This erratum can only be worked around on revisions >= r3p0 because the
register that needs to be accessed only exists in those revisions[1].
[1] http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0438g/CIHEAAAD.html
Change-Id: I5d773547d7a09b5bd01dabcd19ceeaf53c186faa
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
In AArch32, execution of 2 instructions with opposite condition code
might lead to either a data corruption or a CPU deadlock. Set the bit
12 of the Diagnostic Register to prevent this.
Change-Id: I22b4f25fe933e2942fd785e411e7c0aa39d5c1f4
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Concurrent instruction TLB miss and mispredicted return instruction
might fetch wrong instruction stream. Set bit 6 of CPUACTLR_EL1 to
prevent this.
Change-Id: I2da4f30cd2df3f5e885dd3c4825c557492d1ac58
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Streaming store under specific conditions might cause deadlock or data
corruption. Set bit 25:24 of CPUECTLR_EL1, which disables write
streaming to the L2 to prevent this.
Change-Id: Ib5cabb997b35ada78b27e75787afd610ea606dcf
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Broadcast maintainance operations might not be correctly synchronized
between cores. Set bit 7 of S3_0_C15_C0_2 to prevent this.
Change-Id: I67fb62c0b458d44320ebaedafcb8495ff26c814b
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Armv8.5 introduces the field CSV2 to register ID_AA64PFR0_EL1. It can
have the following 3 values:
- 0: Branch targets trained in one hardware described context may affect
speculative execution in a different hardware described context. In
some CPUs it may be needed to apply mitigations.
- 1: Branch targets trained in one hardware described context can only
affect speculative execution in a different hardware described
context in a hard-to-determine way. No mitigation required.
- 2: Same as 1, but the device is also aware of SCXTNUM_ELx register
contexts. The TF doesn't use the registers, so there is no
difference with 1.
The field CSV2 was originally introduced in the TRM of the Cortex-A76
before the release of the Armv8.5 architecture. That TRM only mentions
the meaning of values 0 and 1. Because of this, the code only checks if
the field has value 1 to know whether to enable or disable the
mitigations.
This patch makes it aware of value 2 as well. Both values 1 and 2
disable the mitigation, and 0 enables it.
Change-Id: I5af33de25a0197c98173f52c6c8c77b51a51429f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
There are some incorrect casts and some missing casts in the headers.
This patch fixes the ones that were 64-bit or 32-bit wide wrongly and
adds casts where they were missing.
Note that none of the changes of the patch actually changes the values
of the definitions. This patch is just for correctness.
Change-Id: Iad6458021bad521922ce4f91bafff38b116b49eb
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
There are some values that should be 64-bit immediates but that resolve
to 0 because the type of the value is 32-bit wide. This patch casts the
expressions to 64-bit before the shift so that the definition has the
correct value.
The definitions are only used in assembly so far, so the code is not
actually affected by this bug. The assembler treats all values as 64-bit
values, so there are no overflows.
Change-Id: I965e4be631c1d28787c0913661d224c82a6b9155
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a2 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.
The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.
The exceptions are files that are imported from other projects:
- CryptoCell driver
- dt-bindings folders
- zlib headers
Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Previously the errata reporting was optional for CPU operation
files and this was achieved by making use of weak reference to
resolve to 0 if the symbol is not defined. This is error prone
when adding new CPU operation files and weak references are
problematic when fixing up dynamic relocations. Hence this patch
removes the weak reference and makes it mandatory for the CPU
operation files to define the errata reporting function.
Change-Id: I8af192e19b85b7cd8c7579e52f8f05a4294e5396
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
macro jump_if_cpu_midr is used commonly by many arm platform.
It has now been relocated to common place to remove duplication
of code.
Change-Id: Ic0876097dbc085df4f90eadb4b7687dde7c726da
Signed-off-by: Deepak Pandey <Deepak.Pandey@arm.com>
For Denver CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the EL3 software stack only. Other
software components are responsible to enable it for their exception
levels.
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
and earlier:
* By setting bit 11 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 9 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
and later:
* By setting bit 18 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 17 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Denver CPUs expect the power state field to be reset to 'C1'
during boot. This patch updates the reset handler to reset the
ACTLR_.PMSTATE field to 'C1' state during CPU boot.
Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
If the system is in near idle conditions, this erratum could cause a
deadlock or data corruption. This patch applies the workaround that
prevents this.
This DSU erratum affects only the DSUs that contain the ACP interface
and it was fixed in r2p0. The workaround is applied only to the DSUs
that are actually affected.
Link to respective Arm documentation:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html
Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This check was added to ensure the correct behaviour of fill_constants
macro. This macro has been verified and it is known his correct
behaviour. The check generates an error when the clang assembler is
used, so it is better to remove the check.
Change-Id: I3447ff9e9e5ee5cf0502f65e53c3d105d9396b8b
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This directive is not implemented by clang assembler. The traditional
way to implement structs in assembly is using two macros for every field,
one for the offset, and another one for the size. For every field, the
offset can be calculated using the size and offset of the previous field.
Change-Id: Iacc6781e8f302fb925898737b8e85ab4e88a51cc
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
The Cortex-A76 implements SMCCC_ARCH_WORKAROUND_2 as defined in
"Firmware interfaces for mitigating cache speculation vulnerabilities
System Software on Arm Systems"[0].
Dynamic mitigation for CVE-2018-3639 is enabled/disabled by
setting/clearning bit 16 (Disable load pass store) of `CPUACTLR2_EL1`.
NOTE: The generic code that implements dynamic mitigation does not
currently implement the expected semantics when dispatching an SDEI
event to a lower EL. This will be fixed in a separate patch.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8fb2862b9ab24d55a0e9693e48e8be4df32afb5a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The workaround uses the instruction patching feature of the Ares cpu.
Change-Id: I868fce0dc0e8e41853dcce311f01ee3867aabb59
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Both Cortex-Ares and Cortex-A76 CPUs use the ARM DynamIQ Shared Unit
(DSU). The power-down and power-up sequences are therefore mostly
managed in hardware, and required software operations are simple.
Change-Id: I3a9447b5bdbdbc5ed845b20f6564d086516fa161
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
Some CPUS may benefit from using a dynamic mitigation approach for
CVE-2018-3639. A new SMC interface is defined to allow software
executing in lower ELs to enable or disable the mitigation for their
execution context.
It should be noted that regardless of the state of the mitigation for
lower ELs, code executing in EL3 is always mitigated against
CVE-2018-3639.
NOTE: This change is a compatibility break for any platform using
the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to
the declare_cpu_ops_wa macro instead.
Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the entire software stack and no
additional mitigation code is required in other software components.
TF-A implements this approach for the following affected CPUs:
* Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
`CPUACTLR_EL1` (`S3_1_C15_C2_0`).
* Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
Technical Reference Manual (TRM)).
* Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
(`S3_0_C15_C1_0`).
Additionally, a new SMC interface is implemented to allow software
executing in lower ELs to discover whether the system is mitigated
against CVE-2018-3639.
Refer to "Firmware interfaces for mitigating cache speculation
vulnerabilities System Software on Arm Systems"[0] for more
information.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch renames symbols and files relating to CVE-2017-5715 to make
it easier to introduce new symbols and files for new CVE mitigations.
Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
A fix for errata 843419 may be available in revision r0p4 of the
Cortex-A53 processor. The presence of the fix is determined by checking
bit 8 in the REVIDR register.
If the fix is present we report ERRATA_NOT_APPLIES which silences the
erroneous 'missing workaround' warning.
Change-Id: Ibd2a478df3e2a6325442a6a48a0bb0259dcfc1d7
Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
When querying `SMCCC_ARCH_WORKAROUND_1` through `SMCCC_ARCH_FEATURES`,
return either:
* -1 to indicate the PE on which `SMCCC_ARCH_FEATURES` is called
requires firmware mitigation for CVE-2017-5715 but the mitigation
is not compiled in.
* 0 to indicate that firmware mitigation is required, or
* 1 to indicate that no firmware mitigation is required.
This patch complies with v1.2 of the firmware interfaces
specification (ARM DEN 0070A).
Change-Id: Ibc32d6620efdac6c340758ec502d95554a55f02a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
If the CSV2 field reads as 1 then branch targets trained in one
context cannot affect speculative execution in a different context.
In that case skip the workaround on Cortex A72 and A73.
Change-Id: Ide24fb6efc77c548e4296295adc38dca87d042ee
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>