Skip to content

GitLab

Switch branch/tag
  1. 11 Jan, 2018 3 commits
    • Dimitris Papastamos's avatar
      Use PFR0 to identify need for mitigation of CVE-2017-5915 · 780edd86
      Dimitris Papastamos authored 
      

If the CSV2 field reads as 1 then branch targets trained in one
context cannot affect speculative execution in a different context.
In that case skip the workaround on Cortex A75.

Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      780edd86
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A73 and A75 · a1781a21
      Dimitris Papastamos authored 
      

Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
temporarily dropping into AArch32 Secure-EL1 and executing the
`BPIALL` instruction.

This is achieved by using 3 vector tables.  There is the runtime
vector table which is used to handle exceptions and 2 additional
tables which are required to implement this workaround.  The
additional tables are `vbar0` and `vbar1`.

The sequence of events for handling a single exception is
as follows:

1) Install vector table `vbar0` which saves the CPU context on entry
   to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
   with the MMU disabled and I$ enabled.  This is the default vector table.

2) Before doing an ERET into Secure-EL1, switch vbar to point to
   another vector table `vbar1`.  This is required to restore EL3 state
   when returning from the workaround, before proceeding with normal EL3
   exception handling.

3) While in Secure-EL1, the `BPIALL` instruction is executed and an
   SMC call back to EL3 is performed.

4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
   restored.  The vbar is switched to point to `vbar0` in preparation to
   handle further exceptions.  Finally a branch to the runtime vector
   table entry is taken to complete the handling of the original
   exception.

This workaround is enabled by default on the affected CPUs.

NOTE
====

There are 4 different stubs in Secure-EL1.  Each stub corresponds to
an exception type such as Sync/IRQ/FIQ/SError.  Each stub will move a
different value in `R0` before doing an SMC call back into EL3.
Without this piece of information it would not be possible to know
what the original exception type was as we cannot use `ESR_EL3` to
distinguish between IRQs and FIQs.

Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      a1781a21
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A57 and A72 · f62ad322
      Dimitris Papastamos authored 
      

Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
and enabling the MMU.  To achieve this without performing any branch
instruction, a per-cpu vbar is installed which executes the workaround
and then branches off to the corresponding vector entry in the main
vector table.  A side effect of this change is that the main vbar is
configured before any reset handling.  This is to allow the per-cpu
reset function to override the vbar setting.

This workaround is enabled by default on the affected CPUs.

Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      f62ad322
  3. 10 Jan, 2018 3 commits
  5. 09 Jan, 2018 4 commits
  7. 08 Jan, 2018 3 commits
  9. 03 Jan, 2018 6 commits
  11. 24 Dec, 2017 3 commits
  13. 23 Dec, 2017 1 commit
  15. 21 Dec, 2017 1 commit
    • David Cunado's avatar
      Update dependencies for ARM TF · fa05efb3
      David Cunado authored 
      

ARM TF has been tested as part of its CI system with the following
dependencies updated:

- Linaro binaries:    17.04 --> 17.10
- mbed TLS library:   2.4.2 --> 2.6.0

The version of AEM, Cortex-A and Foundation models that ARM TF is
tested on has also been updated:

- v11.1 build 11.1:22 --> v11.2 build 11.2:33
- v8.9 build 0.8:8805 --> v9.0 build 0.8:9005

This patch updates the user guide documentation to reflect these
changes to the dependencies.

Additionally, links to Linaro resources have been updated.

Change-Id: I9ea5cb76e7443c9dbb0c9525069f450a02f59e58
Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      fa05efb3
  17. 20 Dec, 2017 4 commits
  19. 19 Dec, 2017 5 commits
  21. 18 Dec, 2017 2 commits
  23. 15 Dec, 2017 2 commits
  25. 14 Dec, 2017 2 commits
  27. 13 Dec, 2017 1 commit
    • Roberto Vargas's avatar
      io: block: fix block_read/write may read/write overlap buffer · e19e40af
      Roberto Vargas authored 
      

The block operations were trying to optimize the number of memory
copies, and it tried to use directly the buffer supplied by the user
to them. This was a mistake because it created too many corner cases:

	1- It was possible to generate unaligned
	   operations to unaligned buffers. Drivers that were using
	   DMA transfer failed in that case.

	2- It was possible to generate read operations
	   with sizes that weren't a multiple of the block size. Some
	   low level drivers assumed that condition and they calculated
	   the number of blocks dividing the number of bytes by the
	   size of the block, without considering the remaining bytes.

	3- The block_* operations didn't control the
	   number of bytes actually copied to memory, because the
	   low level drivers were writing directly to the user buffer.

This patch rewrite block_read and block_write to use always the device
buffer, which the platform ensures that has the correct aligment and
the correct size.

Change-Id: I5e479bb7bc137e6ec205a8573eb250acd5f40420
Signed-off-by: default avatarQixiang Xu <qixiang.xu@arm.com>
Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      e19e40af