Message ID | 20220801172053.20163-3-abdellatif.elkhlifi@arm.com |
---|---|
State | Superseded |
Delegated to: | Tom Rini |
Headers | show |
Series | introduce Arm FF-A support | expand |
On Mon, Aug 1, 2022 at 7:21 PM Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com> wrote: > > set to zero the x0-x17 registers > > As per the SMCCC v1.2 spec, unused result and scratch registers can leak > information after an SMC call. We can mitigate against this risk by > returning zero in each register. > > Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com> > Cc: Tom Rini <trini@konsulko.com> > Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org> > Cc: Jens Wiklander <jens.wiklander@linaro.org> > --- > arch/arm/cpu/armv8/smccc-call.S | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > diff --git a/arch/arm/cpu/armv8/smccc-call.S b/arch/arm/cpu/armv8/smccc-call.S > index ec6f299bc9..8ac3e461e4 100644 > --- a/arch/arm/cpu/armv8/smccc-call.S > +++ b/arch/arm/cpu/armv8/smccc-call.S > @@ -84,6 +84,26 @@ ENDPROC(__arm_smccc_hvc) > stp x14, x15, [x19, #ARM_SMCCC_1_2_REGS_X14_OFFS] > stp x16, x17, [x19, #ARM_SMCCC_1_2_REGS_X16_OFFS] > > + /* x0-x17 registers can leak information after an SMC or HVC call. Let's clear them */ > + mov x0, xzr > + mov x1, xzr > + mov x2, xzr > + mov x3, xzr > + mov x4, xzr > + mov x5, xzr > + mov x6, xzr > + mov x7, xzr > + mov x8, xzr > + mov x9, xzr > + mov x10, xzr > + mov x11, xzr > + mov x12, xzr > + mov x13, xzr > + mov x14, xzr > + mov x15, xzr > + mov x16, xzr > + mov x17, xzr > + Is this information leakage worse than the information leakage from an ordinary C function? My point is, is this needed? Thanks, Jens > /* Restore original x19 */ > ldp xzr, x19, [sp], #16 > ret > -- > 2.17.1 >
On Tue, Aug 16, 2022 at 01:48:31PM +0200, Jens Wiklander wrote: > On Mon, Aug 1, 2022 at 7:21 PM Abdellatif El Khlifi > <abdellatif.elkhlifi@arm.com> wrote: > > > > set to zero the x0-x17 registers > > > > As per the SMCCC v1.2 spec, unused result and scratch registers can leak > > information after an SMC call. We can mitigate against this risk by > > returning zero in each register. > > > > Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com> > > Cc: Tom Rini <trini@konsulko.com> > > Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org> > > Cc: Jens Wiklander <jens.wiklander@linaro.org> > > --- > > arch/arm/cpu/armv8/smccc-call.S | 20 ++++++++++++++++++++ > > 1 file changed, 20 insertions(+) > > > > diff --git a/arch/arm/cpu/armv8/smccc-call.S b/arch/arm/cpu/armv8/smccc-call.S > > index ec6f299bc9..8ac3e461e4 100644 > > --- a/arch/arm/cpu/armv8/smccc-call.S > > +++ b/arch/arm/cpu/armv8/smccc-call.S > > @@ -84,6 +84,26 @@ ENDPROC(__arm_smccc_hvc) > > stp x14, x15, [x19, #ARM_SMCCC_1_2_REGS_X14_OFFS] > > stp x16, x17, [x19, #ARM_SMCCC_1_2_REGS_X16_OFFS] > > > > + /* x0-x17 registers can leak information after an SMC or HVC call. Let's clear them */ > > + mov x0, xzr > > + mov x1, xzr > > + mov x2, xzr > > + mov x3, xzr > > + mov x4, xzr > > + mov x5, xzr > > + mov x6, xzr > > + mov x7, xzr > > + mov x8, xzr > > + mov x9, xzr > > + mov x10, xzr > > + mov x11, xzr > > + mov x12, xzr > > + mov x13, xzr > > + mov x14, xzr > > + mov x15, xzr > > + mov x16, xzr > > + mov x17, xzr > > + > > Is this information leakage worse than the information leakage from an > ordinary C function? > My point is, is this needed? The leakage we are referring to is data leakage across exception levels. The intent is to prevent lower exception levels (EL1/EL0) to read the data exchanged at EL2. The linux kernel clears the general purpose registers before switching to EL0. As far as I know u-boot doesn't. So, the code above makes sure the registers are cleared. An improved version of this has been releases in this patch: https://lore.kernel.org/all/20220926101723.9965-3-abdellatif.elkhlifi@arm.com/ > > Thanks, > Jens > > > /* Restore original x19 */ > > ldp xzr, x19, [sp], #16 > > ret > > -- > > 2.17.1 > >
diff --git a/arch/arm/cpu/armv8/smccc-call.S b/arch/arm/cpu/armv8/smccc-call.S index ec6f299bc9..8ac3e461e4 100644 --- a/arch/arm/cpu/armv8/smccc-call.S +++ b/arch/arm/cpu/armv8/smccc-call.S @@ -84,6 +84,26 @@ ENDPROC(__arm_smccc_hvc) stp x14, x15, [x19, #ARM_SMCCC_1_2_REGS_X14_OFFS] stp x16, x17, [x19, #ARM_SMCCC_1_2_REGS_X16_OFFS] + /* x0-x17 registers can leak information after an SMC or HVC call. Let's clear them */ + mov x0, xzr + mov x1, xzr + mov x2, xzr + mov x3, xzr + mov x4, xzr + mov x5, xzr + mov x6, xzr + mov x7, xzr + mov x8, xzr + mov x9, xzr + mov x10, xzr + mov x11, xzr + mov x12, xzr + mov x13, xzr + mov x14, xzr + mov x15, xzr + mov x16, xzr + mov x17, xzr + /* Restore original x19 */ ldp xzr, x19, [sp], #16 ret
set to zero the x0-x17 registers As per the SMCCC v1.2 spec, unused result and scratch registers can leak information after an SMC call. We can mitigate against this risk by returning zero in each register. Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com> Cc: Tom Rini <trini@konsulko.com> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org> Cc: Jens Wiklander <jens.wiklander@linaro.org> --- arch/arm/cpu/armv8/smccc-call.S | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)