From: Will Deacon will.deacon@arm.com
commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 upstream
Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by a lower privilege level at the point of an ERET, this could potentially be used as part of a side-channel attack.
This patch emits an SB sequence after each ERET so that speculation is held up on exception return.
Signed-off-by: Will Deacon will.deacon@arm.com [florian: Adjust hyp-entry.S to account for the label] Signed-off-by: Florian Fainelli f.fainelli@gmail.com --- Will,
Can you confirm that for 4.9 these are the only places that require patching? Thank you!
arch/arm64/kernel/entry.S | 2 ++ arch/arm64/kvm/hyp/entry.S | 1 + arch/arm64/kvm/hyp/hyp-entry.S | 4 ++++ 3 files changed, 7 insertions(+)
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index ca978d7d98eb..3408c782702c 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -255,6 +255,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0 .else eret .endif + sb .endm
.macro get_thread_info, rd @@ -945,6 +946,7 @@ __ni_sys_trace: mrs x30, far_el1 .endif eret + sb .endm
.align 11 diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S index a360ac6e89e9..bc5c6cdb8538 100644 --- a/arch/arm64/kvm/hyp/entry.S +++ b/arch/arm64/kvm/hyp/entry.S @@ -83,6 +83,7 @@ ENTRY(__guest_enter)
// Do not touch any register after this! eret + sb ENDPROC(__guest_enter)
ENTRY(__guest_exit) diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S index bf4988f9dae8..3675e7f0ab72 100644 --- a/arch/arm64/kvm/hyp/hyp-entry.S +++ b/arch/arm64/kvm/hyp/hyp-entry.S @@ -97,6 +97,7 @@ el1_sync: // Guest trapped into EL2 do_el2_call
2: eret + sb
el1_hvc_guest: /* @@ -147,6 +148,7 @@ wa_epilogue: mov x0, xzr add sp, sp, #16 eret + sb
el1_trap: get_vcpu_ptr x1, x0 @@ -198,6 +200,7 @@ el2_error: b.ne __hyp_panic mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT) eret + sb
ENTRY(__hyp_do_panic) mov lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\ @@ -206,6 +209,7 @@ ENTRY(__hyp_do_panic) ldr lr, =panic msr elr_el2, lr eret + sb ENDPROC(__hyp_do_panic)
ENTRY(__hyp_panic)
On 6/11/20 9:42 PM, Florian Fainelli wrote:
From: Will Deacon will.deacon@arm.com
commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 upstream
Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by a lower privilege level at the point of an ERET, this could potentially be used as part of a side-channel attack.
This patch emits an SB sequence after each ERET so that speculation is held up on exception return.
Signed-off-by: Will Deacon will.deacon@arm.com [florian: Adjust hyp-entry.S to account for the label] Signed-off-by: Florian Fainelli f.fainelli@gmail.com
Will,
Can you confirm that for 4.9 these are the only places that require patching? Thank you!
Hi Will, Catalin,
Does this look good to you for a 4.9 backport? I would like to see this included at some point since this pertains to CVE-2020-13844.
Thanks!
On Tue, Jun 23, 2020 at 11:46:37AM -0700, Florian Fainelli wrote:
On 6/11/20 9:42 PM, Florian Fainelli wrote:
From: Will Deacon will.deacon@arm.com
commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 upstream
Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by a lower privilege level at the point of an ERET, this could potentially be used as part of a side-channel attack.
This patch emits an SB sequence after each ERET so that speculation is held up on exception return.
Signed-off-by: Will Deacon will.deacon@arm.com [florian: Adjust hyp-entry.S to account for the label] Signed-off-by: Florian Fainelli f.fainelli@gmail.com
Will,
Can you confirm that for 4.9 these are the only places that require patching? Thank you!
Hi Will, Catalin,
Does this look good to you for a 4.9 backport? I would like to see this included at some point since this pertains to CVE-2020-13844.
I think you're missing one of the ERET instructions in hyp/entry.S
Will
linux-stable-mirror@lists.linaro.org
-
Florian Fainelli -
Will Deacon