fix(security): loop workaround for CVE-2022-23960 for Cortex-A76
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com> Change-Id: I8d433b39a5c0f9e1cef978df8a2986d7a35d3745
parent
921081049e
commit
a10a5cb609
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -10,38 +10,41 @@
|
|||
#include <lib/utils_def.h>
|
||||
|
||||
/* Cortex-A76 MIDR for revision 0 */
|
||||
#define CORTEX_A76_MIDR U(0x410fd0b0)
|
||||
#define CORTEX_A76_MIDR U(0x410fd0b0)
|
||||
|
||||
/* Cortex-A76 loop count for CVE-2022-23960 mitigation */
|
||||
#define CORTEX_A76_BHB_LOOP_COUNT U(24)
|
||||
|
||||
/*******************************************************************************
|
||||
* CPU Extended Control register specific definitions.
|
||||
******************************************************************************/
|
||||
#define CORTEX_A76_CPUPWRCTLR_EL1 S3_0_C15_C2_7
|
||||
#define CORTEX_A76_CPUECTLR_EL1 S3_0_C15_C1_4
|
||||
#define CORTEX_A76_CPUPWRCTLR_EL1 S3_0_C15_C2_7
|
||||
#define CORTEX_A76_CPUECTLR_EL1 S3_0_C15_C1_4
|
||||
|
||||
#define CORTEX_A76_CPUECTLR_EL1_WS_THR_L2 (ULL(3) << 24)
|
||||
#define CORTEX_A76_CPUECTLR_EL1_BIT_51 (ULL(1) << 51)
|
||||
#define CORTEX_A76_CPUECTLR_EL1_WS_THR_L2 (ULL(3) << 24)
|
||||
#define CORTEX_A76_CPUECTLR_EL1_BIT_51 (ULL(1) << 51)
|
||||
|
||||
/*******************************************************************************
|
||||
* CPU Auxiliary Control register specific definitions.
|
||||
******************************************************************************/
|
||||
#define CORTEX_A76_CPUACTLR_EL1 S3_0_C15_C1_0
|
||||
#define CORTEX_A76_CPUACTLR_EL1 S3_0_C15_C1_0
|
||||
|
||||
#define CORTEX_A76_CPUACTLR_EL1_DISABLE_STATIC_PREDICTION (ULL(1) << 6)
|
||||
|
||||
#define CORTEX_A76_CPUACTLR_EL1_BIT_13 (ULL(1) << 13)
|
||||
#define CORTEX_A76_CPUACTLR_EL1_BIT_13 (ULL(1) << 13)
|
||||
|
||||
#define CORTEX_A76_CPUACTLR2_EL1 S3_0_C15_C1_1
|
||||
#define CORTEX_A76_CPUACTLR2_EL1 S3_0_C15_C1_1
|
||||
|
||||
#define CORTEX_A76_CPUACTLR2_EL1_BIT_2 (ULL(1) << 2)
|
||||
#define CORTEX_A76_CPUACTLR2_EL1_BIT_2 (ULL(1) << 2)
|
||||
|
||||
#define CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE (ULL(1) << 16)
|
||||
|
||||
#define CORTEX_A76_CPUACTLR3_EL1 S3_0_C15_C1_2
|
||||
#define CORTEX_A76_CPUACTLR3_EL1 S3_0_C15_C1_2
|
||||
|
||||
#define CORTEX_A76_CPUACTLR3_EL1_BIT_10 (ULL(1) << 10)
|
||||
#define CORTEX_A76_CPUACTLR3_EL1_BIT_10 (ULL(1) << 10)
|
||||
|
||||
|
||||
/* Definitions of register field mask in CORTEX_A76_CPUPWRCTLR_EL1 */
|
||||
#define CORTEX_A76_CORE_PWRDN_EN_MASK U(0x1)
|
||||
#define CORTEX_A76_CORE_PWRDN_EN_MASK U(0x1)
|
||||
|
||||
#endif /* CORTEX_A76_H */
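Review bot: The comment on `CORTEX_A76_BHB_LOOP_COUNT` does not say where 24 comes from or that it is tied to this core. A later copy into another CPU header, or a tidy-up to a different value, could then silently weaken the CVE-2022-23960 mitigation. I would expand it to something like `/* Cortex-A76 loop count for CVE-2022-23960 mitigation: core-specific, taken from Arm's Spectre-BHB guidance; do not reuse for other cores */`, assuming that guidance is indeed the source. The remaining edits in this file look like whitespace realignment of existing defines plus the copyright year.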
|
||||
|
|
|
@ -7,11 +7,11 @@
|
|||
#include <arch.h>
|
||||
#include <asm_macros.S>
|
||||
#include <common/bl_common.h>
|
||||
#include <context.h>
|
||||
#include <cortex_a76.h>
|
||||
#include <cpu_macros.S>
|
||||
#include <plat_macros.S>
|
||||
#include <services/arm_arch_svc.h>
|
||||
#include "wa_cve_2022_23960_bhb.S"
|
||||
|
||||
/* Hardware handled coherency */
|
||||
#if HW_ASSISTED_COHERENCY == 0
|
||||
|
@ -63,8 +63,10 @@
|
|||
*/
|
||||
ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
|
||||
.endm
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
|
||||
|
||||
vector_base cortex_a76_wa_cve_2018_3639_a76_vbar
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639 || WORKAROUND_CVE_2022_23960
|
||||
vector_base cortex_a76_wa_cve_vbar
|
||||
|
||||
/* ---------------------------------------------------------------------
|
||||
* Current EL with SP_EL0 : 0x0 - 0x200
|
||||
|
@ -111,22 +113,54 @@ end_vector_entry cortex_a76_serror_sp_elx
|
|||
* ---------------------------------------------------------------------
|
||||
*/
|
||||
vector_entry cortex_a76_sync_exception_aarch64
|
||||
|
||||
#if WORKAROUND_CVE_2022_23960
|
||||
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
|
||||
#endif /* WORKAROUND_CVE_2022_23960 */
|
||||
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639
|
||||
apply_cve_2018_3639_wa _is_sync_exception=1 _esr_el3_val=ESR_EL3_A64_SMC0
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
|
||||
|
||||
b sync_exception_aarch64
|
||||
end_vector_entry cortex_a76_sync_exception_aarch64
|
||||
|
||||
vector_entry cortex_a76_irq_aarch64
|
||||
|
||||
#if WORKAROUND_CVE_2022_23960
|
||||
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
|
||||
#endif /* WORKAROUND_CVE_2022_23960 */
|
||||
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639
|
||||
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A64_SMC0
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
|
||||
|
||||
b irq_aarch64
|
||||
end_vector_entry cortex_a76_irq_aarch64
|
||||
|
||||
vector_entry cortex_a76_fiq_aarch64
|
||||
|
||||
#if WORKAROUND_CVE_2022_23960
|
||||
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
|
||||
#endif /* WORKAROUND_CVE_2022_23960 */
|
||||
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639
|
||||
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A64_SMC0
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
|
||||
|
||||
b fiq_aarch64
|
||||
end_vector_entry cortex_a76_fiq_aarch64
|
||||
|
||||
vector_entry cortex_a76_serror_aarch64
|
||||
|
||||
#if WORKAROUND_CVE_2022_23960
|
||||
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
|
||||
#endif /* WORKAROUND_CVE_2022_23960 */
|
||||
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639
|
||||
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A64_SMC0
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
|
||||
|
||||
b serror_aarch64
|
||||
end_vector_entry cortex_a76_serror_aarch64
|
||||
|
||||
|
@ -135,25 +169,59 @@ end_vector_entry cortex_a76_serror_aarch64
|
|||
* ---------------------------------------------------------------------
|
||||
*/
|
||||
vector_entry cortex_a76_sync_exception_aarch32
|
||||
|
||||
#if WORKAROUND_CVE_2022_23960
|
||||
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
|
||||
#endif /* WORKAROUND_CVE_2022_23960 */
|
||||
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639
|
||||
apply_cve_2018_3639_wa _is_sync_exception=1 _esr_el3_val=ESR_EL3_A32_SMC0
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
|
||||
|
||||
b sync_exception_aarch32
|
||||
end_vector_entry cortex_a76_sync_exception_aarch32
|
||||
|
||||
vector_entry cortex_a76_irq_aarch32
|
||||
|
||||
#if WORKAROUND_CVE_2022_23960
|
||||
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
|
||||
#endif /* WORKAROUND_CVE_2022_23960 */
|
||||
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639
|
||||
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A32_SMC0
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
|
||||
|
||||
b irq_aarch32
|
||||
end_vector_entry cortex_a76_irq_aarch32
|
||||
|
||||
vector_entry cortex_a76_fiq_aarch32
|
||||
|
||||
#if WORKAROUND_CVE_2022_23960
|
||||
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
|
||||
#endif /* WORKAROUND_CVE_2022_23960 */
|
||||
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639
|
||||
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A32_SMC0
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
|
||||
|
||||
b fiq_aarch32
|
||||
end_vector_entry cortex_a76_fiq_aarch32
|
||||
|
||||
vector_entry cortex_a76_serror_aarch32
|
||||
|
||||
#if WORKAROUND_CVE_2022_23960
|
||||
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
|
||||
#endif /* WORKAROUND_CVE_2022_23960 */
|
||||
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639
|
||||
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A32_SMC0
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
|
||||
|
||||
b serror_aarch32
|
||||
end_vector_entry cortex_a76_serror_aarch32
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 || WORKAROUND_CVE_2022_23960 */
|
||||
|
||||
#if DYNAMIC_WORKAROUND_CVE_2018_3639
|
||||
/*
|
||||
* -----------------------------------------------------------------
|
||||
* This function applies the mitigation for CVE-2018-3639
|
||||
|
@ -549,6 +617,15 @@ func check_errata_1165522
|
|||
#endif
|
||||
endfunc check_errata_1165522
|
||||
|
||||
func check_errata_cve_2022_23960
|
||||
#if WORKAROUND_CVE_2022_23960
|
||||
mov x0, #ERRATA_APPLIES
|
||||
#else
|
||||
mov x0, #ERRATA_MISSING
|
||||
#endif /* WORKAROUND_CVE_2022_23960 */
|
||||
ret
|
||||
endfunc check_errata_cve_2022_23960
|
||||
|
||||
/* -------------------------------------------------
|
||||
* The CPU Ops reset function for Cortex-A76.
|
||||
* Shall clobber: x0-x19
|
||||
|
@ -620,16 +697,31 @@ func cortex_a76_reset_func
|
|||
* The Cortex-A76 generic vectors are overwritten to use the vectors
|
||||
* defined above. This is required in order to apply mitigation
|
||||
* against CVE-2018-3639 on exception entry from lower ELs.
|
||||
* If the below vector table is used, skip overriding it again for
|
||||
* CVE_2022_23960 as both use the same vbar.
|
||||
*/
|
||||
adr x0, cortex_a76_wa_cve_2018_3639_a76_vbar
|
||||
adr x0, cortex_a76_wa_cve_vbar
|
||||
msr vbar_el3, x0
|
||||
isb
|
||||
b 2f
|
||||
#endif /* IMAGE_BL31 */
|
||||
|
||||
1:
|
||||
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
|
||||
#endif /* WORKAROUND_CVE_2018_3639 */
|
||||
|
||||
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
|
||||
/*
|
||||
* The Cortex-A76 generic vectors are overridden to apply errata
|
||||
* mitigation on exception entry from lower ELs. This will be bypassed
|
||||
* if DYNAMIC_WORKAROUND_CVE_2018_3639 has overridden the vectors.
|
||||
*/
|
||||
adr x0, cortex_a76_wa_cve_vbar
|
||||
msr vbar_el3, x0
|
||||
isb
|
||||
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
|
||||
2:
|
||||
|
||||
#if ERRATA_DSU_798953
|
||||
bl errata_dsu_798953_wa
|
||||
#endif
|
||||
|
@ -686,6 +778,7 @@ func cortex_a76_errata_report
|
|||
report_errata WORKAROUND_CVE_2018_3639, cortex_a76, cve_2018_3639
|
||||
report_errata ERRATA_DSU_798953, cortex_a76, dsu_798953
|
||||
report_errata ERRATA_DSU_936184, cortex_a76, dsu_936184
|
||||
report_errata WORKAROUND_CVE_2022_23960, cortex_a76, cve_2022_23960
|
||||
|
||||
ldp x8, x30, [sp], #16
|
||||
ret
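Review bot: With both DYNAMIC_WORKAROUND_CVE_2018_3639 and WORKAROUND_CVE_2022_23960 enabled, the new `#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960` block in cortex_a76_reset_func installs `cortex_a76_wa_cve_vbar` on the path that reaches label `1:`. Every lower-EL entry in that table also expands `apply_cve_2018_3639_wa`. The branch to `1:` is outside the hunk; if it is the skip taken when the dynamic CVE-2018-3639 workaround is not wanted on this PE, that macro now runs on cores that previously never had these vectors installed. Either confirm this is intended and record it in the comment above the block, e.g. `* When reached via label 1 the table still expands apply_cve_2018_3639_wa.`, or give that path a table that carries only `apply_cve_2022_23960_bhb_wa`. Each entry now holds two macro expansions plus the final branch, so the combined build depends on the size check in `end_vector_entry` to keep them inside a vector slot.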
|
||||
|
|