File 5e1dcedd-Arm-place-speculation-barrier-after-ERET.patch of Package xen.14764
# Commit c7de94fd6ec5aba53ce5b8fd6ceb6031c53bb28d # Date 2020-01-14 14:23:25 +0000 # Author Julien Grall <julien@xen.org> # Committer Julien Grall <julien@xen.org> xen/arm: Place a speculation barrier sequence following an eret instruction Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by lower privilege level at the point of an ERET, this could potentially be used as part of a side-channel attack. Newer CPUs may implement a new SB barrier instruction which acts as an architected speculation barrier. For current CPUs, the sequence DSB; ISB is known to prevent speculation. The latter sequence is heavier than SB but it would never be executed (this is speculation after all!). Introduce a new macro 'sb' that could be used when a speculation barrier is required. For now it is using dsb; isb but this could easily be updated to cater SB in the future. This is XSA-312. Signed-off-by: Julien Grall <julien@xen.org> --- a/xen/arch/arm/arm32/entry.S +++ b/xen/arch/arm/arm32/entry.S @@ -426,6 +426,7 @@ return_to_hypervisor: add sp, #(UREGS_SP_usr - UREGS_sp); /* SP, LR, SPSR, PC */ clrex eret + sb /* * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next) --- a/xen/arch/arm/arm64/entry.S +++ b/xen/arch/arm/arm64/entry.S @@ -359,6 +359,7 @@ guest_sync: */ mov x1, xzr eret + sb check_wa2: /* ARM_SMCCC_ARCH_WORKAROUND_2 handling */ @@ -398,6 +399,7 @@ wa2_end: #endif /* !CONFIG_ARM_SSBD */ mov x0, xzr eret + sb guest_sync_slowpath: /* * x0/x1 may have been scratch by the fast path above, so avoid @@ -462,6 +464,7 @@ return_from_trap: ldr lr, [sp], #(UREGS_SPSR_el1 - UREGS_LR) /* CPSR, PC, SP, LR */ eret + sb /* * Consume pending SError generated by the guest if any. --- a/xen/include/asm-arm/macros.h +++ b/xen/include/asm-arm/macros.h 
@@ -20,4 +20,13 @@ .endr .endm + /* + * Speculative barrier + * XXX: Add support for the 'sb' instruction + */ + .macro sb + dsb nsh + isb + .endm + #endif /* __ASM_ARM_MACROS_H */
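Review bot: In the arm32 and arm64 entry.S hunks, `sb` is added by hand after each `eret` at four sites (under the `return_to_hypervisor`, `guest_sync`, `wa2_end` and `return_from_trap` hunk headers), so nothing in the source stops a later `eret` from being added without the barrier. Consider a single wrapper macro that emits `eret` followed by `sb` and using it at every exception-return site; a bare `eret` then becomes something a grep or a build check can flag. It would also help to state in the commit message that these four sites are every `eret` in the two files, since the hunks alone do not show that.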
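Review bot: In the macros.h hunk, the comment above `.macro sb` says only "Speculative barrier" and leaves out the reasoning the commit message gives: that `dsb nsh` followed by `isb` is the sequence known to stop speculation on current CPUs, and that the macro is meant to sit directly after `eret`, where it is never architecturally executed. Please move that into the comment, including why the non-shareable `nsh` domain is sufficient, because the commit message says only "DSB; ISB". The macro also takes the same name as the SB instruction the XXX line refers to, so the comment should say how the body will be switched to the real instruction once it is supported.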