authorjim-p <jimp@netgate.com>2019-05-22 16:19:54 -0400
committerjim-p <jimp@netgate.com>2019-05-22 16:20:44 -0400
commit00680d36ef089c0544a057c851074d76bc81bb85 (patch)
treeac6da850f34442fd915635977cf81cb0655717f5
parentac0bb6bc8e65fcc600c69684d928eb0d05d61b0e (diff)
Add GUI components for MDS mitigation. Implements #9532
While here, add option to disable PTI display in sysinfo widget. Implements #9323 (cherry picked from commit 42c48efe1c326273079ac38176098a1993f8ae88)
-rwxr-xr-xsrc/etc/rc.bootup5
-rw-r--r--src/usr/local/www/system_advanced_misc.php36
-rw-r--r--src/usr/local/www/widgets/widgets/system_information.widget.php17
3 files changed, 56 insertions, 2 deletions
diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup
index 925b469..99354de 100755
--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@@ -197,6 +197,11 @@ echo "Setting up interfaces microcode...";
setup_microcode();
echo "done.\n";
+if (isset($config['system']['mds_disable']) &&
+ (strlen($config['system']['mds_disable']) > 0)) {
+ set_single_sysctl("hw.mds_disable" , (int)$config['system']['mds_disable']);
+}
+
/* remove leftover dhcp6c lock files if they exist */
foreach ($config['interfaces'] as $interface) {
if ($interface['ipaddrv6'] == "dhcp6") {
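Review bot: The boot-time application of `hw.mds_disable` ignores the outcome of `set_single_sysctl()`, so a kernel that lacks the OID (or rejects the value) leaves the configured mitigation unapplied with nothing in the logs, which is the wrong failure mode for a security control. If `set_single_sysctl()` reports success or failure (I cannot see its contract from here), log the failure, e.g. `if (!set_single_sysctl("hw.mds_disable", (int)$config['system']['mds_disable'])) { log_error("Failed to apply MDS mitigation mode"); }`; otherwise read back `hw.mds_disable_state` after the write and log a mismatch. Placing the write after `setup_microcode()` is the right order, since the VERW mode depends on updated microcode, and a short comment saying so would help the next reader: `/* must run after microcode load: VERW mitigation requires updated microcode */`.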
diff --git a/src/usr/local/www/system_advanced_misc.php b/src/usr/local/www/system_advanced_misc.php
index 918473e..6eb142e 100644
--- a/src/usr/local/www/system_advanced_misc.php
+++ b/src/usr/local/www/system_advanced_misc.php
@@ -44,6 +44,13 @@ $powerd_modes = array(
'min' => gettext('Minimum'),
'max' => gettext('Maximum'),
);
+$mds_modes = array(
+ '' => gettext('Default'),
+ 0 => gettext('Mitigation disabled'),
+ 1 => gettext('VERW instruction (microcode) mitigation enabled'),
+ 2 => gettext('Software sequence mitigation enabled (not recommended)'),
+ 3 => gettext('Automatic VERW or Software selection'),
+);
$pconfig['proxyurl'] = $config['system']['proxyurl'];
$pconfig['proxyport'] = $config['system']['proxyport'];
@@ -56,6 +63,7 @@ $pconfig['powerd_enable'] = isset($config['system']['powerd_enable']);
$pconfig['crypto_hardware'] = $config['system']['crypto_hardware'];
$pconfig['thermal_hardware'] = $config['system']['thermal_hardware'];
$pconfig['pti_disabled'] = isset($config['system']['pti_disabled']);
+$pconfig['mds_disable'] = $config['system']['mds_disable'];
$pconfig['schedule_states'] = isset($config['system']['schedule_states']);
$pconfig['gw_down_kill_states'] = isset($config['system']['gw_down_kill_states']);
$pconfig['skip_rules_gw_down'] = isset($config['system']['skip_rules_gw_down']);
@@ -140,6 +148,9 @@ if ($_POST) {
if (!in_array($_POST['powerd_normal_mode'], array_keys($powerd_modes))) {
$input_errors[] = gettext("Invalid Unknown Power mode.");
}
+ if (!in_array($_POST['mds_disable'], array_keys($mds_modes))) {
+ $input_errors[] = gettext("Invalid MDS Mode.");
+ }
if (!$input_errors) {
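Review bot: The new `in_array($_POST['mds_disable'], array_keys($mds_modes))` check can be bypassed on a PHP 7 runtime (which a 2019 pfSense tree presumably runs): the key list contains the integer 0, and a non-numeric string compares loosely equal to 0 there, so an arbitrary string such as `"abc"` passes validation, is stored verbatim in the config by the later hunk, and is then cast to `(int)` 0 when applied — silently selecting "Mitigation disabled". A key lookup rejects that while still accepting the numeric strings the form submits: `if (isset($_POST['mds_disable']) && !array_key_exists($_POST['mds_disable'], $mds_modes)) {`. The pre-existing powerd check just above has the same weakness, but that is outside this change. This code sits inside the `if ($_POST)` block, which begins and ends outside the hunk.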
@@ -233,6 +244,11 @@ if ($_POST) {
} else {
unset($config['system']['pti_disabled']);
}
+ if (isset($_POST['mds_disable']) && (strlen($_POST['mds_disable']) > 0)) {
+ $config['system']['mds_disable'] = $_POST['mds_disable'];
+ } else {
+ unset($config['system']['mds_disable']);
+ }
if ($_POST['schedule_states'] == "yes") {
$config['system']['schedule_states'] = true;
@@ -310,6 +326,10 @@ if ($_POST) {
if ($old_pti_state != isset($config['system']['pti_disabled'])) {
setup_loader_settings();
}
+ if (isset($config['system']['mds_disable']) &&
+ (strlen($config['system']['mds_disable']) > 0)) {
+ set_single_sysctl("hw.mds_disable" , (int)$config['system']['mds_disable']);
+ }
activate_powerd();
load_crypto();
load_thermal_hardware();
@@ -476,6 +496,7 @@ $section->addInput(new Form_Select(
'"none" and then reboot.');
$form->add($section);
+
$pti = get_single_sysctl('vm.pmap.pti');
if (strlen($pti) > 0) {
$section = new Form_Section('Kernel Page Table Isolation');
@@ -490,6 +511,21 @@ if (strlen($pti) > 0) {
'Current PTI status: %2$s', "<br/>", ($pti == "1") ? "Enabled" : "Disabled");
$form->add($section);
}
+
+$mds = get_single_sysctl('hw.mds_disable_state');
+if (strlen($mds) > 0) {
+ $section = new Form_Section('Microarchitectural Data Sampling Mitigation');
+ $section->addInput(new Form_Select(
+ 'mds_disable',
+ 'MDS Mode',
+ $pconfig['mds_disable'],
+ $mds_modes
+ ))->setHelp('Microarchitectural Data Sampling mitigation. If disabled the kernel memory can be accessed by unprivileged users on affected CPUs. ' .
+ 'This option controls which method of MDS mitigation is used, if any. %1$s%1$s' .
+ 'Current MDS status: %2$s', "<br/>", ucwords(htmlspecialchars($mds)));
+ $form->add($section);
+}
+
$section = new Form_Section('Schedules');
$section->addInput(new Form_Checkbox(
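Review bot: The help text "If disabled the kernel memory can be accessed by unprivileged users on affected CPUs" misdescribes MDS: the issue is that an unprivileged local process (or a sibling hyperthread, including another VM) can sample stale data left in microarchitectural buffers, which may include kernel or other-process data, rather than read kernel memory directly. I would reword it to `'Microarchitectural Data Sampling (MDS) mitigation. If disabled, unprivileged local code on affected CPUs may be able to infer data belonging to the kernel or other processes from leftover CPU buffer contents. '` and note that the setting takes effect immediately and at boot. Given mode 2 is labelled "not recommended", mode 0 deserves an equally explicit label such as `'Mitigation disabled (not recommended)'` so the dangerous choice is not the plainest-looking entry in the dropdown.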
diff --git a/src/usr/local/www/widgets/widgets/system_information.widget.php b/src/usr/local/www/widgets/widgets/system_information.widget.php
index dbde517..46cc9ba 100644
--- a/src/usr/local/www/widgets/widgets/system_information.widget.php
+++ b/src/usr/local/www/widgets/widgets/system_information.widget.php
@@ -38,6 +38,8 @@ $sysinfo_items = array(
'version' => gettext('Version'),
'cpu_type' => gettext('CPU Type'),
'hwcrypto' => gettext('Hardware Crypto'),
+ 'pti' => gettext('Kernel PTI'),
+ 'mds' => gettext('MDS Mitigation'),
'uptime' => gettext('Uptime'),
'current_datetime' => gettext('Current Date/Time'),
'dns_servers' => gettext('DNS Server(s)'),
@@ -279,14 +281,25 @@ $temp_use_f = (isset($user_settings['widgets']['thermal_sensors-0']) && !empty($
<?php
endif;
$pti = get_single_sysctl('vm.pmap.pti');
- if (strlen($pti) > 0) {
+ if ((strlen($pti) > 0) && !in_array('pti', $skipsysinfoitems)):
+ $rows_displayed = true;
?>
<tr>
<th><?=gettext("Kernel PTI");?></th>
<td><?=($pti == 0) ? gettext("Disabled") : gettext("Enabled");?></td>
</tr>
<?php
- }
+ endif;
+ $mds = get_single_sysctl('hw.mds_disable_state');
+ if ((strlen($mds) > 0) && !in_array('mds', $skipsysinfoitems)):
+ $rows_displayed = true;
+?>
+ <tr>
+ <th><?=gettext("MDS Mitigation");?></th>
+ <td><?=ucwords(htmlspecialchars($mds));?></td>
+ </tr>
+<?php
+ endif;
if (!in_array('uptime', $skipsysinfoitems)):
$rows_displayed = true;
?>