Andrew Geissler | b7d2861 | 2020-07-24 16:15:54 -0500 | [diff] [blame] | 1 | CVE: CVE-2020-13844 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From 1ff243934ac443b5f58cd02a5012ce58ecc31fb2 Mon Sep 17 00:00:00 2001 |
| 6 | From: Matthew Malcomson <matthew.malcomson@arm.com> |
| 7 | Date: Thu, 9 Jul 2020 09:11:58 +0100 |
| 8 | Subject: [PATCH 1/3] aarch64: New Straight Line Speculation (SLS) mitigation |
| 9 | flags |
| 10 | |
| 11 | Here we introduce the flags that will be used for straight line speculation. |
| 12 | |
| 13 | The new flag introduced is `-mharden-sls=`. |
| 14 | This flag can take arguments of `none`, `all`, or a comma seperated list of one |
| 15 | or more of `retbr` or `blr`. |
| 16 | `none` indicates no special mitigation of the straight line speculation |
| 17 | vulnerability. |
| 18 | `all` requests all mitigations currently implemented. |
| 19 | `retbr` requests that the RET and BR instructions have a speculation barrier |
| 20 | inserted after them. |
| 21 | `blr` requests that BLR instructions are replaced by a BL to a function stub |
| 22 | using a BR with a speculation barrier after it. |
| 23 | |
| 24 | Setting this on a per-function basis using attributes or the like is not |
| 25 | enabled, but may be in the future. |
| 26 | |
| 27 | gcc/ChangeLog: |
| 28 | |
| 29 | 2020-06-02 Matthew Malcomson <matthew.malcomson@arm.com> |
| 30 | |
| 31 | * config/aarch64/aarch64-protos.h (aarch64_harden_sls_retbr_p): |
| 32 | New. |
| 33 | (aarch64_harden_sls_blr_p): New. |
| 34 | * config/aarch64/aarch64.c (enum aarch64_sls_hardening_type): |
| 35 | New. |
| 36 | (aarch64_harden_sls_retbr_p): New. |
| 37 | (aarch64_harden_sls_blr_p): New. |
| 38 | (aarch64_validate_sls_mitigation): New. |
| 39 | (aarch64_override_options): Parse options for SLS mitigation. |
| 40 | * config/aarch64/aarch64.opt (-mharden-sls): New option. |
| 41 | * doc/invoke.texi: Document new option. |
| 42 | --- |
| 43 | gcc/config/aarch64/aarch64-protos.h | 3 ++ |
| 44 | gcc/config/aarch64/aarch64.c | 76 +++++++++++++++++++++++++++++++++++++ |
| 45 | gcc/config/aarch64/aarch64.opt | 4 ++ |
| 46 | gcc/doc/invoke.texi | 12 ++++++ |
| 47 | 4 files changed, 95 insertions(+) |
| 48 | |
| 49 | diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h |
| 50 | index 723d9ba..eb5f4b4 100644 |
| 51 | --- a/gcc/config/aarch64/aarch64-protos.h |
| 52 | +++ b/gcc/config/aarch64/aarch64-protos.h |
| 53 | @@ -781,4 +781,7 @@ extern const atomic_ool_names aarch64_ool_ldeor_names; |
| 54 | |
| 55 | tree aarch64_resolve_overloaded_builtin_general (location_t, tree, void *); |
| 56 | |
| 57 | +extern bool aarch64_harden_sls_retbr_p (void); |
| 58 | +extern bool aarch64_harden_sls_blr_p (void); |
| 59 | + |
| 60 | #endif /* GCC_AARCH64_PROTOS_H */ |
| 61 | diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c |
| 62 | index b86434a..437a9cf 100644 |
| 63 | --- a/gcc/config/aarch64/aarch64.c |
| 64 | +++ b/gcc/config/aarch64/aarch64.c |
| 65 | @@ -14494,6 +14494,79 @@ aarch64_validate_mcpu (const char *str, const struct processor **res, |
| 66 | return false; |
| 67 | } |
| 68 | |
| 69 | +/* Straight line speculation indicators. */ |
| 70 | +enum aarch64_sls_hardening_type |
| 71 | +{ |
| 72 | + SLS_NONE = 0, |
| 73 | + SLS_RETBR = 1, |
| 74 | + SLS_BLR = 2, |
| 75 | + SLS_ALL = 3, |
| 76 | +}; |
| 77 | +static enum aarch64_sls_hardening_type aarch64_sls_hardening; |
| 78 | + |
| 79 | +/* Return whether we should mitigatate Straight Line Speculation for the RET |
| 80 | + and BR instructions. */ |
| 81 | +bool |
| 82 | +aarch64_harden_sls_retbr_p (void) |
| 83 | +{ |
| 84 | + return aarch64_sls_hardening & SLS_RETBR; |
| 85 | +} |
| 86 | + |
| 87 | +/* Return whether we should mitigatate Straight Line Speculation for the BLR |
| 88 | + instruction. */ |
| 89 | +bool |
| 90 | +aarch64_harden_sls_blr_p (void) |
| 91 | +{ |
| 92 | + return aarch64_sls_hardening & SLS_BLR; |
| 93 | +} |
| 94 | + |
| 95 | +/* As of yet we only allow setting these options globally, in the future we may |
| 96 | + allow setting them per function. */ |
| 97 | +static void |
| 98 | +aarch64_validate_sls_mitigation (const char *const_str) |
| 99 | +{ |
| 100 | + char *token_save = NULL; |
| 101 | + char *str = NULL; |
| 102 | + |
| 103 | + if (strcmp (const_str, "none") == 0) |
| 104 | + { |
| 105 | + aarch64_sls_hardening = SLS_NONE; |
| 106 | + return; |
| 107 | + } |
| 108 | + if (strcmp (const_str, "all") == 0) |
| 109 | + { |
| 110 | + aarch64_sls_hardening = SLS_ALL; |
| 111 | + return; |
| 112 | + } |
| 113 | + |
| 114 | + char *str_root = xstrdup (const_str); |
| 115 | + str = strtok_r (str_root, ",", &token_save); |
| 116 | + if (!str) |
| 117 | + error ("invalid argument given to %<-mharden-sls=%>"); |
| 118 | + |
| 119 | + int temp = SLS_NONE; |
| 120 | + while (str) |
| 121 | + { |
| 122 | + if (strcmp (str, "blr") == 0) |
| 123 | + temp |= SLS_BLR; |
| 124 | + else if (strcmp (str, "retbr") == 0) |
| 125 | + temp |= SLS_RETBR; |
| 126 | + else if (strcmp (str, "none") == 0 || strcmp (str, "all") == 0) |
| 127 | + { |
| 128 | + error ("%<%s%> must be by itself for %<-mharden-sls=%>", str); |
| 129 | + break; |
| 130 | + } |
| 131 | + else |
| 132 | + { |
| 133 | + error ("invalid argument %<%s%> for %<-mharden-sls=%>", str); |
| 134 | + break; |
| 135 | + } |
| 136 | + str = strtok_r (NULL, ",", &token_save); |
| 137 | + } |
| 138 | + aarch64_sls_hardening = (aarch64_sls_hardening_type) temp; |
| 139 | + free (str_root); |
| 140 | +} |
| 141 | + |
| 142 | /* Parses CONST_STR for branch protection features specified in |
| 143 | aarch64_branch_protect_types, and set any global variables required. Returns |
| 144 | the parsing result and assigns LAST_STR to the last processed token from |
| 145 | @@ -14738,6 +14811,9 @@ aarch64_override_options (void) |
| 146 | selected_arch = NULL; |
| 147 | selected_tune = NULL; |
| 148 | |
| 149 | + if (aarch64_harden_sls_string) |
| 150 | + aarch64_validate_sls_mitigation (aarch64_harden_sls_string); |
| 151 | + |
| 152 | if (aarch64_branch_protection_string) |
| 153 | aarch64_validate_mbranch_protection (aarch64_branch_protection_string); |
| 154 | |
| 155 | diff --git a/gcc/config/aarch64/aarch64.opt b/gcc/config/aarch64/aarch64.opt |
| 156 | index d99d14c..5170361 100644 |
| 157 | --- a/gcc/config/aarch64/aarch64.opt |
| 158 | +++ b/gcc/config/aarch64/aarch64.opt |
| 159 | @@ -71,6 +71,10 @@ mgeneral-regs-only |
| 160 | Target Report RejectNegative Mask(GENERAL_REGS_ONLY) Save |
| 161 | Generate code which uses only the general registers. |
| 162 | |
| 163 | +mharden-sls= |
| 164 | +Target RejectNegative Joined Var(aarch64_harden_sls_string) |
| 165 | +Generate code to mitigate against straight line speculation. |
| 166 | + |
| 167 | mfix-cortex-a53-835769 |
| 168 | Target Report Var(aarch64_fix_a53_err835769) Init(2) Save |
| 169 | Workaround for ARM Cortex-A53 Erratum number 835769. |
| 170 | diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi |
| 171 | index a2794a6..bd5b77a 100644 |
| 172 | --- a/gcc/doc/invoke.texi |
| 173 | +++ b/gcc/doc/invoke.texi |
| 174 | @@ -696,6 +696,7 @@ Objective-C and Objective-C++ Dialects}. |
| 175 | -msign-return-address=@var{scope} @gol |
| 176 | -mbranch-protection=@var{none}|@var{standard}|@var{pac-ret}[+@var{leaf} |
| 177 | +@var{b-key}]|@var{bti} @gol |
| 178 | +-mharden-sls=@var{opts} @gol |
| 179 | -march=@var{name} -mcpu=@var{name} -mtune=@var{name} @gol |
| 180 | -moverride=@var{string} -mverbose-cost-dump @gol |
| 181 | -mstack-protector-guard=@var{guard} -mstack-protector-guard-reg=@var{sysreg} @gol |
| 182 | @@ -17065,6 +17066,17 @@ functions. The optional argument @samp{b-key} can be used to sign the functions |
| 183 | with the B-key instead of the A-key. |
| 184 | @samp{bti} turns on branch target identification mechanism. |
| 185 | |
| 186 | +@item -mharden-sls=@var{opts} |
| 187 | +@opindex mharden-sls |
| 188 | +Enable compiler hardening against straight line speculation (SLS). |
| 189 | +@var{opts} is a comma-separated list of the following options: |
| 190 | +@table @samp |
| 191 | +@item retbr |
| 192 | +@item blr |
| 193 | +@end table |
| 194 | +In addition, @samp{-mharden-sls=all} enables all SLS hardening while |
| 195 | +@samp{-mharden-sls=none} disables all SLS hardening. |
| 196 | + |
| 197 | @item -msve-vector-bits=@var{bits} |
| 198 | @opindex msve-vector-bits |
| 199 | Specify the number of bits in an SVE vector register. This option only has |
| 200 | -- |
| 201 | 2.7.4 |
| 202 | |