From c2a15217c3053117f4d39233002cb1830fa96670 Mon Sep 17 00:00:00 2001 From: Bipin Ravi Date: Fri, 6 May 2022 16:02:30 -0500 Subject: [PATCH] fix(security): workaround for CVE-2022-23960 Implements the loop workaround for Cortex Makalu/Makalu-ELP/Hunter and Neoverse Demeter/Poseidon. Signed-off-by: Bipin Ravi Change-Id: If5f6689b662ecac92491e0c0902df4270051ce5b --- include/lib/cpus/aarch64/cortex_hunter.h | 5 +- include/lib/cpus/aarch64/cortex_makalu.h | 5 +- .../lib/cpus/aarch64/cortex_makalu_elp_arm.h | 5 +- include/lib/cpus/aarch64/neoverse_demeter.h | 5 +- include/lib/cpus/aarch64/neoverse_poseidon.h | 3 ++ lib/cpus/aarch64/cortex_hunter.S | 38 +++++++++++++- lib/cpus/aarch64/cortex_makalu.S | 38 +++++++++++++- lib/cpus/aarch64/cortex_makalu_elp_arm.S | 52 ++++++++++++++++--- lib/cpus/aarch64/neoverse_demeter.S | 51 +++++++++++++++--- lib/cpus/aarch64/neoverse_poseidon.S | 50 +++++++++++++++--- 10 files changed, 223 insertions(+), 29 deletions(-) diff --git a/include/lib/cpus/aarch64/cortex_hunter.h b/include/lib/cpus/aarch64/cortex_hunter.h index 8b59fd9ea..24bd21760 100644 --- a/include/lib/cpus/aarch64/cortex_hunter.h +++ b/include/lib/cpus/aarch64/cortex_hunter.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -9,6 +9,9 @@ #define CORTEX_HUNTER_MIDR U(0x410FD810) +/* Cortex Hunter loop count for CVE-2022-23960 mitigation */ +#define CORTEX_HUNTER_BHB_LOOP_COUNT U(132) + /******************************************************************************* * CPU Extended Control register specific definitions ******************************************************************************/ diff --git a/include/lib/cpus/aarch64/cortex_makalu.h b/include/lib/cpus/aarch64/cortex_makalu.h index 4e0dc8625..ee59657da 100644 --- a/include/lib/cpus/aarch64/cortex_makalu.h +++ b/include/lib/cpus/aarch64/cortex_makalu.h 
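Review bot: The new `CORTEX_HUNTER_BHB_LOOP_COUNT U(132)` gives no reference for where 132 comes from, although the loop count is the security-relevant parameter of the CVE-2022-23960 workaround. Makalu uses 38 while the other four cores use 132, so a reader cannot tell from the patch whether that difference is intentional. I would extend the comment to something like `/* Loop count for CVE-2022-23960 mitigation; value from <Arm advisory reference>, re-check it before changing */`. The same applies to the matching defines in cortex_makalu.h, cortex_makalu_elp_arm.h, neoverse_demeter.h and neoverse_poseidon.h.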
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -9,6 +9,9 @@ #define CORTEX_MAKALU_MIDR U(0x410FD4D0) +/* Cortex Makalu loop count for CVE-2022-23960 mitigation */ +#define CORTEX_MAKALU_BHB_LOOP_COUNT U(38) + /******************************************************************************* * CPU Extended Control register specific definitions ******************************************************************************/ diff --git a/include/lib/cpus/aarch64/cortex_makalu_elp_arm.h b/include/lib/cpus/aarch64/cortex_makalu_elp_arm.h index a0d788e39..9ed5ee3c7 100644 --- a/include/lib/cpus/aarch64/cortex_makalu_elp_arm.h +++ b/include/lib/cpus/aarch64/cortex_makalu_elp_arm.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -9,6 +9,9 @@ #define CORTEX_MAKALU_ELP_ARM_MIDR U(0x410FD4E0) +/* Cortex Makalu ELP loop count for CVE-2022-23960 mitigation */ +#define CORTEX_MAKALU_ELP_ARM_BHB_LOOP_COUNT U(132) + /******************************************************************************* * CPU Extended Control register specific definitions ******************************************************************************/ diff --git a/include/lib/cpus/aarch64/neoverse_demeter.h b/include/lib/cpus/aarch64/neoverse_demeter.h index 230ed6651..f1afae7b0 100644 --- a/include/lib/cpus/aarch64/neoverse_demeter.h +++ b/include/lib/cpus/aarch64/neoverse_demeter.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ 
@@ -9,6 +9,9 @@ #define NEOVERSE_DEMETER_MIDR U(0x410FD4F0) +/* Neoverse Demeter loop count for CVE-2022-23960 mitigation */ +#define NEOVERSE_DEMETER_BHB_LOOP_COUNT U(132) + /******************************************************************************* * CPU Extended Control register specific definitions ******************************************************************************/ diff --git a/include/lib/cpus/aarch64/neoverse_poseidon.h b/include/lib/cpus/aarch64/neoverse_poseidon.h index 0a8b1d1f7..798ecd1f6 100644 --- a/include/lib/cpus/aarch64/neoverse_poseidon.h +++ b/include/lib/cpus/aarch64/neoverse_poseidon.h @@ -10,6 +10,9 @@ #define NEOVERSE_POSEIDON_MIDR U(0x410FD830) +/* Neoverse Poseidon loop count for CVE-2022-23960 mitigation */ +#define NEOVERSE_POSEIDON_BHB_LOOP_COUNT U(132) + /******************************************************************************* * CPU Extended Control register specific definitions. ******************************************************************************/ diff --git a/lib/cpus/aarch64/cortex_hunter.S b/lib/cpus/aarch64/cortex_hunter.S index 2ab429615..973637e44 100644 --- a/lib/cpus/aarch64/cortex_hunter.S +++ b/lib/cpus/aarch64/cortex_hunter.S @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -10,6 +10,7 @@ #include #include #include +#include "wa_cve_2022_23960_bhb_vector.S" /* Hardware handled coherency */ #if HW_ASSISTED_COHERENCY == 0 
@@ -21,9 +22,32 @@ #error "Cortex Hunter supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #endif +#if WORKAROUND_CVE_2022_23960 + wa_cve_2022_23960_bhb_vector_table CORTEX_HUNTER_BHB_LOOP_COUNT, cortex_hunter +#endif /* WORKAROUND_CVE_2022_23960 */ + +func check_errata_cve_2022_23960 +#if WORKAROUND_CVE_2022_23960 + mov x0, #ERRATA_APPLIES +#else + mov x0, #ERRATA_MISSING +#endif + ret +endfunc check_errata_cve_2022_23960 + func cortex_hunter_reset_func /* Disable speculative loads */ msr SSBS, xzr + +#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960 + /* + * The Cortex Hunter generic vectors are overridden to apply errata + * mitigation on exception entry from lower ELs. + */ + adr x0, wa_cve_vbar_cortex_hunter + msr vbar_el3, x0 +#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */ + isb ret endfunc cortex_hunter_reset_func @@ -49,6 +73,18 @@ endfunc cortex_hunter_core_pwr_dwn * Errata printing function for Cortex Hunter. Must follow AAPCS. */ func cortex_hunter_errata_report + stp x8, x30, [sp, #-16]! + + bl cpu_get_rev_var + mov x8, x0 + + /* + * Report all errata. The revision-variant information is passed to + * checking functions of each errata. + */ + report_errata WORKAROUND_CVE_2022_23960, cortex_hunter, cve_2022_23960 + + ldp x8, x30, [sp], #16 ret endfunc cortex_hunter_errata_report #endif diff --git a/lib/cpus/aarch64/cortex_makalu.S b/lib/cpus/aarch64/cortex_makalu.S index 98c7d6dfc..7603210c5 100644 --- a/lib/cpus/aarch64/cortex_makalu.S +++ b/lib/cpus/aarch64/cortex_makalu.S @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -10,6 +10,7 @@ #include #include #include +#include "wa_cve_2022_23960_bhb_vector.S" /* Hardware handled coherency */ #if HW_ASSISTED_COHERENCY == 0 
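Review bot: `check_errata_cve_2022_23960` returns `ERRATA_APPLIES` in every image built with `WORKAROUND_CVE_2022_23960`, but the `vbar_el3` override in `cortex_hunter_reset_func` is additionally gated on `IMAGE_BL31`. If the errata report is also built into other EL3 images (not visible in this patch), the status printed there reflects the build flag rather than an installed vector table. A comment above the check function would make that explicit, for example `/* Reports build-time enablement only; the mitigation vectors are installed in BL31 by the reset function. */`. The check also ignores the revision-variant value that the report function passes in, so the comment should state that the workaround is meant for all revisions. The same pattern is repeated in cortex_makalu.S, cortex_makalu_elp_arm.S, neoverse_demeter.S and neoverse_poseidon.S.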
@@ -21,9 +22,32 @@ #error "Cortex Makalu supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #endif +#if WORKAROUND_CVE_2022_23960 + wa_cve_2022_23960_bhb_vector_table CORTEX_MAKALU_BHB_LOOP_COUNT, cortex_makalu +#endif /* WORKAROUND_CVE_2022_23960 */ + +func check_errata_cve_2022_23960 +#if WORKAROUND_CVE_2022_23960 + mov x0, #ERRATA_APPLIES +#else + mov x0, #ERRATA_MISSING +#endif + ret +endfunc check_errata_cve_2022_23960 + func cortex_makalu_reset_func /* Disable speculative loads */ msr SSBS, xzr + +#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960 + /* + * The Cortex Makalu generic vectors are overridden to apply errata + * mitigation on exception entry from lower ELs. + */ + adr x0, wa_cve_vbar_cortex_makalu + msr vbar_el3, x0 +#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */ + isb ret endfunc cortex_makalu_reset_func @@ -49,6 +73,18 @@ endfunc cortex_makalu_core_pwr_dwn * Errata printing function for Cortex Makalu. Must follow AAPCS. */ func cortex_makalu_errata_report + stp x8, x30, [sp, #-16]! + + bl cpu_get_rev_var + mov x8, x0 + + /* + * Report all errata. The revision-variant information is passed to + * checking functions of each errata. + */ + report_errata WORKAROUND_CVE_2022_23960, cortex_makalu, cve_2022_23960 + + ldp x8, x30, [sp], #16 ret endfunc cortex_makalu_errata_report #endif diff --git a/lib/cpus/aarch64/cortex_makalu_elp_arm.S b/lib/cpus/aarch64/cortex_makalu_elp_arm.S index fbbf20501..f4d2df09c 100644 --- a/lib/cpus/aarch64/cortex_makalu_elp_arm.S +++ b/lib/cpus/aarch64/cortex_makalu_elp_arm.S @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -10,6 +10,7 @@ #include #include #include +#include "wa_cve_2022_23960_bhb_vector.S" /* Hardware handled coherency */ #if HW_ASSISTED_COHERENCY == 0 
@@ -21,6 +22,10 @@ #error "Cortex Makalu ELP supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #endif +#if WORKAROUND_CVE_2022_23960 + wa_cve_2022_23960_bhb_vector_table CORTEX_MAKALU_ELP_ARM_BHB_LOOP_COUNT, cortex_makalu_elp_arm +#endif /* WORKAROUND_CVE_2022_23960 */ + /* ---------------------------------------------------- * HW will do the cache maintenance while powering down * ---------------------------------------------------- @@ -37,22 +42,53 @@ func cortex_makalu_elp_arm_core_pwr_dwn ret endfunc cortex_makalu_elp_arm_core_pwr_dwn +func check_errata_cve_2022_23960 +#if WORKAROUND_CVE_2022_23960 + mov x0, #ERRATA_APPLIES +#else + mov x0, #ERRATA_MISSING +#endif + ret +endfunc check_errata_cve_2022_23960 + +func cortex_makalu_elp_arm_reset_func + /* Disable speculative loads */ + msr SSBS, xzr + +#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960 + /* + * The Cortex Makalu ELP generic vectors are overridden to apply + * errata mitigation on exception entry from lower ELs. + */ + adr x0, wa_cve_vbar_cortex_makalu_elp_arm + msr vbar_el3, x0 +#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */ + + isb + ret +endfunc cortex_makalu_elp_arm_reset_func + #if REPORT_ERRATA /* * Errata printing function for Cortex Makalu ELP. Must follow AAPCS. */ func cortex_makalu_elp_arm_errata_report + stp x8, x30, [sp, #-16]! + + bl cpu_get_rev_var + mov x8, x0 + + /* + * Report all errata. The revision-variant information is passed to + * checking functions of each errata. + */ + report_errata WORKAROUND_CVE_2022_23960, cortex_makalu_elp_arm, cve_2022_23960 + + ldp x8, x30, [sp], #16 ret endfunc cortex_makalu_elp_arm_errata_report #endif -func cortex_makalu_elp_arm_reset_func - /* Disable speculative loads */ - msr SSBS, xzr - isb - ret -endfunc cortex_makalu_elp_arm_reset_func - /* --------------------------------------------- * This function provides Cortex Makalu ELP- * specific register information for crash 
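Review bot: `cortex_makalu_elp_arm_reset_func` is both relocated above the `REPORT_ERRATA` block and extended with the `vbar_el3` override in this one hunk. The removed and added copies therefore have to be compared by hand to confirm that only the `#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960` block is new. Leaving the function where it was, or doing the move in a separate commit, would keep the security-relevant change reviewable on its own. neoverse_demeter.S and neoverse_poseidon.S do the same relocation.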
diff --git a/lib/cpus/aarch64/neoverse_demeter.S b/lib/cpus/aarch64/neoverse_demeter.S index f43c18b6b..41cb4ee46 100644 --- a/lib/cpus/aarch64/neoverse_demeter.S +++ b/lib/cpus/aarch64/neoverse_demeter.S @@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Arm Limited. All rights reserved. + * Copyright (c) 2021-2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -10,6 +10,7 @@ #include #include #include +#include "wa_cve_2022_23960_bhb_vector.S" /* Hardware handled coherency */ #if HW_ASSISTED_COHERENCY == 0 @@ -21,6 +22,10 @@ #error "Neoverse Demeter supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #endif +#if WORKAROUND_CVE_2022_23960 + wa_cve_2022_23960_bhb_vector_table NEOVERSE_DEMETER_BHB_LOOP_COUNT, neoverse_demeter +#endif /* WORKAROUND_CVE_2022_23960 */ + /* ---------------------------------------------------- * HW will do the cache maintenance while powering down * ---------------------------------------------------- 
@@ -37,22 +42,52 @@ func neoverse_demeter_core_pwr_dwn ret endfunc neoverse_demeter_core_pwr_dwn +func check_errata_cve_2022_23960 +#if WORKAROUND_CVE_2022_23960 + mov x0, #ERRATA_APPLIES +#else + mov x0, #ERRATA_MISSING +#endif + ret +endfunc check_errata_cve_2022_23960 + +func neoverse_demeter_reset_func + /* Disable speculative loads */ + msr SSBS, xzr + +#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960 + /* + * The Neoverse Demeter vectors are overridden to apply + * errata mitigation on exception entry from lower ELs. + */ + adr x0, wa_cve_vbar_neoverse_demeter + msr vbar_el3, x0 +#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */ + isb + ret +endfunc neoverse_demeter_reset_func + #if REPORT_ERRATA /* * Errata printing function for Neoverse Demeter. Must follow AAPCS. */ func neoverse_demeter_errata_report + stp x8, x30, [sp, #-16]! + + bl cpu_get_rev_var + mov x8, x0 + + /* + * Report all errata. The revision-variant information is passed to + * checking functions of each errata. + */ + report_errata WORKAROUND_CVE_2022_23960, neoverse_demeter, cve_2022_23960 + + ldp x8, x30, [sp], #16 ret endfunc neoverse_demeter_errata_report #endif -func neoverse_demeter_reset_func - /* Disable speculative loads */ - msr SSBS, xzr - isb - ret -endfunc neoverse_demeter_reset_func - /* --------------------------------------------- * This function provides Neoverse Demeter- * specific register information for crash diff --git a/lib/cpus/aarch64/neoverse_poseidon.S b/lib/cpus/aarch64/neoverse_poseidon.S index 43a93aa3c..030293da0 100644 --- a/lib/cpus/aarch64/neoverse_poseidon.S +++ b/lib/cpus/aarch64/neoverse_poseidon.S @@ -10,6 +10,7 @@ #include #include #include +#include "wa_cve_2022_23960_bhb_vector.S" /* Hardware handled coherency */ #if HW_ASSISTED_COHERENCY == 0 
@@ -21,6 +22,10 @@ #error "Neoverse Poseidon supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #endif +#if WORKAROUND_CVE_2022_23960 + wa_cve_2022_23960_bhb_vector_table NEOVERSE_POSEIDON_BHB_LOOP_COUNT, neoverse_poseidon +#endif /* WORKAROUND_CVE_2022_23960 */ + /* --------------------------------------------- * HW will do the cache maintenance while powering down * --------------------------------------------- @@ -37,22 +42,53 @@ func neoverse_poseidon_core_pwr_dwn ret endfunc neoverse_poseidon_core_pwr_dwn +func check_errata_cve_2022_23960 +#if WORKAROUND_CVE_2022_23960 + mov x0, #ERRATA_APPLIES +#else + mov x0, #ERRATA_MISSING +#endif + ret +endfunc check_errata_cve_2022_23960 + +func neoverse_poseidon_reset_func + /* Disable speculative loads */ + msr SSBS, xzr + +#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960 + /* + * The Neoverse Poseidon generic vectors are overridden to apply + * errata mitigation on exception entry from lower ELs. + */ + adr x0, wa_cve_vbar_neoverse_poseidon + msr vbar_el3, x0 +#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */ + + isb + ret +endfunc neoverse_poseidon_reset_func + #if REPORT_ERRATA /* * Errata printing function for Neoverse Poseidon. Must follow AAPCS. */ func neoverse_poseidon_errata_report + stp x8, x30, [sp, #-16]! + + bl cpu_get_rev_var + mov x8, x0 + + /* + * Report all errata. The revision-variant information is passed to + * checking functions of each errata. + */ + report_errata WORKAROUND_CVE_2022_23960, neoverse_poseidon, cve_2022_23960 + + ldp x8, x30, [sp], #16 ret endfunc neoverse_poseidon_errata_report #endif -func neoverse_poseidon_reset_func - /* Disable speculative loads */ - msr SSBS, xzr - isb - ret -endfunc neoverse_poseidon_reset_func - /* --------------------------------------------- * This function provides Neoverse-Poseidon specific * register information for crash reporting.