
On Tue, Aug 16, 2022 at 01:48:31PM +0200, Jens Wiklander wrote:
On Mon, Aug 1, 2022 at 7:21 PM Abdellatif El Khlifi abdellatif.elkhlifi@arm.com wrote:
set to zero the x0-x17 registers
As per the SMCCC v1.2 spec, unused result and scratch registers can leak information after an SMC call. We can mitigate against this risk by returning zero in each register.
Signed-off-by: Abdellatif El Khlifi abdellatif.elkhlifi@arm.com Cc: Tom Rini trini@konsulko.com Cc: Ilias Apalodimas ilias.apalodimas@linaro.org Cc: Jens Wiklander jens.wiklander@linaro.org
arch/arm/cpu/armv8/smccc-call.S | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)
diff --git a/arch/arm/cpu/armv8/smccc-call.S b/arch/arm/cpu/armv8/smccc-call.S
index ec6f299bc9..8ac3e461e4 100644
--- a/arch/arm/cpu/armv8/smccc-call.S
+++ b/arch/arm/cpu/armv8/smccc-call.S
@@ -84,6 +84,26 @@ ENDPROC(__arm_smccc_hvc)
stp x14, x15, [x19, #ARM_SMCCC_1_2_REGS_X14_OFFS]
stp x16, x17, [x19, #ARM_SMCCC_1_2_REGS_X16_OFFS]
/* x0-x17 registers can leak information after an SMC or HVC call. Let's clear them */
mov x0, xzr
mov x1, xzr
mov x2, xzr
mov x3, xzr
mov x4, xzr
mov x5, xzr
mov x6, xzr
mov x7, xzr
mov x8, xzr
mov x9, xzr
mov x10, xzr
mov x11, xzr
mov x12, xzr
mov x13, xzr
mov x14, xzr
mov x15, xzr
mov x16, xzr
mov x17, xzr
Is this information leakage worse than the information leakage from an ordinary C function? My point is, is this needed?
The leakage we are referring to is data leakage across exception levels. The intent is to prevent lower exception levels (EL1/EL0) from reading the data exchanged at EL2.
The Linux kernel clears the general purpose registers before switching to EL0. As far as I know U-Boot doesn't.
So, the code above makes sure the registers are cleared. An improved version of this has been released in this patch: https://lore.kernel.org/all/20220926101723.9965-3-abdellatif.elkhlifi@arm.co...
Thanks, Jens
/* Restore original x19 */
ldp xzr, x19, [sp], #16
ret
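Review bot: The eighteen consecutive `mov xN, xzr` lines in the new block are a pattern the assembler can generate, which keeps the register range and the intent in one place and avoids a missed register if the range ever changes: `.irp r, 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17` / `mov x\r, xzr` / `.endr`. The comment above them would carry more weight stating the rationale the commit message gives instead of `Let's clear them`, e.g. `/* SMCCC v1.2: x0-x17 are result/scratch registers and may still hold data from the higher exception level; zero them before returning to the caller */`. The hunk header's `ENDPROC(__arm_smccc_hvc)` context indicates this file has other SMC/HVC entry points; if their return paths leave the scratch registers untouched, the same mitigation would presumably apply there too, which is worth confirming. The function this block belongs to starts outside the hunk.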
-- 2.17.1