diff options
42 files changed, 572 insertions, 320 deletions
diff --git a/bl31/bl31.mk b/bl31/bl31.mk index 0e47ddf6..a6c0a9a0 100644 --- a/bl31/bl31.mk +++ b/bl31/bl31.mk @@ -61,8 +61,8 @@ BL31_SOURCES += lib/extensions/sve/sve.c endif ifeq (${WORKAROUND_CVE_2017_5715},1) -BL31_SOURCES += lib/cpus/aarch64/workaround_cve_2017_5715_bpiall.S \ - lib/cpus/aarch64/workaround_cve_2017_5715_mmu.S +BL31_SOURCES += lib/cpus/aarch64/wa_cve_2017_5715_bpiall.S \ + lib/cpus/aarch64/wa_cve_2017_5715_mmu.S endif BL31_LINKERFILE := bl31/bl31.ld.S diff --git a/bl32/sp_min/sp_min.mk b/bl32/sp_min/sp_min.mk index 193b1d5e..6233299d 100644 --- a/bl32/sp_min/sp_min.mk +++ b/bl32/sp_min/sp_min.mk @@ -29,8 +29,8 @@ BL32_SOURCES += lib/extensions/amu/aarch32/amu.c\ endif ifeq (${WORKAROUND_CVE_2017_5715},1) -BL32_SOURCES += bl32/sp_min/workaround_cve_2017_5715_bpiall.S \ - bl32/sp_min/workaround_cve_2017_5715_icache_inv.S +BL32_SOURCES += bl32/sp_min/wa_cve_2017_5715_bpiall.S \ + bl32/sp_min/wa_cve_2017_5715_icache_inv.S endif BL32_LINKERFILE := bl32/sp_min/sp_min.ld.S diff --git a/bl32/sp_min/workaround_cve_2017_5715_bpiall.S b/bl32/sp_min/wa_cve_2017_5715_bpiall.S index 5387cefc..385f3d4b 100644 --- a/bl32/sp_min/workaround_cve_2017_5715_bpiall.S +++ b/bl32/sp_min/wa_cve_2017_5715_bpiall.S @@ -6,9 +6,9 @@ #include <asm_macros.S> - .globl workaround_bpiall_runtime_exceptions + .globl wa_cve_2017_5715_bpiall_vbar -vector_base workaround_bpiall_runtime_exceptions +vector_base wa_cve_2017_5715_bpiall_vbar /* We encode the exception entry in the bottom 3 bits of SP */ add sp, sp, #1 /* Reset: 0b111 */ add sp, sp, #1 /* Undef: 0b110 */ diff --git a/bl32/sp_min/workaround_cve_2017_5715_icache_inv.S b/bl32/sp_min/wa_cve_2017_5715_icache_inv.S index 9102b02f..d0a46250 100644 --- a/bl32/sp_min/workaround_cve_2017_5715_icache_inv.S +++ b/bl32/sp_min/wa_cve_2017_5715_icache_inv.S @@ -6,9 +6,9 @@ #include <asm_macros.S> - .globl workaround_icache_inv_runtime_exceptions + .globl wa_cve_2017_5715_icache_inv_vbar -vector_base workaround_icache_inv_runtime_exceptions +vector_base wa_cve_2017_5715_icache_inv_vbar /* We encode the exception entry in the bottom 3 bits of SP */ add sp, sp, #1 /* Reset: 0b111 */ add sp, sp, #1 /* Undef: 0b110 */ diff --git a/docs/cpu-specific-build-macros.rst b/docs/cpu-specific-build-macros.rst index 65f6adb8..c11f6403 100644 --- a/docs/cpu-specific-build-macros.rst +++ b/docs/cpu-specific-build-macros.rst @@ -24,6 +24,17 @@ vulnerability workarounds should be applied at runtime. with the recommendation in the spec regarding workaround discovery. Defaults to 1. +- ``WORKAROUND_CVE_2018_3639``: Enables the security workaround for + `CVE-2018-3639`_. Defaults to 1. The TF-A project recommends to keep + the default value of 1 even on platforms that are unaffected by + CVE-2018-3639, in order to comply with the recommendation in the spec + regarding workaround discovery. + +- ``DYNAMIC_WORKAROUND_CVE_2018_3639``: Enables dynamic mitigation for + `CVE-2018-3639`_. This build option should be set to 1 if the target + platform contains at least 1 CPU that requires dynamic mitigation. + Defaults to 0. + CPU Errata Workarounds ---------------------- diff --git a/docs/firmware-design.rst b/docs/firmware-design.rst index 477eeaa5..51f5b42e 100644 --- a/docs/firmware-design.rst +++ b/docs/firmware-design.rst @@ -516,8 +516,8 @@ This functionality can be tested with FVP loading the image directly in memory and changing the address where the system jumps at reset. For example: - -C cluster0.cpu0.RVBAR=0x4014000 - --data cluster0.cpu0=bl2.bin@0x4014000 + -C cluster0.cpu0.RVBAR=0x4020000 + --data cluster0.cpu0=bl2.bin@0x4020000 With this configuration, FVP is like a platform of the first case, where the Boot ROM jumps always to the same address. For simplification, @@ -1743,17 +1743,20 @@ The following list describes the memory layout on the Arm development platforms: this is also used for the MHU payload when passing messages to and from the SCP. +- Another 4 KB page is reserved for passing memory layout between BL1 and BL2 + and also the dynamic firmware configurations. + - On FVP, BL1 is originally sitting in the Trusted ROM at address ``0x0``. On Juno, BL1 resides in flash memory at address ``0x0BEC0000``. BL1 read-write data are relocated to the top of Trusted SRAM at runtime. +- BL2 is loaded below BL1 RW + - EL3 Runtime Software, BL31 for AArch64 and BL32 for AArch32 (e.g. SP\_MIN), is loaded at the top of the Trusted SRAM, such that its NOBITS sections will - overwrite BL1 R/W data. This implies that BL1 global variables remain valid - only until execution reaches the EL3 Runtime Software entry point during a - cold boot. - -- BL2 is loaded below EL3 Runtime Software. + overwrite BL1 R/W data and BL2. This implies that BL1 global variables + remain valid only until execution reaches the EL3 Runtime Software entry + point during a cold boot. - On Juno, SCP\_BL2 is loaded temporarily into the EL3 Runtime Software memory region and transfered to the SCP before being overwritten by EL3 Runtime @@ -1766,9 +1769,8 @@ The following list describes the memory layout on the Arm development platforms: - Secure region of DRAM (top 16MB of DRAM configured by the TrustZone controller) - When BL32 (for AArch64) is loaded into Trusted SRAM, its NOBITS sections - are allowed to overlay BL2. This memory layout is designed to give the - BL32 image as much memory as possible when it is loaded into Trusted SRAM. + When BL32 (for AArch64) is loaded into Trusted SRAM, it is loaded below + BL31. When LOAD\_IMAGE\_V2 is disabled the memory regions for the overlap detection mechanism at boot time are defined as follows (shown per API): @@ -1814,21 +1816,32 @@ an example. Note: Loading the BL32 image in TZC secured DRAM doesn't change the memory layout of the other images in Trusted SRAM. -**FVP with TSP in Trusted SRAM (default option):** +**FVP with TSP in Trusted SRAM with firmware configs :** (These diagrams only cover the AArch64 case) :: + DRAM + 0xffffffff +----------+ + : : + |----------| + |HW_CONFIG | + 0x83000000 |----------| (non-secure) + | | + 0x80000000 +----------+ + Trusted SRAM - 0x04040000 +----------+ loaded by BL2 ------------------ - | BL1 (rw) | <<<<<<<<<<<<< | BL31 NOBITS | + 0x04040000 +----------+ loaded by BL2 +----------------+ + | BL1 (rw) | <<<<<<<<<<<<< | | + |----------| <<<<<<<<<<<<< | BL31 NOBITS | + | BL2 | <<<<<<<<<<<<< | | |----------| <<<<<<<<<<<<< |----------------| | | <<<<<<<<<<<<< | BL31 PROGBITS | - |----------| ------------------ - | BL2 | <<<<<<<<<<<<< | BL32 NOBITS | - |----------| <<<<<<<<<<<<< |----------------| - | | <<<<<<<<<<<<< | BL32 PROGBITS | - 0x04001000 +----------+ ------------------ + | | <<<<<<<<<<<<< |----------------| + | | <<<<<<<<<<<<< | BL32 | + 0x04002000 +----------+ +----------------+ + |fw_configs| + 0x04001000 +----------+ | Shared | 0x04000000 +----------+ @@ -1837,7 +1850,7 @@ layout of the other images in Trusted SRAM. | BL1 (ro) | 0x00000000 +----------+ -**FVP with TSP in Trusted DRAM with TB_FW_CONFIG and HW_CONFIG :** +**FVP with TSP in Trusted DRAM with firmware configs (default option):** :: @@ -1856,17 +1869,15 @@ layout of the other images in Trusted SRAM. 0x06000000 +--------------+ Trusted SRAM - 0x04040000 +--------------+ loaded by BL2 ------------------ - | BL1 (rw) | <<<<<<<<<<<<< | BL31 NOBITS | + 0x04040000 +--------------+ loaded by BL2 +----------------+ + | BL1 (rw) | <<<<<<<<<<<<< | | + |--------------| <<<<<<<<<<<<< | BL31 NOBITS | + | BL2 | <<<<<<<<<<<<< | | |--------------| <<<<<<<<<<<<< |----------------| | | <<<<<<<<<<<<< | BL31 PROGBITS | - |--------------| ------------------ - | BL2 | - |--------------| - | | - |--------------| - | TB_FW_CONFIG | - |--------------| + | | +----------------+ + +--------------+ + | fw_configs | 0x04001000 +--------------+ | Shared | 0x04000000 +--------------+ @@ -1876,7 +1887,7 @@ layout of the other images in Trusted SRAM. | BL1 (ro) | 0x00000000 +--------------+ -**FVP with TSP in TZC-Secured DRAM:** +**FVP with TSP in TZC-Secured DRAM with firmware configs :** :: @@ -1885,19 +1896,22 @@ layout of the other images in Trusted SRAM. | BL32 | (secure) 0xff000000 +----------+ | | - : : (non-secure) + |----------| + |HW_CONFIG | + 0x83000000 |----------| (non-secure) | | 0x80000000 +----------+ Trusted SRAM - 0x04040000 +----------+ loaded by BL2 ------------------ - | BL1 (rw) | <<<<<<<<<<<<< | BL31 NOBITS | + 0x04040000 +----------+ loaded by BL2 +----------------+ + | BL1 (rw) | <<<<<<<<<<<<< | | + |----------| <<<<<<<<<<<<< | BL31 NOBITS | + | BL2 | <<<<<<<<<<<<< | | |----------| <<<<<<<<<<<<< |----------------| | | <<<<<<<<<<<<< | BL31 PROGBITS | - |----------| ------------------ - | BL2 | - |----------| - | | + | | +----------------+ + 0x04002000 +----------+ + |fw_configs| 0x04001000 +----------+ | Shared | 0x04000000 +----------+ @@ -1907,7 +1921,7 @@ layout of the other images in Trusted SRAM. | BL1 (ro) | 0x00000000 +----------+ -**Juno with BL32 in Trusted SRAM (default option):** +**Juno with BL32 in Trusted SRAM :** :: @@ -1921,19 +1935,21 @@ layout of the other images in Trusted SRAM. 0x08000000 +----------+ BL31 is loaded after SCP_BL2 has Trusted SRAM been sent to SCP - 0x04040000 +----------+ loaded by BL2 ------------------ - | BL1 (rw) | <<<<<<<<<<<<< | BL31 NOBITS | + 0x04040000 +----------+ loaded by BL2 +----------------+ + | BL1 (rw) | <<<<<<<<<<<<< | | + |----------| <<<<<<<<<<<<< | BL31 NOBITS | + | BL2 | <<<<<<<<<<<<< | | |----------| <<<<<<<<<<<<< |----------------| | SCP_BL2 | <<<<<<<<<<<<< | BL31 PROGBITS | - |----------| ------------------ - | BL2 | <<<<<<<<<<<<< | BL32 NOBITS | |----------| <<<<<<<<<<<<< |----------------| - | | <<<<<<<<<<<<< | BL32 PROGBITS | - 0x04001000 +----------+ ------------------ + | | <<<<<<<<<<<<< | BL32 | + | | +----------------+ + | | + 0x04001000 +----------+ | MHU | 0x04000000 +----------+ -**Juno with BL32 in TZC-secured DRAM:** +**Juno with BL32 in TZC-secured DRAM :** :: @@ -1956,14 +1972,13 @@ layout of the other images in Trusted SRAM. 0x08000000 +----------+ BL31 is loaded after SCP_BL2 has Trusted SRAM been sent to SCP - 0x04040000 +----------+ loaded by BL2 ------------------ - | BL1 (rw) | <<<<<<<<<<<<< | BL31 NOBITS | + 0x04040000 +----------+ loaded by BL2 +----------------+ + | BL1 (rw) | <<<<<<<<<<<<< | | + |----------| <<<<<<<<<<<<< | BL31 NOBITS | + | BL2 | <<<<<<<<<<<<< | | |----------| <<<<<<<<<<<<< |----------------| | SCP_BL2 | <<<<<<<<<<<<< | BL31 PROGBITS | - |----------| ------------------ - | BL2 | - |----------| - | | + |----------| +----------------+ 0x04001000 +----------+ | MHU | 0x04000000 +----------+ diff --git a/docs/user-guide.rst b/docs/user-guide.rst index 5f3823db..f6d0c764 100644 --- a/docs/user-guide.rst +++ b/docs/user-guide.rst @@ -1928,7 +1928,7 @@ with 8 CPUs using the AArch32 build of TF-A. -C cluster1.cpu1.RVBAR=0x04001000 \ -C cluster1.cpu2.RVBAR=0x04001000 \ -C cluster1.cpu3.RVBAR=0x04001000 \ - --data cluster0.cpu0="<path-to>/<bl32-binary>"@0x04001000 \ + --data cluster0.cpu0="<path-to>/<bl32-binary>"@0x04002000 \ --data cluster0.cpu0="<path-to>/<bl33-binary>"@0x88000000 \ --data cluster0.cpu0="<path-to>/<fdt>"@0x82000000 \ --data cluster0.cpu0="<path-to>/<kernel-binary>"@0x80080000 \ @@ -1959,7 +1959,7 @@ boot Linux with 8 CPUs using the AArch64 build of TF-A. -C cluster1.cpu2.RVBARADDR=0x04020000 \ -C cluster1.cpu3.RVBARADDR=0x04020000 \ --data cluster0.cpu0="<path-to>/<bl31-binary>"@0x04020000 \ - --data cluster0.cpu0="<path-to>/<bl32-binary>"@0x04001000 \ + --data cluster0.cpu0="<path-to>/<bl32-binary>"@0x04002000 \ --data cluster0.cpu0="<path-to>/<bl33-binary>"@0x88000000 \ --data cluster0.cpu0="<path-to>/<fdt>"@0x82000000 \ --data cluster0.cpu0="<path-to>/<kernel-binary>"@0x80080000 \ @@ -1982,7 +1982,7 @@ boot Linux with 4 CPUs using the AArch32 build of TF-A. -C cluster0.cpu1.RVBARADDR=0x04001000 \ -C cluster0.cpu2.RVBARADDR=0x04001000 \ -C cluster0.cpu3.RVBARADDR=0x04001000 \ - --data cluster0.cpu0="<path-to>/<bl32-binary>"@0x04001000 \ + --data cluster0.cpu0="<path-to>/<bl32-binary>"@0x04002000 \ --data cluster0.cpu0="<path-to>/<bl33-binary>"@0x88000000 \ --data cluster0.cpu0="<path-to>/<fdt>"@0x82000000 \ --data cluster0.cpu0="<path-to>/<kernel-binary>"@0x80080000 \ diff --git a/include/lib/cpus/aarch32/cortex_a57.h b/include/lib/cpus/aarch32/cortex_a57.h index 3fac9c7b..18cabe11 100644 --- a/include/lib/cpus/aarch32/cortex_a57.h +++ b/include/lib/cpus/aarch32/cortex_a57.h @@ -44,6 +44,7 @@ #define CORTEX_A57_CPUACTLR p15, 0, c15 #define CORTEX_A57_CPUACTLR_DIS_LOAD_PASS_DMB (ULL(1) << 59) +#define CORTEX_A57_CPUACTLR_DIS_LOAD_PASS_STORE (ULL(1) << 55) #define CORTEX_A57_CPUACTLR_GRE_NGRE_AS_NGNRE (ULL(1) << 54) #define CORTEX_A57_CPUACTLR_DIS_OVERREAD (ULL(1) << 52) #define CORTEX_A57_CPUACTLR_NO_ALLOC_WBWA (ULL(1) << 49) diff --git a/include/lib/cpus/aarch32/cortex_a72.h b/include/lib/cpus/aarch32/cortex_a72.h index f7da1f01..0331ace7 100644 --- a/include/lib/cpus/aarch32/cortex_a72.h +++ b/include/lib/cpus/aarch32/cortex_a72.h @@ -32,6 +32,7 @@ #define CORTEX_A72_CPUACTLR p15, 0, c15 #define CORTEX_A72_CPUACTLR_DISABLE_L1_DCACHE_HW_PFTCH (ULL(1) << 56) +#define CORTEX_A72_CPUACTLR_DIS_LOAD_PASS_STORE (ULL(1) << 55) #define CORTEX_A72_CPUACTLR_NO_ALLOC_WBWA (ULL(1) << 49) #define CORTEX_A72_CPUACTLR_DCC_AS_DCCI (ULL(1) << 44) #define CORTEX_A72_CPUACTLR_DIS_INSTR_PREFETCH (ULL(1) << 32) diff --git a/include/lib/cpus/aarch64/cortex_a57.h b/include/lib/cpus/aarch64/cortex_a57.h index 6c45c066..83ec9342 100644 --- a/include/lib/cpus/aarch64/cortex_a57.h +++ b/include/lib/cpus/aarch64/cortex_a57.h @@ -44,6 +44,7 @@ #define CORTEX_A57_CPUACTLR_EL1 S3_1_C15_C2_0 #define CORTEX_A57_CPUACTLR_EL1_DIS_LOAD_PASS_DMB (ULL(1) << 59) +#define CORTEX_A57_CPUACTLR_EL1_DIS_LOAD_PASS_STORE (ULL(1) << 55) #define CORTEX_A57_CPUACTLR_EL1_GRE_NGRE_AS_NGNRE (ULL(1) << 54) #define CORTEX_A57_CPUACTLR_EL1_DIS_OVERREAD (ULL(1) << 52) #define CORTEX_A57_CPUACTLR_EL1_NO_ALLOC_WBWA (ULL(1) << 49) diff --git a/include/lib/cpus/aarch64/cortex_a72.h b/include/lib/cpus/aarch64/cortex_a72.h index 6fbb7076..9f184706 100644 --- a/include/lib/cpus/aarch64/cortex_a72.h +++ b/include/lib/cpus/aarch64/cortex_a72.h @@ -32,6 +32,7 @@ #define CORTEX_A72_CPUACTLR_EL1 S3_1_C15_C2_0 #define CORTEX_A72_CPUACTLR_EL1_DISABLE_L1_DCACHE_HW_PFTCH (ULL(1) << 56) +#define CORTEX_A72_CPUACTLR_EL1_DIS_LOAD_PASS_STORE (ULL(1) << 55) #define CORTEX_A72_CPUACTLR_EL1_NO_ALLOC_WBWA (ULL(1) << 49) #define CORTEX_A72_CPUACTLR_EL1_DCC_AS_DCCI (ULL(1) << 44) #define CORTEX_A72_CPUACTLR_EL1_DIS_INSTR_PREFETCH (ULL(1) << 32) diff --git a/include/lib/cpus/aarch64/cortex_a73.h b/include/lib/cpus/aarch64/cortex_a73.h index faff5fef..4db0cae2 100644 --- a/include/lib/cpus/aarch64/cortex_a73.h +++ b/include/lib/cpus/aarch64/cortex_a73.h @@ -22,4 +22,11 @@ ******************************************************************************/ #define CORTEX_A73_L2MERRSR_EL1 S3_1_C15_C2_3 /* Instruction def. */ +/******************************************************************************* + * CPU implementation defined register specific definitions. + ******************************************************************************/ +#define CORTEX_A73_IMP_DEF_REG1 S3_0_C15_C0_0 + +#define CORTEX_A73_IMP_DEF_REG1_DISABLE_LOAD_PASS_STORE (1 << 3) + #endif /* __CORTEX_A73_H__ */ diff --git a/include/lib/cpus/aarch64/cortex_a75.h b/include/lib/cpus/aarch64/cortex_a75.h index 20f02518..493c7d47 100644 --- a/include/lib/cpus/aarch64/cortex_a75.h +++ b/include/lib/cpus/aarch64/cortex_a75.h @@ -16,6 +16,13 @@ #define CORTEX_A75_CPUPWRCTLR_EL1 S3_0_C15_C2_7 #define CORTEX_A75_CPUECTLR_EL1 S3_0_C15_C1_4 +/******************************************************************************* + * CPU Auxiliary Control register specific definitions. + ******************************************************************************/ +#define CORTEX_A75_CPUACTLR_EL1 S3_0_C15_C1_0 + +#define CORTEX_A75_CPUACTLR_EL1_DISABLE_LOAD_PASS_STORE (1 << 35) + /* Definitions of register field mask in CORTEX_A75_CPUPWRCTLR_EL1 */ #define CORTEX_A75_CORE_PWRDN_EN_MASK 0x1 diff --git a/include/lib/cpus/aarch64/cpu_macros.S b/include/lib/cpus/aarch64/cpu_macros.S index bfe2449e..cd8f3e8f 100644 --- a/include/lib/cpus/aarch64/cpu_macros.S +++ b/include/lib/cpus/aarch64/cpu_macros.S @@ -18,6 +18,9 @@ /* Special constant to specify that CPU has no reset function */ #define CPU_NO_RESET_FUNC 0 +#define CPU_NO_EXTRA1_FUNC 0 +#define CPU_NO_EXTRA2_FUNC 0 + /* Word size for 64-bit CPUs */ #define CPU_WORD_SIZE 8 @@ -48,6 +51,8 @@ CPU_RESET_FUNC: /* cpu_ops reset_func */ #endif CPU_EXTRA1_FUNC: .space 8 +CPU_EXTRA2_FUNC: + .space 8 #ifdef IMAGE_BL31 /* The power down core and cluster is needed only in BL31 */ CPU_PWR_DWN_OPS: /* cpu_ops power down functions */ .space (8 * CPU_MAX_PWR_DWN_OPS) @@ -119,6 +124,10 @@ CPU_OPS_SIZE = . * This is a placeholder for future per CPU operations. Currently, * some CPUs use this entry to set a test function to determine if * the workaround for CVE-2017-5715 needs to be applied or not. + * _extra2: + * This is a placeholder for future per CPU operations. Currently + * some CPUs use this entry to set a function to disable the + * workaround for CVE-2018-3639. * _power_down_ops: * Comma-separated list of functions to perform power-down * operatios on the CPU. At least one, and up to @@ -129,7 +138,7 @@ CPU_OPS_SIZE = . * used to handle power down at subsequent levels */ .macro declare_cpu_ops_base _name:req, _midr:req, _resetfunc:req, \ - _extra1:req, _power_down_ops:vararg + _extra1:req, _extra2:req, _power_down_ops:vararg .section cpu_ops, "a" .align 3 .type cpu_ops_\_name, %object @@ -138,6 +147,7 @@ CPU_OPS_SIZE = . .quad \_resetfunc #endif .quad \_extra1 + .quad \_extra2 #ifdef IMAGE_BL31 1: /* Insert list of functions */ @@ -196,14 +206,15 @@ CPU_OPS_SIZE = . .macro declare_cpu_ops _name:req, _midr:req, _resetfunc:req, \ _power_down_ops:vararg - declare_cpu_ops_base \_name, \_midr, \_resetfunc, 0, \ + declare_cpu_ops_base \_name, \_midr, \_resetfunc, 0, 0, \ \_power_down_ops .endm - .macro declare_cpu_ops_workaround_cve_2017_5715 _name:req, _midr:req, \ - _resetfunc:req, _extra1:req, _power_down_ops:vararg + .macro declare_cpu_ops_wa _name:req, _midr:req, \ + _resetfunc:req, _extra1:req, _extra2:req, \ + _power_down_ops:vararg declare_cpu_ops_base \_name, \_midr, \_resetfunc, \ - \_extra1, \_power_down_ops + \_extra1, \_extra2, \_power_down_ops .endm #if REPORT_ERRATA diff --git a/include/lib/cpus/wa_cve_2017_5715.h b/include/lib/cpus/wa_cve_2017_5715.h new file mode 100644 index 00000000..0a65a569 --- /dev/null +++ b/include/lib/cpus/wa_cve_2017_5715.h @@ -0,0 +1,12 @@ +/* + * Copyright (c) 2018, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __WA_CVE_2017_5715_H__ +#define __WA_CVE_2017_5715_H__ + +int check_wa_cve_2017_5715(void); + +#endif /* __WA_CVE_2017_5715_H__ */ diff --git a/include/lib/cpus/wa_cve_2018_3639.h b/include/lib/cpus/wa_cve_2018_3639.h new file mode 100644 index 00000000..36546f70 --- /dev/null +++ b/include/lib/cpus/wa_cve_2018_3639.h @@ -0,0 +1,12 @@ +/* + * Copyright (c) 2018, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __WA_CVE_2018_3639_H__ +#define __WA_CVE_2018_3639_H__ + +void *wa_cve_2018_3639_get_disable_ptr(void); + +#endif /* __WA_CVE_2018_3639_H__ */ diff --git a/include/lib/cpus/workaround_cve_2017_5715.h b/include/lib/cpus/workaround_cve_2017_5715.h deleted file mode 100644 index e837a673..00000000 --- a/include/lib/cpus/workaround_cve_2017_5715.h +++ /dev/null @@ -1,12 +0,0 @@ -/* - * Copyright (c) 2018, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef __WORKAROUND_CVE_2017_5715_H__ -#define __WORKAROUND_CVE_2017_5715_H__ - -int check_workaround_cve_2017_5715(void); - -#endif /* __WORKAROUND_CVE_2017_5715_H__ */ diff --git a/include/lib/el3_runtime/aarch64/context.h b/include/lib/el3_runtime/aarch64/context.h index cdd74a34..a4f3ea1b 100644 --- a/include/lib/el3_runtime/aarch64/context.h +++ b/include/lib/el3_runtime/aarch64/context.h @@ -128,8 +128,8 @@ * Constants that allow assembler code to access members of and the 'fp_regs' * structure at their correct offsets. ******************************************************************************/ -#if CTX_INCLUDE_FPREGS #define CTX_FPREGS_OFFSET (CTX_SYSREGS_OFFSET + CTX_SYSREGS_END) +#if CTX_INCLUDE_FPREGS #define CTX_FP_Q0 U(0x0) #define CTX_FP_Q1 U(0x10) #define CTX_FP_Q2 U(0x20) @@ -170,8 +170,14 @@ #else #define CTX_FPREGS_END U(0x210) /* Align to the next 16 byte boundary */ #endif +#else +#define CTX_FPREGS_END U(0) #endif +#define CTX_CVE_2018_3639_OFFSET (CTX_FPREGS_OFFSET + CTX_FPREGS_END) +#define CTX_CVE_2018_3639_DISABLE U(0) +#define CTX_CVE_2018_3639_END U(0x10) /* Align to the next 16 byte boundary */ + #ifndef __ASSEMBLY__ #include <cassert.h> @@ -195,6 +201,7 @@ #define CTX_FPREG_ALL (CTX_FPREGS_END >> DWORD_SHIFT) #endif #define CTX_EL3STATE_ALL (CTX_EL3STATE_END >> DWORD_SHIFT) +#define CTX_CVE_2018_3639_ALL (CTX_CVE_2018_3639_END >> DWORD_SHIFT) /* * AArch64 general purpose register context structure. Usually x0-x18, @@ -227,6 +234,9 @@ DEFINE_REG_STRUCT(fp_regs, CTX_FPREG_ALL); */ DEFINE_REG_STRUCT(el3_state, CTX_EL3STATE_ALL); +/* Function pointer used by CVE-2018-3639 dynamic mitigation */ +DEFINE_REG_STRUCT(cve_2018_3639, CTX_CVE_2018_3639_ALL); + /* * Macros to access members of any of the above structures using their * offsets @@ -251,6 +261,7 @@ typedef struct cpu_context { #if CTX_INCLUDE_FPREGS fp_regs_t fpregs_ctx; #endif + cve_2018_3639_t cve_2018_3639_ctx; } cpu_context_t; /* Macros to access members of the 'cpu_context_t' structure */ @@ -276,6 +287,8 @@ CASSERT(CTX_FPREGS_OFFSET == __builtin_offsetof(cpu_context_t, fpregs_ctx), \ #endif CASSERT(CTX_EL3STATE_OFFSET == __builtin_offsetof(cpu_context_t, el3state_ctx), \ assert_core_context_el3state_offset_mismatch); +CASSERT(CTX_CVE_2018_3639_OFFSET == __builtin_offsetof(cpu_context_t, cve_2018_3639_ctx), \ + assert_core_context_cve_2018_3639_offset_mismatch); /* * Helper macro to set the general purpose registers that correspond to diff --git a/include/plat/arm/board/common/board_arm_def.h b/include/plat/arm/board/common/board_arm_def.h index 21ceae30..2d8e4c13 100644 --- a/include/plat/arm/board/common/board_arm_def.h +++ b/include/plat/arm/board/common/board_arm_def.h @@ -93,21 +93,19 @@ #endif /* - * PLAT_ARM_MAX_BL31_SIZE is calculated using the current BL31 debug size plus a - * little space for growth. + * Since BL31 NOBITS overlays BL2 and BL1-RW, PLAT_ARM_MAX_BL31_SIZE is + * calculated using the current BL31 PROGBITS debug size plus the sizes of + * BL2 and BL1-RW */ -#if ENABLE_SPM -# define PLAT_ARM_MAX_BL31_SIZE 0x40000 -#else -# define PLAT_ARM_MAX_BL31_SIZE 0x20000 -#endif +#define PLAT_ARM_MAX_BL31_SIZE 0x3B000 #ifdef AARCH32 /* - * PLAT_ARM_MAX_BL32_SIZE is calculated for SP_MIN as the AArch32 Secure - * Payload. + * Since BL32 NOBITS overlays BL2 and BL1-RW, PLAT_ARM_MAX_BL32_SIZE is + * calculated using the current SP_MIN PROGBITS debug size plus the sizes of + * BL2 and BL1-RW */ -# define PLAT_ARM_MAX_BL32_SIZE 0x1D000 +# define PLAT_ARM_MAX_BL32_SIZE 0x3B000 #endif #endif /* ARM_BOARD_OPTIMISE_MEM */ diff --git a/include/plat/arm/common/arm_def.h b/include/plat/arm/common/arm_def.h index 18390d6a..1f62ebe7 100644 --- a/include/plat/arm/common/arm_def.h +++ b/include/plat/arm/common/arm_def.h @@ -317,7 +317,7 @@ * and limit. Leave enough space of BL2 meminfo. */ #define ARM_TB_FW_CONFIG_BASE ARM_BL_RAM_BASE + sizeof(meminfo_t) -#define ARM_TB_FW_CONFIG_LIMIT BL2_BASE +#define ARM_TB_FW_CONFIG_LIMIT ARM_BL_RAM_BASE + PAGE_SIZE /******************************************************************************* * BL1 specific defines. @@ -338,32 +338,18 @@ /******************************************************************************* * BL2 specific defines. ******************************************************************************/ -#if ARM_BL31_IN_DRAM -/* - * For AArch64 BL31 is loaded in the DRAM. - * Put BL2 just below BL1. - */ -#define BL2_BASE (BL1_RW_BASE - PLAT_ARM_MAX_BL2_SIZE) -#define BL2_LIMIT BL1_RW_BASE - -#elif BL2_AT_EL3 - -#define BL2_BASE ARM_BL_RAM_BASE +#if BL2_AT_EL3 +/* Put BL2 in the middle of the Trusted SRAM */ +#define BL2_BASE (ARM_TRUSTED_SRAM_BASE + \ + (PLAT_ARM_TRUSTED_SRAM_SIZE >> 1)) #define BL2_LIMIT (ARM_BL_RAM_BASE + ARM_BL_RAM_SIZE) -#elif defined(AARCH32) || JUNO_AARCH32_EL3_RUNTIME -/* - * Put BL2 just below BL32. - */ -#define BL2_BASE (BL32_BASE - PLAT_ARM_MAX_BL2_SIZE) -#define BL2_LIMIT BL32_BASE - #else /* - * Put BL2 just below BL31. + * Put BL2 just below BL1. */ -#define BL2_BASE (BL31_BASE - PLAT_ARM_MAX_BL2_SIZE) -#define BL2_LIMIT BL31_BASE +#define BL2_BASE (BL1_RW_BASE - PLAT_ARM_MAX_BL2_SIZE) +#define BL2_LIMIT BL1_RW_BASE #endif /******************************************************************************* @@ -384,13 +370,10 @@ (PLAT_ARM_TRUSTED_SRAM_SIZE >> 1)) #define BL31_LIMIT (ARM_BL_RAM_BASE + ARM_BL_RAM_SIZE) #else -/* - * Put BL31 at the top of the Trusted SRAM. - */ -#define BL31_BASE (ARM_BL_RAM_BASE + \ - ARM_BL_RAM_SIZE - \ - PLAT_ARM_MAX_BL31_SIZE) -#define BL31_PROGBITS_LIMIT BL1_RW_BASE +/* Put BL31 below BL2 in the Trusted SRAM.*/ +#define BL31_BASE ((ARM_BL_RAM_BASE + ARM_BL_RAM_SIZE)\ + - PLAT_ARM_MAX_BL31_SIZE) +#define BL31_PROGBITS_LIMIT BL2_BASE #define BL31_LIMIT (ARM_BL_RAM_BASE + ARM_BL_RAM_SIZE) #endif @@ -399,15 +382,17 @@ * BL32 specific defines for EL3 runtime in AArch32 mode ******************************************************************************/ # if RESET_TO_SP_MIN && !JUNO_AARCH32_EL3_RUNTIME -/* SP_MIN is the only BL image in SRAM. Allocate the whole of SRAM to BL32 */ -# define BL32_BASE ARM_BL_RAM_BASE +/* + * SP_MIN is the only BL image in SRAM. Allocate the whole of SRAM (excluding + * the page reserved for fw_configs) to BL32 + */ +# define BL32_BASE ARM_TB_FW_CONFIG_LIMIT # define BL32_LIMIT (ARM_BL_RAM_BASE + ARM_BL_RAM_SIZE) # else -/* Put BL32 at the top of the Trusted SRAM.*/ -# define BL32_BASE (ARM_BL_RAM_BASE + \ - ARM_BL_RAM_SIZE - \ - PLAT_ARM_MAX_BL32_SIZE) -# define BL32_PROGBITS_LIMIT BL1_RW_BASE +/* Put BL32 below BL2 in the Trusted SRAM.*/ +# define BL32_BASE ((ARM_BL_RAM_BASE + ARM_BL_RAM_SIZE)\ + - PLAT_ARM_MAX_BL32_SIZE) +# define BL32_PROGBITS_LIMIT BL2_BASE # define BL32_LIMIT (ARM_BL_RAM_BASE + ARM_BL_RAM_SIZE) # endif /* RESET_TO_SP_MIN && !JUNO_AARCH32_EL3_RUNTIME */ @@ -438,8 +423,8 @@ # elif ARM_TSP_RAM_LOCATION_ID == ARM_TRUSTED_SRAM_ID # define TSP_SEC_MEM_BASE ARM_BL_RAM_BASE # define TSP_SEC_MEM_SIZE ARM_BL_RAM_SIZE -# define TSP_PROGBITS_LIMIT BL2_BASE -# define BL32_BASE ARM_BL_RAM_BASE +# define TSP_PROGBITS_LIMIT BL31_BASE +# define BL32_BASE ARM_TB_FW_CONFIG_LIMIT # define BL32_LIMIT BL31_BASE # elif ARM_TSP_RAM_LOCATION_ID == ARM_TRUSTED_DRAM_ID # define TSP_SEC_MEM_BASE PLAT_ARM_TRUSTED_DRAM_BASE diff --git a/include/plat/arm/css/common/css_def.h b/include/plat/arm/css/common/css_def.h index 6d68b440..725c27cb 100644 --- a/include/plat/arm/css/common/css_def.h +++ b/include/plat/arm/css/common/css_def.h @@ -158,14 +158,14 @@ /* * Load address of SCP_BL2 in CSS platform ports * SCP_BL2 is loaded to the same place as BL31 but it shouldn't overwrite BL1 - * rw data. Once SCP_BL2 is transferred to the SCP, it is discarded and BL31 - * is loaded over the top. + * rw data or BL2. Once SCP_BL2 is transferred to the SCP, it is discarded and + * BL31 is loaded over the top. */ -#define SCP_BL2_BASE (BL1_RW_BASE - PLAT_CSS_MAX_SCP_BL2_SIZE) -#define SCP_BL2_LIMIT BL1_RW_BASE +#define SCP_BL2_BASE (BL2_BASE - PLAT_CSS_MAX_SCP_BL2_SIZE) +#define SCP_BL2_LIMIT BL2_BASE -#define SCP_BL2U_BASE (BL1_RW_BASE - PLAT_CSS_MAX_SCP_BL2U_SIZE) -#define SCP_BL2U_LIMIT BL1_RW_BASE +#define SCP_BL2U_BASE (BL2_BASE - PLAT_CSS_MAX_SCP_BL2U_SIZE) +#define SCP_BL2U_LIMIT BL2_BASE #endif /* CSS_LOAD_SCP_IMAGES */ /* Load address of Non-Secure Image for CSS platform ports */ diff --git a/include/services/arm_arch_svc.h b/include/services/arm_arch_svc.h index 29616013..0d2f4774 100644 --- a/include/services/arm_arch_svc.h +++ b/include/services/arm_arch_svc.h @@ -10,5 +10,8 @@ #define SMCCC_VERSION U(0x80000000) #define SMCCC_ARCH_FEATURES U(0x80000001) #define SMCCC_ARCH_WORKAROUND_1 U(0x80008000) +#define SMCCC_ARCH_WORKAROUND_2 U(0x80007FFF) + +#define SMCCC_ARCH_NOT_REQUIRED -2 #endif /* __ARM_ARCH_SVC_H__ */ diff --git a/lib/cpus/aarch32/cortex_a57.S b/lib/cpus/aarch32/cortex_a57.S index f446bfff..dff86be7 100644 --- a/lib/cpus/aarch32/cortex_a57.S +++ b/lib/cpus/aarch32/cortex_a57.S @@ -337,6 +337,15 @@ func check_errata_cve_2017_5715 bx lr endfunc check_errata_cve_2017_5715 +func check_errata_cve_2018_3639 +#if WORKAROUND_CVE_2018_3639 + mov r0, #ERRATA_APPLIES +#else + mov r0, #ERRATA_MISSING +#endif + bx lr +endfunc check_errata_cve_2018_3639 + /* ------------------------------------------------- * The CPU Ops reset function for Cortex-A57. * Shall clobber: r0-r6 @@ -392,6 +401,14 @@ func cortex_a57_reset_func bl errata_a57_859972_wa #endif +#if WORKAROUND_CVE_2018_3639 + ldcopr16 r0, r1, CORTEX_A57_CPUACTLR + orr64_imm r0, r1, CORTEX_A57_CPUACTLR_DIS_LOAD_PASS_STORE + stcopr16 r0, r1, CORTEX_A57_CPUACTLR + isb + dsb sy +#endif + /* --------------------------------------------- * Enable the SMP bit. * --------------------------------------------- @@ -525,6 +542,7 @@ func cortex_a57_errata_report report_errata ERRATA_A57_833471, cortex_a57, 833471 report_errata ERRATA_A57_859972, cortex_a57, 859972 report_errata WORKAROUND_CVE_2017_5715, cortex_a57, cve_2017_5715 + report_errata WORKAROUND_CVE_2018_3639, cortex_a57, cve_2018_3639 pop {r12, lr} bx lr diff --git a/lib/cpus/aarch32/cortex_a72.S b/lib/cpus/aarch32/cortex_a72.S index 56e91f5c..3bc3388b 100644 --- a/lib/cpus/aarch32/cortex_a72.S +++ b/lib/cpus/aarch32/cortex_a72.S @@ -92,6 +92,15 @@ func check_errata_cve_2017_5715 bx lr endfunc check_errata_cve_2017_5715 +func check_errata_cve_2018_3639 +#if WORKAROUND_CVE_2018_3639 + mov r0, #ERRATA_APPLIES +#else + mov r0, #ERRATA_MISSING +#endif + bx lr +endfunc check_errata_cve_2018_3639 + /* ------------------------------------------------- * The CPU Ops reset function for Cortex-A72. * ------------------------------------------------- @@ -105,6 +114,15 @@ func cortex_a72_reset_func mov r0, r4 bl errata_a72_859971_wa #endif + +#if WORKAROUND_CVE_2018_3639 + ldcopr16 r0, r1, CORTEX_A72_CPUACTLR + orr64_imm r0, r1, CORTEX_A72_CPUACTLR_DIS_LOAD_PASS_STORE + stcopr16 r0, r1, CORTEX_A72_CPUACTLR + isb + dsb sy +#endif + /* --------------------------------------------- * Enable the SMP bit. * --------------------------------------------- @@ -241,6 +259,7 @@ func cortex_a72_errata_report */ report_errata ERRATA_A72_859971, cortex_a72, 859971 report_errata WORKAROUND_CVE_2017_5715, cortex_a72, cve_2017_5715 + report_errata WORKAROUND_CVE_2018_3639, cortex_a72, cve_2018_3639 pop {r12, lr} bx lr diff --git a/lib/cpus/aarch64/cortex_a57.S b/lib/cpus/aarch64/cortex_a57.S index 4d072e11..07fadd15 100644 --- a/lib/cpus/aarch64/cortex_a57.S +++ b/lib/cpus/aarch64/cortex_a57.S @@ -337,6 +337,15 @@ func check_errata_cve_2017_5715 ret endfunc check_errata_cve_2017_5715 +func check_errata_cve_2018_3639 +#if WORKAROUND_CVE_2018_3639 + mov x0, #ERRATA_APPLIES +#else + mov x0, #ERRATA_MISSING +#endif + ret +endfunc check_errata_cve_2018_3639 + /* ------------------------------------------------- * The CPU Ops reset function for Cortex-A57. * Shall clobber: x0-x19 @@ -393,10 +402,18 @@ func cortex_a57_reset_func #endif #if IMAGE_BL31 && WORKAROUND_CVE_2017_5715 - adr x0, workaround_mmu_runtime_exceptions + adr x0, wa_cve_2017_5715_mmu_vbar msr vbar_el3, x0 #endif +#if WORKAROUND_CVE_2018_3639 + mrs x0, CORTEX_A57_CPUACTLR_EL1 + orr x0, x0, #CORTEX_A57_CPUACTLR_EL1_DIS_LOAD_PASS_STORE + msr CORTEX_A57_CPUACTLR_EL1, x0 + isb + dsb sy +#endif + /* --------------------------------------------- * Enable the SMP bit. * --------------------------------------------- @@ -528,6 +545,7 @@ func cortex_a57_errata_report report_errata ERRATA_A57_833471, cortex_a57, 833471 report_errata ERRATA_A57_859972, cortex_a57, 859972 report_errata WORKAROUND_CVE_2017_5715, cortex_a57, cve_2017_5715 + report_errata WORKAROUND_CVE_2018_3639, cortex_a57, cve_2018_3639 ldp x8, x30, [sp], #16 ret @@ -555,8 +573,9 @@ func cortex_a57_cpu_reg_dump ret endfunc cortex_a57_cpu_reg_dump -declare_cpu_ops_workaround_cve_2017_5715 cortex_a57, CORTEX_A57_MIDR, \ +declare_cpu_ops_wa cortex_a57, CORTEX_A57_MIDR, \ cortex_a57_reset_func, \ check_errata_cve_2017_5715, \ + CPU_NO_EXTRA2_FUNC, \ cortex_a57_core_pwr_dwn, \ cortex_a57_cluster_pwr_dwn diff --git a/lib/cpus/aarch64/cortex_a72.S b/lib/cpus/aarch64/cortex_a72.S index 29fa77b9..bb9381d1 100644 --- a/lib/cpus/aarch64/cortex_a72.S +++ b/lib/cpus/aarch64/cortex_a72.S @@ -110,6 +110,15 @@ func check_errata_cve_2017_5715 ret endfunc check_errata_cve_2017_5715 +func check_errata_cve_2018_3639 +#if WORKAROUND_CVE_2018_3639 + mov x0, #ERRATA_APPLIES +#else + mov x0, #ERRATA_MISSING +#endif + ret +endfunc check_errata_cve_2018_3639 + /* ------------------------------------------------- * The CPU Ops reset function for Cortex-A72. * ------------------------------------------------- @@ -126,11 +135,19 @@ func cortex_a72_reset_func #if IMAGE_BL31 && WORKAROUND_CVE_2017_5715 cpu_check_csv2 x0, 1f - adr x0, workaround_mmu_runtime_exceptions + adr x0, wa_cve_2017_5715_mmu_vbar msr vbar_el3, x0 1: #endif +#if WORKAROUND_CVE_2018_3639 + mrs x0, CORTEX_A72_CPUACTLR_EL1 + orr x0, x0, #CORTEX_A72_CPUACTLR_EL1_DIS_LOAD_PASS_STORE + msr CORTEX_A72_CPUACTLR_EL1, x0 + isb + dsb sy +#endif + /* --------------------------------------------- * Enable the SMP bit. * --------------------------------------------- @@ -265,6 +282,7 @@ func cortex_a72_errata_report */ report_errata ERRATA_A72_859971, cortex_a72, 859971 report_errata WORKAROUND_CVE_2017_5715, cortex_a72, cve_2017_5715 + report_errata WORKAROUND_CVE_2018_3639, cortex_a72, cve_2018_3639 ldp x8, x30, [sp], #16 ret @@ -292,8 +310,9 @@ func cortex_a72_cpu_reg_dump ret endfunc cortex_a72_cpu_reg_dump -declare_cpu_ops_workaround_cve_2017_5715 cortex_a72, CORTEX_A72_MIDR, \ +declare_cpu_ops_wa cortex_a72, CORTEX_A72_MIDR, \ cortex_a72_reset_func, \ check_errata_cve_2017_5715, \ + CPU_NO_EXTRA2_FUNC, \ cortex_a72_core_pwr_dwn, \ cortex_a72_cluster_pwr_dwn diff --git a/lib/cpus/aarch64/cortex_a73.S b/lib/cpus/aarch64/cortex_a73.S index 0a961ea3..d595f128 100644 --- a/lib/cpus/aarch64/cortex_a73.S +++ b/lib/cpus/aarch64/cortex_a73.S @@ -38,11 +38,18 @@ endfunc cortex_a73_disable_smp func cortex_a73_reset_func #if IMAGE_BL31 && WORKAROUND_CVE_2017_5715 cpu_check_csv2 x0, 1f - adr x0, workaround_bpiall_vbar0_runtime_exceptions + adr x0, wa_cve_2017_5715_bpiall_vbar msr vbar_el3, x0 1: #endif +#if WORKAROUND_CVE_2018_3639 + mrs x0, CORTEX_A73_IMP_DEF_REG1 + orr x0, x0, #CORTEX_A73_IMP_DEF_REG1_DISABLE_LOAD_PASS_STORE + msr CORTEX_A73_IMP_DEF_REG1, x0 + isb +#endif + /* --------------------------------------------- * Enable the SMP bit. * Clobbers : x0 @@ -129,6 +136,15 @@ func check_errata_cve_2017_5715 ret endfunc check_errata_cve_2017_5715 +func check_errata_cve_2018_3639 +#if WORKAROUND_CVE_2018_3639 + mov x0, #ERRATA_APPLIES +#else + mov x0, #ERRATA_MISSING +#endif + ret +endfunc check_errata_cve_2018_3639 + #if REPORT_ERRATA /* * Errata printing function for Cortex A75. Must follow AAPCS. @@ -144,6 +160,7 @@ func cortex_a73_errata_report * checking functions of each errata. */ report_errata WORKAROUND_CVE_2017_5715, cortex_a73, cve_2017_5715 + report_errata WORKAROUND_CVE_2018_3639, cortex_a73, cve_2018_3639 ldp x8, x30, [sp], #16 ret @@ -170,8 +187,9 @@ func cortex_a73_cpu_reg_dump ret endfunc cortex_a73_cpu_reg_dump -declare_cpu_ops_workaround_cve_2017_5715 cortex_a73, CORTEX_A73_MIDR, \ +declare_cpu_ops_wa cortex_a73, CORTEX_A73_MIDR, \ cortex_a73_reset_func, \ check_errata_cve_2017_5715, \ + CPU_NO_EXTRA2_FUNC, \ cortex_a73_core_pwr_dwn, \ cortex_a73_cluster_pwr_dwn diff --git a/lib/cpus/aarch64/cortex_a75.S b/lib/cpus/aarch64/cortex_a75.S index 288f5afe..20ec32ce 100644 --- a/lib/cpus/aarch64/cortex_a75.S +++ b/lib/cpus/aarch64/cortex_a75.S @@ -13,11 +13,18 @@ func cortex_a75_reset_func #if IMAGE_BL31 && WORKAROUND_CVE_2017_5715 cpu_check_csv2 x0, 1f - adr x0, workaround_bpiall_vbar0_runtime_exceptions + adr x0, wa_cve_2017_5715_bpiall_vbar msr vbar_el3, x0 1: #endif +#if WORKAROUND_CVE_2018_3639 + mrs x0, CORTEX_A75_CPUACTLR_EL1 + orr x0, x0, #CORTEX_A75_CPUACTLR_EL1_DISABLE_LOAD_PASS_STORE + msr CORTEX_A75_CPUACTLR_EL1, x0 + isb +#endif + #if ENABLE_AMU /* Make sure accesses from EL0/EL1 and EL2 are not trapped to EL3 */ mrs x0, actlr_el3 @@ -57,6 +64,15 @@ func check_errata_cve_2017_5715 ret endfunc check_errata_cve_2017_5715 +func check_errata_cve_2018_3639 +#if WORKAROUND_CVE_2018_3639 + mov x0, #ERRATA_APPLIES +#else + mov x0, #ERRATA_MISSING +#endif + ret +endfunc check_errata_cve_2018_3639 + /* --------------------------------------------- * HW will do the cache maintenance while powering down * --------------------------------------------- @@ -88,6 +104,7 @@ func cortex_a75_errata_report * checking functions of each errata. */ report_errata WORKAROUND_CVE_2017_5715, cortex_a75, cve_2017_5715 + report_errata WORKAROUND_CVE_2018_3639, cortex_a75, cve_2018_3639 ldp x8, x30, [sp], #16 ret @@ -113,7 +130,8 @@ func cortex_a75_cpu_reg_dump ret endfunc cortex_a75_cpu_reg_dump -declare_cpu_ops_workaround_cve_2017_5715 cortex_a75, CORTEX_A75_MIDR, \ +declare_cpu_ops_wa cortex_a75, CORTEX_A75_MIDR, \ cortex_a75_reset_func, \ check_errata_cve_2017_5715, \ + CPU_NO_EXTRA2_FUNC, \ cortex_a75_core_pwr_dwn diff --git a/lib/cpus/aarch64/cpu_helpers.S b/lib/cpus/aarch64/cpu_helpers.S index 9f13ed2c..69ece8ff 100644 --- a/lib/cpus/aarch64/cpu_helpers.S +++ b/lib/cpus/aarch64/cpu_helpers.S @@ -285,7 +285,7 @@ endfunc print_errata_status #endif /* - * int check_workaround_cve_2017_5715(void); + * int check_wa_cve_2017_5715(void); * * This function returns: * - ERRATA_APPLIES when firmware mitigation is required. @@ -296,8 +296,8 @@ endfunc print_errata_status * NOTE: Must be called only after cpu_ops have been initialized * in per-CPU data. */ - .globl check_workaround_cve_2017_5715 -func check_workaround_cve_2017_5715 + .globl check_wa_cve_2017_5715 +func check_wa_cve_2017_5715 mrs x0, tpidr_el3 #if ENABLE_ASSERTIONS cmp x0, #0 @@ -315,4 +315,28 @@ func check_workaround_cve_2017_5715 1: mov x0, #ERRATA_NOT_APPLIES ret -endfunc check_workaround_cve_2017_5715 +endfunc check_wa_cve_2017_5715 + +/* + * void *wa_cve_2018_3639_get_disable_ptr(void); + * + * Returns a function pointer which is used to disable mitigation + * for CVE-2018-3639. + * The function pointer is only returned on cores that employ + * dynamic mitigation. If the core uses static mitigation or is + * unaffected by CVE-2018-3639 this function returns NULL. + * + * NOTE: Must be called only after cpu_ops have been initialized + * in per-CPU data. + */ + .globl wa_cve_2018_3639_get_disable_ptr +func wa_cve_2018_3639_get_disable_ptr + mrs x0, tpidr_el3 +#if ENABLE_ASSERTIONS + cmp x0, #0 + ASM_ASSERT(ne) +#endif + ldr x0, [x0, #CPU_DATA_CPU_OPS_PTR] + ldr x0, [x0, #CPU_EXTRA2_FUNC] + ret +endfunc wa_cve_2018_3639_get_disable_ptr diff --git a/lib/cpus/aarch64/workaround_cve_2017_5715_bpiall.S b/lib/cpus/aarch64/wa_cve_2017_5715_bpiall.S index cd824973..84371551 100644 --- a/lib/cpus/aarch64/workaround_cve_2017_5715_bpiall.S +++ b/lib/cpus/aarch64/wa_cve_2017_5715_bpiall.S @@ -9,13 +9,13 @@ #include <asm_macros.S> #include <context.h> - .globl workaround_bpiall_vbar0_runtime_exceptions + .globl wa_cve_2017_5715_bpiall_vbar #define EMIT_BPIALL 0xee070fd5 #define EMIT_SMC 0xe1600070 #define ESR_EL3_A64_SMC0 0x5e000000 - .macro enter_workaround _from_vector + .macro apply_cve_2017_5715_wa _from_vector /* * Save register state to enable a call to AArch32 S-EL1 and return * Identify the original calling vector in w2 (==_from_vector) @@ -66,7 +66,7 @@ movz w8, SPSR_MODE32(MODE32_svc, SPSR_T_ARM, SPSR_E_LITTLE, SPSR_AIF_MASK) /* Switch EL3 exception vectors while the workaround is executing. */ - adr x9, workaround_bpiall_vbar1_runtime_exceptions + adr x9, wa_cve_2017_5715_bpiall_ret_vbar /* Setup SCTLR_EL1 with MMU off and I$ on */ ldr x10, stub_sel1_sctlr @@ -93,13 +93,13 @@ * is not enabled, the existing runtime exception vector table is used. * --------------------------------------------------------------------- */ -vector_base workaround_bpiall_vbar0_runtime_exceptions +vector_base wa_cve_2017_5715_bpiall_vbar /* --------------------------------------------------------------------- * Current EL with SP_EL0 : 0x0 - 0x200 * --------------------------------------------------------------------- */ -vector_entry workaround_bpiall_vbar0_sync_exception_sp_el0 +vector_entry bpiall_sync_exception_sp_el0 b sync_exception_sp_el0 nop /* to force 8 byte alignment for the following stub */ @@ -114,79 +114,79 @@ aarch32_stub: .word EMIT_BPIALL .word EMIT_SMC - check_vector_size workaround_bpiall_vbar0_sync_exception_sp_el0 + check_vector_size bpiall_sync_exception_sp_el0 -vector_entry workaround_bpiall_vbar0_irq_sp_el0 +vector_entry bpiall_irq_sp_el0 b irq_sp_el0 - check_vector_size workaround_bpiall_vbar0_irq_sp_el0 + check_vector_size bpiall_irq_sp_el0 -vector_entry workaround_bpiall_vbar0_fiq_sp_el0 +vector_entry bpiall_fiq_sp_el0 b fiq_sp_el0 - check_vector_size workaround_bpiall_vbar0_fiq_sp_el0 + check_vector_size bpiall_fiq_sp_el0 -vector_entry workaround_bpiall_vbar0_serror_sp_el0 +vector_entry bpiall_serror_sp_el0 b serror_sp_el0 - check_vector_size workaround_bpiall_vbar0_serror_sp_el0 + check_vector_size bpiall_serror_sp_el0 /* --------------------------------------------------------------------- * Current EL with SP_ELx: 0x200 - 0x400 * --------------------------------------------------------------------- */ -vector_entry workaround_bpiall_vbar0_sync_exception_sp_elx +vector_entry bpiall_sync_exception_sp_elx b sync_exception_sp_elx - check_vector_size workaround_bpiall_vbar0_sync_exception_sp_elx + check_vector_size bpiall_sync_exception_sp_elx -vector_entry workaround_bpiall_vbar0_irq_sp_elx +vector_entry bpiall_irq_sp_elx b irq_sp_elx - check_vector_size workaround_bpiall_vbar0_irq_sp_elx + check_vector_size bpiall_irq_sp_elx -vector_entry workaround_bpiall_vbar0_fiq_sp_elx +vector_entry bpiall_fiq_sp_elx b fiq_sp_elx - check_vector_size workaround_bpiall_vbar0_fiq_sp_elx + check_vector_size bpiall_fiq_sp_elx -vector_entry workaround_bpiall_vbar0_serror_sp_elx +vector_entry bpiall_serror_sp_elx b serror_sp_elx - check_vector_size workaround_bpiall_vbar0_serror_sp_elx + check_vector_size bpiall_serror_sp_elx /* --------------------------------------------------------------------- * Lower EL using AArch64 : 0x400 - 0x600 * --------------------------------------------------------------------- */ -vector_entry workaround_bpiall_vbar0_sync_exception_aarch64 - enter_workaround 1 - check_vector_size workaround_bpiall_vbar0_sync_exception_aarch64 +vector_entry bpiall_sync_exception_aarch64 + apply_cve_2017_5715_wa 1 + check_vector_size bpiall_sync_exception_aarch64 -vector_entry workaround_bpiall_vbar0_irq_aarch64 - enter_workaround 2 - check_vector_size workaround_bpiall_vbar0_irq_aarch64 +vector_entry bpiall_irq_aarch64 + apply_cve_2017_5715_wa 2 + check_vector_size bpiall_irq_aarch64 -vector_entry workaround_bpiall_vbar0_fiq_aarch64 - enter_workaround 4 - check_vector_size workaround_bpiall_vbar0_fiq_aarch64 +vector_entry bpiall_fiq_aarch64 + apply_cve_2017_5715_wa 4 + check_vector_size bpiall_fiq_aarch64 -vector_entry workaround_bpiall_vbar0_serror_aarch64 - enter_workaround 8 - check_vector_size workaround_bpiall_vbar0_serror_aarch64 +vector_entry bpiall_serror_aarch64 + apply_cve_2017_5715_wa 8 + check_vector_size bpiall_serror_aarch64 /* --------------------------------------------------------------------- * Lower EL using AArch32 : 0x600 - 0x800 * --------------------------------------------------------------------- */ -vector_entry workaround_bpiall_vbar0_sync_exception_aarch32 - enter_workaround 1 - check_vector_size workaround_bpiall_vbar0_sync_exception_aarch32 +vector_entry bpiall_sync_exception_aarch32 + apply_cve_2017_5715_wa 1 + check_vector_size bpiall_sync_exception_aarch32 -vector_entry workaround_bpiall_vbar0_irq_aarch32 - enter_workaround 2 - check_vector_size workaround_bpiall_vbar0_irq_aarch32 +vector_entry bpiall_irq_aarch32 + apply_cve_2017_5715_wa 2 + check_vector_size bpiall_irq_aarch32 -vector_entry workaround_bpiall_vbar0_fiq_aarch32 - enter_workaround 4 - check_vector_size workaround_bpiall_vbar0_fiq_aarch32 +vector_entry bpiall_fiq_aarch32 + apply_cve_2017_5715_wa 4 + check_vector_size bpiall_fiq_aarch32 -vector_entry workaround_bpiall_vbar0_serror_aarch32 - enter_workaround 8 - check_vector_size workaround_bpiall_vbar0_serror_aarch32 +vector_entry bpiall_serror_aarch32 + apply_cve_2017_5715_wa 8 + check_vector_size bpiall_serror_aarch32 /* --------------------------------------------------------------------- * This vector table is used while the workaround is executing. It @@ -195,73 +195,73 @@ vector_entry workaround_bpiall_vbar0_serror_aarch32 * EL3 state before proceeding with the normal runtime exception vector. * --------------------------------------------------------------------- */ -vector_base workaround_bpiall_vbar1_runtime_exceptions +vector_base wa_cve_2017_5715_bpiall_ret_vbar /* --------------------------------------------------------------------- * Current EL with SP_EL0 : 0x0 - 0x200 (UNUSED) * --------------------------------------------------------------------- */ -vector_entry workaround_bpiall_vbar1_sync_exception_sp_el0 +vector_entry bpiall_ret_sync_exception_sp_el0 b report_unhandled_exception - check_vector_size workaround_bpiall_vbar1_sync_exception_sp_el0 + check_vector_size bpiall_ret_sync_exception_sp_el0 -vector_entry workaround_bpiall_vbar1_irq_sp_el0 +vector_entry bpiall_ret_irq_sp_el0 b report_unhandled_interrupt - check_vector_size workaround_bpiall_vbar1_irq_sp_el0 + check_vector_size bpiall_ret_irq_sp_el0 -vector_entry workaround_bpiall_vbar1_fiq_sp_el0 +vector_entry bpiall_ret_fiq_sp_el0 b report_unhandled_interrupt - check_vector_size workaround_bpiall_vbar1_fiq_sp_el0 + check_vector_size bpiall_ret_fiq_sp_el0 -vector_entry workaround_bpiall_vbar1_serror_sp_el0 +vector_entry bpiall_ret_serror_sp_el0 b report_unhandled_exception - check_vector_size workaround_bpiall_vbar1_serror_sp_el0 + check_vector_size bpiall_ret_serror_sp_el0 /* --------------------------------------------------------------------- * Current EL with SP_ELx: 0x200 - 0x400 (UNUSED) * --------------------------------------------------------------------- */ -vector_entry workaround_bpiall_vbar1_sync_exception_sp_elx +vector_entry bpiall_ret_sync_exception_sp_elx b report_unhandled_exception - check_vector_size workaround_bpiall_vbar1_sync_exception_sp_elx + check_vector_size bpiall_ret_sync_exception_sp_elx -vector_entry workaround_bpiall_vbar1_irq_sp_elx +vector_entry bpiall_ret_irq_sp_elx b report_unhandled_interrupt - check_vector_size workaround_bpiall_vbar1_irq_sp_elx + check_vector_size bpiall_ret_irq_sp_elx -vector_entry workaround_bpiall_vbar1_fiq_sp_elx +vector_entry bpiall_ret_fiq_sp_elx b report_unhandled_interrupt - check_vector_size workaround_bpiall_vbar1_fiq_sp_elx + check_vector_size bpiall_ret_fiq_sp_elx -vector_entry workaround_bpiall_vbar1_serror_sp_elx +vector_entry bpiall_ret_serror_sp_elx b report_unhandled_exception - check_vector_size workaround_bpiall_vbar1_serror_sp_elx + check_vector_size bpiall_ret_serror_sp_elx /* --------------------------------------------------------------------- * Lower EL using AArch64 : 0x400 - 0x600 (UNUSED) * --------------------------------------------------------------------- */ -vector_entry workaround_bpiall_vbar1_sync_exception_aarch64 +vector_entry bpiall_ret_sync_exception_aarch64 b report_unhandled_exception - check_vector_size workaround_bpiall_vbar1_sync_exception_aarch64 + check_vector_size bpiall_ret_sync_exception_aarch64 -vector_entry workaround_bpiall_vbar1_irq_aarch64 +vector_entry bpiall_ret_irq_aarch64 b report_unhandled_interrupt - check_vector_size workaround_bpiall_vbar1_irq_aarch64 + check_vector_size bpiall_ret_irq_aarch64 -vector_entry workaround_bpiall_vbar1_fiq_aarch64 +vector_entry bpiall_ret_fiq_aarch64 b report_unhandled_interrupt - check_vector_size workaround_bpiall_vbar1_fiq_aarch64 + check_vector_size bpiall_ret_fiq_aarch64 -vector_entry workaround_bpiall_vbar1_serror_aarch64 +vector_entry bpiall_ret_serror_aarch64 b report_unhandled_exception - check_vector_size workaround_bpiall_vbar1_serror_aarch64 + check_vector_size bpiall_ret_serror_aarch64 /* --------------------------------------------------------------------- * Lower EL using AArch32 : 0x600 - 0x800 * --------------------------------------------------------------------- */ -vector_entry workaround_bpiall_vbar1_sync_exception_aarch32 +vector_entry bpiall_ret_sync_exception_aarch32 /* * w2 indicates which SEL1 stub was run and thus which original vector was used * w3-w6 contain saved system register state (esr_el3 in w3) @@ -281,7 +281,7 @@ vector_entry workaround_bpiall_vbar1_sync_exception_aarch32 * to workaround entry table in preparation for subsequent * Sync/IRQ/FIQ/SError exceptions. */ - adr x0, workaround_bpiall_vbar0_runtime_exceptions + adr x0, wa_cve_2017_5715_bpiall_vbar msr vbar_el3, x0 /* @@ -324,34 +324,34 @@ vector_entry workaround_bpiall_vbar1_sync_exception_aarch32 1: ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2] b sync_exception_aarch64 - check_vector_size workaround_bpiall_vbar1_sync_exception_aarch32 + check_vector_size bpiall_ret_sync_exception_aarch32 -vector_entry workaround_bpiall_vbar1_irq_aarch32 +vector_entry bpiall_ret_irq_aarch32 b report_unhandled_interrupt /* * Post-workaround fan-out for non-sync exceptions */ workaround_not_sync: - tbnz w2, #3, workaround_bpiall_vbar1_serror - tbnz w2, #2, workaround_bpiall_vbar1_fiq + tbnz w2, #3, bpiall_ret_serror + tbnz w2, #2, bpiall_ret_fiq /* IRQ */ ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2] b irq_aarch64 -workaround_bpiall_vbar1_fiq: +bpiall_ret_fiq: ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2] b fiq_aarch64 -workaround_bpiall_vbar1_serror: +bpiall_ret_serror: ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2] b serror_aarch64 - check_vector_size workaround_bpiall_vbar1_irq_aarch32 + check_vector_size bpiall_ret_irq_aarch32 -vector_entry workaround_bpiall_vbar1_fiq_aarch32 +vector_entry bpiall_ret_fiq_aarch32 b report_unhandled_interrupt - check_vector_size workaround_bpiall_vbar1_fiq_aarch32 + check_vector_size bpiall_ret_fiq_aarch32 -vector_entry workaround_bpiall_vbar1_serror_aarch32 +vector_entry bpiall_ret_serror_aarch32 b report_unhandled_exception - check_vector_size workaround_bpiall_vbar1_serror_aarch32 + check_vector_size bpiall_ret_serror_aarch32 diff --git a/lib/cpus/aarch64/workaround_cve_2017_5715_mmu.S b/lib/cpus/aarch64/wa_cve_2017_5715_mmu.S index b24b620c..039e373c 100644 --- a/lib/cpus/aarch64/workaround_cve_2017_5715_mmu.S +++ b/lib/cpus/aarch64/wa_cve_2017_5715_mmu.S @@ -9,13 +9,13 @@ #include <asm_macros.S> #include <context.h> - .globl workaround_mmu_runtime_exceptions + .globl wa_cve_2017_5715_mmu_vbar #define ESR_EL3_A64_SMC0 0x5e000000 -vector_base workaround_mmu_runtime_exceptions +vector_base wa_cve_2017_5715_mmu_vbar - .macro apply_workaround _is_sync_exception + .macro apply_cve_2017_5715_wa _is_sync_exception stp x0, x1, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X0] mrs x1, sctlr_el3 /* Disable MMU */ @@ -63,86 +63,86 @@ vector_base workaround_mmu_runtime_exceptions * Current EL with SP_EL0 : 0x0 - 0x200 * --------------------------------------------------------------------- */ -vector_entry workaround_mmu_sync_exception_sp_el0 +vector_entry mmu_sync_exception_sp_el0 b sync_exception_sp_el0 - check_vector_size workaround_mmu_sync_exception_sp_el0 + check_vector_size mmu_sync_exception_sp_el0 -vector_entry workaround_mmu_irq_sp_el0 +vector_entry mmu_irq_sp_el0 b irq_sp_el0 - check_vector_size workaround_mmu_irq_sp_el0 + check_vector_size mmu_irq_sp_el0 -vector_entry workaround_mmu_fiq_sp_el0 +vector_entry mmu_fiq_sp_el0 b fiq_sp_el0 - check_vector_size workaround_mmu_fiq_sp_el0 + check_vector_size mmu_fiq_sp_el0 -vector_entry workaround_mmu_serror_sp_el0 +vector_entry mmu_serror_sp_el0 b serror_sp_el0 - check_vector_size workaround_mmu_serror_sp_el0 + check_vector_size mmu_serror_sp_el0 /* --------------------------------------------------------------------- * Current EL with SP_ELx: 0x200 - 0x400 * --------------------------------------------------------------------- */ -vector_entry workaround_mmu_sync_exception_sp_elx +vector_entry mmu_sync_exception_sp_elx b sync_exception_sp_elx - check_vector_size workaround_mmu_sync_exception_sp_elx + check_vector_size mmu_sync_exception_sp_elx -vector_entry workaround_mmu_irq_sp_elx +vector_entry mmu_irq_sp_elx b irq_sp_elx - check_vector_size workaround_mmu_irq_sp_elx + check_vector_size mmu_irq_sp_elx -vector_entry workaround_mmu_fiq_sp_elx +vector_entry mmu_fiq_sp_elx b fiq_sp_elx - check_vector_size workaround_mmu_fiq_sp_elx + check_vector_size mmu_fiq_sp_elx -vector_entry workaround_mmu_serror_sp_elx +vector_entry mmu_serror_sp_elx b serror_sp_elx - check_vector_size workaround_mmu_serror_sp_elx + check_vector_size mmu_serror_sp_elx /* --------------------------------------------------------------------- * Lower EL using AArch64 : 0x400 - 0x600 * --------------------------------------------------------------------- */ -vector_entry workaround_mmu_sync_exception_aarch64 - apply_workaround _is_sync_exception=1 +vector_entry mmu_sync_exception_aarch64 + apply_cve_2017_5715_wa _is_sync_exception=1 b sync_exception_aarch64 - check_vector_size workaround_mmu_sync_exception_aarch64 + check_vector_size mmu_sync_exception_aarch64 -vector_entry workaround_mmu_irq_aarch64 - apply_workaround _is_sync_exception=0 +vector_entry mmu_irq_aarch64 + apply_cve_2017_5715_wa _is_sync_exception=0 b irq_aarch64 - check_vector_size workaround_mmu_irq_aarch64 + check_vector_size mmu_irq_aarch64 -vector_entry workaround_mmu_fiq_aarch64 - apply_workaround _is_sync_exception=0 +vector_entry mmu_fiq_aarch64 + apply_cve_2017_5715_wa _is_sync_exception=0 b fiq_aarch64 - check_vector_size workaround_mmu_fiq_aarch64 + check_vector_size mmu_fiq_aarch64 -vector_entry workaround_mmu_serror_aarch64 - apply_workaround _is_sync_exception=0 +vector_entry mmu_serror_aarch64 + apply_cve_2017_5715_wa _is_sync_exception=0 b serror_aarch64 - check_vector_size workaround_mmu_serror_aarch64 + check_vector_size mmu_serror_aarch64 /* --------------------------------------------------------------------- * Lower EL using AArch32 : 0x600 - 0x800 * --------------------------------------------------------------------- */ -vector_entry workaround_mmu_sync_exception_aarch32 - apply_workaround _is_sync_exception=1 +vector_entry mmu_sync_exception_aarch32 + apply_cve_2017_5715_wa _is_sync_exception=1 b sync_exception_aarch32 - check_vector_size workaround_mmu_sync_exception_aarch32 + check_vector_size mmu_sync_exception_aarch32 -vector_entry workaround_mmu_irq_aarch32 - apply_workaround _is_sync_exception=0 +vector_entry mmu_irq_aarch32 + apply_cve_2017_5715_wa _is_sync_exception=0 b irq_aarch32 - check_vector_size workaround_mmu_irq_aarch32 + check_vector_size mmu_irq_aarch32 -vector_entry workaround_mmu_fiq_aarch32 - apply_workaround _is_sync_exception=0 +vector_entry mmu_fiq_aarch32 + apply_cve_2017_5715_wa _is_sync_exception=0 b fiq_aarch32 - check_vector_size workaround_mmu_fiq_aarch32 + check_vector_size mmu_fiq_aarch32 -vector_entry workaround_mmu_serror_aarch32 - apply_workaround _is_sync_exception=0 +vector_entry mmu_serror_aarch32 + apply_cve_2017_5715_wa _is_sync_exception=0 b serror_aarch32 - check_vector_size workaround_mmu_serror_aarch32 + check_vector_size mmu_serror_aarch32 diff --git a/lib/cpus/cpu-ops.mk b/lib/cpus/cpu-ops.mk index 3ba8c1fc..434c13ea 100644 --- a/lib/cpus/cpu-ops.mk +++ b/lib/cpus/cpu-ops.mk @@ -17,6 +17,8 @@ A53_DISABLE_NON_TEMPORAL_HINT ?=1 A57_DISABLE_NON_TEMPORAL_HINT ?=1 WORKAROUND_CVE_2017_5715 ?=1 +WORKAROUND_CVE_2018_3639 ?=1 +DYNAMIC_WORKAROUND_CVE_2018_3639 ?=0 # Process SKIP_A57_L1_FLUSH_PWR_DWN flag $(eval $(call assert_boolean,SKIP_A57_L1_FLUSH_PWR_DWN)) @@ -34,6 +36,19 @@ $(eval $(call add_define,A57_DISABLE_NON_TEMPORAL_HINT)) $(eval $(call assert_boolean,WORKAROUND_CVE_2017_5715)) $(eval $(call add_define,WORKAROUND_CVE_2017_5715)) +# Process WORKAROUND_CVE_2018_3639 flag +$(eval $(call assert_boolean,WORKAROUND_CVE_2018_3639)) +$(eval $(call add_define,WORKAROUND_CVE_2018_3639)) + +$(eval $(call assert_boolean,DYNAMIC_WORKAROUND_CVE_2018_3639)) +$(eval $(call add_define,DYNAMIC_WORKAROUND_CVE_2018_3639)) + +ifneq (${DYNAMIC_WORKAROUND_CVE_2018_3639},0) + ifeq (${WORKAROUND_CVE_2018_3639},0) + $(error "Error: WORKAROUND_CVE_2018_3639 must be 1 if DYNAMIC_WORKAROUND_CVE_2018_3639 is 1") + endif +endif + # CPU Errata Build flags. # These should be enabled by the platform if the erratum workaround needs to be # applied. diff --git a/lib/el3_runtime/aarch64/context.S b/lib/el3_runtime/aarch64/context.S index 121ca4d3..707e6dbd 100644 --- a/lib/el3_runtime/aarch64/context.S +++ b/lib/el3_runtime/aarch64/context.S @@ -404,6 +404,15 @@ func el3_exit msr spsr_el3, x16 msr elr_el3, x17 +#if IMAGE_BL31 && DYNAMIC_WORKAROUND_CVE_2018_3639 + /* Restore mitigation state as it was on entry to EL3 */ + ldr x17, [sp, #CTX_CVE_2018_3639_OFFSET + CTX_CVE_2018_3639_DISABLE] + cmp x17, xzr + beq 1f + blr x17 +#endif + +1: /* Restore saved general purpose registers and return */ b restore_gp_registers_eret endfunc el3_exit diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk index c02831ac..f807dc6e 100644 --- a/plat/arm/board/fvp/platform.mk +++ b/plat/arm/board/fvp/platform.mk @@ -225,12 +225,6 @@ ifneq (${BL2_AT_EL3}, 0) override BL1_SOURCES = endif -ifeq (${ENABLE_SPM},1) -ifneq (${ARM_BL31_IN_DRAM},1) - $(error "Error: SPM needs BL31 to be located in DRAM.") -endif -endif - include plat/arm/board/common/board_common.mk include plat/arm/common/arm_common.mk diff --git a/plat/arm/board/juno/include/platform_def.h b/plat/arm/board/juno/include/platform_def.h index e616e1fc..80d4ba81 100644 --- a/plat/arm/board/juno/include/platform_def.h +++ b/plat/arm/board/juno/include/platform_def.h @@ -117,7 +117,7 @@ * plus a little space for growth. */ #if TRUSTED_BOARD_BOOT -# define PLAT_ARM_MAX_BL1_RW_SIZE 0xA000 +# define PLAT_ARM_MAX_BL1_RW_SIZE 0xB000 #else # define PLAT_ARM_MAX_BL1_RW_SIZE 0x6000 #endif @@ -128,7 +128,7 @@ */ #if TRUSTED_BOARD_BOOT #if TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA -# define PLAT_ARM_MAX_BL2_SIZE 0x20000 +# define PLAT_ARM_MAX_BL2_SIZE 0x1F000 #elif TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA # define PLAT_ARM_MAX_BL2_SIZE 0x1D000 #else @@ -139,22 +139,21 @@ #endif /* - * PLAT_ARM_MAX_BL31_SIZE is calculated using the current BL31 debug size plus a - * little space for growth. - * SCP_BL2 image is loaded into the space BL31 -> BL1_RW_BASE. - * For TBB use case, PLAT_ARM_MAX_BL1_RW_SIZE has been increased and therefore - * PLAT_ARM_MAX_BL31_SIZE has been increased to ensure SCP_BL2 has the same - * space available. + * Since BL31 NOBITS overlays BL2 and BL1-RW, PLAT_ARM_MAX_BL31_SIZE is + * calculated using the current BL31 PROGBITS debug size plus the sizes of + * BL2 and BL1-RW. SCP_BL2 image is loaded into the space BL31 -> BL2_BASE. + * Hence the BL31 PROGBITS size should be >= PLAT_CSS_MAX_SCP_BL2_SIZE. */ -#define PLAT_ARM_MAX_BL31_SIZE 0x1E000 +#define PLAT_ARM_MAX_BL31_SIZE 0x3E000 #if JUNO_AARCH32_EL3_RUNTIME /* - * PLAT_ARM_MAX_BL32_SIZE is calculated for SP_MIN as the AArch32 Secure - * Payload. We also need to take care of SCP_BL2 size as well, as the SCP_BL2 - * is loaded into the space BL32 -> BL1_RW_BASE + * Since BL32 NOBITS overlays BL2 and BL1-RW, PLAT_ARM_MAX_BL32_SIZE is + * calculated using the current BL32 PROGBITS debug size plus the sizes of + * BL2 and BL1-RW. SCP_BL2 image is loaded into the space BL32 -> BL2_BASE. + * Hence the BL32 PROGBITS size should be >= PLAT_CSS_MAX_SCP_BL2_SIZE. */ -# define PLAT_ARM_MAX_BL32_SIZE 0x1E000 +#define PLAT_ARM_MAX_BL32_SIZE 0x3E000 #endif /* diff --git a/plat/arm/common/arm_bl2_setup.c b/plat/arm/common/arm_bl2_setup.c index d2da54d9..fd7a9e9a 100644 --- a/plat/arm/common/arm_bl2_setup.c +++ b/plat/arm/common/arm_bl2_setup.c @@ -25,18 +25,10 @@ static meminfo_t bl2_tzram_layout __aligned(CACHE_WRITEBACK_GRANULE); /* - * Check that BL2_BASE is atleast a page over ARM_BL_RAM_BASE. The page is for - * `meminfo_t` data structure and TB_FW_CONFIG passed from BL1. Not needed - * when BL2 is compiled for BL_AT_EL3 as BL2 doesn't need any info from BL1 and - * BL2 is loaded at base of usable SRAM. + * Check that BL2_BASE is above ARM_TB_FW_CONFIG_LIMIT. This reserved page is + * for `meminfo_t` data structure and fw_configs passed from BL1. */ -#if BL2_AT_EL3 -#define BL1_MEMINFO_OFFSET 0x0 -#else -#define BL1_MEMINFO_OFFSET PAGE_SIZE -#endif - -CASSERT(BL2_BASE >= (ARM_BL_RAM_BASE + BL1_MEMINFO_OFFSET), assert_bl2_base_overflows); +CASSERT(BL2_BASE >= ARM_TB_FW_CONFIG_LIMIT, assert_bl2_base_overflows); /* Weak definitions may be overridden in specific ARM standard platform */ #pragma weak bl2_early_platform_setup2 diff --git a/plat/arm/common/arm_bl31_setup.c b/plat/arm/common/arm_bl31_setup.c index 551e7002..46f7ae0e 100644 --- a/plat/arm/common/arm_bl31_setup.c +++ b/plat/arm/common/arm_bl31_setup.c @@ -25,6 +25,11 @@ static entry_point_info_t bl32_image_ep_info; static entry_point_info_t bl33_image_ep_info; +/* + * Check that BL31_BASE is above ARM_TB_FW_CONFIG_LIMIT. The reserved page + * is required for SOC_FW_CONFIG/TOS_FW_CONFIG passed from BL2. + */ +CASSERT(BL31_BASE >= ARM_TB_FW_CONFIG_LIMIT, assert_bl31_base_overflows); /* Weak definitions may be overridden in specific ARM standard platform */ #pragma weak bl31_early_platform_setup2 diff --git a/plat/arm/common/arm_dyn_cfg.c b/plat/arm/common/arm_dyn_cfg.c index 3f0a9b4c..32a515b5 100644 --- a/plat/arm/common/arm_dyn_cfg.c +++ b/plat/arm/common/arm_dyn_cfg.c @@ -143,8 +143,8 @@ void arm_bl2_dyn_cfg_init(void) if (check_uptr_overflow(image_base, image_size) != 0) continue; - /* Ensure the configs don't overlap with BL2 */ - if ((image_base > BL2_BASE) || ((image_base + image_size) > BL2_BASE)) + /* Ensure the configs don't overlap with BL31 */ + if ((image_base > BL31_BASE) || ((image_base + image_size) > BL31_BASE)) continue; /* Ensure the configs are loaded in a valid address */ diff --git a/plat/arm/common/sp_min/arm_sp_min_setup.c b/plat/arm/common/sp_min/arm_sp_min_setup.c index 9a6c0740..b42e35f3 100644 --- a/plat/arm/common/sp_min/arm_sp_min_setup.c +++ b/plat/arm/common/sp_min/arm_sp_min_setup.c @@ -22,6 +22,11 @@ static entry_point_info_t bl33_image_ep_info; #pragma weak sp_min_plat_arch_setup #pragma weak plat_arm_sp_min_early_platform_setup +/* + * Check that BL32_BASE is above ARM_TB_FW_CONFIG_LIMIT. The reserved page + * is required for SOC_FW_CONFIG/TOS_FW_CONFIG passed from BL2. + */ +CASSERT(BL32_BASE >= ARM_TB_FW_CONFIG_LIMIT, assert_bl32_base_overflows); /******************************************************************************* * Return a pointer to the 'entry_point_info' structure of the next image for the diff --git a/plat/arm/css/drivers/scp/css_bom_bootloader.c b/plat/arm/css/drivers/scp/css_bom_bootloader.c index 42ed30d3..5268510d 100644 --- a/plat/arm/css/drivers/scp/css_bom_bootloader.c +++ b/plat/arm/css/drivers/scp/css_bom_bootloader.c @@ -47,16 +47,16 @@ typedef struct { } cmd_data_payload_t; /* - * All CSS platforms load SCP_BL2/SCP_BL2U just below BL rw-data and above - * BL2/BL2U (this is where BL31 usually resides except when ARM_BL31_IN_DRAM is - * set. Ensure that SCP_BL2/SCP_BL2U do not overflow into BL1 rw-data nor - * BL2/BL2U. + * All CSS platforms load SCP_BL2/SCP_BL2U just below BL2 (this is where BL31 + * usually resides except when ARM_BL31_IN_DRAM is + * set). Ensure that SCP_BL2/SCP_BL2U do not overflow into shared RAM and + * the tb_fw_config. */ -CASSERT(SCP_BL2_LIMIT <= BL1_RW_BASE, assert_scp_bl2_overwrite_bl1); -CASSERT(SCP_BL2U_LIMIT <= BL1_RW_BASE, assert_scp_bl2u_overwrite_bl1); +CASSERT(SCP_BL2_LIMIT <= BL2_BASE, assert_scp_bl2_overwrite_bl2); +CASSERT(SCP_BL2U_LIMIT <= BL2_BASE, assert_scp_bl2u_overwrite_bl2); -CASSERT(SCP_BL2_BASE >= BL2_LIMIT, assert_scp_bl2_overwrite_bl2); -CASSERT(SCP_BL2U_BASE >= BL2U_LIMIT, assert_scp_bl2u_overwrite_bl2u); +CASSERT(SCP_BL2_BASE >= ARM_TB_FW_CONFIG_LIMIT, assert_scp_bl2_overflow); +CASSERT(SCP_BL2U_BASE >= ARM_TB_FW_CONFIG_LIMIT, assert_scp_bl2u_overflow); static void scp_boot_message_start(void) { diff --git a/plat/arm/css/drivers/scp/css_scp.h b/plat/arm/css/drivers/scp/css_scp.h index 1f0cf8e2..671612a8 100644 --- a/plat/arm/css/drivers/scp/css_scp.h +++ b/plat/arm/css/drivers/scp/css_scp.h @@ -34,17 +34,17 @@ int css_scp_boot_image_xfer(void *image, unsigned int image_size); int css_scp_boot_ready(void); #if CSS_LOAD_SCP_IMAGES + /* - * All CSS platforms load SCP_BL2/SCP_BL2U just below BL rw-data and above - * BL2/BL2U (this is where BL31 usually resides except when ARM_BL31_IN_DRAM is - * set. Ensure that SCP_BL2/SCP_BL2U do not overflow into BL1 rw-data nor - * BL2/BL2U. + * All CSS platforms load SCP_BL2/SCP_BL2U just below BL2 (this is where BL31 + * usually resides except when ARM_BL31_IN_DRAM is + * set). Ensure that SCP_BL2/SCP_BL2U do not overflow into tb_fw_config. */ -CASSERT(SCP_BL2_LIMIT <= BL1_RW_BASE, assert_scp_bl2_limit_overwrite_bl1); -CASSERT(SCP_BL2U_LIMIT <= BL1_RW_BASE, assert_scp_bl2u_limit_overwrite_bl1); +CASSERT(SCP_BL2_LIMIT <= BL2_BASE, assert_scp_bl2_overwrite_bl2); +CASSERT(SCP_BL2U_LIMIT <= BL2_BASE, assert_scp_bl2u_overwrite_bl2); -CASSERT(SCP_BL2_BASE >= BL2_LIMIT, assert_scp_bl2_overwrite_bl2); -CASSERT(SCP_BL2U_BASE >= BL2U_LIMIT, assert_scp_bl2u_overwrite_bl2u); +CASSERT(SCP_BL2_BASE >= ARM_TB_FW_CONFIG_LIMIT, assert_scp_bl2_overflow); +CASSERT(SCP_BL2U_BASE >= ARM_TB_FW_CONFIG_LIMIT, assert_scp_bl2u_overflow); #endif #endif /* __CSS_SCP_H__ */ diff --git a/services/arm_arch_svc/arm_arch_svc_setup.c b/services/arm_arch_svc/arm_arch_svc_setup.c index eb736c06..45c4704e 100644 --- a/services/arm_arch_svc/arm_arch_svc_setup.c +++ b/services/arm_arch_svc/arm_arch_svc_setup.c @@ -10,7 +10,8 @@ #include <runtime_svc.h> #include <smccc.h> #include <smccc_helpers.h> -#include <workaround_cve_2017_5715.h> +#include <wa_cve_2017_5715.h> +#include <wa_cve_2018_3639.h> static int32_t smccc_version(void) { @@ -25,10 +26,31 @@ static int32_t smccc_arch_features(u_register_t arg) return SMC_OK; #if WORKAROUND_CVE_2017_5715 case SMCCC_ARCH_WORKAROUND_1: - if (check_workaround_cve_2017_5715() == ERRATA_NOT_APPLIES) + if (check_wa_cve_2017_5715() == ERRATA_NOT_APPLIES) return 1; return 0; /* ERRATA_APPLIES || ERRATA_MISSING */ #endif +#if WORKAROUND_CVE_2018_3639 + case SMCCC_ARCH_WORKAROUND_2: +#if DYNAMIC_WORKAROUND_CVE_2018_3639 + /* + * On a platform where at least one CPU requires + * dynamic mitigation but others are either unaffected + * or permanently mitigated, report the latter as not + * needing dynamic mitigation. + */ + if (wa_cve_2018_3639_get_disable_ptr() == NULL) + return 1; + /* + * If we get here, this CPU requires dynamic mitigation + * so report it as such. + */ + return 0; +#else + /* Either the CPUs are unaffected or permanently mitigated */ + return SMCCC_ARCH_NOT_REQUIRED; +#endif +#endif default: return SMC_UNK; } @@ -60,6 +82,16 @@ static uintptr_t arm_arch_svc_smc_handler(uint32_t smc_fid, */ SMC_RET0(handle); #endif +#if WORKAROUND_CVE_2018_3639 + case SMCCC_ARCH_WORKAROUND_2: + /* + * The workaround has already been applied on affected PEs + * requiring dynamic mitigation during entry to EL3. + * On unaffected or statically mitigated PEs, this function + * has no effect. + */ + SMC_RET0(handle); +#endif default: WARN("Unimplemented Arm Architecture Service Call: 0x%x \n", smc_fid); |