[PATCH] ArmPkg/ArmSvcLib: prevent speculative execution beyond svc

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Vijayenthiran Subramaniam" <vijayenthiran.subramaniam@arm.com>
To: devel@edk2.groups.io, leif@nuviainc.com, Ard.Biesheuvel@arm.com
Cc: thomas.abraham@arm.com, Sami.Mujawar@arm.com, richard.storer@arm.com
Subject: [PATCH] ArmPkg/ArmSvcLib: prevent speculative execution beyond svc
Date: Thu,  4 Jun 2020 18:42:09 +0530	[thread overview]
Message-ID: <1591276329-20607-1-git-send-email-vijayenthiran.subramaniam@arm.com> (raw)

Supervisor Call instruction (SVC) is used by the Arm Standalone MM
environment to request services from the privileged software (such as
ARM Trusted Firmware running in EL3) and also return back to the
non-secure caller via EL3. Some Arm CPUs speculatively executes the
instructions after the SVC instruction without crossing the privilege
level (S-EL0). Although the results of this execution are
architecturally discarded, adversary running on the non-secure side can
manipulate the contents of the general purpose registers to leak the
secure work memory through spectre like micro-architectural side channel
attacks. This behavior is demonstrated by the SafeSide project [1] and
[2]. Add barrier instructions after SVC to prevent speculative execution
to mitigate such attacks.

[1]: https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc
[2]: https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c

Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
---
 ArmPkg/Library/ArmSvcLib/AArch64/ArmSvc.S | 5 ++++-
 ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.S     | 5 ++++-
 ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.asm   | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/ArmPkg/Library/ArmSvcLib/AArch64/ArmSvc.S b/ArmPkg/Library/ArmSvcLib/AArch64/ArmSvc.S
index 7c94db3451f0..ee265f94b960 100644
--- a/ArmPkg/Library/ArmSvcLib/AArch64/ArmSvc.S
+++ b/ArmPkg/Library/ArmSvcLib/AArch64/ArmSvc.S
@@ -1,5 +1,5 @@
 //
-//  Copyright (c) 2012 - 2017, ARM Limited. All rights reserved.
+//  Copyright (c) 2012 - 2020, ARM Limited. All rights reserved.
 //
 //  SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -25,6 +25,9 @@ ASM_PFX(ArmCallSvc):
   ldp   x0, x1, [x0, #0]
 
   svc   #0
+  // Prevent speculative execution beyond svc instruction
+  dsb   nsh
+  isb
 
   // Pop the ARM_SVC_ARGS structure address from the stack into x9
   ldr   x9, [sp, #16]
diff --git a/ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.S b/ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.S
index fc2886b6b53e..e81eb88f2e87 100644
--- a/ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.S
+++ b/ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.S
@@ -1,5 +1,5 @@
 //
-//  Copyright (c) 2016 - 2017, ARM Limited. All rights reserved.
+//  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
 //
 //  SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -18,6 +18,9 @@ ASM_PFX(ArmCallSvc):
     ldm     r0, {r0-r7}
 
     svc     #0
+    // Prevent speculative execution beyond svc instruction
+    dsb     nsh
+    isb
 
     // Load the ARM_SVC_ARGS structure address from the stack into r8
     ldr     r8, [sp]
diff --git a/ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.asm b/ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.asm
index 82d10c023ae3..d1751488b2b1 100644
--- a/ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.asm
+++ b/ArmPkg/Library/ArmSvcLib/Arm/ArmSvc.asm
@@ -1,5 +1,5 @@
 //
-//  Copyright (c) 2016 - 2017, ARM Limited. All rights reserved.
+//  Copyright (c) 2016 - 2020, ARM Limited. All rights reserved.
 //
 //  SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -16,6 +16,9 @@
     ldm     r0, {r0-r7}
 
     svc     #0
+    // Prevent speculative execution beyond svc instruction
+    dsb     nsh
+    isb
 
     // Load the ARM_SVC_ARGS structure address from the stack into r8
     ldr     r8, [sp]
-- 
2.7.4

next             reply	other threads:[~2020-06-04 13:12 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-04 13:12 Vijayenthiran Subramaniam [this message]
2020-06-05  8:05 ` [PATCH] ArmPkg/ArmSvcLib: prevent speculative execution beyond svc Ard Biesheuvel

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7c94db3451f dfblob:ee265f94b96 dfblob:fc2886b6b53
dfblob:e81eb88f2e8 dfblob:82d10c023ae dfblob:d1751488b2b )
 OR (
bs:"[PATCH] ArmPkg/ArmSvcLib: prevent speculative execution beyond svc" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1591276329-20607-1-git-send-email-vijayenthiran.subramaniam@arm.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox