[PATCH 0/2] xen/arm: Mitigate straight-line speculation
From: Julien Grall <jgrall@xxxxxxxxxx>

Hi all,

Arm recently released a whitepaper about a new category of speculation (see [1] and [2]). In short, a processor may be able to speculate past some of the unconditional control flow instructions (e.g. eret, smc, br). In some of the cases, the registers will contain values controlled by the guest. While there is no known gadget afterwards, we still want to prevent any leakage in the future.

The mitigation is planned in two parts:
   1) Arm provided patches for both GCC and LLVM to add speculation barrier and remove problematic code sequence.
   2) Inspection of assembly code and call to higher level (e.g. smc in our case).

I am still waiting on more input for 1), so this series only addresses 2) for the moment.

Note that the ERET instruction was already addressed as part of XSA-312.

The patch series is directly sent on the mailing list as the security team has been aware of the issues after the whitepaper was publicly released.

Cheers,

[1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
[2] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation

Julien Grall (2):
  xen/arm: entry: Place a speculation barrier following an ret instruction
  xen/arm: Mitigate straight-line speculation for SMC call

 xen/arch/arm/arm32/entry.S   |  1 +
 xen/arch/arm/arm64/entry.S   |  2 ++
 xen/arch/arm/arm64/smc.S     |  1 +
 xen/include/asm-arm/smccc.h  | 13 +++++++++++++
 xen/include/asm-arm/system.h |  8 ++++++++
 5 files changed, 25 insertions(+)

--
2.17.1
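
The assembly inspection described in part 2) of the message can be partly automated. The following is an added example, not code from this patch series or from Xen: a Python scan that flags ret, eret, br and smc instructions that are not immediately followed by a speculation barrier. It assumes a barrier is either "sb" or "dsb" followed by "isb" (the message does not name the barrier instructions), and the sample input is constructed.

```python
import re

# Unconditional control-flow instructions named in the message (eret, smc, br)
# plus ret, from the first patch title.
CONTROL_FLOW = {"ret", "eret", "br", "smc"}

# Constructed sample input, not taken from the Xen tree.
SAMPLE = """\
// constructed sample
call_smc:
        smc     #0
        ret
guarded_return:
        ldp     x29, x30, [sp], #16
        ret
        sb
exit_guest:
        eret
        dsb     nsh
        isb
jump_table:
        br      x16          // no barrier follows
1:      b       1b
"""

def instructions(asm_text):
    """Yield (line_no, mnemonic), skipping comments, labels and directives."""
    for no, line in enumerate(asm_text.splitlines(), 1):
        line = re.sub(r"/\*.*?\*/|//.*|@.*", "", line)   # strip comments
        for stmt in line.split(";"):                     # ';' separates statements
            stmt = re.sub(r"^\s*[\w.$]+:", "", stmt).strip()  # drop a leading label
            if stmt and not stmt.startswith((".", "#")):
                yield no, stmt.split()[0].lower()

def unguarded(asm_text):
    """Return (line_no, mnemonic) for control-flow instructions with no barrier after."""
    insns = list(instructions(asm_text))
    findings = []
    for i, (no, op) in enumerate(insns):
        if op not in CONTROL_FLOW:
            continue
        following = [m for _, m in insns[i + 1:i + 3]]
        # Assumption: the barrier is "sb", or "dsb" followed directly by "isb".
        if following[:1] != ["sb"] and following != ["dsb", "isb"]:
            findings.append((no, op))
    return findings

if __name__ == "__main__":
    for no, op in unguarded(SAMPLE):
        print(f"line {no}: '{op}' is not followed by a speculation barrier")
```

Labels between the instruction and the barrier are ignored, because straight-line speculation continues into whatever instruction comes next in memory. Barriers hidden behind assembler macros other than "sb" are not recognised, so findings need manual review.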