Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-25 14:25:44 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge "fix(security): workaround for CVE-2022-23960" into integration

Browse source
This commit is contained in:
Madhukar Pappireddy 2022-05-12 20:24:10 +02:00 committed by TrustedFirmware Code Review
commit 15e498de74
10 changed files with 223 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
include/lib/cpus/aarch64/cortex_hunter.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Arm Limited. All rights reserved. * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -9,6 +9,9 @@
#define CORTEX_HUNTER_MIDR U(0x410FD810) #define CORTEX_HUNTER_MIDR U(0x410FD810)
/* Cortex Hunter loop count for CVE-2022-23960 mitigation */
#define CORTEX_HUNTER_BHB_LOOP_COUNT U(132)
/******************************************************************************* /*******************************************************************************
* CPU Extended Control register specific definitions * CPU Extended Control register specific definitions
******************************************************************************/ ******************************************************************************/

5
include/lib/cpus/aarch64/cortex_makalu.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Arm Limited. All rights reserved. * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -9,6 +9,9 @@
#define CORTEX_MAKALU_MIDR U(0x410FD4D0) #define CORTEX_MAKALU_MIDR U(0x410FD4D0)
/* Cortex Makalu loop count for CVE-2022-23960 mitigation */
#define CORTEX_MAKALU_BHB_LOOP_COUNT U(38)
/******************************************************************************* /*******************************************************************************
* CPU Extended Control register specific definitions * CPU Extended Control register specific definitions
******************************************************************************/ ******************************************************************************/

5
include/lib/cpus/aarch64/cortex_makalu_elp_arm.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Arm Limited. All rights reserved. * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -9,6 +9,9 @@
#define CORTEX_MAKALU_ELP_ARM_MIDR U(0x410FD4E0) #define CORTEX_MAKALU_ELP_ARM_MIDR U(0x410FD4E0)
/* Cortex Makalu ELP loop count for CVE-2022-23960 mitigation */
#define CORTEX_MAKALU_ELP_ARM_BHB_LOOP_COUNT U(132)
/******************************************************************************* /*******************************************************************************
* CPU Extended Control register specific definitions * CPU Extended Control register specific definitions
******************************************************************************/ ******************************************************************************/

5
include/lib/cpus/aarch64/neoverse_demeter.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Arm Limited. All rights reserved. * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -9,6 +9,9 @@
#define NEOVERSE_DEMETER_MIDR U(0x410FD4F0) #define NEOVERSE_DEMETER_MIDR U(0x410FD4F0)
/* Neoverse Demeter loop count for CVE-2022-23960 mitigation */
#define NEOVERSE_DEMETER_BHB_LOOP_COUNT U(132)
/******************************************************************************* /*******************************************************************************
* CPU Extended Control register specific definitions * CPU Extended Control register specific definitions
******************************************************************************/ ******************************************************************************/

3
include/lib/cpus/aarch64/neoverse_poseidon.h
View file

@ -10,6 +10,9 @@
#define NEOVERSE_POSEIDON_MIDR U(0x410FD830) #define NEOVERSE_POSEIDON_MIDR U(0x410FD830)
/* Neoverse Poseidon loop count for CVE-2022-23960 mitigation */
#define NEOVERSE_POSEIDON_BHB_LOOP_COUNT U(132)
/******************************************************************************* /*******************************************************************************
* CPU Extended Control register specific definitions. * CPU Extended Control register specific definitions.
******************************************************************************/ ******************************************************************************/

38
lib/cpus/aarch64/cortex_hunter.S
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Arm Limited. All rights reserved. * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -10,6 +10,7 @@
#include <cortex_hunter.h> #include <cortex_hunter.h>
#include <cpu_macros.S> #include <cpu_macros.S>
#include <plat_macros.S> #include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */ /* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0 #if HW_ASSISTED_COHERENCY == 0
@ -21,9 +22,32 @@
#error "Cortex Hunter supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #error "Cortex Hunter supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif #endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table CORTEX_HUNTER_BHB_LOOP_COUNT, cortex_hunter
#endif /* WORKAROUND_CVE_2022_23960 */
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func cortex_hunter_reset_func func cortex_hunter_reset_func
/* Disable speculative loads */ /* Disable speculative loads */
msr SSBS, xzr msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Cortex Hunter generic vectors are overridden to apply errata
* mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_cortex_hunter
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb isb
ret ret
endfunc cortex_hunter_reset_func endfunc cortex_hunter_reset_func
@ -49,6 +73,18 @@ endfunc cortex_hunter_core_pwr_dwn
* Errata printing function for Cortex Hunter. Must follow AAPCS. * Errata printing function for Cortex Hunter. Must follow AAPCS.
*/ */
func cortex_hunter_errata_report func cortex_hunter_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, cortex_hunter, cve_2022_23960
ldp x8, x30, [sp], #16
ret ret
endfunc cortex_hunter_errata_report endfunc cortex_hunter_errata_report
#endif #endif

38
lib/cpus/aarch64/cortex_makalu.S
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Arm Limited. All rights reserved. * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -10,6 +10,7 @@
#include <cortex_makalu.h> #include <cortex_makalu.h>
#include <cpu_macros.S> #include <cpu_macros.S>
#include <plat_macros.S> #include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */ /* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0 #if HW_ASSISTED_COHERENCY == 0
@ -21,9 +22,32 @@
#error "Cortex Makalu supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #error "Cortex Makalu supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif #endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table CORTEX_MAKALU_BHB_LOOP_COUNT, cortex_makalu
#endif /* WORKAROUND_CVE_2022_23960 */
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func cortex_makalu_reset_func func cortex_makalu_reset_func
/* Disable speculative loads */ /* Disable speculative loads */
msr SSBS, xzr msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Cortex Makalu generic vectors are overridden to apply errata
* mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_cortex_makalu
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb isb
ret ret
endfunc cortex_makalu_reset_func endfunc cortex_makalu_reset_func
@ -49,6 +73,18 @@ endfunc cortex_makalu_core_pwr_dwn
* Errata printing function for Cortex Makalu. Must follow AAPCS. * Errata printing function for Cortex Makalu. Must follow AAPCS.
*/ */
func cortex_makalu_errata_report func cortex_makalu_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, cortex_makalu, cve_2022_23960
ldp x8, x30, [sp], #16
ret ret
endfunc cortex_makalu_errata_report endfunc cortex_makalu_errata_report
#endif #endif

52
lib/cpus/aarch64/cortex_makalu_elp_arm.S
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Arm Limited. All rights reserved. * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -10,6 +10,7 @@
#include <cortex_makalu_elp_arm.h> #include <cortex_makalu_elp_arm.h>
#include <cpu_macros.S> #include <cpu_macros.S>
#include <plat_macros.S> #include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */ /* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0 #if HW_ASSISTED_COHERENCY == 0
@ -21,6 +22,10 @@
#error "Cortex Makalu ELP supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #error "Cortex Makalu ELP supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif #endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table CORTEX_MAKALU_ELP_ARM_BHB_LOOP_COUNT, cortex_makalu_elp_arm
#endif /* WORKAROUND_CVE_2022_23960 */
/* ---------------------------------------------------- /* ----------------------------------------------------
* HW will do the cache maintenance while powering down * HW will do the cache maintenance while powering down
* ---------------------------------------------------- * ----------------------------------------------------
@ -37,22 +42,53 @@ func cortex_makalu_elp_arm_core_pwr_dwn
ret ret
endfunc cortex_makalu_elp_arm_core_pwr_dwn endfunc cortex_makalu_elp_arm_core_pwr_dwn
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func cortex_makalu_elp_arm_reset_func
/* Disable speculative loads */
msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Cortex Makalu ELP generic vectors are overridden to apply
* errata mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_cortex_makalu_elp_arm
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb
ret
endfunc cortex_makalu_elp_arm_reset_func
#if REPORT_ERRATA #if REPORT_ERRATA
/* /*
* Errata printing function for Cortex Makalu ELP. Must follow AAPCS. * Errata printing function for Cortex Makalu ELP. Must follow AAPCS.
*/ */
func cortex_makalu_elp_arm_errata_report func cortex_makalu_elp_arm_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, cortex_makalu_elp_arm, cve_2022_23960
ldp x8, x30, [sp], #16
ret ret
endfunc cortex_makalu_elp_arm_errata_report endfunc cortex_makalu_elp_arm_errata_report
#endif #endif
func cortex_makalu_elp_arm_reset_func
/* Disable speculative loads */
msr SSBS, xzr
isb
ret
endfunc cortex_makalu_elp_arm_reset_func
/* --------------------------------------------- /* ---------------------------------------------
* This function provides Cortex Makalu ELP- * This function provides Cortex Makalu ELP-
* specific register information for crash * specific register information for crash

51
lib/cpus/aarch64/neoverse_demeter.S
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Arm Limited. All rights reserved. * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -10,6 +10,7 @@
#include <neoverse_demeter.h> #include <neoverse_demeter.h>
#include <cpu_macros.S> #include <cpu_macros.S>
#include <plat_macros.S> #include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */ /* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0 #if HW_ASSISTED_COHERENCY == 0
@ -21,6 +22,10 @@
#error "Neoverse Demeter supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #error "Neoverse Demeter supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif #endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table NEOVERSE_DEMETER_BHB_LOOP_COUNT, neoverse_demeter
#endif /* WORKAROUND_CVE_2022_23960 */
/* ---------------------------------------------------- /* ----------------------------------------------------
* HW will do the cache maintenance while powering down * HW will do the cache maintenance while powering down
* ---------------------------------------------------- * ----------------------------------------------------
@ -37,22 +42,52 @@ func neoverse_demeter_core_pwr_dwn
ret ret
endfunc neoverse_demeter_core_pwr_dwn endfunc neoverse_demeter_core_pwr_dwn
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func neoverse_demeter_reset_func
/* Disable speculative loads */
msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Neoverse Demeter vectors are overridden to apply
* errata mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_neoverse_demeter
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb
ret
endfunc neoverse_demeter_reset_func
#if REPORT_ERRATA #if REPORT_ERRATA
/* /*
* Errata printing function for Neoverse Demeter. Must follow AAPCS. * Errata printing function for Neoverse Demeter. Must follow AAPCS.
*/ */
func neoverse_demeter_errata_report func neoverse_demeter_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, neoverse_demeter, cve_2022_23960
ldp x8, x30, [sp], #16
ret ret
endfunc neoverse_demeter_errata_report endfunc neoverse_demeter_errata_report
#endif #endif
func neoverse_demeter_reset_func
/* Disable speculative loads */
msr SSBS, xzr
isb
ret
endfunc neoverse_demeter_reset_func
/* --------------------------------------------- /* ---------------------------------------------
* This function provides Neoverse Demeter- * This function provides Neoverse Demeter-
* specific register information for crash * specific register information for crash

50
lib/cpus/aarch64/neoverse_poseidon.S
View file

@ -10,6 +10,7 @@
#include <neoverse_poseidon.h> #include <neoverse_poseidon.h>
#include <cpu_macros.S> #include <cpu_macros.S>
#include <plat_macros.S> #include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */ /* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0 #if HW_ASSISTED_COHERENCY == 0
@ -21,6 +22,10 @@
#error "Neoverse Poseidon supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0" #error "Neoverse Poseidon supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif #endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table NEOVERSE_POSEIDON_BHB_LOOP_COUNT, neoverse_poseidon
#endif /* WORKAROUND_CVE_2022_23960 */
/* --------------------------------------------- /* ---------------------------------------------
* HW will do the cache maintenance while powering down * HW will do the cache maintenance while powering down
* --------------------------------------------- * ---------------------------------------------
@ -37,22 +42,53 @@ func neoverse_poseidon_core_pwr_dwn
ret ret
endfunc neoverse_poseidon_core_pwr_dwn endfunc neoverse_poseidon_core_pwr_dwn
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func neoverse_poseidon_reset_func
/* Disable speculative loads */
msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Neoverse Poseidon generic vectors are overridden to apply
* errata mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_neoverse_poseidon
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb
ret
endfunc neoverse_poseidon_reset_func
#if REPORT_ERRATA #if REPORT_ERRATA
/* /*
* Errata printing function for Neoverse Poseidon. Must follow AAPCS. * Errata printing function for Neoverse Poseidon. Must follow AAPCS.
*/ */
func neoverse_poseidon_errata_report func neoverse_poseidon_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, neoverse_poseidon, cve_2022_23960
ldp x8, x30, [sp], #16
ret ret
endfunc neoverse_poseidon_errata_report endfunc neoverse_poseidon_errata_report
#endif #endif
func neoverse_poseidon_reset_func
/* Disable speculative loads */
msr SSBS, xzr
isb
ret
endfunc neoverse_poseidon_reset_func
/* --------------------------------------------- /* ---------------------------------------------
* This function provides Neoverse-Poseidon specific * This function provides Neoverse-Poseidon specific
* register information for crash reporting. * register information for crash reporting.