[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.11] xen/arm: Place a speculation barrier sequence following an eret instruction

commit ddffc4d8a072f146320f4ca58c768c4b563ab571
Author:     Julien Grall <julien@xxxxxxx>
AuthorDate: Thu Dec 19 08:12:21 2019 +0000
Commit:     Julien Grall <julien@xxxxxxx>
CommitDate: Tue Jan 14 14:26:14 2020 +0000

    xen/arm: Place a speculation barrier sequence following an eret instruction
    
    Some CPUs can speculate past an ERET instruction and potentially perform
    speculative accesses to memory before processing the exception return.
    Since the register state is often controlled by lower privilege level
    at the point of an ERET, this could potentially be used as part of a
    side-channel attack.
    
    Newer CPUs may implement a new SB barrier instruction which acts
    as an architected speculation barrier. For current CPUs, the sequence
    DSB; ISB is known to prevent speculation.
    
    The latter sequence is heavier than SB but it would never be executed
    (this is speculation after all!).
    
    Introduce a new macro 'sb' that could be used when a speculation barrier
    is required. For now it is using dsb; isb but this could easily be
    updated to cater SB in the future.
    
    This is XSA-312.
    
    Signed-off-by: Julien Grall <julien@xxxxxxx>
---
 xen/arch/arm/arm32/entry.S   | 2 ++
 xen/arch/arm/arm64/entry.S   | 3 +++
 xen/include/asm-arm/macros.h | 9 +++++++++
 3 files changed, 14 insertions(+)

diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
index 16d9f93653..464c8b8645 100644
--- a/xen/arch/arm/arm32/entry.S
+++ b/xen/arch/arm/arm32/entry.S
@@ -1,4 +1,5 @@
 #include <asm/asm_defns.h>
+#include <asm/macros.h>
 #include <asm/regs.h>
 #include <asm/alternative.h>
 #include <public/xen.h>
@@ -379,6 +380,7 @@ return_to_hypervisor:
         add sp, #(UREGS_SP_usr - UREGS_sp); /* SP, LR, SPSR, PC */
         clrex
         eret
+        sb
 
 /*
  * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next)
diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S
index 12df95e901..a42c51e489 100644
--- a/xen/arch/arm/arm64/entry.S
+++ b/xen/arch/arm/arm64/entry.S
@@ -2,6 +2,7 @@
 #include <asm/regs.h>
 #include <asm/alternative.h>
 #include <asm/smccc.h>
+#include <asm/macros.h>
 #include <public/xen.h>
 
 /*
@@ -288,6 +289,7 @@ guest_sync:
          */
         mov     x1, xzr
         eret
+        sb
 
 1:
         /*
@@ -413,6 +415,7 @@ return_from_trap:
         ldr     lr, [sp], #(UREGS_SPSR_el1 - UREGS_LR) /* CPSR, PC, SP, LR */
 
         eret
+        sb
 
 /*
  * This function is used to check pending virtual SError in the gap of
diff --git a/xen/include/asm-arm/macros.h b/xen/include/asm-arm/macros.h
index 5d837cb38b..539f613ee5 100644
--- a/xen/include/asm-arm/macros.h
+++ b/xen/include/asm-arm/macros.h
@@ -13,4 +13,13 @@
 # error "unknown ARM variant"
 #endif
 
+    /*
+     * Speculative barrier
+     * XXX: Add support for the 'sb' instruction
+     */
+    .macro sb
+    dsb nsh
+    isb
+    .endm
+
 #endif /* __ASM_ARM_MACROS_H */
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.11

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.