[coreboot-gerrit] [S] Change in coreboot[master]: cpu/x86/smm_stub.S: Add a retpoline around the main C handler

Attention is currently required from: Martin L Roth, Subrata Banik, Patrick Rudolph, Benjamin Doron, Julius Werner, Maximilian Brune, Arthur Heymans, Jan Samek.

Nico Huber has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/67735 )

Change subject: cpu/x86/smm_stub.S: Add a retpoline around the main C handler ......................................................................

Patch Set 2:

(2 comments)

File src/cpu/x86/smm/smm_stub.S:

https://review.coreboot.org/c/coreboot/+/67735/comment/60aae84f_b21a7b50 PS2, Line 256: 2f

What are these offsets targeting?

The `2:` below (f for forward).

https://review.coreboot.org/c/coreboot/+/67735/comment/3040493b_1ac0e963 PS2, Line 268: 1b

Ditto.

The `1:` above (b for backward).

I didn't look into retpolines before, but by the name it's a trampoline (jumping around) using a ret(urn) somehow. It's indeed not easy to follow, here is what happens:

* we have a stack frame #0 * jump to 2: * call 1: (creates a new stack frame #1) * call call_c_handler: (creates new stack frame #2) * `movq %rax, (%rsp)` overwrites the return address with c_handler that is still in `rax` since line 253 * `ret` returns to stack frame #1, but execution is in the c_handler now oO * when c_handler returns we return to frame #0, hence continue after the call in line 268

So `trap:` never gets executed and the `lfence` only instructs the speculators (that would assume that the `ret` in line 265 returns to `trap:`) to stop speculating, AIUI.