cleanup: include/: move misc/speculation.h to sys/speculation.h

move misc/speculation.h to sys/speculation.h and
create a shim for backward-compatibility.

No functional changes to the headers.
A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES.

Related to #16539

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This commit is contained in:
Anas Nashif 2019-06-26 10:33:53 -04:00
commit d222553931
4 changed files with 65 additions and 50 deletions

View file

@ -27,7 +27,7 @@
#include <sys/sys_io.h>
#include <sys/__assert.h>
#include <sys/slist.h>
#include <misc/speculation.h>
#include <sys/speculation.h>
#include "gpio_utils.h"

View file

@ -1,55 +1,15 @@
/*
* Copyright (c) 2019 Intel Corporation.
* Copyright (c) 2019 Intel Corporation
*
* SPDX-License-Identifier: Apache-2.0
*/
#ifndef ZEPHYR_INCLUDE_MISC_SPECULATION_H_
#define ZEPHYR_INCLUDE_MISC_SPECULATION_H_
#ifndef ZEPHYR_MISC_SPECULATION_H
#define ZEPHYR_MISC_SPECULATION_H
#ifndef CONFIG_COMPAT_INCLUDES
#warning "This header file has moved, include <sys/speculation.h> instead."
#endif
#include <zephyr/types.h>
#include <sys/speculation.h>
/**
* Sanitize an array index against bounds check bypass attacks aka the
* Spectre V1 vulnerability.
*
* CPUs with speculative execution may speculate past any size checks and
* leak confidential data due to analysis of micro-architectural properties.
* This will unconditionally truncate any out-of-bounds indexes to
* zero in the speculative execution path using bit twiddling instead of
* any branch instructions.
*
* Example usage:
*
* if (index < size) {
* index = k_array_index_sanitize(index, size);
* data = array[index];
* }
*
* @param index Untrusted array index which has been validated, but not used
* @param array_size Size of the array
* @return The original index value if < size, or 0
*/
static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
{
#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
s32_t signed_index = index, signed_array_size = array_size;
/* Take the difference between index and max.
* A proper value will result in a negative result. We also AND in
* the complement of index, so that we automatically reject any large
* indexes which would wrap around the difference calculation.
*
* Sign-extend just the sign bit to produce a mask of all 1s (accept)
* or all 0s (truncate).
*/
u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;
return index & mask;
#else
ARG_UNUSED(array_size);
return index;
#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
}
#endif /* ZEPHYR_MISC_SPECULATION_H */
#endif /* ZEPHYR_INCLUDE_MISC_SPECULATION_H_ */

55
include/sys/speculation.h Normal file
View file

@ -0,0 +1,55 @@
/*
* Copyright (c) 2019 Intel Corporation.
*
* SPDX-License-Identifier: Apache-2.0
*/
#ifndef ZEPHYR_MISC_SPECULATION_H
#define ZEPHYR_MISC_SPECULATION_H
#include <zephyr/types.h>
/**
* Sanitize an array index against bounds check bypass attacks aka the
* Spectre V1 vulnerability.
*
* CPUs with speculative execution may speculate past any size checks and
* leak confidential data due to analysis of micro-architectural properties.
* This will unconditionally truncate any out-of-bounds indexes to
* zero in the speculative execution path using bit twiddling instead of
* any branch instructions.
*
* Example usage:
*
* if (index < size) {
* index = k_array_index_sanitize(index, size);
* data = array[index];
* }
*
* @param index Untrusted array index which has been validated, but not used
* @param array_size Size of the array
* @return The original index value if < size, or 0
*/
static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
{
#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
s32_t signed_index = index, signed_array_size = array_size;
/* Take the difference between index and max.
* A proper value will result in a negative result. We also AND in
* the complement of index, so that we automatically reject any large
* indexes which would wrap around the difference calculation.
*
* Sign-extend just the sign bit to produce a mask of all 1s (accept)
* or all 0s (truncate).
*/
u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;
return index & mask;
#else
ARG_UNUSED(array_size);
return index;
#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
}
#endif /* ZEPHYR_MISC_SPECULATION_H */

View file

@ -17,7 +17,7 @@
#include <fcntl.h>
#include <kernel.h>
#include <sys/fdtable.h>
#include <misc/speculation.h>
#include <sys/speculation.h>
struct fd_entry {
void *obj;