1. 19 Jun, 2018 1 commit
  2. 12 Jun, 2018 1 commit
    • Daniel Boulby's avatar
      Fix MISRA Rule 5.7 Part 1 · 40692923
      Daniel Boulby authored
      
      
      Rule 5.7: A tag name shall be a unique identifier
      
      There were 2 amu_ctx struct type definitions:
          - In lib/extensions/amu/aarch64/amu.c
          - In lib/cpus/aarch64/cpuamu.c
      
      Renamed the latter to cpuamu_ctx to avoid this name clash
      
      To avoid violation of Rule 8.3 also change name of function
      amu_ctxs to unique name (cpuamu_ctxs) since it now returns a
      different type (cpuamu_ctx) than the other amu_ctxs function
      
      Fixed for:
          make LOG_LEVEL=50 PLAT=fvp
      
      Change-Id: Ieeb7e390ec2900fd8b775bef312eda93804a43ed
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      40692923
  3. 08 Jun, 2018 4 commits
  4. 07 Jun, 2018 1 commit
    • Dimitris Papastamos's avatar
      Fast path SMCCC_ARCH_WORKAROUND_1 calls from AArch32 · 2b915366
      Dimitris Papastamos authored
      
      
      When SMCCC_ARCH_WORKAROUND_1 is invoked from a lower EL running in
      AArch32 state, ensure that the SMC call will take a shortcut in EL3.
      This minimizes the time it takes to apply the mitigation in EL3.
      
      When lower ELs run in AArch32, it is preferred that they execute the
      `BPIALL` instruction to invalidate the BTB.  However, on some cores
      the `BPIALL` instruction may be a no-op and thus would benefit from
      making the SMCCC_ARCH_WORKAROUND_1 call go through the fast path.
      
      Change-Id: Ia38abd92efe2c4b4a8efa7b70f260e43c5bda8a5
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      2b915366
  5. 23 May, 2018 3 commits
    • Dimitris Papastamos's avatar
      Add support for dynamic mitigation for CVE-2018-3639 · fe007b2e
      Dimitris Papastamos authored
      
      
      Some CPUS may benefit from using a dynamic mitigation approach for
      CVE-2018-3639.  A new SMC interface is defined to allow software
      executing in lower ELs to enable or disable the mitigation for their
      execution context.
      
      It should be noted that regardless of the state of the mitigation for
      lower ELs, code executing in EL3 is always mitigated against
      CVE-2018-3639.
      
      NOTE: This change is a compatibility break for any platform using
      the declare_cpu_ops_workaround_cve_2017_5715 macro.  Migrate to
      the declare_cpu_ops_wa macro instead.
      
      Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      fe007b2e
    • Dimitris Papastamos's avatar
      Implement static workaround for CVE-2018-3639 · b8a25bbb
      Dimitris Papastamos authored
      For affected CPUs, this approach enables the mitigation during EL3
      initialization, following every PE reset. No mechanism is provided to
      disable the mitigation at runtime.
      
      This approach permanently mitigates the entire software stack and no
      additional mitigation code is required in other software components.
      
      TF-A implements this approach for the following affected CPUs:
      
      *   Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
          `CPUACTLR_EL1` (`S3_1_C15_C2_0`).
      
      *   Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
          Technical Reference Manual (TRM)).
      
      *   Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
          (`S3_0_C15_C1_0`).
      
      Additionally, a new SMC interface is implemented to allow software
      executing in lower ELs to discover whether the system is mitigated
      against CVE-2018-3639.
      
      Refer to "Firmware interfaces for mitigating cache speculation
      vulnerabilities System Software on Arm Systems"[0] for more
      information.
      
      [0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
      
      
      
      Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      b8a25bbb
    • Dimitris Papastamos's avatar
      Rename symbols and files relating to CVE-2017-5715 · 2c3a1078
      Dimitris Papastamos authored
      
      
      This patch renames symbols and files relating to CVE-2017-5715 to make
      it easier to introduce new symbols and files for new CVE mitigations.
      
      Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      2c3a1078
  6. 15 May, 2018 1 commit
    • Varun Wadekar's avatar
      Workaround for CVE-2017-5715 on NVIDIA Denver CPUs · b0301467
      Varun Wadekar authored
      
      
      Flush the indirect branch predictor and RSB on entry to EL3 by issuing
      a newly added instruction for Denver CPUs. Support for this operation
      can be determined by comparing bits 19:16 of ID_AFR0_EL1 with 0b0001.
      
      To achieve this without performing any branch instruction, a per-cpu
      vbar is installed which executes the workaround and then branches off
      to the corresponding vector entry in the main vector table. A side
      effect of this change is that the main vbar is configured before any
      reset handling. This is to allow the per-cpu reset function to override
      the vbar setting.
      
      Change-Id: Ief493cd85935bab3cfee0397e856db5101bc8011
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      b0301467
  7. 12 Apr, 2018 2 commits
  8. 14 Mar, 2018 2 commits
  9. 27 Feb, 2018 3 commits
  10. 31 Jan, 2018 1 commit
  11. 29 Jan, 2018 2 commits
    • Dimitris Papastamos's avatar
      Optimize SMCCC_ARCH_WORKAROUND_1 on Cortex A57/A72/A73 and A75 · 1d6d47a8
      Dimitris Papastamos authored
      
      
      This patch implements a fast path for this SMC call on affected PEs by
      detecting and returning immediately after executing the workaround.
      
      NOTE: The MMU disable/enable workaround now assumes that the MMU was
      enabled on entry to EL3.  This is a valid assumption as the code turns
      on the MMU after reset and leaves it on until the core powers off.
      
      Change-Id: I13c336d06a52297620a9760fb2461b4d606a30b3
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      1d6d47a8
    • Dimitris Papastamos's avatar
      Optimize/cleanup BPIALL workaround · d9bd656c
      Dimitris Papastamos authored
      
      
      In the initial implementation of this workaround we used a dedicated
      workaround context to save/restore state.  This patch reduces the
      footprint as no additional context is needed.
      
      Additionally, this patch reduces the memory loads and stores by 20%,
      reduces the instruction count and exploits static branch prediction to
      optimize the SMC path.
      
      Change-Id: Ia9f6bf06fbf8a9037cfe7f1f1fb32e8aec38ec7d
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      d9bd656c
  12. 18 Jan, 2018 2 commits
  13. 11 Jan, 2018 4 commits
    • Dimitris Papastamos's avatar
      Add hooks to save/restore AMU context for Cortex A75 · 53bfb94e
      Dimitris Papastamos authored
      
      
      Change-Id: I504d3f65ca5829bc1f4ebadb764931f8379ee81f
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      53bfb94e
    • Dimitris Papastamos's avatar
      Use PFR0 to identify need for mitigation of CVE-2017-5915 · 780edd86
      Dimitris Papastamos authored
      
      
      If the CSV2 field reads as 1 then branch targets trained in one
      context cannot affect speculative execution in a different context.
      In that case skip the workaround on Cortex A75.
      
      Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      780edd86
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A73 and A75 · a1781a21
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
      temporarily dropping into AArch32 Secure-EL1 and executing the
      `BPIALL` instruction.
      
      This is achieved by using 3 vector tables.  There is the runtime
      vector table which is used to handle exceptions and 2 additional
      tables which are required to implement this workaround.  The
      additional tables are `vbar0` and `vbar1`.
      
      The sequence of events for handling a single exception is
      as follows:
      
      1) Install vector table `vbar0` which saves the CPU context on entry
         to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
         with the MMU disabled and I$ enabled.  This is the default vector table.
      
      2) Before doing an ERET into Secure-EL1, switch vbar to point to
         another vector table `vbar1`.  This is required to restore EL3 state
         when returning from the workaround, before proceeding with normal EL3
         exception handling.
      
      3) While in Secure-EL1, the `BPIALL` instruction is executed and an
         SMC call back to EL3 is performed.
      
      4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
         restored.  The vbar is switched to point to `vbar0` in preparation to
         handle further exceptions.  Finally a branch to the runtime vector
         table entry is taken to complete the handling of the original
         exception.
      
      This workaround is enabled by default on the affected CPUs.
      
      NOTE
      ====
      
      There are 4 different stubs in Secure-EL1.  Each stub corresponds to
      an exception type such as Sync/IRQ/FIQ/SError.  Each stub will move a
      different value in `R0` before doing an SMC call back into EL3.
      Without this piece of information it would not be possible to know
      what the original exception type was as we cannot use `ESR_EL3` to
      distinguish between IRQs and FIQs.
      
      Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      a1781a21
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A57 and A72 · f62ad322
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
      and enabling the MMU.  To achieve this without performing any branch
      instruction, a per-cpu vbar is installed which executes the workaround
      and then branches off to the corresponding vector entry in the main
      vector table.  A side effect of this change is that the main vbar is
      configured before any reset handling.  This is to allow the per-cpu
      reset function to override the vbar setting.
      
      This workaround is enabled by default on the affected CPUs.
      
      Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      f62ad322
  14. 29 Nov, 2017 1 commit
  15. 07 Sep, 2017 2 commits
  16. 29 Aug, 2017 1 commit
  17. 12 Jul, 2017 1 commit
    • Isla Mitchell's avatar
      Fix order of #includes · 2a4b4b71
      Isla Mitchell authored
      
      
      This fix modifies the order of system includes to meet the ARM TF coding
      standard. There are some exceptions in order to retain header groupings,
      minimise changes to imported headers, and where there are headers within
      the #if and #ifndef statements.
      
      Change-Id: I65085a142ba6a83792b26efb47df1329153f1624
      Signed-off-by: default avatarIsla Mitchell <isla.mitchell@arm.com>
      2a4b4b71
  18. 22 Jun, 2017 1 commit
    • Douglas Raillard's avatar
      Apply workarounds for A53 Cat A Errata 835769 and 843419 · a94cc374
      Douglas Raillard authored
      These errata are only applicable to AArch64 state. See the errata notice
      for more details:
      http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm048406/index.html
      
      
      
      Introduce the build options ERRATA_A53_835769 and ERRATA_A53_843419.
      Enable both of them for Juno.
      
      Apply the 835769 workaround as following:
      * Compile with -mfix-cortex-a53-835769
      * Link with --fix-cortex-a53-835769
      
      Apply the 843419 workaround as following:
      * Link with --fix-cortex-a53-843419
      
      The erratum 843419 workaround can lead the linker to create new sections
      suffixed with "*.stub*" and 4KB aligned. The erratum 835769 can lead the
      linker to create new "*.stub" sections with no particular alignment.
      
      Also add support for LDFLAGS_aarch32 and LDFLAGS_aarch64 in Makefile for
      architecture-specific linker options.
      
      Change-Id: Iab3337e338b7a0a16b0d102404d9db98c154f8f8
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      a94cc374
  19. 14 Jun, 2017 1 commit
  20. 01 Jun, 2017 1 commit
  21. 24 May, 2017 1 commit
  22. 03 May, 2017 1 commit
  23. 20 Apr, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Remove build option `ASM_ASSERTION` · 044bb2fa
      Antonio Nino Diaz authored
      
      
      The build option `ENABLE_ASSERTIONS` should be used instead. That way
      both C and ASM assertions can be enabled or disabled together.
      
      All occurrences of `ASM_ASSERTION` in common code and ARM platforms have
      been replaced by `ENABLE_ASSERTIONS`.
      
      ASM_ASSERTION has been removed from the user guide.
      
      Change-Id: I51f1991f11b9b7ff83e787c9a3270c274748ec6f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      044bb2fa
  24. 20 Mar, 2017 1 commit
    • Andre Przywara's avatar
      Add workaround for ARM Cortex-A53 erratum 855873 · b75dc0e4
      Andre Przywara authored
      
      
      ARM erratum 855873 applies to all Cortex-A53 CPUs.
      The recommended workaround is to promote "data cache clean"
      instructions to "data cache clean and invalidate" instructions.
      For core revisions of r0p3 and later this can be done by setting a bit
      in the CPUACTLR_EL1 register, so that hardware takes care of the promotion.
      As CPUACTLR_EL1 is both IMPLEMENTATION DEFINED and can be trapped to EL3,
      we set the bit in firmware.
      Also we dump this register upon crashing to provide more debug
      information.
      
      Enable the workaround for the Juno boards.
      
      Change-Id: I3840114291958a406574ab6c49b01a9d9847fec8
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      b75dc0e4
  25. 08 Mar, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Apply workaround for errata 813419 of Cortex-A57 · ccbec91c
      Antonio Nino Diaz authored
      
      
      TLBI instructions for EL3 won't have the desired effect under specific
      circumstances in Cortex-A57 r0p0. The workaround is to execute DSB and
      TLBI twice each time.
      
      Even though this errata is only needed in r0p0, the current errata
      framework is not prepared to apply run-time workarounds. The current one
      is always applied if compiled in, regardless of the CPU or its revision.
      
      This errata has been enabled for Juno.
      
      The `DSB` instruction used when initializing the translation tables has
      been changed to `DSB ISH` as an optimization and to be consistent with
      the barriers used for the workaround.
      
      Change-Id: Ifc1d70b79cb5e0d87e90d88d376a59385667d338
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      ccbec91c