fix(security): apply SMCCC_ARCH_WORKAROUND_4 to affected cpus

This patch implements SMCCC_ARCH_WORKAROUND_4 and
allows discovery through SMCCC_ARCH_FEATURES.
This mechanism is enabled if CVE_2024_7881 [1] is enabled
by the platform. If CVE_2024_7881 mitigation
is implemented, the discovery call returns 0,
if not -1 (SMC_ARCH_CALL_NOT_SUPPORTED).

For more information about SMCCC_ARCH_WORKAROUND_4 [2], please
refer to the SMCCC Specification reference provided below.

[1]: https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-7881
[2]: https://developer.arm.com/documentation/den0028/latest

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I1b1ffaa1f806f07472fd79d5525f81764d99bc79
(cherry picked from commit 8ae6b1ad6c)

include/lib/cpus/errata.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2024, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2025, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -48,6 +48,8 @@ static inline bool errata_a75_764081_applies(void)
 unsigned int check_if_affected_core(void);
 #endif
 
+int check_wa_cve_2024_7881(void);
+
 /*
  * NOTE that this structure will be different on AArch32 and AArch64. The
  * uintptr_t will reflect the change and the alignment will be correct in both.

include/services/arm_arch_svc.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2022, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2018-2025, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -13,6 +13,7 @@
 #define SMCCC_ARCH_WORKAROUND_1		U(0x80008000)
 #define SMCCC_ARCH_WORKAROUND_2		U(0x80007FFF)
 #define SMCCC_ARCH_WORKAROUND_3		U(0x80003FFF)
+#define SMCCC_ARCH_WORKAROUND_4		U(0x80000004)
 
 #define SMCCC_GET_SOC_VERSION		U(0)
 #define SMCCC_GET_SOC_REVISION		U(1)

lib/cpus/aarch64/cortex_x3.S

@@ -162,6 +162,10 @@ func cortex_x3_cpu_reg_dump
 	ret
 endfunc cortex_x3_cpu_reg_dump
 
-declare_cpu_ops cortex_x3, CORTEX_X3_MIDR, \
+declare_cpu_ops_wa_4 cortex_x3, CORTEX_X3_MIDR, \
 	cortex_x3_reset_func, \
+	CPU_NO_EXTRA1_FUNC, \
+	CPU_NO_EXTRA2_FUNC, \
+	CPU_NO_EXTRA3_FUNC, \
+	check_erratum_cortex_x3_7881, \
 	cortex_x3_core_pwr_dwn

lib/cpus/aarch64/cortex_x4.S

@@ -160,6 +160,10 @@ func cortex_x4_cpu_reg_dump
 	ret
 endfunc cortex_x4_cpu_reg_dump
 
-declare_cpu_ops cortex_x4, CORTEX_X4_MIDR, \
+declare_cpu_ops_wa_4 cortex_x4, CORTEX_X4_MIDR, \
 	cortex_x4_reset_func, \
+	CPU_NO_EXTRA1_FUNC, \
+	CPU_NO_EXTRA2_FUNC, \
+	CPU_NO_EXTRA3_FUNC, \
+	check_erratum_cortex_x4_7881, \
 	cortex_x4_core_pwr_dwn

lib/cpus/aarch64/cortex_x925.S

@@ -77,6 +77,10 @@ func cortex_x925_cpu_reg_dump
 	ret
 endfunc cortex_x925_cpu_reg_dump
 
-declare_cpu_ops cortex_x925, CORTEX_X925_MIDR, \
+declare_cpu_ops_wa_4 cortex_x925, CORTEX_X925_MIDR, \
 	cortex_x925_reset_func, \
+	CPU_NO_EXTRA1_FUNC, \
+	CPU_NO_EXTRA2_FUNC, \
+	CPU_NO_EXTRA3_FUNC, \
+	check_erratum_cortex_x925_7881, \
 	cortex_x925_core_pwr_dwn

lib/cpus/aarch64/cpu_helpers.S

@@ -326,6 +326,43 @@ func check_wa_cve_2017_5715
 	ret
 endfunc check_wa_cve_2017_5715
 
+/*
+ * int check_wa_cve_2024_7881(void);
+ *
+ * This function returns:
+ *  - ERRATA_APPLIES when firmware mitigation is required.
+ *  - ERRATA_NOT_APPLIES when firmware mitigation is _not_ required.
+ *  - ERRATA_MISSING when firmware mitigation would be required but
+ *    is not compiled in.
+ *
+ * NOTE: Must be called only after cpu_ops have been initialized
+ *       in per-CPU data.
+ */
+.globl	check_wa_cve_2024_7881
+func check_wa_cve_2024_7881
+	mrs	x0, tpidr_el3
+#if ENABLE_ASSERTIONS
+	cmp	x0, #0
+	ASM_ASSERT(ne)
+#endif
+	ldr	x0, [x0, #CPU_DATA_CPU_OPS_PTR]
+#if ENABLE_ASSERTIONS
+	cmp	x0, #0
+	ASM_ASSERT(ne)
+#endif
+	ldr	x0, [x0, #CPU_EXTRA4_FUNC]
+	/*
+	 * If the reserved function pointer is NULL, this CPU
+	 * is unaffected by CVE-2024-7881 so bail out.
+	 */
+	cmp	x0, #CPU_NO_EXTRA4_FUNC
+	beq	1f
+	br	x0
+1:
+	mov	x0, #ERRATA_NOT_APPLIES
+	ret
+endfunc check_wa_cve_2024_7881
+
 /*
  * void *wa_cve_2018_3639_get_disable_ptr(void);
  *

lib/cpus/aarch64/neoverse_v2.S

@@ -153,6 +153,10 @@ func neoverse_v2_cpu_reg_dump
 	ret
 endfunc neoverse_v2_cpu_reg_dump
 
-declare_cpu_ops neoverse_v2, NEOVERSE_V2_MIDR, \
+declare_cpu_ops_wa_4 neoverse_v2, NEOVERSE_V2_MIDR, \
 	neoverse_v2_reset_func, \
+	CPU_NO_EXTRA1_FUNC, \
+	CPU_NO_EXTRA2_FUNC, \
+	CPU_NO_EXTRA3_FUNC, \
+	check_erratum_neoverse_v2_7881, \
 	neoverse_v2_core_pwr_dwn

lib/cpus/aarch64/neoverse_v3.S

@@ -101,6 +101,10 @@ declare_cpu_ops neoverse_v3, NEOVERSE_V3_VNAE_MIDR, \
 	neoverse_v3_reset_func, \
 	neoverse_v3_core_pwr_dwn
 
-declare_cpu_ops neoverse_v3, NEOVERSE_V3_MIDR, \
+declare_cpu_ops_wa_4 neoverse_v3, NEOVERSE_V3_MIDR, \
 	neoverse_v3_reset_func, \
+	CPU_NO_EXTRA1_FUNC, \
+	CPU_NO_EXTRA2_FUNC, \
+	CPU_NO_EXTRA3_FUNC, \
+	check_erratum_neoverse_v3_7881, \
 	neoverse_v3_core_pwr_dwn

services/arm_arch_svc/arm_arch_svc_setup.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2024, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2018-2025, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -90,6 +90,15 @@ static int32_t smccc_arch_features(u_register_t arg1)
 		}
 		return 0; /* ERRATA_APPLIES || ERRATA_MISSING */
 #endif
+
+#if WORKAROUND_CVE_2024_7881
+	case SMCCC_ARCH_WORKAROUND_4:
+		if (check_wa_cve_2024_7881() != ERRATA_APPLIES) {
+			return SMC_ARCH_CALL_NOT_SUPPORTED;
+		}
+		return 0;
+#endif /* WORKAROUND_CVE_2024_7881 */
+
 #endif /* __aarch64__ */
 
 	/* Fallthrough */
@@ -160,6 +169,15 @@ static uintptr_t arm_arch_svc_smc_handler(uint32_t smc_fid,
 		 */
 		SMC_RET0(handle);
 #endif
+#if WORKAROUND_CVE_2024_7881
+	case SMCCC_ARCH_WORKAROUND_4:
+		/*
+		 * The workaround has already been applied on affected PEs
+		 * during cold boot. This function has no effect whether PE is
+		 * affected or not.
+		 */
+		SMC_RET0(handle);
+#endif /* WORKAROUND_CVE_2024_7881 */
 #endif /* __aarch64__ */
 	default:
 		WARN("Unimplemented Arm Architecture Service Call: 0x%x \n",