crypto/subtle: add speculation barrier after DIT

When enabling DIT on ARM64, add speculation barrier instructions to
ensure that subsequent instructions are executed using the updated
DIT state.

See https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms#Enable-DIT-for-constant-time-cryptographic-operations
which recommends doing this. The Arm documentation for DIT doesn't tell
you to do this, but it seems prudent.

Change-Id: Idbc87b332650a77b8cb3509c11377bf5c724f3cf
Reviewed-on: https://go-review.googlesource.com/c/go/+/726980
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/src/internal/runtime/sys/dit_arm64.s b/src/internal/runtime/sys/dit_arm64.s
index c27dfc9af3..408b60c8c0 100644
--- a/src/internal/runtime/sys/dit_arm64.s
+++ b/src/internal/runtime/sys/dit_arm64.s
@@ -9,6 +9,11 @@ TEXT ·EnableDIT(SB),$0-1
     UBFX $24, R0, $1, R1
     MOVB R1, ret+0(FP)
     MSR $1, DIT
+    // TODO(roland): the SB instruction is significantly more
+    // performant when available. We should detect its availability
+    // and use it when we can.
+    DSB $7  // nsh
+    ISB $15 // sy
     RET
 
 TEXT ·DITEnabled(SB),$0-1