On 19.08.20 11:03, peng....@nxp.com wrote: > From: Peng Fan <peng....@nxp.com> > > From Linux Kernel > commit 679db70801da ("arm64: entry: Place an SB sequence following an ERET > instruction") > " > Some CPUs can speculate past an ERET instruction and potentially perform > speculative accesses to memory before processing the exception return. > Since the register state is often controlled by a lower privilege level > at the point of an ERET, this could potentially be used as part of a > side-channel attack. > " > > Use Speculation barrier sequences: > - SB > - DSB followed by ISB > > Since we not have ARMv8.5 with SB extension hardware, so only > use the 2nd approach now. > > Signed-off-by: Peng Fan <peng....@nxp.com> > --- > > Take from OP-TEE commit: abfd092aa19f9c025 > " > It was fixed by Linux [1], FreeBSD [2] and OpenBSD [3]. The misbehavior > is demonstrated in [4] and [5]. > > Link: [1] torvalds/linux@679db70 > Link: [2] freebsd/freebsd@29fb48a > Link: [3] openbsd/src@3a08873 > Link: [4] > https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc > Link: [5] > https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c > " > > hypervisor/arch/arm64/entry.S | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/hypervisor/arch/arm64/entry.S b/hypervisor/arch/arm64/entry.S > index 27e148c6..1b6fa696 100644 > --- a/hypervisor/arch/arm64/entry.S > +++ b/hypervisor/arch/arm64/entry.S > @@ -378,6 +378,14 @@ el1_trap: > ldr x4, [sp, #(2 * 16 + 1 * 8)] > add sp, sp, #(16 * 16) > eret > + /* > + * Mitigate Straight-line Speculation. > + * Guard against Speculating past an ERET instruction and > + * potentially perform speculative accesses to memory before > + * processing the exception return > + */ > + dsb nsh > + isb > .endm > > /* 
> @@ -522,4 +530,12 @@ __vmreturn: > ldr x0, [sp, #(1 * 8)] > add sp, sp, #(16 * 16) > eret > + /* > + * Mitigate Straight-line Speculation. > + * Guard against Speculating past an ERET instruction and > + * potentially perform speculative accesses to memory before > + * processing the exception return > + */ > + dsb nsh > + isb > .popsection >
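Review bot: In the el1_trap hunk (@@ -378,6 +378,14), the new comment does not say that the `dsb nsh` / `isb` pair placed after `eret` is never reached architecturally and exists only to stop speculation past the `eret`, so a later reader of entry.S could take it for dead code and drop it. Suggest stating that explicitly in the comment, and fixing its grammar while there ("Guard against speculating past an ERET instruction and potentially performing speculative accesses to memory ...").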
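Review bot: The __vmreturn hunk (@@ -522,4 +530,12) repeats the same eight added lines (comment plus `dsb nsh` / `isb`) that the el1_trap hunk already places after its `eret`. Consider putting the barrier sequence and its comment into one small assembler macro used at both `eret` sites, so that a later switch to the SB instruction named in the commit message is a one-place change and the two sites cannot drift apart.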
Thanks for taking care! Applied to next.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux