From 9f807cf84a9a7a011cf1df7895c54d6031a7596d Mon Sep 17 00:00:00 2001 From: Julien Grall Date: Thu, 19 Dec 2019 08:12:21 +0000 Subject: [PATCH] xen/arm: Place a speculation barrier sequence following an eret instruction Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by lower privilege level at the point of an ERET, this could potentially be used as part of a side-channel attack. Newer CPUs may implement a new SB barrier instruction which acts as an architected speculation barrier. For current CPUs, the sequence DSB; ISB is known to prevent speculation. The latter sequence is heavier than SB but it would never be executed (this is speculation after all!). Introduce a new macro 'sb' that could be used when a speculation barrier is required. For now it is using dsb; isb but this could easily be updated to cater SB in the future. This is XSA-312. Signed-off-by: Julien Grall --- xen/arch/arm/arm32/entry.S | 1 + xen/arch/arm/arm64/entry.S | 3 +++ xen/include/asm-arm/macros.h | 9 +++++++++ 3 files changed, 13 insertions(+) diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S index 31ccfb2631..b228d44b19 100644 --- a/xen/arch/arm/arm32/entry.S +++ b/xen/arch/arm/arm32/entry.S @@ -426,6 +426,7 @@ return_to_hypervisor: add sp, #(UREGS_SP_usr - UREGS_sp); /* SP, LR, SPSR, PC */ clrex eret + sb /* * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next) diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S index d35855af96..175ea2981e 100644 --- a/xen/arch/arm/arm64/entry.S +++ b/xen/arch/arm/arm64/entry.S @@ -354,6 +354,7 @@ guest_sync: */ mov x1, xzr eret + sb check_wa2: /* ARM_SMCCC_ARCH_WORKAROUND_2 handling */ @@ -393,6 +394,7 @@ wa2_end: #endif /* !CONFIG_ARM_SSBD */ mov x0, xzr eret + sb guest_sync_slowpath: /* * x0/x1 may have been scratch by the fast path above, so avoid @@ -457,6 +459,7 @@ return_from_trap: ldr lr, [sp], #(UREGS_SPSR_el1 - UREGS_LR) /* CPSR, PC, SP, LR */ eret + sb /* * Consume pending SError generated by the guest if any. diff --git a/xen/include/asm-arm/macros.h b/xen/include/asm-arm/macros.h index 91ea3505e4..4833671f4c 100644 --- a/xen/include/asm-arm/macros.h +++ b/xen/include/asm-arm/macros.h @@ -20,4 +20,13 @@ .endr .endm + /* + * Speculative barrier + * XXX: Add support for the 'sb' instruction + */ + .macro sb + dsb nsh + isb + .endm + #endif /* __ASM_ARM_MACROS_H */ -- 2.17.1