fix(security): workaround for CVE-2022-23960 for Cortex-A57, Cortex-A72

Implements mitigation for Cortex-A72 CPU versions that support the CSV2 feature(from r1p0). It also applies the mitigation for Cortex-A57 CPU. Signed-off-by: Bipin Ravi <bipin.ravi@arm.com> Change-Id: I7cfcf06537710f144f6e849992612033ddd79d33
2022-02-15 23:24:51 -06:00 · 2022-02-15 23:24:51 -06:00 · be9121fd31
parent fdb9166b94
commit be9121fd31
3 changed files with 53 additions and 5 deletions
--- a/include/lib/cpus/aarch64/cortex_a72.h
+++ b/include/lib/cpus/aarch64/cortex_a72.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -12,6 +12,9 @@
 /* Cortex-A72 midr for revision 0 */
 #define CORTEX_A72_MIDR 				U(0x410FD080)

+/* Cortex-A72 loop count for CVE-2022-23960 mitigation */
+#define CORTEX_A72_BHB_LOOP_COUNT			U(8)
+
 /*******************************************************************************
 * CPU Extended Control register specific definitions.
 ******************************************************************************/
--- a/lib/cpus/aarch64/cortex_a57.S
+++ b/lib/cpus/aarch64/cortex_a57.S
@ -470,7 +470,12 @@ func cortex_a57_reset_func
 	bl	errata_a57_859972_wa
 #endif

-#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715
+#if IMAGE_BL31 && ( WORKAROUND_CVE_2017_5715 || WORKAROUND_CVE_2022_23960 )
+	/* ---------------------------------------------------------------
+	 * Override vector table & enable existing workaround if either of
+	 * the build flags are enabled
+	 * ---------------------------------------------------------------
+	 */
 	adr	x0, wa_cve_2017_5715_mmu_vbar
 	msr	vbar_el3, x0
 	/* isb will be performed before returning from this function */
@ -506,6 +511,15 @@ func cortex_a57_reset_func
 	ret	x19
 endfunc cortex_a57_reset_func

+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+	mov	x0, #ERRATA_APPLIES
+#else
+	mov	x0, #ERRATA_MISSING
+#endif
+	ret
+endfunc check_errata_cve_2022_23960
+
 	/* ----------------------------------------------------
 	 * The CPU Ops core power down function for Cortex-A57.
 	 * ----------------------------------------------------
@ -630,6 +644,7 @@ func cortex_a57_errata_report
 	report_errata ERRATA_A57_1319537, cortex_a57, 1319537
 	report_errata WORKAROUND_CVE_2017_5715, cortex_a57, cve_2017_5715
 	report_errata WORKAROUND_CVE_2018_3639, cortex_a57, cve_2018_3639
+	report_errata WORKAROUND_CVE_2022_23960, cortex_a57, cve_2022_23960

 	ldp	x8, x30, [sp], #16
 	ret
--- a/lib/cpus/aarch64/cortex_a72.S
+++ b/lib/cpus/aarch64/cortex_a72.S
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -9,6 +9,11 @@
 #include <cortex_a72.h>
 #include <cpu_macros.S>
 #include <plat_macros.S>
+#include "wa_cve_2022_23960_bhb_vector.S"
+
+#if WORKAROUND_CVE_2022_23960
+	wa_cve_2022_23960_bhb_vector_table CORTEX_A72_BHB_LOOP_COUNT, cortex_a72
+#endif /* WORKAROUND_CVE_2022_23960 */

 	/* ---------------------------------------------
 	 * Disable L1 data cache and unified L2 cache
@ -133,6 +138,15 @@ func check_errata_1319367
 	ret
 endfunc check_errata_1319367

+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+	mov	x0, #ERRATA_APPLIES
+#else
+	mov	x0, #ERRATA_MISSING
+#endif
+	ret
+endfunc check_errata_cve_2022_23960
+
 	/* -------------------------------------------------
 	 * The CPU Ops reset function for Cortex-A72.
 	 * -------------------------------------------------
@ -147,13 +161,28 @@ func cortex_a72_reset_func
 	bl	errata_a72_859971_wa
 #endif

-#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715
+#if IMAGE_BL31 && (WORKAROUND_CVE_2017_5715 || WORKAROUND_CVE_2022_23960)
 	cpu_check_csv2	x0, 1f
 	adr	x0, wa_cve_2017_5715_mmu_vbar
 	msr	vbar_el3, x0
 	/* isb will be performed before returning from this function */
+
+	/* Skip CVE_2022_23960 mitigation if cve_2017_5715 mitigation applied */
+	b	2f
 1:
-#endif
+#if WORKAROUND_CVE_2022_23960
+	/*
+	 * The Cortex-A72 generic vectors are overridden to apply the
+         * mitigation on exception entry from lower ELs for revisions >= r1p0
+	 * which has CSV2 implemented.
+	 */
+	adr	x0, wa_cve_vbar_cortex_a72
+	msr	vbar_el3, x0
+
+	/* isb will be performed before returning from this function */
+#endif /* WORKAROUND_CVE_2022_23960 */
+2:
+#endif /* IMAGE_BL31 &&  (WORKAROUND_CVE_2017_5715 || WORKAROUND_CVE_2022_23960) */

 #if WORKAROUND_CVE_2018_3639
 	mrs	x0, CORTEX_A72_CPUACTLR_EL1
@ -299,6 +328,7 @@ func cortex_a72_errata_report
 	report_errata ERRATA_A72_1319367, cortex_a72, 1319367
 	report_errata WORKAROUND_CVE_2017_5715, cortex_a72, cve_2017_5715
 	report_errata WORKAROUND_CVE_2018_3639, cortex_a72, cve_2018_3639
+	report_errata WORKAROUND_CVE_2022_23960, cortex_a72, cve_2022_23960

 	ldp	x8, x30, [sp], #16
 	ret