From 6d688347791526e2a1101333ccc7a410735cf31a Mon Sep 17 00:00:00 2001 From: Bin Lu Date: Thu, 10 Sep 2020 02:47:10 -0400 Subject: arm64:place an SB sequence following an ERET instruction Some CPUs(eg: ampere-emag) can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by a lower privilege level at the point of an ERET, this could potentially be used as part of a side-channel attack. Signed-off-by: Bin Lu --- pkg/sentry/platform/ring0/entry_arm64.s | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'pkg') diff --git a/pkg/sentry/platform/ring0/entry_arm64.s b/pkg/sentry/platform/ring0/entry_arm64.s index 9d29b7168..1e477cc49 100644 --- a/pkg/sentry/platform/ring0/entry_arm64.s +++ b/pkg/sentry/platform/ring0/entry_arm64.s @@ -27,7 +27,9 @@ // ERET returns using the ELR and SPSR for the current exception level. #define ERET() \ - WORD $0xd69f03e0 + WORD $0xd69f03e0; \ + DSB $7; \ + ISB $15; // RSV_REG is a register that holds el1 information temporarily. #define RSV_REG R18_PLATFORM -- cgit v1.2.3