Anthony Steinhauser f461fe346b Prevent speculative execution past ERET ... Even though ERET always causes a jump to another address, aarch64 CPUs speculatively execute following instructions as if the ERET instruction was not a jump instruction. The speculative execution does not cross privilege-levels (to the jump target as one would expect), but it continues on the kernel privilege level as if the ERET instruction did not change the control flow - thus execution anything that is accidentally linked after the ERET instruction. Later, the results of this speculative execution are always architecturally discarded, however they can leak data using microarchitectural side channels. This speculative execution is very reliable (seems to be unconditional) and it manages to complete even relatively performance-heavy operations (e.g. multiple dependent fetches from uncached memory). This was fixed in Linux, FreeBSD, OpenBSD and Optee OS: 679db70801 29fb48ace4 3a08873ece abfd092aa1 It is demonstrated in a SafeSide example: https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c Signed-off-by: Anthony Steinhauser <asteinhauser@google.com> Change-Id: Iead39b0b9fb4b8d8b5609daaa8be81497ba63a0f		2020-01-22 21:42:51 +00:00
..
aarch32	Refactor SPSR initialisation code	2019-07-24 12:49:54 +01:00
aarch64	Prevent speculative execution past ERET	2020-01-22 21:42:51 +00:00
tbbr	Sanitise includes across codebase	2019-01-04 10:43:17 +00:00
bl1.ld.S	Reduce space lost to object alignment	2019-12-04 02:59:30 -06:00
bl1.mk	Add support for Branch Target Identification	2019-05-24 14:44:45 +01:00
bl1_fwu.c	Unsigned long should not be used as per coding guidelines	2019-09-13 23:51:02 +03:00
bl1_main.c	TF-A: Add support for ARMv8.3-PAuth in BL1 SMC calls and BL2U	2019-10-03 14:43:55 +01:00
bl1_private.h	Move BL1 and BL2 private defines to bl_common.h	2019-01-15 13:52:32 +00:00