From patchwork Mon Jul 20 18:29:36 2020
X-Patchwork-Submitter: Florian Fainelli
X-Patchwork-Id: 237576
From: Florian Fainelli
To: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, will@kernel.org, Will Deacon , Florian Fainelli , Catalin Marinas , Christoffer Dall , Marc Zyngier , Shanker Donthineni , Greg Kroah-Hartman , Ard Biesheuvel , linux-arm-kernel@lists.infradead.org (moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)), kvmarm@lists.cs.columbia.edu (open list:KERNEL VIRTUAL MACHINE FOR ARM64 (KVM/arm64))
Subject: [PATCH stable 4.14.y] arm64: entry: Place an SB sequence following an ERET instruction
Date: Mon, 20 Jul 2020 11:29:36 -0700
Message-Id: <20200720182937.14099-1-f.fainelli@gmail.com>
X-Mailing-List: stable@vger.kernel.org

From: Will Deacon

commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 upstream

Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by a lower privilege level at the point of an ERET, this could potentially be used as part of a side-channel attack.

This patch emits an SB sequence after each ERET so that speculation is held up on exception return.

Signed-off-by: Will Deacon
[florian: update arch/arm64/kvm/entry.S::__fpsimd_guest_restore]
Signed-off-by: Florian Fainelli
---
 arch/arm64/kernel/entry.S | 2 ++
 arch/arm64/kvm/hyp/entry.S | 2 ++
 arch/arm64/kvm/hyp/hyp-entry.S | 4 ++++
 3 files changed, 8 insertions(+)

-- 
2.17.1

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index c1ffa95c0ad2..f70e0893ba51 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -367,6 +367,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0 .else eret .endif + sb .endm .macro irq_stack_entry @@ -1046,6 +1047,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 mrs x30, far_el1 .endif eret + sb .endm .align 11 diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S index a360ac6e89e9..93704e6894d2 100644 --- a/arch/arm64/kvm/hyp/entry.S +++ b/arch/arm64/kvm/hyp/entry.S @@ -83,6 +83,7 @@ ENTRY(__guest_enter) // Do not touch any register after this! eret + sb ENDPROC(__guest_enter) ENTRY(__guest_exit) @@ -195,4 +196,5 @@ alternative_endif ldp x0, x1, [sp], #16 eret + sb ENDPROC(__fpsimd_guest_restore) diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S index 3c283fd8c8f5..b4d6a6c6c6ce 100644 --- a/arch/arm64/kvm/hyp/hyp-entry.S +++ b/arch/arm64/kvm/hyp/hyp-entry.S @@ -96,6 +96,7 @@ el1_sync: // Guest trapped into EL2 do_el2_call eret + sb el1_hvc_guest: /* @@ -146,6 +147,7 @@ wa_epilogue: mov x0, xzr add sp, sp, #16 eret + sb el1_trap: get_vcpu_ptr x1, x0
@@ -204,6 +206,7 @@ el2_error: b.ne __hyp_panic mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT) eret + sb ENTRY(__hyp_do_panic) mov lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\ @@ -212,6 +215,7 @@ ENTRY(__hyp_do_panic) ldr lr, =panic msr elr_el2, lr eret + sb ENDPROC(__hyp_do_panic) ENTRY(__hyp_panic)
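
Review bot: `sb` is used after `eret` in the `@@ -367,6 +367,7 @@` hunk of arch/arm64/kernel/entry.S, and at every other site in the patch, but no hunk defines it and the diffstat lists only the three entry files. The changelog calls it an "SB sequence", which implies an assembler macro rather than a bare instruction; please confirm that 4.14.y already carries that macro, or add the prerequisite to this backport, since otherwise these files will not assemble.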
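
Review bot: The backport note `[florian: update arch/arm64/kvm/entry.S::__fpsimd_guest_restore]` names a path that does not appear in the diff; the hunk ending in `ENDPROC(__fpsimd_guest_restore)` (`@@ -195,4 +196,5 @@`) is in arch/arm64/kvm/hyp/entry.S. Suggest correcting the path in the note so the 4.14-specific deviation from the upstream commit is easy to locate.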
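
Review bot: The changelog promises an SB sequence after "each ERET", but nothing in the patch shows that the tree was checked beyond the eight sites touched, four of them in arch/arm64/kvm/hyp/hyp-entry.S. The bracketed backport note indicates 4.14.y has at least one `eret` site that needed separate handling, so please state in the changelog that the remaining arm64 assembly was searched for `eret` instructions without a following `sb`; a missed exception-return path would leave the speculation window the commit message describes.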