Commits · d003b190938fa9e50ad351015da4b5225c78ce14 · adam.huang / Arm Trusted Firmware

23 May, 2018 1 commit

Rename symbols and files relating to CVE-2017-5715 · 2c3a1078

Dimitris Papastamos authored Apr 06, 2018

This patch renames symbols and files relating to CVE-2017-5715 to make
it easier to introduce new symbols and files for new CVE mitigations.

Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

2c3a1078

29 Jan, 2018 2 commits

Optimize SMCCC_ARCH_WORKAROUND_1 on Cortex A57/A72/A73 and A75 · 1d6d47a8

Dimitris Papastamos authored Jan 08, 2018

This patch implements a fast path for this SMC call on affected PEs by
detecting and returning immediately after executing the workaround.

NOTE: The MMU disable/enable workaround now assumes that the MMU was
enabled on entry to EL3. This is a valid assumption as the code turns
on the MMU after reset and leaves it on until the core powers off.

Change-Id: I13c336d06a52297620a9760fb2461b4d606a30b3
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

1d6d47a8

Optimize/cleanup BPIALL workaround · d9bd656c

Dimitris Papastamos authored Jan 11, 2018



In the initial implementation of this workaround we used a dedicated
workaround context to save/restore state.  This patch reduces the
footprint as no additional context is needed.

Additionally, this patch reduces the memory loads and stores by 20%,
reduces the instruction count and exploits static branch prediction to
optimize the SMC path.

Change-Id: Ia9f6bf06fbf8a9037cfe7f1f1fb32e8aec38ec7d
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

d9bd656c

11 Jan, 2018 1 commit

Workaround for CVE-2017-5715 on Cortex A73 and A75 · a1781a21

Dimitris Papastamos authored Dec 18, 2017



Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
temporarily dropping into AArch32 Secure-EL1 and executing the
`BPIALL` instruction.

This is achieved by using 3 vector tables.  There is the runtime
vector table which is used to handle exceptions and 2 additional
tables which are required to implement this workaround.  The
additional tables are `vbar0` and `vbar1`.

The sequence of events for handling a single exception is
as follows:

1) Install vector table `vbar0` which saves the CPU context on entry
   to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
   with the MMU disabled and I$ enabled.  This is the default vector table.

2) Before doing an ERET into Secure-EL1, switch vbar to point to
   another vector table `vbar1`.  This is required to restore EL3 state
   when returning from the workaround, before proceeding with normal EL3
   exception handling.

3) While in Secure-EL1, the `BPIALL` instruction is executed and an
   SMC call back to EL3 is performed.

4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
   restored.  The vbar is switched to point to `vbar0` in preparation to
   handle further exceptions.  Finally a branch to the runtime vector
   table entry is taken to complete the handling of the original
   exception.

This workaround is enabled by default on the affected CPUs.

NOTE
====

There are 4 different stubs in Secure-EL1.  Each stub corresponds to
an exception type such as Sync/IRQ/FIQ/SError.  Each stub will move a
different value in `R0` before doing an SMC call back into EL3.
Without this piece of information it would not be possible to know
what the original exception type was as we cannot use `ESR_EL3` to
distinguish between IRQs and FIQs.

Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

a1781a21