| commit | abfd092aa19f9c0251e3d5551e2d68a9ebcfec8a | |
|---|---|---|
| author | Anthony Steinhauser <asteinhauser@google.com> | Mon Dec 23 07:15:22 2019 -0800 |
| committer | Jérôme Forissier <jerome@forissier.org> | Mon Jan 06 21:32:59 2020 +0100 |
| tree | df7f7110a9a72a08756a091f9ef8db755db87643 | |
| parent | ce50e716c5895e01795691d5c10c3ac736456d30 | |
core: arm64: fix speculative execution past ERET vulnerability

Even though ERET always causes a jump to another address, aarch64 CPUs speculatively execute following instructions as if the ERET instruction was not a jump instruction. The speculative execution does not cross privilege levels (to the jump target, as one would expect), but it continues on the kernel privilege level as if the ERET instruction did not change the control flow, thus executing anything that is accidentally linked after the ERET instruction.

Later, the results of this speculative execution are always architecturally discarded; however, they can leak data using microarchitectural side channels. This speculative execution is very reliable (it seems to be unconditional) and it manages to complete even relatively performance-heavy operations (e.g. multiple dependent fetches from uncached memory).

It was fixed by Linux [1], FreeBSD [2] and OpenBSD [3]. The misbehavior is demonstrated in [4] and [5].

Link: [1] https://github.com/torvalds/linux/commit/679db70801da9fda91d26caf13bf5b5ccc74e8e8
Link: [2] https://github.com/freebsd/freebsd/commit/29fb48ace4186a41c409fde52bcf4216e9e50b61
Link: [3] https://github.com/openbsd/src/commit/3a08873ece1cb28ace89fd65e8f3c1375cc98de2
Link: [4] https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc
Link: [5] https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c

Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
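The layout the commit message describes, as an added illustration that is not code from this commit or from OP-TEE: in the vulnerable arrangement an unrelated routine happens to be linked directly after `eret`, so the CPU speculatively runs it at the kernel's privilege level; in the mitigated arrangement a speculation barrier sits immediately after `eret`, which is the approach taken by the linked Linux fix. The labels, registers and memory accesses are illustrative, and the exact barrier sequence chosen by the OP-TEE patch is not shown on this page.

```asm
// AArch64, exception return from EL1. Illustrative only (not OP-TEE code).

// --- Vulnerable layout ---
// Instructions after ERET are speculatively executed at the current EL,
// even though ERET architecturally always transfers control elsewhere.
ret_to_user_vulnerable:
    msr     elr_el1, x0         // return address for the lower EL
    msr     spsr_el1, x1        // saved PSTATE for the lower EL
    eret
next_routine:                   // accidentally linked right after eret
    ldr     x2, [x3]            // speculatively executed with kernel privilege;
    ldr     x4, [x2]            // dependent loads can leave cache-timing traces
    ret

// --- Mitigated layout ---
// A speculation barrier right after ERET prevents the front end from
// fetching and speculatively executing whatever follows it.
ret_to_user_mitigated:
    msr     elr_el1, x0
    msr     spsr_el1, x1
    eret
    dsb     nsh                 // data synchronization barrier, non-shareable
    isb                         // instruction synchronization barrier
    // On CPUs implementing FEAT_SB (Armv8.5), the single `sb` instruction
    // can be used in place of the dsb/isb pair.
```

When auditing an entry path for this issue, the check is purely structural: every `eret` (and likewise every other instruction that unconditionally leaves the current privilege level) must be followed by a barrier, regardless of what the assembler or linker happens to place next.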
This git repository contains the source code for the secure-side implementation of the OP-TEE project.
All official OP-TEE documentation has moved to http://optee.readthedocs.io.