Skip to content
Permalink
Browse files
arm64: entry: Place an SB sequence following an ERET instruction
Some CPUs can speculate past an ERET instruction and potentially perform
speculative accesses to memory before processing the exception return.
Since the register state is often controlled by a lower privilege level
at the point of an ERET, this could potentially be used as part of a
side-channel attack.

This patch emits an SB sequence after each ERET so that speculation is
held up on exception return.

Signed-off-by: Will Deacon <will.deacon@arm.com>
  • Loading branch information
wildea01 committed Dec 6, 2018
1 parent bd4fb6d commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8
Showing with 7 additions and 0 deletions.
  1. +2 −0 arch/arm64/kernel/entry.S
  2. +1 −0 arch/arm64/kvm/hyp/entry.S
  3. +4 −0 arch/arm64/kvm/hyp/hyp-entry.S
@@ -363,6 +363,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
.else
eret
.endif
sb
.endm

.macro irq_stack_entry
@@ -1006,6 +1007,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
mrs x30, far_el1
.endif
eret
sb
.endm

.align 11
@@ -83,6 +83,7 @@ ENTRY(__guest_enter)

// Do not touch any register after this!
eret
sb
ENDPROC(__guest_enter)

ENTRY(__guest_exit)
@@ -96,6 +96,7 @@ el1_sync: // Guest trapped into EL2
do_el2_call

eret
sb

el1_hvc_guest:
/*
@@ -146,6 +147,7 @@ wa_epilogue:
mov x0, xzr
add sp, sp, #16
eret
sb

el1_trap:
get_vcpu_ptr x1, x0
@@ -199,6 +201,7 @@ el2_error:
b.ne __hyp_panic
mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT)
eret
sb

ENTRY(__hyp_do_panic)
mov lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\
@@ -207,6 +210,7 @@ ENTRY(__hyp_do_panic)
ldr lr, =panic
msr elr_el2, lr
eret
sb
ENDPROC(__hyp_do_panic)

ENTRY(__hyp_panic)

0 comments on commit 679db70

Please sign in to comment.