Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-18 02:24:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(security): workaround for CVE-2022-23960

Browse source 
Implements the loop workaround for Cortex Makalu/Makalu-ELP/Hunter
and Neoverse Demeter/Poseidon.

Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: If5f6689b662ecac92491e0c0902df4270051ce5b
This commit is contained in:
Bipin Ravi 2022-05-06 16:02:30 -05:00
parent 15ff61f5ce
commit c2a15217c3
10 changed files with 223 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
include/lib/cpus/aarch64/cortex_hunter.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Arm Limited. All rights reserved.
* Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -9,6 +9,9 @@
#define CORTEX_HUNTER_MIDR U(0x410FD810)
/* Cortex Hunter loop count for CVE-2022-23960 mitigation */
#define CORTEX_HUNTER_BHB_LOOP_COUNT U(132)
/*******************************************************************************
* CPU Extended Control register specific definitions
******************************************************************************/

5
include/lib/cpus/aarch64/cortex_makalu.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Arm Limited. All rights reserved.
* Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -9,6 +9,9 @@
#define CORTEX_MAKALU_MIDR U(0x410FD4D0)
/* Cortex Makalu loop count for CVE-2022-23960 mitigation */
#define CORTEX_MAKALU_BHB_LOOP_COUNT U(38)
/*******************************************************************************
* CPU Extended Control register specific definitions
******************************************************************************/

5
include/lib/cpus/aarch64/cortex_makalu_elp_arm.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Arm Limited. All rights reserved.
* Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -9,6 +9,9 @@
#define CORTEX_MAKALU_ELP_ARM_MIDR U(0x410FD4E0)
/* Cortex Makalu ELP loop count for CVE-2022-23960 mitigation */
#define CORTEX_MAKALU_ELP_ARM_BHB_LOOP_COUNT U(132)
/*******************************************************************************
* CPU Extended Control register specific definitions
******************************************************************************/

5
include/lib/cpus/aarch64/neoverse_demeter.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Arm Limited. All rights reserved.
* Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -9,6 +9,9 @@
#define NEOVERSE_DEMETER_MIDR U(0x410FD4F0)
/* Neoverse Demeter loop count for CVE-2022-23960 mitigation */
#define NEOVERSE_DEMETER_BHB_LOOP_COUNT U(132)
/*******************************************************************************
* CPU Extended Control register specific definitions
******************************************************************************/

3
include/lib/cpus/aarch64/neoverse_poseidon.h
View file

@ -10,6 +10,9 @@
#define NEOVERSE_POSEIDON_MIDR U(0x410FD830)
/* Neoverse Poseidon loop count for CVE-2022-23960 mitigation */
#define NEOVERSE_POSEIDON_BHB_LOOP_COUNT U(132)
/*******************************************************************************
* CPU Extended Control register specific definitions.
******************************************************************************/

38
lib/cpus/aarch64/cortex_hunter.S
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Arm Limited. All rights reserved.
* Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -10,6 +10,7 @@
#include <cortex_hunter.h>
#include <cpu_macros.S>
#include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0
@ -21,9 +22,32 @@
#error "Cortex Hunter supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table CORTEX_HUNTER_BHB_LOOP_COUNT, cortex_hunter
#endif /* WORKAROUND_CVE_2022_23960 */
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func cortex_hunter_reset_func
/* Disable speculative loads */
msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Cortex Hunter generic vectors are overridden to apply errata
* mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_cortex_hunter
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb
ret
endfunc cortex_hunter_reset_func
@ -49,6 +73,18 @@ endfunc cortex_hunter_core_pwr_dwn
* Errata printing function for Cortex Hunter. Must follow AAPCS.
*/
func cortex_hunter_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, cortex_hunter, cve_2022_23960
ldp x8, x30, [sp], #16
ret
endfunc cortex_hunter_errata_report
#endif

38
lib/cpus/aarch64/cortex_makalu.S
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Arm Limited. All rights reserved.
* Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -10,6 +10,7 @@
#include <cortex_makalu.h>
#include <cpu_macros.S>
#include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0
@ -21,9 +22,32 @@
#error "Cortex Makalu supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table CORTEX_MAKALU_BHB_LOOP_COUNT, cortex_makalu
#endif /* WORKAROUND_CVE_2022_23960 */
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func cortex_makalu_reset_func
/* Disable speculative loads */
msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Cortex Makalu generic vectors are overridden to apply errata
* mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_cortex_makalu
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb
ret
endfunc cortex_makalu_reset_func
@ -49,6 +73,18 @@ endfunc cortex_makalu_core_pwr_dwn
* Errata printing function for Cortex Makalu. Must follow AAPCS.
*/
func cortex_makalu_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, cortex_makalu, cve_2022_23960
ldp x8, x30, [sp], #16
ret
endfunc cortex_makalu_errata_report
#endif

52
lib/cpus/aarch64/cortex_makalu_elp_arm.S
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Arm Limited. All rights reserved.
* Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -10,6 +10,7 @@
#include <cortex_makalu_elp_arm.h>
#include <cpu_macros.S>
#include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0
@ -21,6 +22,10 @@
#error "Cortex Makalu ELP supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table CORTEX_MAKALU_ELP_ARM_BHB_LOOP_COUNT, cortex_makalu_elp_arm
#endif /* WORKAROUND_CVE_2022_23960 */
/* ----------------------------------------------------
* HW will do the cache maintenance while powering down
* ----------------------------------------------------
@ -37,22 +42,53 @@ func cortex_makalu_elp_arm_core_pwr_dwn
ret
endfunc cortex_makalu_elp_arm_core_pwr_dwn
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func cortex_makalu_elp_arm_reset_func
/* Disable speculative loads */
msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Cortex Makalu ELP generic vectors are overridden to apply
* errata mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_cortex_makalu_elp_arm
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb
ret
endfunc cortex_makalu_elp_arm_reset_func
#if REPORT_ERRATA
/*
* Errata printing function for Cortex Makalu ELP. Must follow AAPCS.
*/
func cortex_makalu_elp_arm_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, cortex_makalu_elp_arm, cve_2022_23960
ldp x8, x30, [sp], #16
ret
endfunc cortex_makalu_elp_arm_errata_report
#endif
func cortex_makalu_elp_arm_reset_func
/* Disable speculative loads */
msr SSBS, xzr
isb
ret
endfunc cortex_makalu_elp_arm_reset_func
/* ---------------------------------------------
* This function provides Cortex Makalu ELP-
* specific register information for crash

51
lib/cpus/aarch64/neoverse_demeter.S
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Arm Limited. All rights reserved.
* Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -10,6 +10,7 @@
#include <neoverse_demeter.h>
#include <cpu_macros.S>
#include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0
@ -21,6 +22,10 @@
#error "Neoverse Demeter supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table NEOVERSE_DEMETER_BHB_LOOP_COUNT, neoverse_demeter
#endif /* WORKAROUND_CVE_2022_23960 */
/* ----------------------------------------------------
* HW will do the cache maintenance while powering down
* ----------------------------------------------------
@ -37,22 +42,52 @@ func neoverse_demeter_core_pwr_dwn
ret
endfunc neoverse_demeter_core_pwr_dwn
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func neoverse_demeter_reset_func
/* Disable speculative loads */
msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Neoverse Demeter vectors are overridden to apply
* errata mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_neoverse_demeter
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb
ret
endfunc neoverse_demeter_reset_func
#if REPORT_ERRATA
/*
* Errata printing function for Neoverse Demeter. Must follow AAPCS.
*/
func neoverse_demeter_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, neoverse_demeter, cve_2022_23960
ldp x8, x30, [sp], #16
ret
endfunc neoverse_demeter_errata_report
#endif
func neoverse_demeter_reset_func
/* Disable speculative loads */
msr SSBS, xzr
isb
ret
endfunc neoverse_demeter_reset_func
/* ---------------------------------------------
* This function provides Neoverse Demeter-
* specific register information for crash

50
lib/cpus/aarch64/neoverse_poseidon.S
View file

@ -10,6 +10,7 @@
#include <neoverse_poseidon.h>
#include <cpu_macros.S>
#include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0
@ -21,6 +22,10 @@
#error "Neoverse Poseidon supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif
#if WORKAROUND_CVE_2022_23960
wa_cve_2022_23960_bhb_vector_table NEOVERSE_POSEIDON_BHB_LOOP_COUNT, neoverse_poseidon
#endif /* WORKAROUND_CVE_2022_23960 */
/* ---------------------------------------------
* HW will do the cache maintenance while powering down
* ---------------------------------------------
@ -37,22 +42,53 @@ func neoverse_poseidon_core_pwr_dwn
ret
endfunc neoverse_poseidon_core_pwr_dwn
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
mov x0, #ERRATA_APPLIES
#else
mov x0, #ERRATA_MISSING
#endif
ret
endfunc check_errata_cve_2022_23960
func neoverse_poseidon_reset_func
/* Disable speculative loads */
msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
* The Neoverse Poseidon generic vectors are overridden to apply
* errata mitigation on exception entry from lower ELs.
*/
adr x0, wa_cve_vbar_neoverse_poseidon
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb
ret
endfunc neoverse_poseidon_reset_func
#if REPORT_ERRATA
/*
* Errata printing function for Neoverse Poseidon. Must follow AAPCS.
*/
func neoverse_poseidon_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
mov x8, x0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2022_23960, neoverse_poseidon, cve_2022_23960
ldp x8, x30, [sp], #16
ret
endfunc neoverse_poseidon_errata_report
#endif
func neoverse_poseidon_reset_func
/* Disable speculative loads */
msr SSBS, xzr
isb
ret
endfunc neoverse_poseidon_reset_func
/* ---------------------------------------------
* This function provides Neoverse-Poseidon specific
* register information for crash reporting.