diff options
author | Bin Lu <bin.lu@arm.com> | 2020-09-10 02:47:10 -0400 |
---|---|---|
committer | Bin Lu <bin.lu@arm.com> | 2020-09-10 02:47:13 -0400 |
commit | 6d688347791526e2a1101333ccc7a410735cf31a (patch) | |
tree | e93a14b20c356a3044bf06eb6b66cfed4a1ecf2d /pkg/sentry | |
parent | 1ab097b08fc16d67b90f094a4316883c289ef77f (diff) |
arm64:place an SB sequence following an ERET instruction
Some CPUs(eg: ampere-emag) can speculate past an ERET instruction and potentially perform
speculative accesses to memory before processing the exception return.
Since the register state is often controlled by a lower privilege level
at the point of an ERET, this could potentially be used as part of a
side-channel attack.
Signed-off-by: Bin Lu <bin.lu@arm.com>
Diffstat (limited to 'pkg/sentry')
-rw-r--r-- | pkg/sentry/platform/ring0/entry_arm64.s | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/pkg/sentry/platform/ring0/entry_arm64.s b/pkg/sentry/platform/ring0/entry_arm64.s index 9d29b7168..1e477cc49 100644 --- a/pkg/sentry/platform/ring0/entry_arm64.s +++ b/pkg/sentry/platform/ring0/entry_arm64.s @@ -27,7 +27,9 @@ // ERET returns using the ELR and SPSR for the current exception level. #define ERET() \ - WORD $0xd69f03e0 + WORD $0xd69f03e0; \ + DSB $7; \ + ISB $15; // RSV_REG is a register that holds el1 information temporarily. #define RSV_REG R18_PLATFORM |