On 19.08.20 11:03, peng....@nxp.com wrote:
> From: Peng Fan <peng....@nxp.com>
> 
> From Linux Kernel
> commit 679db70801da ("arm64: entry: Place an SB sequence following an ERET 
> instruction")
> "
> Some CPUs can speculate past an ERET instruction and potentially perform
> speculative accesses to memory before processing the exception return.
> Since the register state is often controlled by a lower privilege level
> at the point of an ERET, this could potentially be used as part of a
> side-channel attack.
> "
> 
> Use Speculation barrier sequences:
>  - SB
>  - DSB followed by ISB
> 
> Since we do not have ARMv8.5 with SB extension hardware, only
> use the 2nd approach now.
> 
> Signed-off-by: Peng Fan <peng....@nxp.com>
> ---
> 
> Taken from OP-TEE commit: abfd092aa19f9c025
> "
> It was fixed by Linux [1], FreeBSD [2] and OpenBSD [3]. The misbehavior
> is demonstrated in [4] and [5].
> 
> Link: [1] torvalds/linux@679db70
> Link: [2] freebsd/freebsd@29fb48a
> Link: [3] openbsd/src@3a08873
> Link: [4] 
> https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc
> Link: [5] 
> https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c
> "
> 
>  hypervisor/arch/arm64/entry.S | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/hypervisor/arch/arm64/entry.S b/hypervisor/arch/arm64/entry.S
> index 27e148c6..1b6fa696 100644
> --- a/hypervisor/arch/arm64/entry.S
> +++ b/hypervisor/arch/arm64/entry.S
> @@ -378,6 +378,14 @@ el1_trap:
>       ldr     x4, [sp, #(2 * 16 + 1 * 8)]
>       add     sp, sp, #(16 * 16)
>       eret
> +     /*
> +      * Mitigate Straight-line Speculation.
> +      * Guard against Speculating past an ERET instruction and
> +      * potentially perform speculative accesses to memory before
> +      * processing the exception return
> +      */
> +     dsb nsh
> +     isb
>  .endm
>  
>  /*
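Review bot: the comment and the dsb nsh / isb pair added after the eret in this macro are repeated verbatim in the __vmreturn hunk; a small assembler macro holding the two barriers, with the comment written once, would keep both sites in sync and make a later switch to the SB instruction named in the commit message a one-place change. In the comment itself, "potentially perform" should read "potentially performing", "Speculating" should be lower case, and the last sentence is missing its period.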
> @@ -522,4 +530,12 @@ __vmreturn:
>       ldr         x0, [sp, #(1 * 8)]
>       add     sp, sp, #(16 * 16)
>       eret
> +     /*
> +      * Mitigate Straight-line Speculation.
> +      * Guard against Speculating past an ERET instruction and
> +      * potentially perform speculative accesses to memory before
> +      * processing the exception return
> +      */
> +     dsb nsh
> +     isb
>       .popsection
> 
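Review bot: the commit message does not say whether the eret in __vmreturn and the one in the macro above are the only exception returns in the hypervisor; the diffstat shows only entry.S with these two sites, so please add a line stating that every ERET was checked, or list the ones left out and why. The comment here could also note that the barriers sit after the eret and are never reached architecturally, so a reader does not mistake them for dead code.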

Thanks for taking care! Applied to next.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
