- 05 Sep, 2018 3 commits
-
-
Varun Wadekar authored
For Denver CPUs, this approach enables the mitigation during EL3 initialization, following every PE reset. No mechanism is provided to disable the mitigation at runtime. This approach permanently mitigates the EL3 software stack only. Other software components are responsible to enable it for their exception levels. TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3 and earlier: * By setting bit 11 (Disable speculative store buffering) of `ACTLR_EL3` * By setting bit 9 (Disable speculative memory disambiguation) of `ACTLR_EL3` TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4 and later: * By setting bit 18 (Disable speculative store buffering) of `ACTLR_EL3` * By setting bit 17 (Disable speculative memory disambiguation) of `ACTLR_EL3` Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555 Signed-off-by:Varun Wadekar <vwadekar@nvidia.com>
-
Varun Wadekar authored
Denver CPUs expect the power state field to be reset to 'C1' during boot. This patch updates the reset handler to reset the ACTLR_.PMSTATE field to 'C1' state during CPU boot. Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c Signed-off-by: -
Varun Wadekar authored
The current functions to disable and enable Dynamic Code Optimizer (DCO) assume that all denver cores are in the same cluster. They ignore AFF1 field of the mpidr_el1 register, which leads to incorect logical core id calculation. This patch calls the platform handler, plat_my_core_pos(), to get the logical core id to disable/enable DCO for the core. Original change by: Krishna Sitaraman <ksitaraman@nvidia.com> Change-Id: I45fbd1f1eb032cc1db677a4fdecc554548b4a830 Signed-off-by:
-
- 23 Aug, 2018 1 commit
-
-
John Tsichritzis authored
The initial implementation was corrupting registers that it shouldn't. Now this is fixed. Change-Id: Iaa407c18e668b2d9381391bf10d6876fe936aded Signed-off-by:John Tsichritzis <john.tsichritzis@arm.com>
-
- 17 Aug, 2018 2 commits
-
-
Varun Wadekar authored
This patch uses the 'declare_cpu_ops_wa' macro, to set the check function, to report that Denver cores are mitigated. Denver cores are vulnerable to this anomaly and require the mitigation to be enabled always. Change-Id: I1bb6eefdec8c01fb8b645e112f8d04d4bb8811ef Signed-off-by: -
John Tsichritzis authored
If the system is in near idle conditions, this erratum could cause a deadlock or data corruption. This patch applies the workaround that prevents this. This DSU erratum affects only the DSUs that contain the ACP interface and it was fixed in r2p0. The workaround is applied only to the DSUs that are actually affected. Link to respective Arm documentation: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9 Signed-off-by:
-
- 11 Jul, 2018 3 commits
-
-
Joel Hutton authored
Change-Id: Ic0486131c493632eadf329f80b0b5904aed5e4ef Signed-off-by:
Joel Hutton <joel.hutton@arm.com> Signed-off-by:
Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Joel Hutton authored
Change-Id: I2c4b06423fcd96af9351b88a5e2818059f981f1b Signed-off-by:
-
Roberto Vargas authored
Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by:Roberto Vargas <roberto.vargas@arm.com>
-
- 19 Jun, 2018 1 commit
-
-
Dimitris Papastamos authored
Change-Id: I18a41bb9fedda635c3c002a7f112578808410ef6 Signed-off-by:
-
- 12 Jun, 2018 1 commit
-
-
Daniel Boulby authored
Rule 5.7: A tag name shall be a unique identifier There were 2 amu_ctx struct type definitions: - In lib/extensions/amu/aarch64/amu.c - In lib/cpus/aarch64/cpuamu.c Renamed the latter to cpuamu_ctx to avoid this name clash To avoid violation of Rule 8.3 also change name of function amu_ctxs to unique name (cpuamu_ctxs) since it now returns a different type (cpuamu_ctx) than the other amu_ctxs function Fixed for: make LOG_LEVEL=50 PLAT=fvp Change-Id: Ieeb7e390ec2900fd8b775bef312eda93804a43ed Signed-off-by:Daniel Boulby <daniel.boulby@arm.com>
-
- 08 Jun, 2018 4 commits
-
-
Dimitris Papastamos authored
The Cortex-A76 implements SMCCC_ARCH_WORKAROUND_2 as defined in "Firmware interfaces for mitigating cache speculation vulnerabilities System Software on Arm Systems"[0]. Dynamic mitigation for CVE-2018-3639 is enabled/disabled by setting/clearning bit 16 (Disable load pass store) of `CPUACTLR2_EL1`. NOTE: The generic code that implements dynamic mitigation does not currently implement the expected semantics when dispatching an SDEI event to a lower EL. This will be fixed in a separate patch. [0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification Change-Id: I8fb2862b9ab24d55a0e9693e48e8be4df32afb5a Signed-off-by:
-
Dimitris Papastamos authored
The workaround uses the instruction patching feature of the Ares cpu. Change-Id: I868fce0dc0e8e41853dcce311f01ee3867aabb59 Signed-off-by: -
Dimitris Papastamos authored
Change-Id: Ia170c12d3929a616ba80eb7645c301066641f5cc Signed-off-by: -
Isla Mitchell authored
Both Cortex-Ares and Cortex-A76 CPUs use the ARM DynamIQ Shared Unit (DSU). The power-down and power-up sequences are therefore mostly managed in hardware, and required software operations are simple. Change-Id: I3a9447b5bdbdbc5ed845b20f6564d086516fa161 Signed-off-by:Isla Mitchell <isla.mitchell@arm.com>
-
- 07 Jun, 2018 1 commit
-
-
Dimitris Papastamos authored
When SMCCC_ARCH_WORKAROUND_1 is invoked from a lower EL running in AArch32 state, ensure that the SMC call will take a shortcut in EL3. This minimizes the time it takes to apply the mitigation in EL3. When lower ELs run in AArch32, it is preferred that they execute the `BPIALL` instruction to invalidate the BTB. However, on some cores the `BPIALL` instruction may be a no-op and thus would benefit from making the SMCCC_ARCH_WORKAROUND_1 call go through the fast path. Change-Id: Ia38abd92efe2c4b4a8efa7b70f260e43c5bda8a5 Signed-off-by:
-
- 23 May, 2018 4 commits
-
-
Dimitris Papastamos authored
Some CPUS may benefit from using a dynamic mitigation approach for CVE-2018-3639. A new SMC interface is defined to allow software executing in lower ELs to enable or disable the mitigation for their execution context. It should be noted that regardless of the state of the mitigation for lower ELs, code executing in EL3 is always mitigated against CVE-2018-3639. NOTE: This change is a compatibility break for any platform using the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to the declare_cpu_ops_wa macro instead. Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013 Signed-off-by: -
Dimitris Papastamos authored
Implement static mitigation for CVE-2018-3639 on Cortex A57 and A72. Change-Id: I83409a16238729b84142b19e258c23737cc1ddc3 Signed-off-by: -
Dimitris Papastamos authored
For affected CPUs, this approach enables the mitigation during EL3 initialization, following every PE reset. No mechanism is provided to disable the mitigation at runtime. This approach permanently mitigates the entire software stack and no additional mitigation code is required in other software components. TF-A implements this approach for the following affected CPUs: * Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of `CPUACTLR_EL1` (`S3_1_C15_C2_0`). * Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the Technical Reference Manual (TRM)). * Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1` (`S3_0_C15_C1_0`). Additionally, a new SMC interface is implemented to allow software executing in lower ELs to discover whether the system is mitigated against CVE-2018-3639. Refer to "Firmware interfaces for mitigating cache speculation vulnerabilities System Software on Arm Systems"[0] for more information. [0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb Signed-off-by: -
Dimitris Papastamos authored
This patch renames symbols and files relating to CVE-2017-5715 to make it easier to introduce new symbols and files for new CVE mitigations. Change-Id: I24c23822862ca73648c772885f1690bed043dbc7 Signed-off-by:
-
- 15 May, 2018 1 commit
-
-
Varun Wadekar authored
Flush the indirect branch predictor and RSB on entry to EL3 by issuing a newly added instruction for Denver CPUs. Support for this operation can be determined by comparing bits 19:16 of ID_AFR0_EL1 with 0b0001. To achieve this without performing any branch instruction, a per-cpu vbar is installed which executes the workaround and then branches off to the corresponding vector entry in the main vector table. A side effect of this change is that the main vbar is configured before any reset handling. This is to allow the per-cpu reset function to override the vbar setting. Change-Id: Ief493cd85935bab3cfee0397e856db5101bc8011 Signed-off-by:
-
- 12 Apr, 2018 2 commits
-
-
Jonathan Wright authored
A fix for errata 835769 may be available in revisions r0p2, r0p3 or r0p4 of the Cortex-A53 processor. The presence of the fix is determined by checking bit 7 in the REVIDR register. If the fix is present we report ERRATA_NOT_APPLIES which silences the erroneous 'missing workaround' warning. Change-Id: Ib75b008e755e9ac648554ca9398024fdbea4a91a Signed-off-by:Jonathan Wright <jonathan.wright@arm.com>
-
Jonathan Wright authored
A fix for errata 843419 may be available in revision r0p4 of the Cortex-A53 processor. The presence of the fix is determined by checking bit 8 in the REVIDR register. If the fix is present we report ERRATA_NOT_APPLIES which silences the erroneous 'missing workaround' warning. Change-Id: Ibd2a478df3e2a6325442a6a48a0bb0259dcfc1d7 Signed-off-by:
-
- 14 Mar, 2018 2 commits
-
-
Dimitris Papastamos authored
When querying `SMCCC_ARCH_WORKAROUND_1` through `SMCCC_ARCH_FEATURES`, return either: * -1 to indicate the PE on which `SMCCC_ARCH_FEATURES` is called requires firmware mitigation for CVE-2017-5715 but the mitigation is not compiled in. * 0 to indicate that firmware mitigation is required, or * 1 to indicate that no firmware mitigation is required. This patch complies with v1.2 of the firmware interfaces specification (ARM DEN 0070A). Change-Id: Ibc32d6620efdac6c340758ec502d95554a55f02a Signed-off-by: -
Dimitris Papastamos authored
If the CSV2 field reads as 1 then branch targets trained in one context cannot affect speculative execution in a different context. In that case skip the workaround on Cortex A72 and A73. Change-Id: Ide24fb6efc77c548e4296295adc38dca87d042ee Signed-off-by:
-
- 27 Feb, 2018 3 commits
-
-
Dimitris Papastamos authored
Change-Id: I61c9fdfda0c0b3c3ec6249519db23602cf4c2100 Signed-off-by: -
Dimitris Papastamos authored
This patch also fixes the assumption that the counters are disabled on the resume path. This is incorrect as the AMU counters are enabled early in the CPU reset function before `cpuamu_context_restore()` runs. Change-Id: I38a94eb166a523f00de18e86860434ffccff2131 Signed-off-by: -
Dimitris Papastamos authored
This patch also fixes `cpuamu_write_cpuamcntenclr_el0()` to use an MSR instruction instead of an MRS instruction. Change-Id: Ia6531f64b5ebc60ba432124eaa8d8eaccba40ed0 Signed-off-by:
-
- 22 Feb, 2018 1 commit
-
-
Soby Mathew authored
The AArch32 assembly implementation of `print_errata_status` did not save a register which was getting clobbered by a `get_cpu_ops_ptr`. This patch fixes that. Change-Id: Id0711e46b7c685a18a10328d4b513e952a5d860b Signed-off-by:Soby Mathew <soby.mathew@arm.com>
-
- 31 Jan, 2018 1 commit
-
-
Joel Hutton authored
Add amu_context_save() and amu_context_restore() functions for aarch32 Change-Id: I4df83d447adeaa9d9f203e16dc5a919ffc04d87a Signed-off-by:
-
- 29 Jan, 2018 2 commits
-
-
Dimitris Papastamos authored
This patch implements a fast path for this SMC call on affected PEs by detecting and returning immediately after executing the workaround. NOTE: The MMU disable/enable workaround now assumes that the MMU was enabled on entry to EL3. This is a valid assumption as the code turns on the MMU after reset and leaves it on until the core powers off. Change-Id: I13c336d06a52297620a9760fb2461b4d606a30b3 Signed-off-by: -
Dimitris Papastamos authored
In the initial implementation of this workaround we used a dedicated workaround context to save/restore state. This patch reduces the footprint as no additional context is needed. Additionally, this patch reduces the memory loads and stores by 20%, reduces the instruction count and exploits static branch prediction to optimize the SMC path. Change-Id: Ia9f6bf06fbf8a9037cfe7f1f1fb32e8aec38ec7d Signed-off-by:
-
- 19 Jan, 2018 1 commit
-
-
Manoj Kumar authored
In AARCH32 mode, cortex_a72_reset_func branches to address in lr register instead of r5 register. This leads to linux boot failure of Cortex-A72 cores in AARCH32 mode on Juno-R2 board. This patch fixes the branching of cortex_a72_reset_func to r5 register as in cortex_a57_reset_func implementation. Signed-off-by:Manoj Kumar <manoj.kumar3@arm.com>
-
- 18 Jan, 2018 4 commits
-
-
Dimitris Papastamos authored
A per-cpu vbar is installed that implements the workaround by invalidating the branch target buffer (BTB) directly in the case of A9 and A17 and indirectly by invalidating the icache in the case of A15. For Cortex A57 and A72 there is currently no workaround implemented when EL3 is in AArch32 mode so report it as missing. For other vulnerable CPUs (e.g. Cortex A73 and Cortex A75), there are no changes since there is currently no upstream AArch32 EL3 support for these CPUs. Change-Id: Ib42c6ef0b3c9ff2878a9e53839de497ff736258f Signed-off-by: -
Dimitris Papastamos authored
Even though the workaround for CVE-2017-5715 is not a CPU erratum, the code is piggybacking on the errata framework to print whether the workaround was applied, missing or not needed. Change-Id: I821197a4b8560c73fd894cd7cd9ecf9503c72fa3 Signed-off-by: -
Dimitris Papastamos authored
As we are using the errata framework to handle workarounds in a more general sense, change the default string to reflect that. Change-Id: I2e266af2392c9d95e18fe4e965f9a1d46fd0e95e Signed-off-by: -
Roberto Vargas authored
This patch enables BL2 to execute at the highest exception level without any dependancy on TF BL1. This enables platforms which already have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL stages without need for BL1. This is not currently possible because BL2 executes at S-EL1 and cannot jump straight to EL3. Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69 Signed-off-by:
-
- 11 Jan, 2018 3 commits
-
-
Dimitris Papastamos authored
Change-Id: I504d3f65ca5829bc1f4ebadb764931f8379ee81f Signed-off-by: -
Dimitris Papastamos authored
If the CSV2 field reads as 1 then branch targets trained in one context cannot affect speculative execution in a different context. In that case skip the workaround on Cortex A75. Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38 Signed-off-by: -
Dimitris Papastamos authored
Invalidate the Branch Target Buffer (BTB) on entry to EL3 by temporarily dropping into AArch32 Secure-EL1 and executing the `BPIALL` instruction. This is achieved by using 3 vector tables. There is the runtime vector table which is used to handle exceptions and 2 additional tables which are required to implement this workaround. The additional tables are `vbar0` and `vbar1`. The sequence of events for handling a single exception is as follows: 1) Install vector table `vbar0` which saves the CPU context on entry to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode with the MMU disabled and I$ enabled. This is the default vector table. 2) Before doing an ERET into Secure-EL1, switch vbar to point to another vector table `vbar1`. This is required to restore EL3 state when returning from the workaround, before proceeding with normal EL3 exception handling. 3) While in Secure-EL1, the `BPIALL` instruction is executed and an SMC call back to EL3 is performed. 4) On entry to EL3 from Secure-EL1, the saved context from step 1) is restored. The vbar is switched to point to `vbar0` in preparation to handle further exceptions. Finally a branch to the runtime vector table entry is taken to complete the handling of the original exception. This workaround is enabled by default on the affected CPUs. NOTE ==== There are 4 different stubs in Secure-EL1. Each stub corresponds to an exception type such as Sync/IRQ/FIQ/SError. Each stub will move a different value in `R0` before doing an SMC call back into EL3. Without this piece of information it would not be possible to know what the original exception type was as we cannot use `ESR_EL3` to distinguish between IRQs and FIQs. Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434 Signed-off-by:
-
