mirror of
https://github.com/CTCaer/switch-l4t-atf.git
synced 2024-11-28 12:20:31 +00:00
f461fe346b
Even though ERET always causes a jump to another address, aarch64 CPUs speculatively execute following instructions as if the ERET instruction was not a jump instruction. The speculative execution does not cross privilege-levels (to the jump target as one would expect), but it continues on the kernel privilege level as if the ERET instruction did not change the control flow - thus execution anything that is accidentally linked after the ERET instruction. Later, the results of this speculative execution are always architecturally discarded, however they can leak data using microarchitectural side channels. This speculative execution is very reliable (seems to be unconditional) and it manages to complete even relatively performance-heavy operations (e.g. multiple dependent fetches from uncached memory). This was fixed in Linux, FreeBSD, OpenBSD and Optee OS: |
||
---|---|---|
.. | ||
aarch32 | ||
aarch64 | ||
tbbr | ||
bl1_fwu.c | ||
bl1_main.c | ||
bl1_private.h | ||
bl1.ld.S | ||
bl1.mk |