Hi Raghu,
On 02/07/2020 15:52, Raghu K wrote:
> - However, is an ISB sufficient? ISB does not prevent speculative execution of any
> instruction, before the ISB is complete, it only causes a refetch after the completion of ISB, IIUC.
> So in an implementation, an AT instruction could speculatively execute before the ISB (for whatever micro-architectural reason, and this may not apply to the cores under consideration), fill the TLB with garbage
For this to happen, the target translation regime must have already had its registers in a state that allowed the wrong translation.
Any workaround needs to ensure that a speculated AT instruction either gets the correct result, or fails.
> (the damage is done), the ISB is executed and the speculative instructions are flushed and refetch occurs.
I think you are referring to: | ensure TCR_EL1.EPDx =1 prior to SCTLR_EL1.M =1 using isb()
(the hazards of top posting)
In this case, EL3 needs to be aware that SCTLR_EL1.M could have been 0. It's possible the TTBRx_EL1 registers are junk. EL3 needs to ensure the TCR_EL1.EPDx bits have been set, and the CPU is honouring the side effects, before it maybe-enables the EL1 stage1 MMU.
Without the barrier, the side effects from these two system register writes could complete in either order.
The only barrier that guarantees this won't happen is a DSB, which is why I was suggesting it.
If the registers were already in a state that allowed the wrong translation, I don't think there is any barrier that would help.
> - For (b) in the fix, would you not require a barrier after the restore? If you don't
> have it, you could have a speculative AT between the window of time where the SCTLR and TCR registers are restored and ERET.
Provided the TCR_EL1 and SCTLR_EL1 writes complete in the expected order, this would get the correct result.
There certainly needs to be something to ensure the TCR_EL1 and SCTLR_EL1 writes happen in the order that means a speculated AT either fails, or gets the correct result.
> - "So prior to use of AT, ensure the PTW are re-enabled and disabled back again after the AT instructions" -
> I assume this cannot be done on any entry to EL3 except through SMCs. Otherwise we would have the same issue of not being sure that the EL1 registers are in a state that would not cause this issue.
This would be needed wherever EL3 uses AT instructions deliberately. Because step 'a' nobbled stage1 translations, it can't expect AT instructions to work.
Thanks,
James
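The ordering the mail argues for, written out as an added AArch64 example (this is not code from the mail, and not from any particular firmware project). It assumes execution at EL3 with x0-x2 free, that the caller saves the values returned from the entry-side routine and passes them back on the exit side, and that the routine names `el1_stage1_quiesce` and `el1_stage1_restore` are hypothetical. The bit positions are architectural: TCR_EL1.EPD0 is bit 7, TCR_EL1.EPD1 is bit 23, SCTLR_EL1.M is bit 0.

```asm
// Added example: quiesce and restore the EL1 stage-1 registers around
// EL3 work, so a speculated AT against EL1 either fails or translates
// correctly. Assumptions: AArch64, running at EL3, x0-x2 free.
// Routine names are hypothetical, not taken from any project.

    .text
    .global el1_stage1_quiesce
    .global el1_stage1_restore

// Step (a): on entry to EL3, before EL3 does anything that could execute
// (or let the CPU speculate) an AT instruction against the EL1 regime.
// Returns the original TCR_EL1 in x0 and SCTLR_EL1 in x1 for the caller to save.
el1_stage1_quiesce:
    mrs     x0, tcr_el1
    mrs     x1, sctlr_el1

    // 1. Disable both stage-1 table walks first. With EPD0/EPD1 set, a walk
    //    for any VA faults instead of reading whatever TTBRx_EL1 holds.
    orr     x2, x0, #(1 << 7)       // TCR_EL1.EPD0
    orr     x2, x2, #(1 << 23)      // TCR_EL1.EPD1
    msr     tcr_el1, x2

    // 2. DSB, not only ISB: an ISB alone does not guarantee that the side
    //    effects of the TCR_EL1 write have completed before the SCTLR_EL1
    //    write below takes effect, so the two could be observed in either order.
    dsb     sy
    isb

    // 3. Only now may the EL1 MMU be enabled (SCTLR_EL1.M = 1). A speculated
    //    AT seeing M=1 together with EPDx=1 fails rather than walking junk TTBRs.
    orr     x2, x1, #1              // SCTLR_EL1.M
    msr     sctlr_el1, x2
    isb
    ret

// Step (b): just before ERET back to EL1, with the saved values in
// x0 (TCR_EL1) and x1 (SCTLR_EL1). Restore in the reverse order: put
// SCTLR_EL1.M back first (possibly to 0), and re-enable the walks only
// after that write has completed, so there is no window with M=1 and EPDx=0.
el1_stage1_restore:
    msr     sctlr_el1, x1
    dsb     sy
    isb
    msr     tcr_el1, x0
    isb                             // completes before the caller's ERET
    ret
```

Two caveats follow from the mail itself. This sequence only helps if EL3 runs it before the EL1 registers can be observed in the bad combination (M=1 with walks enabled and junk TTBRx_EL1); once that state exists, no barrier recovers it. And because step (a) disables the EL1 stage-1 walks, any AT instruction EL3 itself issues deliberately against EL1 will fault until the walks are re-enabled around it, which is the "re-enable, AT, disable again" bracketing the thread refers to.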