lockalt

In 2023, I was experimenting with repurposing an old Lex Systems CV860A thin client. The 800 MHz VIA Samuel 2 processor contained within this device featured the infamous VIA Alternate Instruction Set, which although intrinsically interesting to toy with on its own, is widely documented to provide a trivial privilege escalation from userspace, for example.

Of course, there exists a model-specific register (1107h) to disable this possibility, as is usually done at boot time by the system firmware, however on this device no such protection was afforded. I decided to write a NetBSD kernel module that would toggle the necessary bit for me instead.

The code, originally intended for NetBSD 10.1, and a corresponding BSD Makefile, is provided here. Below, a formatted version of the original README is provided verbatim.

This is the source code for a NetBSD kernel module that disables or enables the Alternate Instruction Set feature in VIA C3/Samuel 2 processors.

The AIS is disabled on module load, and re-enabled on module unload. This module exists because some BIOS programs provided with C3-capable motherboards do not implement this functionality themselves, and either leave the AIS enabled by default, or forcibly enable it themselves.

The general idea is that this module should disable the AIS at regular runtime in order to prevent severe privilege escalation capabilities in user-mode processes, as the AIS does not respect any kind of protection level and can be initiated at any level too.

To build the module, you need the syssrc (kernel sources) set located in the /usr/src directory, see here for more information.

Then, simply run "make" and "make install" as usual. (Make sure the latter command is executed as root)

To load and unload the module manually (after installation):

modload lockalt
modunload lockalt

To load it automatically at boot:

echo "modules=YES" >> /etc/rc.conf
echo "lockalt" >> /etc/modules.conf