summaryrefslogtreecommitdiffstats
path: root/system/xen/xsa/xsa312.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/xen/xsa/xsa312.patch')
-rw-r--r--system/xen/xsa/xsa312.patch93
1 files changed, 93 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa312.patch b/system/xen/xsa/xsa312.patch
new file mode 100644
index 0000000000..ae3fa4041b
--- /dev/null
+++ b/system/xen/xsa/xsa312.patch
@@ -0,0 +1,93 @@
+From 9f807cf84a9a7a011cf1df7895c54d6031a7596d Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien@xen.org>
+Date: Thu, 19 Dec 2019 08:12:21 +0000
+Subject: [PATCH] xen/arm: Place a speculation barrier sequence following an
+ eret instruction
+
+Some CPUs can speculate past an ERET instruction and potentially perform
+speculative accesses to memory before processing the exception return.
+Since the register state is often controlled by lower privilege level
+at the point of an ERET, this could potentially be used as part of a
+side-channel attack.
+
+Newer CPUs may implement a new SB barrier instruction which acts
+as an architected speculation barrier. For current CPUs, the sequence
+DSB; ISB is known to prevent speculation.
+
+The latter sequence is heavier than SB but it would never be executed
+(this is speculation after all!).
+
+Introduce a new macro 'sb' that could be used when a speculation barrier
+is required. For now it is using dsb; isb but this could easily be
+updated to cater SB in the future.
+
+This is XSA-312.
+
+Signed-off-by: Julien Grall <julien@xen.org>
+---
+ xen/arch/arm/arm32/entry.S | 1 +
+ xen/arch/arm/arm64/entry.S | 3 +++
+ xen/include/asm-arm/macros.h | 9 +++++++++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
+index 31ccfb2631..b228d44b19 100644
+--- a/xen/arch/arm/arm32/entry.S
++++ b/xen/arch/arm/arm32/entry.S
+@@ -426,6 +426,7 @@ return_to_hypervisor:
+ add sp, #(UREGS_SP_usr - UREGS_sp); /* SP, LR, SPSR, PC */
+ clrex
+ eret
++ sb
+
+ /*
+ * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next)
+diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S
+index d35855af96..175ea2981e 100644
+--- a/xen/arch/arm/arm64/entry.S
++++ b/xen/arch/arm/arm64/entry.S
+@@ -354,6 +354,7 @@ guest_sync:
+ */
+ mov x1, xzr
+ eret
++ sb
+
+ check_wa2:
+ /* ARM_SMCCC_ARCH_WORKAROUND_2 handling */
+@@ -393,6 +394,7 @@ wa2_end:
+ #endif /* !CONFIG_ARM_SSBD */
+ mov x0, xzr
+ eret
++ sb
+ guest_sync_slowpath:
+ /*
+ * x0/x1 may have been scratch by the fast path above, so avoid
+@@ -457,6 +459,7 @@ return_from_trap:
+ ldr lr, [sp], #(UREGS_SPSR_el1 - UREGS_LR) /* CPSR, PC, SP, LR */
+
+ eret
++ sb
+
+ /*
+ * Consume pending SError generated by the guest if any.
+diff --git a/xen/include/asm-arm/macros.h b/xen/include/asm-arm/macros.h
+index 91ea3505e4..4833671f4c 100644
+--- a/xen/include/asm-arm/macros.h
++++ b/xen/include/asm-arm/macros.h
+@@ -20,4 +20,13 @@
+ .endr
+ .endm
+
++ /*
++ * Speculative barrier
++ * XXX: Add support for the 'sb' instruction
++ */
++ .macro sb
++ dsb nsh
++ isb
++ .endm
++
+ #endif /* __ASM_ARM_MACROS_H */
+--
+2.17.1
+
generated by cgit v1.2.3 (git 2.32.0) at 2024-05-01 14:51:05 +0200