SSBS: init SPSR register with default SSBS value

This patch introduces an additional precautionary step to further
enhance protection against variant 4. During the context initialisation
before we enter the various BL stages, the SPSR.SSBS bit is explicitly
set to zero. As such, speculative loads/stores are by default disabled
for all BL stages when they start executing. Subsequently, each BL
stage, can choose to enable speculative loads/stores or keep them
disabled.

This change doesn't affect the initial execution context of BL33 which
is totally platform dependent and, thus, it is intentionally left up to
each platform to initialise.

For Arm platforms, SPSR.SSBS is set to zero for BL33 too. This means
that, for Arm platforms, all BL stages start with speculative
loads/stores disabled.

Change-Id: Ie47d39c391d3f20fc2852fc59dbd336f8cacdd6c
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

diff --git a/include/arch/aarch32/arch.h b/include/arch/aarch32/arch.h
index 0db414588a137fb632373c07a01e3074d6cbe9b0..34036d78526d328e18224e6e7f1e24698f8eb69f 100644 (file)
--- a/include/arch/aarch32/arch.h
+++ b/include/arch/aarch32/arch.h
@@ -294,6 +294,8 @@
 #define SPSR_MODE_SHIFT                U(0)
 #define SPSR_MODE_MASK         U(0x7)
 
+#define SPSR_SSBS_BIT          BIT_32(23)
+
 #define DISABLE_ALL_EXCEPTIONS \
                (SPSR_FIQ_BIT | SPSR_IRQ_BIT | SPSR_ABT_BIT)
 
@@ -384,11 +386,12 @@
 #define GET_M32(mode)          (((mode) >> MODE32_SHIFT) & MODE32_MASK)
 
 #define SPSR_MODE32(mode, isa, endian, aif)            \
-       (MODE_RW_32 << MODE_RW_SHIFT |                  \
+       ((MODE_RW_32 << MODE_RW_SHIFT |                 \
        ((mode) & MODE32_MASK) << MODE32_SHIFT |        \
        ((isa) & SPSR_T_MASK) << SPSR_T_SHIFT |         \
        ((endian) & SPSR_E_MASK) << SPSR_E_SHIFT |      \
-       ((aif) & SPSR_AIF_MASK) << SPSR_AIF_SHIFT)
+       ((aif) & SPSR_AIF_MASK) << SPSR_AIF_SHIFT) &    \
+       (~(SPSR_SSBS_BIT)))
 
 /*
  * TTBR definitions

diff --git a/include/arch/aarch64/arch.h b/include/arch/aarch64/arch.h
index 913b62c532253ad01add286023ab1dd033fde1c1..968396412055f3b69c3e013b4d27c52535440815 100644 (file)
--- a/include/arch/aarch64/arch.h
+++ b/include/arch/aarch64/arch.h
@@ -411,6 +411,9 @@
 #define SPSR_M_AARCH64         U(0x0)
 #define SPSR_M_AARCH32         U(0x1)
 
+#define SPSR_SSBS_BIT_AARCH64  BIT_64(12)
+#define SPSR_SSBS_BIT_AARCH32  BIT_64(23)
+
 #define DISABLE_ALL_EXCEPTIONS \
                (DAIF_FIQ_BIT | DAIF_IRQ_BIT | DAIF_ABT_BIT | DAIF_DBG_BIT)
 
@@ -535,18 +538,20 @@
 #define GET_SP(mode)           (((mode) >> MODE_SP_SHIFT) & MODE_SP_MASK)
 #define GET_M32(mode)          (((mode) >> MODE32_SHIFT) & MODE32_MASK)
 
-#define SPSR_64(el, sp, daif)                          \
-       ((MODE_RW_64 << MODE_RW_SHIFT) |                \
-       (((el) & MODE_EL_MASK) << MODE_EL_SHIFT) |      \
-       (((sp) & MODE_SP_MASK) << MODE_SP_SHIFT) |      \
-       (((daif) & SPSR_DAIF_MASK) << SPSR_DAIF_SHIFT))
+#define SPSR_64(el, sp, daif)                                  \
+       (((MODE_RW_64 << MODE_RW_SHIFT) |                       \
+       (((el) & MODE_EL_MASK) << MODE_EL_SHIFT) |              \
+       (((sp) & MODE_SP_MASK) << MODE_SP_SHIFT) |              \
+       (((daif) & SPSR_DAIF_MASK) << SPSR_DAIF_SHIFT)) &       \
+       (~(SPSR_SSBS_BIT_AARCH64)))
 
 #define SPSR_MODE32(mode, isa, endian, aif)            \
-       ((MODE_RW_32 << MODE_RW_SHIFT) |                \
+       (((MODE_RW_32 << MODE_RW_SHIFT) |               \
        (((mode) & MODE32_MASK) << MODE32_SHIFT) |      \
        (((isa) & SPSR_T_MASK) << SPSR_T_SHIFT) |       \
        (((endian) & SPSR_E_MASK) << SPSR_E_SHIFT) |    \
-       (((aif) & SPSR_AIF_MASK) << SPSR_AIF_SHIFT))
+       (((aif) & SPSR_AIF_MASK) << SPSR_AIF_SHIFT)) &  \
+       (~(SPSR_SSBS_BIT_AARCH32)))
 
 /*
  * TTBR Definitions