From e76fcb77ba82649bc6aed808af06d6d2184847d8 Mon Sep 17 00:00:00 2001
From: Oliver Pinter <oliver.pinter@hardenedbsd.org>
Date: Wed, 25 Jan 2017 20:43:59 +0100
Subject: [PATCH] HBSD: hide the Silicon Debug CPU capability from bhyve VMM

There is no place for a strongly hardware related and risky feature
in bhyve's vmm, so filter out this capability.

MFC-to: 10-STABLE 11-STABLE
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
---
 sys/amd64/vmm/x86.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sys/amd64/vmm/x86.c b/sys/amd64/vmm/x86.c
index 525e1d9b912f9..ea2ee1876df78 100644
--- a/sys/amd64/vmm/x86.c
+++ b/sys/amd64/vmm/x86.c
@@ -283,6 +283,11 @@ x86_emulate_cpuid(struct vm *vm, int vcpu_id,
 			regs[2] &= ~CPUID2_TSCDLT;
 
 			/*
+			 * Hide the Silicon Debug functionality.
+			 */
+			regs[2] &= ~(CPUID2_SDBG);
+
+			/*
 			 * Hide thermal monitoring
 			 */
 			regs[3] &= ~(CPUID_ACPI | CPUID_TM);