arm64 cpus speculatively execute instructions after ERET, and on some

processors not all microarchitectural side effects are abandoned,
leading to spectre-like effects.  This was fixed quietly and without
responsible disclosure by ARM in linux mainline a year ago, but
rediscovered independently by Anthony Steinhauser.  ok patrick
guenther kettenis

comment to ARM: "Responsible Disclosure" doesn't mean "downplay at
maximum to avoid damage to the bottom line", the responsibility aspect
entails ensuring "all customers are aware of the defect".  What
happened here is indistinguishable from Intel's behaviour, and that's
not the look you want.

2 files changed, 8 insertions, 2 deletions

diff --git a/sys/arch/arm64/arm64/exception.S b/sys/arch/arm64/arm64/exception.S
index 682066b5eb1..ad73e38068a 100644
--- a/sys/arch/arm64/arm64/exception.S
+++ b/sys/arch/arm64/arm64/exception.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: exception.S,v 1.9 2019/03/15 05:42:38 kevlo Exp $ */
+/* $OpenBSD: exception.S,v 1.10 2019/12/17 22:25:56 deraadt Exp $ */
 /*-
  * Copyright (c) 2014 Andrew Turner
  * All rights reserved.
@@ -161,6 +161,8 @@ handle_el1h_sync:
 	bl	do_el1h_sync
 	restore_registers 1
 	eret
+	dsb nsh
+	isb
 
 handle_el1h_irq:
 	save_registers 1
@@ -168,6 +170,8 @@ handle_el1h_irq:
 	bl	arm_cpu_intr
 	restore_registers 1
 	eret
+	dsb nsh
+	isb
 
 handle_el1h_error:
 	brk	0xf13
diff --git a/sys/arch/arm64/arm64/trampoline.S b/sys/arch/arm64/arm64/trampoline.S
index 4de835ddb5c..97240bb4e61 100644
--- a/sys/arch/arm64/arm64/trampoline.S
+++ b/sys/arch/arm64/arm64/trampoline.S
@@ -1,4 +1,4 @@
-/*	$OpenBSD: trampoline.S,v 1.1 2018/01/10 23:27:18 kettenis Exp $	*/
+/*	$OpenBSD: trampoline.S,v 1.2 2019/12/17 22:25:56 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2018 Mark Kettenis <kettenis@openbsd.org>
@@ -82,6 +82,8 @@ tramp_return:
 	mrs	x18, tpidrro_el0
 	msr	tpidrro_el0, xzr
 	eret
+	dsb nsh
+	isb
 
 /*
  * The next page contains the start of the EL0 exception handlers.