Workaround for CVE-2017-5715 for Cortex A9, A15 and A17

A per-cpu vbar is installed that implements the workaround by
invalidating the branch target buffer (BTB) directly in the case of A9
and A17 and indirectly by invalidating the icache in the case of A15.

For Cortex A57 and A72 there is currently no workaround implemented
when EL3 is in AArch32 mode so report it as missing.

For other vulnerable CPUs (e.g. Cortex A73 and Cortex A75), there are
no changes since there is currently no upstream AArch32 EL3 support
for these CPUs.

Change-Id: Ib42c6ef0b3c9ff2878a9e53839de497ff736258f
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This commit is contained in:
Dimitris Papastamos 2018-01-03 10:48:59 +00:00
parent 7343505d96
commit e4b34efa18
6 changed files with 127 additions and 4 deletions

View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -15,6 +15,7 @@
/*******************************************************************************
* CPU Auxiliary Control register specific definitions.
******************************************************************************/
#define CORTEX_A15_ACTLR_INV_BTB_BIT (1 << 0)
#define CORTEX_A15_ACTLR_SMP_BIT (1 << 6)
#endif /* __CORTEX_A15_H__ */

View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2016-2018, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -41,7 +41,46 @@ func cortex_a15_enable_smp
bx lr
endfunc cortex_a15_enable_smp
func check_errata_cve_2017_5715
#if WORKAROUND_CVE_2017_5715
mov r0, #ERRATA_APPLIES
#else
mov r0, #ERRATA_MISSING
#endif
bx lr
endfunc check_errata_cve_2017_5715
#if REPORT_ERRATA
/*
* Errata printing function for Cortex A15. Must follow AAPCS.
*/
func cortex_a15_errata_report
push {r12, lr}
bl cpu_get_rev_var
mov r4, r0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2017_5715, cortex_a15, cve_2017_5715
pop {r12, lr}
bx lr
endfunc cortex_a15_errata_report
#endif
func cortex_a15_reset_func
#if IMAGE_BL32 && WORKAROUND_CVE_2017_5715
ldcopr r0, ACTLR
orr r0, #CORTEX_A15_ACTLR_INV_BTB_BIT
stcopr r0, ACTLR
ldr r0, =workaround_icache_inv_runtime_exceptions
stcopr r0, VBAR
stcopr r0, MVBAR
/* isb will be applied in the course of the reset func */
#endif
b cortex_a15_enable_smp
endfunc cortex_a15_reset_func

View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -35,7 +35,43 @@ func cortex_a17_enable_smp
bx lr
endfunc cortex_a17_enable_smp
func check_errata_cve_2017_5715
#if WORKAROUND_CVE_2017_5715
mov r0, #ERRATA_APPLIES
#else
mov r0, #ERRATA_MISSING
#endif
bx lr
endfunc check_errata_cve_2017_5715
#if REPORT_ERRATA
/*
* Errata printing function for Cortex A17. Must follow AAPCS.
*/
func cortex_a17_errata_report
push {r12, lr}
bl cpu_get_rev_var
mov r4, r0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2017_5715, cortex_a17, cve_2017_5715
pop {r12, lr}
bx lr
endfunc cortex_a17_errata_report
#endif
func cortex_a17_reset_func
#if IMAGE_BL32 && WORKAROUND_CVE_2017_5715
ldr r0, =workaround_bpiall_runtime_exceptions
stcopr r0, VBAR
stcopr r0, MVBAR
/* isb will be applied in the course of the reset func */
#endif
b cortex_a17_enable_smp
endfunc cortex_a17_reset_func

View File

@ -332,6 +332,11 @@ func check_errata_859972
b cpu_rev_var_ls
endfunc check_errata_859972
func check_errata_cve_2017_5715
mov r0, #ERRATA_MISSING
bx lr
endfunc check_errata_cve_2017_5715
/* -------------------------------------------------
* The CPU Ops reset function for Cortex-A57.
* Shall clobber: r0-r6
@ -519,6 +524,7 @@ func cortex_a57_errata_report
report_errata ERRATA_A57_829520, cortex_a57, 829520
report_errata ERRATA_A57_833471, cortex_a57, 833471
report_errata ERRATA_A57_859972, cortex_a57, 859972
report_errata WORKAROUND_CVE_2017_5715, cortex_a57, cve_2017_5715
pop {r12, lr}
bx lr

View File

@ -87,6 +87,10 @@ func check_errata_859971
b cpu_rev_var_ls
endfunc check_errata_859971
func check_errata_cve_2017_5715
mov r0, #ERRATA_MISSING
bx lr
endfunc check_errata_cve_2017_5715
/* -------------------------------------------------
* The CPU Ops reset function for Cortex-A72.
@ -236,6 +240,7 @@ func cortex_a72_errata_report
* checking functions of each errata.
*/
report_errata ERRATA_A72_859971, cortex_a72, 859971
report_errata WORKAROUND_CVE_2017_5715, cortex_a72, cve_2017_5715
pop {r12, lr}
bx lr

View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2016-2018, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -35,7 +35,43 @@ func cortex_a9_enable_smp
bx lr
endfunc cortex_a9_enable_smp
func check_errata_cve_2017_5715
#if WORKAROUND_CVE_2017_5715
mov r0, #ERRATA_APPLIES
#else
mov r0, #ERRATA_MISSING
#endif
bx lr
endfunc check_errata_cve_2017_5715
#if REPORT_ERRATA
/*
* Errata printing function for Cortex A9. Must follow AAPCS.
*/
func cortex_a9_errata_report
push {r12, lr}
bl cpu_get_rev_var
mov r4, r0
/*
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
report_errata WORKAROUND_CVE_2017_5715, cortex_a9, cve_2017_5715
pop {r12, lr}
bx lr
endfunc cortex_a9_errata_report
#endif
func cortex_a9_reset_func
#if IMAGE_BL32 && WORKAROUND_CVE_2017_5715
ldr r0, =workaround_bpiall_runtime_exceptions
stcopr r0, VBAR
stcopr r0, MVBAR
/* isb will be applied in the course of the reset func */
#endif
b cortex_a9_enable_smp
endfunc cortex_a9_reset_func