, but the + Congressman who introduced + Chamorro + Standard Time preferred "ChST", so lower-case letters are now + allowed. + Also, POSIX from 2001 on relaxed the rule to allow '-', + '+', and alphanumeric characters from the portable + character set in the current locale. + In practice ASCII alphanumerics and '+' and + '-' are safe in all locales. -

    These abbreviations (for standard/daylight/etc. time) are: -ACST/ACDT Australian Central, -AST/ADT/APT/AWT/ADDT Atlantic, -AEST/AEDT Australian Eastern, -AHST/AHDT Alaska-Hawaii, -AKST/AKDT Alaska, -AWST/AWDT Australian Western, -BST/BDT Bering, -CAT/CAST Central Africa, -CET/CEST/CEMT Central European, -ChST Chamorro, -CST/CDT/CWT/CPT/CDDT Central [North America], -CST/CDT China, -GMT/BST/IST/BDST Greenwich, -EAT East Africa, -EST/EDT/EWT/EPT/EDDT Eastern [North America], -EET/EEST Eastern European, -GST Guam, -HST/HDT Hawaii, -HKT/HKST Hong Kong, -IST India, -IST/GMT Irish, -IST/IDT/IDDT Israel, -JST/JDT Japan, -KST/KDT Korea, -MET/MEST Middle European (a backward-compatibility alias for Central European), -MSK/MSD Moscow, -MST/MDT/MWT/MPT/MDDT Mountain, -NST/NDT/NWT/NPT/NDDT Newfoundland, -NST/NDT/NWT/NPT Nome, -NZMT/NZST New Zealand through 1945, -NZST/NZDT New Zealand 1946–present, -PKT/PKST Pakistan, -PST/PDT/PWT/PPT/PDDT Pacific, -SAST South Africa, -SST Samoa, -WAT/WAST West Africa, -WET/WEST/WEMT Western European, -WIB Waktu Indonesia Barat, -WIT Waktu Indonesia Timur, -WITA Waktu Indonesia Tengah, -YST/YDT/YWT/YPT/YDDT Yukon.

    -
  • -
  • - For zones whose times are taken from a city's longitude, use the -traditional xMT notation. The only abbreviation like this -in current use is 'GMT'. The others are for timestamps before 1960, -except that Monrovia Mean Time persisted until 1972. Typically, -numeric abbreviations (e.g., '-004430' for MMT) would -cause trouble here, as the numeric strings would exceed the POSIX length limit. +

    + In other words, in the C locale the POSIX extended regular + expression [-+[:alnum:]]{3,6} should match the + abbreviation. + This guarantees that all abbreviations could have been specified by a + POSIX TZ string. +

    +
  • +
  • + Use abbreviations that are in common use among English-speakers, + e.g., 'EST' for Eastern Standard Time in North America. + We assume that applications translate them to other languages + as part of the normal localization process; for example, + a French application might translate 'EST' to 'HNE'. -

    These abbreviations are: -AMT Amsterdam, Asunción, Athens; -BMT Baghdad, Bangkok, Batavia, Bern, Bogotá, Bridgetown, Brussels, Bucharest; -CMT Calamarca, Caracas, Chisinau, Colón, Copenhagen, Córdoba; -DMT Dublin/Dunsink; -EMT Easter; -FFMT Fort-de-France; -FMT Funchal; -GMT Greenwich; -HMT Havana, Helsinki, Horta, Howrah; -IMT Irkutsk, Istanbul; -JMT Jerusalem; -KMT Kaunas, Kiev, Kingston; -LMT Lima, Lisbon, local, Luanda; -MMT Macassar, Madras, Malé, Managua, Minsk, Monrovia, Montevideo, Moratuwa, - Moscow; -PLMT Phù Liễn; -PMT Paramaribo, Paris, Perm, Pontianak, Prague; -PMMT Port Moresby; -QMT Quito; -RMT Rangoon, Riga, Rome; -SDMT Santo Domingo; -SJMT San José; -SMT Santiago, Simferopol, Singapore, Stanley; -TBMT Tbilisi; -TMT Tallinn, Tehran; -WMT Warsaw.

    +

    + These abbreviations (for standard/daylight/etc. time) are: + ACST/ACDT Australian Central, + AST/ADT/APT/AWT/ADDT Atlantic, + AEST/AEDT Australian Eastern, + AHST/AHDT Alaska-Hawaii, + AKST/AKDT Alaska, + AWST/AWDT Australian Western, + BST/BDT Bering, + CAT/CAST Central Africa, + CET/CEST/CEMT Central European, + ChST Chamorro, + CST/CDT/CWT/CPT/CDDT Central [North America], + CST/CDT China, + GMT/BST/IST/BDST Greenwich, + EAT East Africa, + EST/EDT/EWT/EPT/EDDT Eastern [North America], + EET/EEST Eastern European, + GST Guam, + HST/HDT Hawaii, + HKT/HKST Hong Kong, + IST India, + IST/GMT Irish, + IST/IDT/IDDT Israel, + JST/JDT Japan, + KST/KDT Korea, + MET/MEST Middle European (a backward-compatibility alias for + Central European), + MSK/MSD Moscow, + MST/MDT/MWT/MPT/MDDT Mountain, + NST/NDT/NWT/NPT/NDDT Newfoundland, + NST/NDT/NWT/NPT Nome, + NZMT/NZST New Zealand through 1945, + NZST/NZDT New Zealand 1946–present, + PKT/PKST Pakistan, + PST/PDT/PWT/PPT/PDDT Pacific, + SAST South Africa, + SST Samoa, + WAT/WAST West Africa, + WET/WEST/WEMT Western European, + WIB Waktu Indonesia Barat, + WIT Waktu Indonesia Timur, + WITA Waktu Indonesia Tengah, + YST/YDT/YWT/YPT/YDDT Yukon. +

    +
  • +
  • +

    + For times taken from a city's longitude, use the + traditional xMT notation. + The only abbreviation like this in current use is 'GMT'. + The others are for timestamps before 1960, + except that Monrovia Mean Time persisted until 1972. + Typically, numeric abbreviations (e.g., '-004430' for + MMT) would cause trouble here, as the numeric strings would exceed + the POSIX length limit. +

    -

    A few abbreviations also follow the pattern that -GMT/BST established for time in the UK. They are: +

    + These abbreviations are: + AMT Amsterdam, Asunción, Athens; + BMT Baghdad, Bangkok, Batavia, Bern, Bogotá, Bridgetown, Brussels, + Bucharest; + CMT Calamarca, Caracas, Chisinau, Colón, Copenhagen, Córdoba; + DMT Dublin/Dunsink; + EMT Easter; + FFMT Fort-de-France; + FMT Funchal; + GMT Greenwich; + HMT Havana, Helsinki, Horta, Howrah; + IMT Irkutsk, Istanbul; + JMT Jerusalem; + KMT Kaunas, Kiev, Kingston; + LMT Lima, Lisbon, local, Luanda; + MMT Macassar, Madras, Malé, Managua, Minsk, Monrovia, Montevideo, + Moratuwa, Moscow; + PLMT Phù Liễn; + PMT Paramaribo, Paris, Perm, Pontianak, Prague; + PMMT Port Moresby; + QMT Quito; + RMT Rangoon, Riga, Rome; + SDMT Santo Domingo; + SJMT San José; + SMT Santiago, Simferopol, Singapore, Stanley; + TBMT Tbilisi; + TMT Tallinn, Tehran; + WMT Warsaw. +

    -CMT/BST for Calamarca Mean Time and Bolivian Summer Time -1890–1932, DMT/IST for Dublin/Dunsink Mean Time and Irish Summer Time -1880–1916, MMT/MST/MDST for Moscow 1880–1919, and RMT/LST -for Riga Mean Time and Latvian Summer time 1880–1926. -An extra-special case is SET for Swedish Time (svensk -normaltid) 1879–1899, 3° west of the Stockholm -Observatory.

    +

    + A few abbreviations also follow the pattern that + GMT/BST established for time in the UK. + They are: + CMT/BST for Calamarca Mean Time and Bolivian Summer Time + 1890–1932, + DMT/IST for Dublin/Dunsink Mean Time and Irish Summer Time + 1880–1916, + MMT/MST/MDST for Moscow 1880–1919, and + RMT/LST for Riga Mean Time and Latvian Summer time 1880–1926. + An extra-special case is SET for Swedish Time (svensk + normaltid) 1879–1899, 3° west of the Stockholm + Observatory. +

  • - Use 'LMT' for local mean time of locations before the introduction - of standard time; see "Scope of the - tz database". + Use 'LMT' for local mean time of locations before the + introduction of standard time; see "Scope of the + tz database".
  • - If there is no common English abbreviation, use numeric offsets like - -05 and +0830 that are - generated by zic's %z notation. + If there is no common English abbreviation, use numeric offsets like + -05 and +0830 that are generated + by zic's %z notation.
  • - Use current abbreviations for older timestamps to avoid confusion. - For example, in 1910 a common English abbreviation for UT +01 - in central Europe was 'MEZ' (short for both "Middle European - Zone" and for "Mitteleuropäische Zeit" in German). Nowadays - 'CET' ("Central European Time") is more common in English, and - the database uses 'CET' even for circa-1910 timestamps as this - is less confusing for modern users and avoids the need for - determining when 'CET' supplanted 'MEZ' in common usage. + Use current abbreviations for older timestamps to avoid confusion. + For example, in 1910 a common English abbreviation for time + in central Europe was 'MEZ' (short for both "Middle European + Zone" and for "Mitteleuropäische Zeit" in German). + Nowadays 'CET' ("Central European Time") is more common in + English, and the database uses 'CET' even for circa-1910 + timestamps as this is less confusing for modern users and avoids + the need for determining when 'CET' supplanted 'MEZ' in common + usage.
  • - Use a consistent style in a zone's history. For example, if a zone's - history tends to use numeric abbreviations and a particular - entry could go either way, use a numeric abbreviation. + Use a consistent style in a tz region's history. + For example, if history tends to use numeric + abbreviations and a particular entry could go either way, use a + numeric abbreviation.
  • - Use UT (with time zone abbreviation '-00') for - locations while uninhabited. The leading - '-' is a flag that the time - zone is in some sense undefined; this notation is - derived from Internet RFC 3339. + Use + Universal Time + (UT) (with time zone abbreviation '-00') for + locations while uninhabited. + The leading '-' is a flag that the UT offset is in + some sense undefined; this notation is derived + from Internet + RFC 3339.
+

Application writers should note that these abbreviations are ambiguous in practice: e.g., 'CST' means one thing in China and something else in North America, and 'IST' can refer to time in India, Ireland or -Israel. To avoid ambiguity, use numeric UT offsets like +Israel. +To avoid ambiguity, use numeric UT offsets like '-0600' instead of time zone abbreviations like 'CST'.

-
- +
-
-

Accuracy of the tz database

+
+

Accuracy of the tz database

-The tz database is not authoritative, and it surely has errors. +The tz database is not authoritative, and it +surely has errors. Corrections are welcome and encouraged; see the file CONTRIBUTING. Users requiring authoritative data should consult national standards bodies and the references cited in the database's comments.

-Errors in the tz database arise from many sources: +Errors in the tz database arise from many sources:

+
  • - The tz database predicts future timestamps, and current predictions - will be incorrect after future governments change the rules. - For example, if today someone schedules a meeting for 13:00 next - October 1, Casablanca time, and tomorrow Morocco changes its - daylight saving rules, software can mess up after the rule change - if it blithely relies on conversions made before the change. -
  • -
  • - The pre-1970 entries in this database cover only a tiny sliver of how - clocks actually behaved; the vast majority of the necessary - information was lost or never recorded. Thousands more zones would - be needed if the tz database's scope were extended to cover even - just the known or guessed history of standard time; for example, - the current single entry for France would need to split into dozens - of entries, perhaps hundreds. And in most of the world even this - approach would be misleading due to widespread disagreement or - indifference about what times should be observed. In her 2015 book - The Global Transformation of Time, 1870-1950, Vanessa Ogle writes - "Outside of Europe and North America there was no system of time - zones at all, often not even a stable landscape of mean times, - prior to the middle decades of the twentieth century". See: - Timothy Shenk, Booked: - A Global History of Time. Dissent 2015-12-17. -
  • -
  • - Most of the pre-1970 data entries come from unreliable sources, often - astrology books that lack citations and whose compilers evidently - invented entries when the true facts were unknown, without - reporting which entries were known and which were invented. - These books often contradict each other or give implausible entries, - and on the rare occasions when they are checked they are - typically found to be incorrect. -
  • -
  • - For the UK the tz database relies on years of first-class work done by - Joseph Myers and others; see - "History of - legal time in Britain". - Other countries are not done nearly as well. -
  • -
  • - Sometimes, different people in the same city would maintain clocks - that differed significantly. Railway time was used by railroad - companies (which did not always agree with each other), - church-clock time was used for birth certificates, etc. - Often this was merely common practice, but sometimes it was set by law. - For example, from 1891 to 1911 the UT offset in France was legally - 0:09:21 outside train stations and 0:04:21 inside. -
  • -
  • - Although a named location in the tz database stands for the - containing region, its pre-1970 data entries are often accurate for - only a small subset of that region. For example, Europe/London - stands for the United Kingdom, but its pre-1847 times are valid - only for locations that have London's exact meridian, and its 1847 - transition to GMT is known to be valid only for the L&NW and the - Caledonian railways. -
  • -
  • - The tz database does not record the earliest time for which a zone's - data entries are thereafter valid for every location in the region. - For example, Europe/London is valid for all locations in its - region after GMT was made the standard time, but the date of - standardization (1880-08-02) is not in the tz database, other than - in commentary. For many zones the earliest time of validity is - unknown. -
  • -
  • - The tz database does not record a region's boundaries, and in many - cases the boundaries are not known. For example, the zone - America/Kentucky/Louisville represents a region around - the city of - Louisville, the boundaries of which are unclear. -
  • -
  • - Changes that are modeled as instantaneous transitions in the tz - database were often spread out over hours, days, or even decades. -
  • -
  • - Even if the time is specified by law, locations sometimes - deliberately flout the law. -
  • -
  • - Early timekeeping practices, even assuming perfect clocks, were - often not specified to the accuracy that the tz database requires. -
  • -
  • - Sometimes historical timekeeping was specified more precisely - than what the tz database can handle. For example, from 1909 to - 1937 Netherlands clocks were legally UT +00:19:32.13, but the tz - database cannot represent the fractional second. -
  • -
  • - Even when all the timestamp transitions recorded by the tz database - are correct, the tz rules that generate them may not faithfully - reflect the historical rules. For example, from 1922 until World - War II the UK moved clocks forward the day following the third - Saturday in April unless that was Easter, in which case it moved - clocks forward the previous Sunday. Because the tz database has no - way to specify Easter, these exceptional years are entered as - separate tz Rule lines, even though the legal rules did not change. -
  • -
  • - The tz database models pre-standard time using the proleptic Gregorian - calendar and local mean time (LMT), but many people used other - calendars and other timescales. For example, the Roman Empire used - the Julian calendar, and had 12 varying-length daytime hours with a - non-hour-based system at night. -
  • -
  • - Early clocks were less reliable, and data entries do not represent - clock error. -
  • -
  • - The tz database assumes Universal Time (UT) as an origin, even - though UT is not standardized for older timestamps. In the tz - database commentary, UT denotes a family of time standards that - includes Coordinated Universal Time (UTC) along with other variants - such as UT1 and GMT, with days starting at midnight. Although UT - equals UTC for modern timestamps, UTC was not defined until 1960, - so commentary uses the more-general abbreviation UT for timestamps - that might predate 1960. Since UT, UT1, etc. disagree slightly, - and since pre-1972 UTC seconds varied in length, interpretation of - older timestamps can be problematic when subsecond accuracy is - needed. -
  • -
  • - Civil time was not based on atomic time before 1972, and we don't - know the history of earth's rotation accurately enough to map SI - seconds to historical solar time to more than about one-hour - accuracy. See: Stephenson FR, Morrison LV, Hohenkerk CY. - Measurement - of the Earth's rotation: 720 BC to AD 2015. - Proc Royal Soc A. 2016 Dec 7;472:20160404. - Also see: Espenak F. Uncertainty - in Delta T (ΔT). -
  • -
  • - The relationship between POSIX time (that is, UTC but ignoring leap - seconds) and UTC is not agreed upon after 1972. Although the POSIX - clock officially stops during an inserted leap second, at least one - proposed standard has it jumping back a second instead; and in - practice POSIX clocks more typically either progress glacially during - a leap second, or are slightly slowed while near a leap second. -
  • -
  • - The tz database does not represent how uncertain its information is. - Ideally it would contain information about when data entries are - incomplete or dicey. Partial temporal knowledge is a field of - active research, though, and it's not clear how to apply it here. + The tz database predicts future + timestamps, and current predictions + will be incorrect after future governments change the rules. + For example, if today someone schedules a meeting for 13:00 next + October 1, Casablanca time, and tomorrow Morocco changes its + daylight saving rules, software can mess up after the rule change + if it blithely relies on conversions made before the change. +
  • +
  • + The pre-1970 entries in this database cover only a tiny sliver of how + clocks actually behaved; the vast majority of the necessary + information was lost or never recorded. + Thousands more tz regions would be needed if + the tz database's scope were extended to + cover even just the known or guessed history of standard time; for + example, the current single entry for France would need to split + into dozens of entries, perhaps hundreds. + And in most of the world even this approach would be misleading + due to widespread disagreement or indifference about what times + should be observed. + In her 2015 book + The + Global Transformation of Time, 1870–1950, + Vanessa Ogle writes + "Outside of Europe and North America there was no system of time + zones at all, often not even a stable landscape of mean times, + prior to the middle decades of the twentieth century". + See: Timothy Shenk, Booked: + A Global History of Time. Dissent 2015-12-17. +
  • +
  • + Most of the pre-1970 data entries come from unreliable sources, often + astrology books that lack citations and whose compilers evidently + invented entries when the true facts were unknown, without + reporting which entries were known and which were invented. + These books often contradict each other or give implausible entries, + and on the rare occasions when they are checked they are + typically found to be incorrect. +
  • +
  • + For the UK the tz database relies on + years of first-class work done by + Joseph Myers and others; see + "History of + legal time in Britain". + Other countries are not done nearly as well. +
  • +
  • + Sometimes, different people in the same city maintain clocks + that differ significantly. + Historically, railway time was used by railroad companies (which + did not always + agree with each other), church-clock time was used for birth + certificates, etc. + More recently, competing political groups might disagree about + clock settings. Often this is merely common practice, but + sometimes it is set by law. + For example, from 1891 to 1911 the UT offset in France + was legally UT +00:09:21 outside train stations and + UT +00:04:21 inside. Other examples include + Chillicothe in 1920, Palm Springs in 1946/7, and Jerusalem and + Ürümqi to this day. +
  • +
  • + Although a named location in the tz + database stands for the containing region, its pre-1970 data + entries are often accurate for only a small subset of that region. + For example, Europe/London stands for the United + Kingdom, but its pre-1847 times are valid only for locations that + have London's exact meridian, and its 1847 transition + to GMT is known to be valid only for the L&NW and + the Caledonian railways. +
  • +
  • + The tz database does not record the + earliest time for which a tz region's + data entries are thereafter valid for every location in the region. + For example, Europe/London is valid for all locations + in its region after GMT was made the standard time, + but the date of standardization (1880-08-02) is not in the + tz database, other than in commentary. + For many tz regions the earliest time of + validity is unknown. +
  • +
  • + The tz database does not record a + region's boundaries, and in many cases the boundaries are not known. + For example, the tz region + America/Kentucky/Louisville represents a region + around the city of Louisville, the boundaries of which are + unclear. +
  • +
  • + Changes that are modeled as instantaneous transitions in the + tz + database were often spread out over hours, days, or even decades. +
  • +
  • + Even if the time is specified by law, locations sometimes + deliberately flout the law. +
  • +
  • + Early timekeeping practices, even assuming perfect clocks, were + often not specified to the accuracy that the + tz database requires. +
  • +
  • + Sometimes historical timekeeping was specified more precisely + than what the tz code can handle. + For example, from 1909 to 1937 Netherlands clocks were legally Amsterdam Mean + Time (estimated to be UT + +00:19:32.13), but the tz + code cannot represent the fractional second. + In practice these old specifications were rarely if ever + implemented to subsecond precision. +
  • +
  • + Even when all the timestamp transitions recorded by the + tz database are correct, the + tz rules that generate them may not + faithfully reflect the historical rules. + For example, from 1922 until World War II the UK moved clocks + forward the day following the third Saturday in April unless that + was Easter, in which case it moved clocks forward the previous + Sunday. + Because the tz database has no + way to specify Easter, these exceptional years are entered as + separate tz Rule lines, even though the + legal rules did not change. +
  • +
  • + The tz database models pre-standard time + using the proleptic + Gregorian calendar and local mean time, but many people used + other calendars and other timescales. + For example, the Roman Empire used + the Julian + calendar, + and Roman + timekeeping had twelve varying-length daytime hours with a + non-hour-based system at night. +
  • +
  • + Early clocks were less reliable, and data entries do not represent + clock error. +
  • +
  • + The tz database assumes Universal Time + (UT) as an origin, even though UT is not + standardized for older timestamps. + In the tz database commentary, + UT denotes a family of time standards that includes + Coordinated Universal Time (UTC) along with other + variants such as UT1 and GMT, + with days starting at midnight. + Although UT equals UTC for modern + timestamps, UTC was not defined until 1960, so + commentary uses the more-general abbreviation UT for + timestamps that might predate 1960. + Since UT, UT1, etc. disagree slightly, + and since pre-1972 UTC seconds varied in length, + interpretation of older timestamps can be problematic when + subsecond accuracy is needed. +
  • +
  • + Civil time was not based on atomic time before 1972, and we don't + know the history of + earth's + rotation accurately enough to map SI seconds to + historical solar time + to more than about one-hour accuracy. + See: Stephenson FR, Morrison LV, Hohenkerk CY. + Measurement of + the Earth's rotation: 720 BC to AD 2015. + Proc Royal Soc A. 2016 Dec 7;472:20160404. + Also see: Espenak F. Uncertainty + in Delta T (ΔT). +
  • +
  • + The relationship between POSIX time (that is, UTC but + ignoring leap + seconds) and UTC is not agreed upon after 1972. + Although the POSIX + clock officially stops during an inserted leap second, at least one + proposed standard has it jumping back a second instead; and in + practice POSIX clocks more typically either progress glacially during + a leap second, or are slightly slowed while near a leap second. +
  • +
  • + The tz database does not represent how + uncertain its information is. + Ideally it would contain information about when data entries are + incomplete or dicey. + Partial temporal knowledge is a field of active research, though, + and it's not clear how to apply it here.
-

-In short, many, perhaps most, of the tz database's pre-1970 and future -timestamps are either wrong or misleading. Any attempt to pass the -tz database off as the definition of time should be unacceptable to -anybody who cares about the facts. In particular, the tz database's -LMT offsets should not be considered meaningful, and should not prompt -creation of zones merely because two locations differ in LMT or -transitioned to standard time at different dates. -

-
- -
-

Time and date functions

-The tz code contains time and date functions that are upwards -compatible with those of POSIX. +In short, many, perhaps most, of the tz +database's pre-1970 and future timestamps are either wrong or +misleading. +Any attempt to pass the +tz database off as the definition of time +should be unacceptable to anybody who cares about the facts. +In particular, the tz database's +LMT offsets should not be considered meaningful, and +should not prompt creation of tz regions +merely because two locations +differ in LMT or transitioned to standard time at +different dates.

+
+
+

Time and date functions

-POSIX has the following properties and limitations. +The tz code contains time and date functions +that are upwards compatible with those of POSIX. +Code compatible with this package is already +part of many platforms, where the +primary use of this package is to update obsolete time-related files. +To do this, you may need to compile the time zone compiler +'zic' supplied with this package instead of using the +system 'zic', since the format of zic's +input is occasionally extended, and a platform may still be shipping +an older zic.

+ +

POSIX properties and limitations

  • - In POSIX, time display in a process is controlled by the - environment variable TZ. Unfortunately, the POSIX TZ string takes - a form that is hard to describe and is error-prone in practice. - Also, POSIX TZ strings can't deal with other (for example, Israeli) - daylight saving time rules, or situations where more than two - time zone abbreviations are used in an area. + In POSIX, time display in a process is controlled by the + environment variable TZ. + Unfortunately, the POSIX + TZ string takes a form that is hard to describe and + is error-prone in practice. + Also, POSIX TZ strings can't deal with daylight + saving time rules not based on the Gregorian calendar (as in + Iran), or with situations where more than two time zone + abbreviations or UT offsets are used in an area.

    +

    - The POSIX TZ string takes the following form: + The POSIX TZ string takes the following form:

    +

    - stdoffset[dst[offset][,date[/time],date[/time]]] + stdoffset[dst[offset][,date[/time],date[/time]]]

    +

    - where: + where: +

    +
    std and dst
    - are 3 or more characters specifying the standard - and daylight saving time (DST) zone names. - Starting with POSIX.1-2001, std - and dst may also be - in a quoted form like '<+09>'; this allows - "+" and "-" in the names. + are 3 or more characters specifying the standard + and daylight saving time (DST) zone names. + Starting with POSIX.1-2001, std and dst + may also be in a quoted form like '<+09>'; + this allows "+" and "-" in the names.
    offset
    - is of the form - '[±]hh:[mm[:ss]]' - and specifies the offset west of UT. 'hh' - may be a single digit; 0≤hh≤24. - The default DST offset is one hour ahead of standard time. + is of the form + '[±]hh:[mm[:ss]]' + and specifies the offset west of UT. + 'hh' may be a single digit; + 0≤hh≤24. + The default DST offset is one hour ahead of + standard time.
    date[/time],date[/time]
    - specifies the beginning and end of DST. If this is absent, - the system supplies its own rules for DST, and these can - differ from year to year; typically US DST rules are used. + specifies the beginning and end of DST. + If this is absent, the system supplies its own ruleset + for DST, and its rules can differ from year to year; + typically US DST rules are used.
    time
    - takes the form - 'hh:[mm[:ss]]' - and defaults to 02:00. - This is the same format as the offset, except that a - leading '+' or '-' is not allowed. + takes the form + 'hh:[mm[:ss]]' + and defaults to 02:00. + This is the same format as the offset, except that a + leading '+' or '-' is not allowed.
    date
    - takes one of the following forms: + takes one of the following forms:
    Jn (1≤n≤365)
    - origin-1 day number not counting February 29 -
    + origin-1 day number not counting February 29 +
    n (0≤n≤365)
    - origin-0 day number counting February 29 if present -
    -
    Mm.n.d (0[Sunday]≤d≤6[Saturday], 1≤n≤5, 1≤m≤12)
    - for the dth day of - week n of month m of the - year, where week 1 is the first week in which - day d appears, and '5' - stands for the last week in which - day d appears - (which may be either the 4th or 5th week). - Typically, this is the only useful form; - the n - and Jn forms are - rarely used. + origin-0 day number counting February 29 if present +
    +
    Mm.n.d + (0[Sunday]≤d≤6[Saturday], 1≤n≤5, + 1≤m≤12)
    + for the dth day of week n of + month m of the year, where week 1 is the first + week in which day d appears, and + '5' stands for the last week in which + day d appears (which may be either the 4th or + 5th week). + Typically, this is the only useful form; the n + and Jn forms are rarely used.
    -
    - - - Here is an example POSIX TZ string for New Zealand after 2007. - It says that standard time (NZST) is 12 hours ahead of UT, - and that daylight saving time (NZDT) is observed from September's - last Sunday at 02:00 until April's first Sunday at 03:00: + + + -
    TZ='NZST-12NZDT,M9.5.0,M4.1.0/3'
    +

    + Here is an example POSIX TZ string for New + Zealand after 2007. + It says that standard time (NZST) is 12 hours ahead + of UT, and that daylight saving time + (NZDT) is observed from September's last Sunday at + 02:00 until April's first Sunday at 03:00: +

    + +
    TZ='NZST-12NZDT,M9.5.0,M4.1.0/3'
    + +

    + This POSIX TZ string is hard to remember, and + mishandles some timestamps before 2008. + With this package you can use this instead: +

    - This POSIX TZ string is hard to remember, and mishandles some - timestamps before 2008. With this package you can use this - instead: +
    TZ='Pacific/Auckland'
    +
  • +
  • + POSIX does not define the exact meaning of TZ values like + "EST5EDT". + Typically the current US DST rules + are used to interpret such values, but this means that the + US DST rules are compiled into each + program that does time conversion. + This means that when + US time conversion rules change (as in the United + States in 1987), all programs that do time conversion must be + recompiled to ensure proper results. +
  • +
  • + The TZ environment variable is process-global, which + makes it hard to write efficient, thread-safe applications that + need access to multiple time zone rulesets. +
  • +
  • + In POSIX, there's no tamper-proof way for a process to learn the + system's best idea of local wall clock. + (This is important for applications that an administrator wants + used only at certain times – without regard to whether the + user has fiddled the + TZ environment variable. + While an administrator can "do everything in UT" to + get around the problem, doing so is inconvenient and precludes + handling daylight saving time shifts - as might be required to + limit phone calls to off-peak hours.) +
  • +
  • + POSIX provides no convenient and efficient way to determine + the UT offset and time zone abbreviation of arbitrary + timestamps, particularly for tz regions + that do not fit into the POSIX model. +
  • +
  • + POSIX requires that systems ignore leap seconds. +
  • +
  • + The tz code attempts to support all the + time_t implementations allowed by POSIX. + The time_t type represents a nonnegative count of seconds + since 1970-01-01 00:00:00 UTC, ignoring leap seconds. + In practice, time_t is usually a signed 64- or 32-bit + integer; 32-bit signed time_t values stop working after + 2038-01-19 03:14:07 UTC, so new implementations these + days typically use a signed 64-bit integer. + Unsigned 32-bit integers are used on one or two platforms, and 36-bit + and 40-bit integers are also used occasionally. + Although earlier POSIX versions allowed time_t to be a + floating-point type, this was not supported by any practical systems, + and POSIX.1-2013 and the tz code both + require time_t to be an integer type. +
  • +
-
TZ='Pacific/Auckland'
+

Extensions to POSIX in the +tz code

+
    +
  • +

    + The TZ environment variable is used in generating + the name of a binary file from which time-related information is read + (or is interpreted à la POSIX); TZ is no longer + constrained to be a three-letter time zone + abbreviation followed by a number of hours and an optional three-letter + daylight time zone abbreviation. + The daylight saving time rules to be used for a + particular tz region are encoded in the + binary file; the format of the file + allows U.S., Australian, and other rules to be encoded, and + allows for situations where more than two time zone + abbreviations are used. +

    +

    + It was recognized that allowing the TZ environment + variable to take on values such as 'America/New_York' + might cause "old" programs (that expect TZ to have a + certain form) to operate incorrectly; consideration was given to using + some other environment variable (for example, TIMEZONE) + to hold the string used to generate the binary file's name. + In the end, however, it was decided to continue using + TZ: it is widely used for time zone purposes; + separately maintaining both TZ + and TIMEZONE seemed a nuisance; and systems where + "new" forms of TZ might cause problems can simply + use TZ values such as "EST5EDT" which + can be used both by "new" programs (à la POSIX) and "old" + programs (as zone names and offsets). +

  • - POSIX does not define the exact meaning of TZ values like - "EST5EDT". - Typically the current US DST rules are used to interpret such values, - but this means that the US DST rules are compiled into each program - that does time conversion. This means that when US time conversion - rules change (as in the United States in 1987), all programs that - do time conversion must be recompiled to ensure proper results. + The code supports platforms with a UT offset member + in struct tm, e.g., tm_gmtoff.
  • - The TZ environment variable is process-global, which makes it hard - to write efficient, thread-safe applications that need access - to multiple time zones. + The code supports platforms with a time zone abbreviation member in + struct tm, e.g., tm_zone.
  • - In POSIX, there's no tamper-proof way for a process to learn the - system's best idea of local wall clock. (This is important for - applications that an administrator wants used only at certain - times – - without regard to whether the user has fiddled the TZ environment - variable. While an administrator can "do everything in UT" to get - around the problem, doing so is inconvenient and precludes handling - daylight saving time shifts - as might be required to limit phone - calls to off-peak hours.) + Functions tzalloc, tzfree, + localtime_rz, and mktime_z for + more-efficient thread-safe applications that need to use multiple + time zone rulesets. + The tzalloc and tzfree functions + allocate and free objects of type timezone_t, + and localtime_rz and mktime_z are + like localtime_r and mktime with an + extra timezone_t argument. + The functions were inspired by NetBSD.
  • - POSIX provides no convenient and efficient way to determine the UT - offset and time zone abbreviation of arbitrary timestamps, - particularly for time zone settings that do not fit into the - POSIX model. + A function tzsetwall has been added to arrange for the + system's best approximation to local wall clock time to be delivered + by subsequent calls to localtime. + Source code for portable applications that "must" run on local wall + clock time should call tzsetwall; + if such code is moved to "old" systems that don't + provide tzsetwall, you won't be able to generate an + executable program. + (These functions also arrange for local wall clock time to + be used if tzset is called – directly or + indirectly – and there's no TZ environment + variable; portable applications should not, however, rely on this + behavior since it's not the way SVR2 systems behave.)
  • - POSIX requires that systems ignore leap seconds. + Negative time_t values are supported, on systems + where time_t is signed.
  • - The tz code attempts to support all the time_t - implementations allowed by POSIX. The time_t - type represents a nonnegative count of - seconds since 1970-01-01 00:00:00 UTC, ignoring leap seconds. - In practice, time_t is usually a signed 64- or - 32-bit integer; 32-bit signed time_t values stop - working after 2038-01-19 03:14:07 UTC, so - new implementations these days typically use a signed 64-bit integer. - Unsigned 32-bit integers are used on one or two platforms, - and 36-bit and 40-bit integers are also used occasionally. - Although earlier POSIX versions allowed time_t to be a - floating-point type, this was not supported by any practical - systems, and POSIX.1-2013 and the tz code both - require time_t - to be an integer type. + These functions can account for leap seconds, thanks to Bradley White.
+ +

POSIX features no longer needed

-These are the extensions that have been made to the POSIX functions: +POSIX and ISO C +define some APIs that are vestigial: +they are not needed, and are relics of a too-simple model that does +not suffice to handle many real-world timestamps. +Although the tz code supports these +vestigial APIs for backwards compatibility, they should +be avoided in portable applications. +The vestigial APIs are:

  • -

    - The TZ environment variable is used in generating the name of a file - from which time zone information is read (or is interpreted a la - POSIX); TZ is no longer constrained to be a three-letter time zone - name followed by a number of hours and an optional three-letter - daylight time zone name. The daylight saving time rules to be used - for a particular time zone are encoded in the time zone file; - the format of the file allows U.S., Australian, and other rules to be - encoded, and allows for situations where more than two time zone - abbreviations are used. -

    -

    - It was recognized that allowing the TZ environment variable to - take on values such as 'America/New_York' might - cause "old" programs - (that expect TZ to have a certain form) to operate incorrectly; - consideration was given to using some other environment variable - (for example, TIMEZONE) to hold the string used to generate the - time zone information file name. In the end, however, it was decided - to continue using TZ: it is widely used for time zone purposes; - separately maintaining both TZ and TIMEZONE seemed a nuisance; - and systems where "new" forms of TZ might cause problems can simply - use TZ values such as "EST5EDT" which can be used both by - "new" programs (a la POSIX) and "old" programs (as zone names and - offsets). -

    -
  • -
  • - The code supports platforms with a UT offset member - in struct tm, - e.g., tm_gmtoff. -
  • -
  • - The code supports platforms with a time zone abbreviation member in - struct tm, e.g., tm_zone. -
  • -
  • - Since the TZ environment variable can now be used to control time - conversion, the daylight - and timezone variables are no longer needed. - (These variables are defined and set by tzset; - however, their values will not be used - by localtime.) -
  • -
  • - Functions tzalloc, tzfree, - localtime_rz, and mktime_z for - more-efficient thread-safe applications that need to use - multiple time zones. The tzalloc - and tzfree functions allocate and free objects of - type timezone_t, and localtime_rz - and mktime_z are like localtime_r - and mktime with an extra - timezone_t argument. The functions were inspired - by NetBSD. -
  • -
  • - A function tzsetwall has been added to arrange - for the system's - best approximation to local wall clock time to be delivered by - subsequent calls to localtime. Source code for portable - applications that "must" run on local wall clock time should call - tzsetwall; if such code is moved to "old" systems that don't - provide tzsetwall, you won't be able to generate an executable program. - (These time zone functions also arrange for local wall clock time to be - used if tzset is called – directly or indirectly – - and there's no TZ - environment variable; portable applications should not, however, rely - on this behavior since it's not the way SVR2 systems behave.) -
  • -
  • - Negative time_t values are supported, on systems - where time_t is signed. -
  • -
  • - These functions can account for leap seconds, thanks to Bradley White. -
  • + The POSIX tzname variable does not suffice and is no + longer needed. + To get a timestamp's time zone abbreviation, consult + the tm_zone member if available; otherwise, + use strftime's "%Z" conversion + specification. + +
  • + The POSIX daylight and timezone + variables do not suffice and are no longer needed. + To get a timestamp's UT offset, consult + the tm_gmtoff member if available; otherwise, + subtract values returned by localtime + and gmtime using the rules of the Gregorian calendar, + or use strftime's "%z" conversion + specification if a string like "+0900" suffices. +
  • +
  • + The tm_isdst member is almost never needed and most of + its uses should be discouraged in favor of the abovementioned + APIs. + Although it can still be used in arguments to + mktime to disambiguate timestamps near + a DST transition when the clock jumps back, this + disambiguation does not work when standard time itself jumps back, + which can occur when a location changes to a time zone with a + lesser UT offset. +
-

-Points of interest to folks with other systems: -

+ +

Other portability notes

  • - Code compatible with this package is already part of many platforms, - including GNU/Linux, Android, the BSDs, Chromium OS, Cygwin, AIX, iOS, - BlackBery 10, macOS, Microsoft Windows, OpenVMS, and Solaris. - On such hosts, the primary use of this package - is to update obsolete time zone rule tables. - To do this, you may need to compile the time zone compiler - 'zic' supplied with this package instead of using - the system 'zic', since the format - of zic's input is occasionally extended, and a - platform may still be shipping an older zic. -
  • -
  • - The UNIX Version 7 timezone function is not - present in this package; - it's impossible to reliably map timezone's arguments (a "minutes west - of GMT" value and a "daylight saving time in effect" flag) to a - time zone abbreviation, and we refuse to guess. - Programs that in the past used the timezone function may now examine - localtime(&clock)->tm_zone - (if TM_ZONE is defined) or - tzname[localtime(&clock)->tm_isdst] - (if HAVE_TZNAME is defined) - to learn the correct time zone abbreviation to use. -
  • -
  • - The 4.2BSD gettimeofday function is not used in - this package. - This formerly let users obtain the current UTC offset and DST flag, - but this functionality was removed in later versions of BSD. -
  • -
  • - In SVR2, time conversion fails for near-minimum or near-maximum - time_t values when doing conversions for places - that don't use UT. - This package takes care to do these conversions correctly. - A comment in the source code tells how to get compatibly wrong - results. + The 7th Edition + UNIX timezone function is not present in this + package; it's impossible to reliably map timezone's + arguments (a "minutes west of GMT" value and a + "daylight saving time in effect" flag) to a time zone + abbreviation, and we refuse to guess. + Programs that in the past used the timezone function + may now examine localtime(&clock)->tm_zone + (if TM_ZONE is defined) or + tzname[localtime(&clock)->tm_isdst] + (if HAVE_TZNAME is defined) to learn the correct time + zone abbreviation to use. +
  • +
  • + The 4.2BSD gettimeofday function is not + used in this package. + This formerly let users obtain the current UTC offset + and DST flag, but this functionality was removed in + later versions of BSD. +
  • +
  • + In SVR2, time conversion fails for near-minimum or + near-maximum time_t values when doing conversions + for places that don't use UT. + This package takes care to do these conversions correctly. + A comment in the source code tells how to get compatibly wrong + results. +
  • +
  • + The functions that are conditionally compiled + if STD_INSPIRED is defined should, at this point, be + looked on primarily as food for thought. + They are not in any sense "standard compatible" – some are + not, in fact, specified in any standard. + They do, however, represent responses of various authors to + standardization proposals. +
  • +
  • + Other time conversion proposals, in particular the one developed + by folks at Hewlett Packard, offer a wider selection of functions + that provide capabilities beyond those provided here. + The absence of such functions from this package is not meant to + discourage the development, standardization, or use of such + functions. + Rather, their absence reflects the decision to make this package + contain valid extensions to POSIX, to ensure its broad + acceptability. + If more powerful time conversion functions can be standardized, so + much the better.
-

-The functions that are conditionally compiled -if STD_INSPIRED is defined -should, at this point, be looked on primarily as food for thought. They are -not in any sense "standard compatible" – some are not, in fact, -specified in any standard. They do, however, represent responses of -various authors to -standardization proposals. -

+
+
+

Interface stability

-Other time conversion proposals, in particular the one developed by folks at -Hewlett Packard, offer a wider selection of functions that provide capabilities -beyond those provided here. The absence of such functions from this package -is not meant to discourage the development, standardization, or use of such -functions. Rather, their absence reflects the decision to make this package -contain valid extensions to POSIX, to ensure its broad acceptability. If -more powerful time conversion functions can be standardized, so much the -better. +The tz code and data supply the following interfaces:

-
- -
-

Interface stability

-

-The tz code and data supply the following interfaces: -

  • - A set of zone names as per "Names of time zone - rules" above. + A set of tz region names as per + "Names of time zone rulesets" above.
  • - Library functions described in "Time and date - functions" above. + Library functions described in "Time and date + functions" above.
  • - The programs tzselect, zdump, - and zic, documented in their man pages. + The programs tzselect, zdump, + and zic, documented in their man pages.
  • - The format of zic input files, documented in - the zic man page. + The format of zic input files, documented in + the zic man page.
  • - The format of zic output files, documented in - the tzfile man page. + The format of zic output files, documented in + the tzfile man page.
  • - The format of zone table files, documented in zone1970.tab. + The format of zone table files, documented in zone1970.tab.
  • - The format of the country code file, documented in iso3166.tab. + The format of the country code file, documented in iso3166.tab.
  • - The version number of the code and data, as the first line of - the text file 'version' in each release. + The version number of the code and data, as the first line of + the text file 'version' in each release.
+

Interface changes in a release attempt to preserve compatibility with -recent releases. For example, tz data files typically do not rely on -recently-added zic features, so that users can run -older zic versions to process newer data -files. Sources for time zone and daylight -saving time data describes how -releases are tagged and distributed. +recent releases. +For example, tz data files typically do not +rely on recently-added zic features, so that users can +run older zic versions to process newer data files. +Downloading +the tz database describes how releases +are tagged and distributed.

-Interfaces not listed above are less stable. For example, users -should not rely on particular UT offsets or abbreviations for -timestamps, as data entries are often based on guesswork and these -guesses may be corrected or improved. +Interfaces not listed above are less stable. +For example, users should not rely on particular UT +offsets or abbreviations for timestamps, as data entries are often +based on guesswork and these guesses may be corrected or improved.

-
+
- -
-

Calendrical issues

+
+

Calendrical issues

Calendrical issues are a bit out of scope for a time zone database, but they indicate the sort of problems that we would run into if we -extended the time zone database further into the past. An excellent -resource in this area is Nachum Dershowitz and Edward M. Reingold, -Calendrical +extended the time zone database further into the past. +An excellent resource in this area is Nachum Dershowitz and Edward M. +Reingold, Calendrical Calculations: Third Edition, Cambridge University Press (2008). -Other information and sources are given in the file 'calendars' -in the tz distribution. They sometimes disagree. +Other information and sources are given in the file 'calendars' +in the tz distribution. +They sometimes disagree.

-
- +
-
-

Time and time zones on other planets

+
+

Time and time zones on other planets

-Some people's work schedules use Mars time. Jet Propulsion Laboratory -(JPL) coordinators have kept Mars time on and off at least since 1997 -for the Mars Pathfinder mission. Some of their family members have -also adapted to Mars time. Dozens of special Mars watches were built -for JPL workers who kept Mars time during the Mars Exploration -Rovers mission (2004). These timepieces look like normal Seikos and -Citizens but use Mars seconds rather than terrestrial seconds. +Some people's work schedules +use Mars time. +Jet Propulsion Laboratory (JPL) coordinators have kept Mars time on +and off at least since 1997 for the +Mars +Pathfinder mission. +Some of their family members have also adapted to Mars time. +Dozens of special Mars watches were built for JPL workers who kept +Mars time during the Mars Exploration Rovers mission (2004). +These timepieces look like normal Seikos and Citizens but use Mars +seconds rather than terrestrial seconds.

A Mars solar day is called a "sol" and has a mean period equal to -about 24 hours 39 minutes 35.244 seconds in terrestrial time. It is -divided into a conventional 24-hour clock, so each Mars second equals -about 1.02749125 terrestrial seconds. +about 24 hours 39 minutes 35.244 seconds in terrestrial time. +It is divided into a conventional 24-hour clock, so each Mars second +equals about 1.02749125 terrestrial seconds.

-The prime meridian of Mars goes through the center of the crater -Airy-0, named in honor of the British astronomer who built the -Greenwich telescope that defines Earth's prime meridian. Mean solar -time on the Mars prime meridian is called Mars Coordinated Time (MTC). +The prime +meridian of Mars goes through the center of the crater +Airy-0, named in +honor of the British astronomer who built the Greenwich telescope that +defines Earth's prime meridian. +Mean solar time on the Mars prime meridian is +called Mars +Coordinated Time (MTC).

Each landed mission on Mars has adopted a different reference for solar time keeping, so there is no real standard for Mars time zones. -For example, the Mars Exploration Rover project (2004) defined two -time zones "Local Solar Time A" and "Local Solar Time B" for its two -missions, each zone designed so that its time equals local true solar -time at approximately the middle of the nominal mission. Such a "time -zone" is not particularly suited for any application other than the -mission itself. +For example, the +Mars +Exploration Rover project (2004) defined two time zones "Local +Solar Time A" and "Local Solar Time B" for its two missions, each zone +designed so that its time equals local true solar time at +approximately the middle of the nominal mission. +Such a "time zone" is not particularly suited for any application +other than the mission itself.

Many calendars have been proposed for Mars, but none have achieved -wide acceptance. Astronomers often use Mars Sol Date (MSD) which is a +wide acceptance. +Astronomers often use Mars Sol Date (MSD) which is a sequential count of Mars solar days elapsed since about 1873-12-29 -12:00 GMT. +12:00 GMT.

In our solar system, Mars is the planet with time and calendar most -like Earth's. On other planets, Sun-based time and calendars would -work quite differently. For example, although Mercury's sidereal -rotation period is 58.646 Earth days, Mercury revolves around the Sun -so rapidly that an observer on Mercury's equator would see a sunrise -only every 175.97 Earth days, i.e., a Mercury year is 0.5 of a Mercury -day. Venus is more complicated, partly because its rotation is -slightly retrograde: its year is 1.92 of its days. Gas giants like -Jupiter are trickier still, as their polar and equatorial regions -rotate at different rates, so that the length of a day depends on -latitude. This effect is most pronounced on Neptune, where the day is -about 12 hours at the poles and 18 hours at the equator. +like Earth's. +On other planets, Sun-based time and calendars would work quite +differently. +For example, although Mercury's +sidereal +rotation period is 58.646 Earth days, Mercury revolves around the +Sun so rapidly that an observer on Mercury's equator would see a +sunrise only every 175.97 Earth days, i.e., a Mercury year is 0.5 of a +Mercury day. +Venus is more complicated, partly because its rotation is slightly +retrograde: +its year is 1.92 of its days. +Gas giants like Jupiter are trickier still, as their polar and +equatorial regions rotate at different rates, so that the length of a +day depends on latitude. +This effect is most pronounced on Neptune, where the day is about 12 +hours at the poles and 18 hours at the equator.

-Although the tz database does not support time on other planets, it is -documented here in the hopes that support will be added eventually. +Although the tz database does not support +time on other planets, it is documented here in the hopes that support +will be added eventually.

-Sources: +Sources for time on other planets:

+ -
+
-
-
-This file is in the public domain, so clarified as of 2009-05-17 by -Arthur David Olson. -
+
+
+ This file is in the public domain, so clarified as of 2009-05-17 by + Arthur David Olson. +
diff --git a/contrib/tzdata/version b/contrib/tzdata/version index f6a71fe..ae3ff7c 100644 --- a/contrib/tzdata/version +++ b/contrib/tzdata/version @@ -1 +1 @@ -2018c +2018d diff --git a/contrib/tzdata/ziguard.awk b/contrib/tzdata/ziguard.awk new file mode 100644 index 0000000..6da3691 --- /dev/null +++ b/contrib/tzdata/ziguard.awk 
@@ -0,0 +1,62 @@ +# Convert tzdata source into vanguard or rearguard form. + +# Contributed by Paul Eggert. This file is in the public domain. + +# This is not a general-purpose converter; it is designed for current tzdata. +# +# When converting to vanguard form, the output can use negative SAVE +# values. +# +# When converting to rearguard form, the output uses only nonnegative +# SAVE values. The idea is for the output data to simulate the behavior +# of the input data as best it can within the constraints of the +# rearguard format. + +BEGIN { + dst_type["vanguard.zi"] = 1 + dst_type["main.zi"] = 1 + dst_type["rearguard.zi"] = 1 + + # The command line should set OUTFILE to the name of the output file. + if (!dst_type[outfile]) exit 1 + vanguard = outfile == "vanguard.zi" +} + +/^Zone/ { zone = $2 } + +outfile != "main.zi" { + in_comment = /^#/ + + # If this line should differ due to Ireland using negative SAVE values, + # uncomment the desired version and comment out the undesired one. + Rule_Eire = /^#?Rule[\t ]+Eire[\t ]/ + Zone_Dublin_post_1968 \ + = (zone == "Europe/Dublin" && /^#?[\t ]+[01]:00[\t ]/ \ + && (!$(in_comment + 4) || 1968 < $(in_comment + 4))) + if (Rule_Eire || Zone_Dublin_post_1968) { + if ((Rule_Eire \ + || (Zone_Dublin_post_1968 && $(in_comment + 3) == "IST/GMT")) \ + == vanguard) { + sub(/^#/, "") + } else if (/^[^#]/) { + sub(/^/, "#") + } + } +} + +# If a Link line is followed by a Zone line for the same data, comment +# out the Link line. This can happen if backzone overrides a Link +# with a Zone. +/^Link/ { + linkline[$3] = NR +} +/^Zone/ { + sub(/^Link/, "#Link", line[linkline[$2]]) +} + +{ line[NR] = $0 } + +END { + for (i = 1; i <= NR; i++) + print line[i] +} diff --git a/contrib/tzdata/zishrink.awk b/contrib/tzdata/zishrink.awk index 23d623e..d617644 100644 --- a/contrib/tzdata/zishrink.awk +++ b/contrib/tzdata/zishrink.awk 
@@ -37,7 +37,7 @@ function process_input_line(line, field, end, i, n, startdef) # Remove comments, normalize spaces, and append a space to each line. sub(/#.*/, "", line) line = line " " - gsub(/[\f\r\t\v ]+/, " ", line) + gsub(/[\t ]+/, " ", line) # Abbreviate keywords. Do not abbreviate "Link" to just "L", # as pre-2017c zic erroneously diagnoses "Li" as ambiguous. @@ -148,7 +148,7 @@ BEGIN { print "# This zic input file is in the public domain." } -/^[\f\r\t\v ]*[^#\f\r\t\v ]/ { +/^[\t ]*[^#\t ]/ { process_input_line($0) } diff --git a/contrib/tzdata/zone.tab b/contrib/tzdata/zone.tab index e1bfdee..f92c919 100644 --- a/contrib/tzdata/zone.tab +++ b/contrib/tzdata/zone.tab @@ -429,7 +429,7 @@ US +593249-1394338 America/Yakutat Alaska - Yakutat US +643004-1652423 America/Nome Alaska (west) US +515248-1763929 America/Adak Aleutian Islands US +211825-1575130 Pacific/Honolulu Hawaii -UY -3453-05611 America/Montevideo +UY -345433-0561245 America/Montevideo UZ +3940+06648 Asia/Samarkand Uzbekistan (west) UZ +4120+06918 Asia/Tashkent Uzbekistan (east) VA +415408+0122711 Europe/Vatican diff --git a/contrib/tzdata/zone1970.tab b/contrib/tzdata/zone1970.tab index 7c4793a..64273f6 100644 --- a/contrib/tzdata/zone1970.tab +++ b/contrib/tzdata/zone1970.tab @@ -13,7 +13,7 @@ # See the file '/usr/share/misc/iso3166'. # 2. Latitude and longitude of the zone's principal location # in ISO 6709 sign-degrees-minutes-seconds format, -# either +-DDMM+-DDDMM or +-DDMMSS+-DDDMMSS, +# either ±DDMM±DDDMM or ±DDMMSS±DDDMMSS, # first latitude (+ is north), then longitude (+ is east). # 3. Zone name used in value of TZ environment variable. # Please see the theory.html file for how zone names are chosen. 
@@ -372,7 +372,7 @@ US +593249-1394338 America/Yakutat Alaska - Yakutat US +643004-1652423 America/Nome Alaska (west) US +515248-1763929 America/Adak Aleutian Islands US,UM +211825-1575130 Pacific/Honolulu Hawaii -UY -3453-05611 America/Montevideo +UY -345433-0561245 America/Montevideo UZ +3940+06648 Asia/Samarkand Uzbekistan (west) UZ +4120+06918 Asia/Tashkent Uzbekistan (east) VE +1030-06656 America/Caracas -- cgit v1.1 From c0eaeb9c07bf0a6724d7ebb3ed64b4e3dfcd4d16 Mon Sep 17 00:00:00 2001 From: gordon Date: Wed, 4 Apr 2018 05:43:03 +0000 Subject: Fix multiple small kernel memory disclosures. [EN-18:04.mem] Reported by: Ilja van Sprundel Approved by: so Security: CVE-2018-6919 Security: FreeBSD-EN-18:04.mem --- sys/compat/svr4/svr4_misc.c | 1 + sys/dev/drm/drm_bufs.c | 1 + sys/dev/drm/drm_irq.c | 2 +- sys/dev/hpt27xx/hpt27xx_osm_bsd.c | 4 ++-- sys/dev/hptnr/hptnr_osm_bsd.c | 4 ++-- sys/dev/hptrr/hptrr_osm_bsd.c | 4 ++-- sys/i386/ibcs2/ibcs2_misc.c | 1 + 7 files changed, 10 insertions(+), 7 deletions(-) diff --git a/sys/compat/svr4/svr4_misc.c b/sys/compat/svr4/svr4_misc.c index 46be42c..de04b97 100644 --- a/sys/compat/svr4/svr4_misc.c +++ b/sys/compat/svr4/svr4_misc.c @@ -259,6 +259,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp); diff --git a/sys/dev/drm/drm_bufs.c b/sys/dev/drm/drm_bufs.c index 1ee0ffa..26b70b9 100644 --- a/sys/dev/drm/drm_bufs.c +++ b/sys/dev/drm/drm_bufs.c @@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, struct drm_file *file_priv) if (dma->bufs[i].buf_count) { struct drm_buf_desc from; + memset(&from, 0, sizeof(from)); from.count = dma->bufs[i].buf_count; from.size = dma->bufs[i].buf_size; from.low_mark = dma->bufs[i].freelist.low_mark; 
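Review bot: The added `memset(&svr4_dirent, 0, sizeof(svr4_dirent));` sits between the declarations and the `DPRINTF` with nothing recording why it is there, so a later cleanup could drop it as redundant with the field assignments. A one-line comment such as `/* Zero padding and the unused tail of the name buffer: this struct is copied out to userland. */` would keep the reason next to the call; the copy-out itself is outside the hunk, so the wording should be checked against it. The struct is also cleared only once per call, so if it is refilled for every directory entry, moving the memset next to the per-entry fill would make the invariant local instead of relying on the earlier contents being harmless. The same comment applies to `memset(&idb, 0, sizeof(idb));` in ibcs2_getdents (sys/i386/ibcs2/ibcs2_misc.c).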
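Review bot: The `memset(&from, 0, sizeof(from));` ahead of the field assignments should carry a comment saying it must stay a memset, because an initializer such as `= {0}` is not required to clear padding bytes and `from` is presumably handed back to the caller after this hunk. Suggested wording: `/* memset, not an initializer: padding must be zero before copy-out. */`. Only `count`, `size` and `low_mark` are assigned in the visible lines, so any member that stays unassigned relies on this call as well. The enclosing loop body continues past the end of the hunk.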
diff --git a/sys/dev/drm/drm_irq.c b/sys/dev/drm/drm_irq.c index 5965699..afe2963 100644 --- a/sys/dev/drm/drm_irq.c +++ b/sys/dev/drm/drm_irq.c @@ -351,7 +351,7 @@ int drm_modeset_ctl(struct drm_device *dev, void *data, goto out; crtc = modeset->crtc; - if (crtc >= dev->num_crtcs) { + if (crtc < 0 || crtc >= dev->num_crtcs) { ret = EINVAL; goto out; } diff --git a/sys/dev/hpt27xx/hpt27xx_osm_bsd.c b/sys/dev/hpt27xx/hpt27xx_osm_bsd.c index 6df9aca..e44231b 100644 --- a/sys/dev/hpt27xx/hpt27xx_osm_bsd.c +++ b/sys/dev/hpt27xx/hpt27xx_osm_bsd.c @@ -1402,7 +1402,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1432,7 +1432,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } diff --git a/sys/dev/hptnr/hptnr_osm_bsd.c b/sys/dev/hptnr/hptnr_osm_bsd.c index 338770c..9bd5b95 100644 --- a/sys/dev/hptnr/hptnr_osm_bsd.c +++ b/sys/dev/hptnr/hptnr_osm_bsd.c @@ -1584,7 +1584,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1614,7 +1614,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } 
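Review bot: The new `crtc < 0` test in `if (crtc < 0 || crtc >= dev->num_crtcs)` only has an effect if `crtc` is a signed local, and both its declaration and the type of `modeset->crtc` are outside the hunk. If the ioctl field is unsigned, the negative value arises from the implicit conversion at `crtc = modeset->crtc;`, which a reader has to know to see why the extra comparison is needed. A comment such as `/* crtc comes from the ioctl argument; reject values that convert to a negative index */` would document that, or the local could be made unsigned so the single upper-bound comparison covers both cases.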
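Review bot: `malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO)` now zeroes the output buffer, but the size appears to come from the caller's ioctl parameters and no upper bound is visible in this hunk. If none is enforced earlier in hpt_ioctl (outside the hunk), a sleeping allocation of caller-chosen size is a resource-exhaustion risk, and a cap on `nOutBufferSize` before the allocation would close it. Separately, the `if (!ioctl_args.lpOutBuffer) goto invalid;` that follows cannot trigger with `M_WAITOK`, so it should either be dropped or the flag changed to `M_NOWAIT` if failure is meant to be reported. The identical hunks in hptnr_osm_bsd.c and hptrr_osm_bsd.c raise the same two points.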
diff --git a/sys/dev/hptrr/hptrr_osm_bsd.c b/sys/dev/hptrr/hptrr_osm_bsd.c index d2c58d4..b87613b 100644 --- a/sys/dev/hptrr/hptrr_osm_bsd.c +++ b/sys/dev/hptrr/hptrr_osm_bsd.c @@ -1231,7 +1231,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1261,7 +1261,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } diff --git a/sys/i386/ibcs2/ibcs2_misc.c b/sys/i386/ibcs2/ibcs2_misc.c index ccf5190..b23a757 100644 --- a/sys/i386/ibcs2/ibcs2_misc.c +++ b/sys/i386/ibcs2/ibcs2_misc.c @@ -342,6 +342,7 @@ ibcs2_getdents(td, uap) #define BSD_DIRENT(cp) ((struct dirent *)(cp)) #define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short)) + memset(&idb, 0, sizeof(idb)); error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp); if (error != 0) return (error); -- cgit v1.1