[PATCH v3 0/2] xen/arm: Mitigate straight-line speculation

Julien Grall posted 2 patches 1 week, 5 days ago
Test gitlab-ci failed
Patches applied successfully
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/20210401164444.20377-1-julien@xen.org

Posted by Julien Grall 1 week, 5 days ago
From: Julien Grall <jgrall@amazon.com>

Hi all,

Last year, Arm released a whitepaper about a new category of speculation
(see [1] and [2]). In short, a processor may be able to speculate past
some of the unconditional control flow instructions (e.g. eret, smc, br).

In some of the cases, the registers will contain values controlled by
the guest. While there is no known gadget afterwards, we still want to
prevent any leakage in the future.

The mitigation is planned in two parts:
   1) Arm provided patches for both GCC and LLVM to add speculation barriers
   and remove problematic code sequences.
   2) Inspection of assembly code and call to higher level (e.g. smc in our case).

I still haven't looked at 1) and how to properly mitigate Arm32 (see
patch #1) and SMC call. So this issue is not fully addressed.

Note that the ERET instruction was already addressed as part of XSA-312.

Cheers,

[1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
[2] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation

Julien Grall (2):
  xen/arm: Include asm/asm-offsets.h and asm/macros.h on every assembly
    files
  xen/arm64: Place a speculation barrier following an ret instruction

 xen/arch/arm/Makefile                |  2 +-
 xen/arch/arm/arm32/entry.S           |  2 +-
 xen/arch/arm/arm32/head.S            |  1 -
 xen/arch/arm/arm32/lib/lib1funcs.S   |  1 +
 xen/arch/arm/arm32/proc-v7.S         |  1 -
 xen/arch/arm/arm64/debug-cadence.inc |  1 -
 xen/arch/arm/arm64/debug-pl011.inc   |  2 --
 xen/arch/arm/arm64/entry.S           |  2 --
 xen/arch/arm/arm64/head.S            |  2 --
 xen/arch/arm/arm64/smc.S             |  3 ---
 xen/include/asm-arm/arm64/macros.h   |  6 ++++++
 xen/include/asm-arm/config.h         |  6 ++++++
 xen/include/asm-arm/macros.h         | 18 +++++++++---------
 13 files changed, 24 insertions(+), 23 deletions(-)

-- 
2.17.1
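
The "inspection of assembly code" step in the cover letter can be partly automated. The script below is an added example, not code from this series or from the Xen tree: it scans AArch64 GNU-syntax assembly for the instructions named above and reports each one that is not immediately followed by a barrier. The accepted barrier forms (`sb`, or `dsb` then `isb`), the function names and the sample input are assumptions of the example.

```python
import re

# Instructions the cover letter names (eret, smc, br) plus ret from patch 2's title.
STRAIGHT_LINE = {"ret", "br", "eret", "smc"}
COMMENT = re.compile(r"//.*|/\*.*?\*/")   # single-line comments only
LABEL = re.compile(r"^\s*[\w.$]+:")

def tokens(asm):
    """Yield (line_no, first_word) for every non-empty line once comments
    and leading labels are stripped. Directives and macro calls are kept,
    so anything placed between an instruction and its barrier is visible."""
    for no, line in enumerate(asm.splitlines(), 1):
        line = LABEL.sub("", COMMENT.sub("", line)).strip()
        if line:
            yield no, line.split()[0].lower()

def unprotected(asm):
    """Return [(line_no, mnemonic)] for instructions with no barrier right after.
    Assumed barrier forms: `sb`, or `dsb` immediately followed by `isb`."""
    toks = list(tokens(asm))
    findings = []
    for i, (no, word) in enumerate(toks):
        if word not in STRAIGHT_LINE:
            continue
        nxt = [w for _, w in toks[i + 1:i + 3]]
        if nxt[:1] != ["sb"] and nxt != ["dsb", "isb"]:
            findings.append((no, word))
    return findings

# Constructed sample, not taken from the Xen tree.
SAMPLE = """\
func_a:
        mov   x0, #0
        ret                 // next instruction is not a barrier
func_b:
        ldr   x1, [x0]
        br    x1
        sb                  // barrier directly after br
func_c:
        smc   #0
        dsb   nsh
        isb
        eret                // end of file, nothing follows
"""

if __name__ == "__main__":
    for no, word in unprotected(SAMPLE):
        print(f"line {no}: '{word}' is not followed by a speculation barrier")
```

Macro invocations and directives are treated as opaque tokens, so a barrier that is emitted from inside a macro, or separated from the instruction by a directive, is reported as missing and needs a manual look.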