Even though ERET always causes a jump to another address, aarch64 CPUs speculatively execute following instructions as if the ERET instruction was not a jump instruction. The speculative execution does not cross privilege-levels (to the jump target as one would expect), but it continues on the kernel privilege level as if the ERET instruction did not change the control flow - thus execution anything that is accidentally linked after the ERET instruction. Later, the results of this speculative execution are always architecturally discarded, however they can leak data using microarchitectural side channels. This speculative execution is very reliable (seems to be unconditional) and it manages to complete even relatively performance-heavy operations (e.g. multiple dependent fetches from uncached memory). This was fixed in Linux, FreeBSD, OpenBSD and Optee OS: |
||
---|---|---|
bl1 | ||
bl2 | ||
bl2u | ||
bl31 | ||
bl32 | ||
common | ||
docs | ||
drivers | ||
fdts | ||
include | ||
lib | ||
make_helpers | ||
plat | ||
services | ||
tools | ||
.checkpatch.conf | ||
.editorconfig | ||
.gitignore | ||
Makefile | ||
dco.txt | ||
license.rst | ||
readme.rst |
readme.rst
Trusted Firmware-A
Trusted Firmware-A (TF-A) is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor. It provides a suitable starting point for productization of secure world boot and runtime firmware, in either the AArch32 or AArch64 execution states.
TF-A implements Arm interface standards, including:
- Power State Coordination Interface (PSCI)
- Trusted Board Boot Requirements CLIENT (TBBR-CLIENT)
- SMC Calling Convention
- System Control and Management Interface (SCMI)
- Software Delegated Exception Interface (SDEI)
The code is designed to be portable and reusable across hardware platforms and software models that are based on the Armv8-A and Armv7-A architectures.
In collaboration with interested parties, we will continue to enhance TF-A with reference implementations of Arm standards to benefit developers working with Armv7-A and Armv8-A TrustZone technology.
Users are encouraged to do their own security validation, including penetration testing, on any secure world code derived from TF-A.
More Info and Documentation
To find out more about Trusted Firmware-A, please view the full documentation that is available through trustedfirmware.org.
Copyright (c) 2013-2019, Arm Limited and Contributors. All rights reserved.