On 22/02/2021 00.20, Hector Martin wrote:
I haven't tested things at EL0 yet, but it looks like the stateful instructions known to be usable in EL0 (AMX) already default to trap on this platform, so we should be safe there. Everything else looks like it probably either shouldn't work in EL0 (I sure hope the address translation one doesn't...) or is probably stateless. I'll dig deeper and test EL0 in the future, but so far things look OK (for some questionable values of OK :) ).
Follow-up: I have EL0 testing scaffolding now, and I found some more mutable state (an IMP-DEF, pre-standard version of FEAT_AFP, using a separate status register for the bits), but thankfully it traps at EL0 by default.
And then I found some other mutable IMP-DEF state that does not trap at EL0. And which is a 0-day CVE in macOS, because it doesn't save/restore/clear it either, nor does it trap there.
E-mailing security@xxxxxxxxx... -- Hector Martin (marcan@xxxxxxxxx) Public Key: https://mrcn.st/pub
