arm64: use RET instruction for exiting the trampoline
author Will Deacon <will.deacon@arm.com>
Tue, 14 Nov 2017 16:15:59 +0000 (16:15 +0000)
committer Catalin Marinas <catalin.marinas@arm.com>
Mon, 8 Jan 2018 18:43:31 +0000 (18:43 +0000)
commit be04a6d1126b02c6a28741155b899d648739fc5b
tree d5ef283426b675e5e8d776e70f6e4655f3437e2c
parent 3b3b681097fae73b7f5dcdd42db6cfdf32943d4c

Speculation attacks against the entry trampoline can potentially resteer
the speculative instruction stream through the indirect branch and into
arbitrary gadgets within the kernel.

This patch defends against these attacks by forcing a misprediction
through the return stack: a dummy BL instruction loads an entry into
the stack, so that the predicted program flow of the subsequent RET
instruction is to a branch-to-self instruction which is finally resolved
as a branch to the kernel vectors with speculation suppressed.

Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
arch/arm64/kernel/entry.S
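The return-stack trick the commit message describes, written out as an added illustrative AArch64 assembly fragment; this is not the commit's own diff (the page does not show it), the labels `tramp_vectors` and `vectors` are assumed from the arm64 entry-code convention, and the stand-in `vectors` body is constructed so the fragment assembles on its own.

```asm
	.text
	.align	7
tramp_vectors:
	// BL pushes the address of the *next* instruction (the branch-to-self)
	// onto the return address stack. That entry, not the indirect-branch
	// predictor, is what the RET below is predicted from, so any training
	// of the indirect predictor against this exit is not followed.
	bl	2f
	b	.			// speculation sink: never executed architecturally
2:
	// Architectural target: the matching full-fat kernel vector.
	// (The real entry code also maps the kernel back in and updates
	// VBAR_EL1 here; those steps are outside what this fragment shows.)
	adr	x30, vectors
	isb
	// Predicted target: the 'b .' above (no useful speculation).
	// Resolved target: x30, i.e. the kernel vectors, taken only once the
	// misprediction is detected and speculative state is discarded.
	ret

	.align	7
vectors:				// constructed stand-in for the kernel vectors
	b	.
```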