Skip to content

GitLab

Switch branch/tag
History Find file
Clone
Prevent speculative execution past ERET
Anthony Steinhauser authored 
Even though ERET always causes a jump to another address, aarch64 CPUs
speculatively execute following instructions as if the ERET
instruction was not a jump instruction.
The speculative execution does not cross privilege-levels (to the jump
target as one would expect), but it continues on the kernel privilege
level as if the ERET instruction did not change the control flow -
thus execution anything that is accidentally linked after the ERET
instruction. Later, the results of this speculative execution are
always architecturally discarded, however they can leak data using
microarchitectural side channels. This speculative execution is very
reliable (seems to be unconditional) and it manages to complete even
relatively performance-heavy operations (e.g. multiple dependent
fetches from uncached memory).

This was fixed in Linux, FreeBSD, OpenBSD and Optee OS:
https://github.com/torvalds/linux/commit/679db70801da9fda91d26caf13bf5b5ccc74e8e8
https://github.com/freebsd/f...
f461fe34
Name Last commit Last update
bl1 Prevent speculative execution past ERET
bl2 Prevent speculative execution past ERET
bl2u Reduce space lost to object alignment
bl31 Prevent speculative execution past ERET
bl32 Prevent speculative execution past ERET
common FDT helper functions: Fix MISRA issues
docs Merge changes from topic "add-versal-soc-support" into integration
drivers spi: stm32_qspi: Add QSPI support
fdts Merge "Replace dts includes with C preprocessor syntax" into integration
include Prevent speculative execution past ERET
lib Prevent speculative execution past ERET
make_helpers Replace dts includes with C preprocessor syntax
plat Prevent speculative execution past ERET
services Prevent speculative execution past ERET
tools cert_create: Remove some unused header files inclusions
.checkpatch.conf Re-apply GIT_COMMIT_ID check for checkpatch
.editorconfig doc: Final, pre-release fixes and updates
.gitignore meson: Rename platform directory to amlogic
Makefile Merge "Set lld as the default linker for Clang builds" into integration
dco.txt Drop requirement for CLA in contribution.md
license.rst doc: De-duplicate readme and license files
readme.rst doc: Formatting fixes for readme.rst
readme.rst

Trusted Firmware-A

Trusted Firmware-A (TF-A) is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor. It provides a suitable starting point for productization of secure world boot and runtime firmware, in either the AArch32 or AArch64 execution states.

TF-A implements Arm interface standards, including:

The code is designed to be portable and reusable across hardware platforms and software models that are based on the Armv8-A and Armv7-A architectures.

In collaboration with interested parties, we will continue to enhance TF-A with reference implementations of Arm standards to benefit developers working with Armv7-A and Armv8-A TrustZone technology.

Users are encouraged to do their own security validation, including penetration testing, on any secure world code derived from TF-A.

More Info and Documentation

To find out more about Trusted Firmware-A, please view the full documentation that is available through trustedfirmware.org.

Copyright (c) 2013-2019, Arm Limited and Contributors. All rights reserved.