cleanup: include/: move misc/speculation.h to sys/speculation.h

move misc/speculation.h to sys/speculation.h and create a shim for backward-compatibility. No functional changes to the headers. A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES. Related to #16539 Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2019-06-26 10:33:53 -04:00 · 2019-06-26 10:33:53 -04:00 · d222553931
commit d222553931
parent 536dd5a71f
4 changed files with 65 additions and 50 deletions
--- a/drivers/gpio/gpio_intel_apl.c
+++ b/drivers/gpio/gpio_intel_apl.c
@ -27,7 +27,7 @@
 #include <sys/sys_io.h>
 #include <sys/__assert.h>
 #include <sys/slist.h>
-#include <misc/speculation.h>
+#include <sys/speculation.h>

 #include "gpio_utils.h"

--- a/include/misc/speculation.h
+++ b/include/misc/speculation.h
@ -1,55 +1,15 @@
 /*
- * Copyright (c) 2019 Intel Corporation.
+ * Copyright (c) 2019 Intel Corporation
 *
 * SPDX-License-Identifier: Apache-2.0
 */
+#ifndef ZEPHYR_INCLUDE_MISC_SPECULATION_H_
+#define ZEPHYR_INCLUDE_MISC_SPECULATION_H_

-#ifndef ZEPHYR_MISC_SPECULATION_H
-#define ZEPHYR_MISC_SPECULATION_H
+#ifndef CONFIG_COMPAT_INCLUDES
+#warning "This header file has moved, include <sys/speculation.h> instead."
+#endif

-#include <zephyr/types.h>
+#include <sys/speculation.h>

-/**
- * Sanitize an array index against bounds check bypass attacks aka the
- * Spectre V1 vulnerability.
- *
- * CPUs with speculative execution may speculate past any size checks and
- * leak confidential data due to analysis of micro-architectural properties.
- * This will unconditionally truncate any out-of-bounds indexes to
- * zero in the speculative execution path using bit twiddling instead of
- * any branch instructions.
- *
- * Example usage:
- *
- * if (index < size) {
- *     index = k_array_index_sanitize(index, size);
- *     data = array[index];
- * }
- *
- * @param index Untrusted array index which has been validated, but not used
- * @param array_size Size of the array
- * @return The original index value if < size, or 0
- */
-static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
-{
-#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
-	s32_t signed_index = index, signed_array_size = array_size;
-
-	/* Take the difference between index and max.
-	 * A proper value will result in a negative result. We also AND in
-	 * the complement of index, so that we automatically reject any large
-	 * indexes which would wrap around the difference calculation.
-	 *
-	 * Sign-extend just the sign bit to produce a mask of all 1s (accept)
-	 * or all 0s (truncate).
-	 */
-	u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;
-
-	return index & mask;
-#else
-	ARG_UNUSED(array_size);
-
-	return index;
-#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
-}
-#endif /* ZEPHYR_MISC_SPECULATION_H */
+#endif /* ZEPHYR_INCLUDE_MISC_SPECULATION_H_ */
--- a/include/sys/speculation.h
+++ b/include/sys/speculation.h
@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2019 Intel Corporation.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef ZEPHYR_MISC_SPECULATION_H
+#define ZEPHYR_MISC_SPECULATION_H
+
+#include <zephyr/types.h>
+
+/**
+ * Sanitize an array index against bounds check bypass attacks aka the
+ * Spectre V1 vulnerability.
+ *
+ * CPUs with speculative execution may speculate past any size checks and
+ * leak confidential data due to analysis of micro-architectural properties.
+ * This will unconditionally truncate any out-of-bounds indexes to
+ * zero in the speculative execution path using bit twiddling instead of
+ * any branch instructions.
+ *
+ * Example usage:
+ *
+ * if (index < size) {
+ *     index = k_array_index_sanitize(index, size);
+ *     data = array[index];
+ * }
+ *
+ * @param index Untrusted array index which has been validated, but not used
+ * @param array_size Size of the array
+ * @return The original index value if < size, or 0
+ */
+static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
+{
+#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
+	s32_t signed_index = index, signed_array_size = array_size;
+
+	/* Take the difference between index and max.
+	 * A proper value will result in a negative result. We also AND in
+	 * the complement of index, so that we automatically reject any large
+	 * indexes which would wrap around the difference calculation.
+	 *
+	 * Sign-extend just the sign bit to produce a mask of all 1s (accept)
+	 * or all 0s (truncate).
+	 */
+	u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;
+
+	return index & mask;
+#else
+	ARG_UNUSED(array_size);
+
+	return index;
+#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
+}
+#endif /* ZEPHYR_MISC_SPECULATION_H */
--- a/lib/os/fdtable.c
+++ b/lib/os/fdtable.c
@ -17,7 +17,7 @@
 #include <fcntl.h>
 #include <kernel.h>
 #include <sys/fdtable.h>
-#include <misc/speculation.h>
+#include <sys/speculation.h>

 struct fd_entry {
 	void *obj;