fix(security): loop workaround for CVE-2022-23960 for Cortex-A76

Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I8d433b39a5c0f9e1cef978df8a2986d7a35d3745
This commit is contained in:
Bipin Ravi 2022-02-08 19:32:38 -06:00
parent 921081049e
commit a10a5cb609
2 changed files with 112 additions and 16 deletions

View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -10,38 +10,41 @@
#include <lib/utils_def.h>
/* Cortex-A76 MIDR for revision 0 */
#define CORTEX_A76_MIDR U(0x410fd0b0)
#define CORTEX_A76_MIDR U(0x410fd0b0)
/* Cortex-A76 loop count for CVE-2022-23960 mitigation */
#define CORTEX_A76_BHB_LOOP_COUNT U(24)
/*******************************************************************************
* CPU Extended Control register specific definitions.
******************************************************************************/
#define CORTEX_A76_CPUPWRCTLR_EL1 S3_0_C15_C2_7
#define CORTEX_A76_CPUECTLR_EL1 S3_0_C15_C1_4
#define CORTEX_A76_CPUPWRCTLR_EL1 S3_0_C15_C2_7
#define CORTEX_A76_CPUECTLR_EL1 S3_0_C15_C1_4
#define CORTEX_A76_CPUECTLR_EL1_WS_THR_L2 (ULL(3) << 24)
#define CORTEX_A76_CPUECTLR_EL1_BIT_51 (ULL(1) << 51)
#define CORTEX_A76_CPUECTLR_EL1_WS_THR_L2 (ULL(3) << 24)
#define CORTEX_A76_CPUECTLR_EL1_BIT_51 (ULL(1) << 51)
/*******************************************************************************
* CPU Auxiliary Control register specific definitions.
******************************************************************************/
#define CORTEX_A76_CPUACTLR_EL1 S3_0_C15_C1_0
#define CORTEX_A76_CPUACTLR_EL1 S3_0_C15_C1_0
#define CORTEX_A76_CPUACTLR_EL1_DISABLE_STATIC_PREDICTION (ULL(1) << 6)
#define CORTEX_A76_CPUACTLR_EL1_BIT_13 (ULL(1) << 13)
#define CORTEX_A76_CPUACTLR_EL1_BIT_13 (ULL(1) << 13)
#define CORTEX_A76_CPUACTLR2_EL1 S3_0_C15_C1_1
#define CORTEX_A76_CPUACTLR2_EL1 S3_0_C15_C1_1
#define CORTEX_A76_CPUACTLR2_EL1_BIT_2 (ULL(1) << 2)
#define CORTEX_A76_CPUACTLR2_EL1_BIT_2 (ULL(1) << 2)
#define CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE (ULL(1) << 16)
#define CORTEX_A76_CPUACTLR3_EL1 S3_0_C15_C1_2
#define CORTEX_A76_CPUACTLR3_EL1 S3_0_C15_C1_2
#define CORTEX_A76_CPUACTLR3_EL1_BIT_10 (ULL(1) << 10)
#define CORTEX_A76_CPUACTLR3_EL1_BIT_10 (ULL(1) << 10)
/* Definitions of register field mask in CORTEX_A76_CPUPWRCTLR_EL1 */
#define CORTEX_A76_CORE_PWRDN_EN_MASK U(0x1)
#define CORTEX_A76_CORE_PWRDN_EN_MASK U(0x1)
#endif /* CORTEX_A76_H */

View File

@ -7,11 +7,11 @@
#include <arch.h>
#include <asm_macros.S>
#include <common/bl_common.h>
#include <context.h>
#include <cortex_a76.h>
#include <cpu_macros.S>
#include <plat_macros.S>
#include <services/arm_arch_svc.h>
#include "wa_cve_2022_23960_bhb.S"
/* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0
@ -63,8 +63,10 @@
*/
ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
.endm
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
vector_base cortex_a76_wa_cve_2018_3639_a76_vbar
#if DYNAMIC_WORKAROUND_CVE_2018_3639 || WORKAROUND_CVE_2022_23960
vector_base cortex_a76_wa_cve_vbar
/* ---------------------------------------------------------------------
* Current EL with SP_EL0 : 0x0 - 0x200
@ -111,22 +113,54 @@ end_vector_entry cortex_a76_serror_sp_elx
* ---------------------------------------------------------------------
*/
vector_entry cortex_a76_sync_exception_aarch64
#if WORKAROUND_CVE_2022_23960
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
#endif /* WORKAROUND_CVE_2022_23960 */
#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=1 _esr_el3_val=ESR_EL3_A64_SMC0
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
b sync_exception_aarch64
end_vector_entry cortex_a76_sync_exception_aarch64
vector_entry cortex_a76_irq_aarch64
#if WORKAROUND_CVE_2022_23960
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
#endif /* WORKAROUND_CVE_2022_23960 */
#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A64_SMC0
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
b irq_aarch64
end_vector_entry cortex_a76_irq_aarch64
vector_entry cortex_a76_fiq_aarch64
#if WORKAROUND_CVE_2022_23960
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
#endif /* WORKAROUND_CVE_2022_23960 */
#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A64_SMC0
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
b fiq_aarch64
end_vector_entry cortex_a76_fiq_aarch64
vector_entry cortex_a76_serror_aarch64
#if WORKAROUND_CVE_2022_23960
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
#endif /* WORKAROUND_CVE_2022_23960 */
#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A64_SMC0
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
b serror_aarch64
end_vector_entry cortex_a76_serror_aarch64
@ -135,25 +169,59 @@ end_vector_entry cortex_a76_serror_aarch64
* ---------------------------------------------------------------------
*/
vector_entry cortex_a76_sync_exception_aarch32
#if WORKAROUND_CVE_2022_23960
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
#endif /* WORKAROUND_CVE_2022_23960 */
#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=1 _esr_el3_val=ESR_EL3_A32_SMC0
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
b sync_exception_aarch32
end_vector_entry cortex_a76_sync_exception_aarch32
vector_entry cortex_a76_irq_aarch32
#if WORKAROUND_CVE_2022_23960
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
#endif /* WORKAROUND_CVE_2022_23960 */
#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A32_SMC0
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
b irq_aarch32
end_vector_entry cortex_a76_irq_aarch32
vector_entry cortex_a76_fiq_aarch32
#if WORKAROUND_CVE_2022_23960
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
#endif /* WORKAROUND_CVE_2022_23960 */
#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A32_SMC0
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
b fiq_aarch32
end_vector_entry cortex_a76_fiq_aarch32
vector_entry cortex_a76_serror_aarch32
#if WORKAROUND_CVE_2022_23960
apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
#endif /* WORKAROUND_CVE_2022_23960 */
#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A32_SMC0
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
b serror_aarch32
end_vector_entry cortex_a76_serror_aarch32
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 || WORKAROUND_CVE_2022_23960 */
#if DYNAMIC_WORKAROUND_CVE_2018_3639
/*
* -----------------------------------------------------------------
* This function applies the mitigation for CVE-2018-3639
@ -549,6 +617,15 @@ func check_errata_1165522
#endif
endfunc check_errata_1165522
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif /* WORKAROUND_CVE_2022_23960 */
ret
endfunc check_errata_cve_2022_23960
/* -------------------------------------------------
* The CPU Ops reset function for Cortex-A76.
* Shall clobber: x0-x19
@ -620,16 +697,31 @@ func cortex_a76_reset_func
* The Cortex-A76 generic vectors are overwritten to use the vectors
* defined above. This is required in order to apply mitigation
* against CVE-2018-3639 on exception entry from lower ELs.
* If the below vector table is used, skip overriding it again for
* CVE_2022_23960 as both use the same vbar.
*/
adr x0, cortex_a76_wa_cve_2018_3639_a76_vbar
adr x0, cortex_a76_wa_cve_vbar
msr vbar_el3, x0
isb
b 2f
#endif /* IMAGE_BL31 */
1:
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
#endif /* WORKAROUND_CVE_2018_3639 */
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Cortex-A76 generic vectors are overridden to apply errata
* mitigation on exception entry from lower ELs. This will be bypassed
* if DYNAMIC_WORKAROUND_CVE_2018_3639 has overridden the vectors.
*/
adr x0, cortex_a76_wa_cve_vbar
msr vbar_el3, x0
isb
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
2:
#if ERRATA_DSU_798953
bl errata_dsu_798953_wa
#endif
@ -686,6 +778,7 @@ func cortex_a76_errata_report
report_errata WORKAROUND_CVE_2018_3639, cortex_a76, cve_2018_3639
report_errata ERRATA_DSU_798953, cortex_a76, dsu_798953
report_errata ERRATA_DSU_936184, cortex_a76, dsu_936184
report_errata WORKAROUND_CVE_2022_23960, cortex_a76, cve_2022_23960
ldp x8, x30, [sp], #16
ret