aarch32: stop speculative execution past exception returns

aarch32 CPUs speculatively execute instructions following a
ERET as if it was not a jump instruction. This could lead to
cache-based side channel vulnerabilities. The software fix is
to place barrier instructions following ERET.

The counterpart patch for aarch64 is merged:
https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=f461fe346b728d0e88142fd7b8f2816415af18bc

Change-Id: I2aa3105bee0b92238f389830b3a3b8650f33af3d
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

diff --git a/bl1/aarch32/bl1_exceptions.S b/bl1/aarch32/bl1_exceptions.S
index f2af9ab5b1bc0b00ac762b5a04adaf9782cc0acc..493d2ca4e56c3960d09bc2f3c790c22737a4e708 100644 (file)
--- a/bl1/aarch32/bl1_exceptions.S
+++ b/bl1/aarch32/bl1_exceptions.S
@@ -80,7 +80,7 @@ debug_loop:
 
        add     r8, r8, #ENTRY_POINT_INFO_ARGS_OFFSET
        ldm     r8, {r0, r1, r2, r3}
-       eret
+       exception_return
 endfunc bl1_aarch32_smc_handler
 
        /* -----------------------------------------------------

diff --git a/bl2/aarch32/bl2_el3_entrypoint.S b/bl2/aarch32/bl2_el3_entrypoint.S
index 9b4da6b136006e2abb9d17f1a5381fc9dd911088..2e851e61a44d1fc40d16aa42e7b565bfd7e9fdb3 100644 (file)
--- a/bl2/aarch32/bl2_el3_entrypoint.S
+++ b/bl2/aarch32/bl2_el3_entrypoint.S
@@ -87,5 +87,5 @@ func bl2_run_next_image
 
        add     r8, r8, #ENTRY_POINT_INFO_ARGS_OFFSET
        ldm     r8, {r0, r1, r2, r3}
-       eret
+       exception_return
 endfunc bl2_run_next_image

diff --git a/include/arch/aarch32/asm_macros.S b/include/arch/aarch32/asm_macros.S
index 8cfa21231a9fffb0de5b1a43e0ab126b8e06b9dd..ea1636e245d8c93b416157ab0dd483b7edadf7c1 100644 (file)
--- a/include/arch/aarch32/asm_macros.S
+++ b/include/arch/aarch32/asm_macros.S
@@ -95,11 +95,24 @@
 
 #if ARM_ARCH_MAJOR == 7 && !defined(ARMV7_SUPPORTS_VIRTUALIZATION)
        /*
+        * Macro for mitigating against speculative execution.
         * ARMv7 cores without Virtualization extension do not support the
         * eret instruction.
         */
-       .macro eret
+       .macro exception_return
        movs    pc, lr
+       dsb     nsh
+       isb
+       .endm
+
+#else
+       /*
+        * Macro for mitigating against speculative execution beyond ERET.
+        */
+       .macro exception_return
+       eret
+       dsb     nsh
+       isb
        .endm
 #endif
 

diff --git a/include/arch/aarch32/smccc_macros.S b/include/arch/aarch32/smccc_macros.S
index 4ec229218fdaa284a0dbabc39906b3327c3b95ad..ea7835a42584b00b48979c969fe7449de3be8513 100644 (file)
--- a/include/arch/aarch32/smccc_macros.S
+++ b/include/arch/aarch32/smccc_macros.S
@@ -235,7 +235,7 @@
 
        /* Restore the rest of the general purpose registers */
        ldm     r0, {r0-r12}
-       eret
+       exception_return
        .endm
 
 #endif /* SMCCC_MACROS_S */