From e81e999b9da33ab5d2d3e5185b1ad7c46046329c Mon Sep 17 00:00:00 2001
From: Okash Khawaja
Date: Thu, 21 Apr 2022 13:15:56 +0100
Subject: [PATCH] fix(security): workaround for CVE-2022-23960 for Cortex-X1

Implements the loop workaround for Cortex-X1.

Signed-off-by: Okash Khawaja
Change-Id: I5828a26c1ec3cfb718246ea5c3b099dabc0fb3d7
---
 include/lib/cpus/aarch64/cortex_x1.h | 3 +++
 lib/cpus/aarch64/cortex_x1.S | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/include/lib/cpus/aarch64/cortex_x1.h b/include/lib/cpus/aarch64/cortex_x1.h
index 83be10d8e..e3661a882 100644
--- a/include/lib/cpus/aarch64/cortex_x1.h
+++ b/include/lib/cpus/aarch64/cortex_x1.h
@@ -10,6 +10,9 @@
 /* Cortex-X1 MIDR for r1p0 */
 #define CORTEX_X1_MIDR U(0x411fd440)
 
+/* Cortex-X1 loop count for CVE-2022-23960 mitigation */
+#define CORTEX_X1_BHB_LOOP_COUNT U(32)
+
 /*******************************************************************************
 * CPU Extended Control register specific definitions.
 ******************************************************************************/
diff --git a/lib/cpus/aarch64/cortex_x1.S b/lib/cpus/aarch64/cortex_x1.S
index c8bc190ea..9a7f66652 100644
--- a/lib/cpus/aarch64/cortex_x1.S
+++ b/lib/cpus/aarch64/cortex_x1.S
@@ -7,6 +7,7 @@
 #include
 #include
 #include
+#include "wa_cve_2022_23960_bhb_vector.S"
 
 /* Hardware handled coherency */
 #if HW_ASSISTED_COHERENCY == 0
@@ -18,6 +19,10 @@
 #error "Cortex-X1 supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
 #endif
 
+#if WORKAROUND_CVE_2022_23960
+ wa_cve_2022_23960_bhb_vector_table CORTEX_X1_BHB_LOOP_COUNT, cortex_x1
+#endif /* WORKAROUND_CVE_2022_23960 */
+
 /* --------------------------------------------------
 * Errata Workaround for X1 Erratum 1821534.
 * This applies to revision r0p0 and r1p0 of X1.
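Review bot: The comment added above `CORTEX_X1_BHB_LOOP_COUNT` in cortex_x1.h does not say where the value 32 comes from or that it is specific to this core. The constant presumably sets how many loop iterations the CVE-2022-23960 workaround runs on exception entry, so copying it to another CPU file or lowering it would weaken the mitigation without any visible failure. I would extend the comment to something like `/* Cortex-X1 loop count for CVE-2022-23960 mitigation; core-specific value from the vendor guidance, do not tune */`, naming the actual reference document if the project tracks one.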
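Review bot: In the `@@ -18,6 +19,10 @@` hunk of cortex_x1.S the vector table is instantiated under `#if WORKAROUND_CVE_2022_23960`, while the only code in this patch that installs it (the `msr vbar_el3, x0` added to `cortex_x1_reset_func`) is guarded by `#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960`; `check_errata_cve_2022_23960` again keys on the workaround flag alone. If this file is built into images other than BL31, those images would carry a table nothing installs and would report the mitigation as applied; the macro body is not visible here, so it may already restrict itself. Either use the same condition in all three places, `#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960`, or add a comment at the instantiation explaining why the guards differ.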
@@ -101,6 +106,15 @@ func check_errata_1827429
 b cpu_rev_var_ls
 endfunc check_errata_1827429
 
+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+ mov x0, #ERRATA_APPLIES
+#else
+ mov x0, #ERRATA_MISSING
+#endif
+ ret
+endfunc check_errata_cve_2022_23960
+
 /* -------------------------------------------------
 * The CPU Ops reset function for Cortex-X1.
 * Shall clobber: x0-x19
@@ -126,6 +140,15 @@ func cortex_x1_reset_func
 bl errata_x1_1827429_wa
 #endif
 
+#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
+ /*
+ * The Cortex-X1 generic vectors are overridden to apply errata
+ * mitigation on exception entry from lower ELs.
+ */
+ adr x0, wa_cve_vbar_cortex_x1
+ msr vbar_el3, x0
+#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
+
 isb
 ret x19
 endfunc cortex_x1_reset_func
@@ -163,6 +186,7 @@ func cortex_x1_errata_report
 report_errata ERRATA_X1_1821534, cortex_x1, 1821534
 report_errata ERRATA_X1_1688305, cortex_x1, 1688305
 report_errata ERRATA_X1_1827429, cortex_x1, 1827429
+ report_errata WORKAROUND_CVE_2022_23960, cortex_x1, cve_2022_23960
 
 ldp x8, x30, [sp], #16
 ret
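Review bot: `check_errata_cve_2022_23960` in the `@@ -101,6 +106,15 @@` hunk has no header comment, and unlike the check just above it, which ends in `b cpu_rev_var_ls`, it never looks at the CPU revision. That is reasonable if every Cortex-X1 revision is treated as affected, but the function should say so, because the result is fixed at build time and a reader comparing it with the neighbouring checks will look for the missing revision test. A comment above the `func` line such as `/* CVE-2022-23960: reported for all revisions; the result depends only on the build flag */` would cover it.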
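Review bot: The label `wa_cve_vbar_cortex_x1` loaded in the `@@ -126,6 +140,15 @@` hunk is not defined anywhere in the visible patch; it is presumably generated by the `wa_cve_2022_23960_bhb_vector_table CORTEX_X1_BHB_LOOP_COUNT, cortex_x1` invocation near the top of the file, so a text search for it finds nothing. The added comment should name that source, for example with an extra line `* wa_cve_vbar_cortex_x1 is emitted by wa_cve_2022_23960_bhb_vector_table.`. The new `msr vbar_el3, x0` also relies on the existing `isb` after the `#endif` to take effect before the function returns, which is worth a word in the same comment so the barrier is not moved or dropped later. The body of `cortex_x1_reset_func` starts outside the hunk.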