• J
    arm64: Mitigate spectre style branch history side channels · 558c303c
    James Morse 提交于
    Speculation attacks against some high-performance processors can
    make use of branch history to influence future speculation.
    When taking an exception from user-space, a sequence of branches
    or a firmware call overwrites or invalidates the branch history.
    
    The sequence of branches is added to the vectors, and should appear
    before the first indirect branch. For systems using KPTI the sequence
    is added to the kpti trampoline where it has a free register as the exit
    from the trampoline is via a 'ret'. For systems not using KPTI, the same
    register tricks are used to free up a register in the vectors.
    
    For the firmware call, arch-workaround-3 clobbers 4 registers, so
    there is no choice but to save them to the EL1 stack. This only happens
    for entry from EL0, so if we take an exception due to the stack access,
    it will not become re-entrant.
    
    For KVM, the existing branch-predictor-hardening vectors are used.
    When a spectre version of these vectors is in use, the firmware call
    is sufficient to mitigate against Spectre-BHB. For the non-spectre
    versions, the sequence of branches is added to the indirect vector.
    Reviewed-by: NCatalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: NJames Morse <james.morse@arm.com>
    558c303c
cpufeature.h 27.9 KB