arm64:place an SB sequence following an ERET instruction

Some CPUs(eg: ampere-emag) can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by a lower privilege level at the point of an ERET, this could potentially be used as part of a side-channel attack. Signed-off-by: Bin Lu <bin.lu@arm.com>
author: Bin Lu <bin.lu@arm.com> 2020-09-10 02:47:10 -0400
committer: Bin Lu <bin.lu@arm.com> 2020-09-10 02:47:13 -0400
commit: 6d688347791526e2a1101333ccc7a410735cf31a (patch)
tree: e93a14b20c356a3044bf06eb6b66cfed4a1ecf2d
parent: 1ab097b08fc16d67b90f094a4316883c289ef77f (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/pkg/sentry/platform/ring0/entry_arm64.s b/pkg/sentry/platform/ring0/entry_arm64.s
index 9d29b7168..1e477cc49 100644
--- a/pkg/sentry/platform/ring0/entry_arm64.s
+++ b/pkg/sentry/platform/ring0/entry_arm64.s
@@ -27,7 +27,9 @@
 
 // ERET returns using the ELR and SPSR for the current exception level.
 #define ERET() \
-  WORD $0xd69f03e0
+  WORD $0xd69f03e0; \
+  DSB $7; \
+  ISB $15;
 
 // RSV_REG is a register that holds el1 information temporarily.
 #define RSV_REG 	R18_PLATFORM
author	Bin Lu <bin.lu@arm.com>	2020-09-10 02:47:10 -0400
committer	Bin Lu <bin.lu@arm.com>	2020-09-10 02:47:13 -0400
commit	6d688347791526e2a1101333ccc7a410735cf31a (patch)
tree	e93a14b20c356a3044bf06eb6b66cfed4a1ecf2d
parent	1ab097b08fc16d67b90f094a4316883c289ef77f (diff)