From: Peng Fan <[email protected]>

From Linux Kernel commit 679db70801da ("arm64: entry: Place an SB sequence following an ERET instruction")
"
Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by a lower privilege level at the point of an ERET, this could potentially be used as part of a side-channel attack.
"
Use Speculation barrier sequences:
- SB
- DSB followed by ISB

Since we do not have ARMv8.5 hardware with the SB extension, only use the 2nd approach for now.

Signed-off-by: Peng Fan <[email protected]>
---
Taken from OP-TEE commit: abfd092aa19f9c025
"
It was fixed by Linux [1], FreeBSD [2] and OpenBSD [3]. The misbehavior is demonstrated in [4] and [5].

Link: [1] torvalds/linux@679db70
Link: [2] freebsd/freebsd@29fb48a
Link: [3] openbsd/src@3a08873
Link: [4] https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc
Link: [5] https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c
"

hypervisor/arch/arm64/entry.S | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hypervisor/arch/arm64/entry.S b/hypervisor/arch/arm64/entry.S index 27e148c6..1b6fa696 100644 --- a/hypervisor/arch/arm64/entry.S +++ b/hypervisor/arch/arm64/entry.S @@ -378,6 +378,14 @@ el1_trap: ldr x4, [sp, #(2 * 16 + 1 * 8)] add sp, sp, #(16 * 16) eret + /* + * Mitigate Straight-line Speculation. + * Guard against Speculating past an ERET instruction and + * potentially perform speculative accesses to memory before + * processing the exception return + */ + dsb nsh + isb .endm /* @@ -522,4 +530,12 @@ __vmreturn: ldr x0, [sp, #(1 * 8)] add sp, sp, #(16 * 16) eret + /* + * Mitigate Straight-line Speculation. + * Guard against Speculating past an ERET instruction and + * potentially perform speculative accesses to memory before + * processing the exception return + */ + dsb nsh + isb .popsection -- 2.16.4
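Review bot: In the first hunk (the `eret` ahead of `.endm`), the new comment does not say that `dsb nsh` followed by `isb` is the fallback for the SB instruction. Only the commit message explains that SB was left out because no ARMv8.5 hardware with the SB extension is available. Please add a line to the comment saying so, so that a reader of entry.S knows the pair can be replaced by a single SB once such hardware is supported. While editing the comment, "Speculating" should be lower case and "potentially perform" should read "potentially performing" to match "speculating".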
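Review bot: In the second hunk (after the `eret` in `__vmreturn`), the eight added lines are a verbatim copy of the block added in the first hunk. Consider defining one assembler macro that emits `eret` followed by `dsb nsh` and `isb`, with the comment kept once at the macro definition, and using it at both sites. That keeps the two return paths in sync and gives any future exception-return path a single name to use instead of a bare `eret`. The diffstat touches only entry.S, so it is also worth confirming that no other `eret` exists elsewhere in the arm64 hypervisor code without the barrier.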
