Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package arm-trusted-firmware for
openSUSE:Factory checked in at 2022-03-18 16:42:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/arm-trusted-firmware (Old)
and /work/SRC/openSUSE:Factory/.arm-trusted-firmware.new.25692 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "arm-trusted-firmware"
Fri Mar 18 16:42:25 2022 rev:12 rq:962635 version:2.6
Changes:
--------
---
/work/SRC/openSUSE:Factory/arm-trusted-firmware/arm-trusted-firmware.changes
2022-02-17 00:31:45.405420619 +0100
+++
/work/SRC/openSUSE:Factory/.arm-trusted-firmware.new.25692/arm-trusted-firmware.changes
2022-03-18 16:42:43.897206898 +0100
@@ -1,0 +2,17 @@
+Fri Mar 18 09:48:05 UTC 2022 - Ivan Ivanov <[email protected]>
+
+- Backport fallowing patches mitigating CVE-2022-23960 [1] and [2].
+
+ 0001-docs-security-security-advisory-for-CVE-2022-23960.patch
+ 0002-fix-security-workaround-for-CVE-2022-23960.patch
+ 0003-refactor-el3-runtime-change-Cortex-A76-implementatio.patch
+ 0004-fix-security-loop-workaround-for-CVE-2022-23960-for-.patch
+ 0005-fix-security-workaround-for-CVE-2022-23960-for-Corte.patch
+ 0006-fix-security-SMCCC_ARCH_WORKAROUND_3-mitigations-for.patch
+
+ Fixes bsc#1196657
+
+ [1]
https://trustedfirmware-a.readthedocs.io/en/latest/security_advisories/security-advisory-tfv-9.html
+ [2] https://review.trustedfirmware.org/q/topic:"spectre_bhb";
+
+-------------------------------------------------------------------
New:
----
0001-docs-security-security-advisory-for-CVE-2022-23960.patch
0002-fix-security-workaround-for-CVE-2022-23960.patch
0003-refactor-el3-runtime-change-Cortex-A76-implementatio.patch
0004-fix-security-loop-workaround-for-CVE-2022-23960-for-.patch
0005-fix-security-workaround-for-CVE-2022-23960-for-Corte.patch
0006-fix-security-SMCCC_ARCH_WORKAROUND_3-mitigations-for.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ arm-trusted-firmware.spec ++++++
--- /var/tmp/diff_new_pack.oiXWjw/_old 2022-03-18 16:42:44.553207367 +0100
+++ /var/tmp/diff_new_pack.oiXWjw/_new 2022-03-18 16:42:44.557207370 +0100
@@ -65,6 +65,12 @@
Source2: A3700-utils-marvell-%{a3700_utils_ver}.tar.gz
Source3: binaries-marvell-%{mv_bin_ver}.tar.gz
Patch1: atf-allow-non-git-dir.patch
+Patch2: 0001-docs-security-security-advisory-for-CVE-2022-23960.patch
+Patch3: 0002-fix-security-workaround-for-CVE-2022-23960.patch
+Patch4: 0003-refactor-el3-runtime-change-Cortex-A76-implementatio.patch
+Patch5: 0004-fix-security-loop-workaround-for-CVE-2022-23960-for-.patch
+Patch6: 0005-fix-security-workaround-for-CVE-2022-23960-for-Corte.patch
+Patch7: 0006-fix-security-SMCCC_ARCH_WORKAROUND_3-mitigations-for.patch
Patch150: A3700_utils-drop-git.patch
BuildRequires: fdupes
%if "%{platform}" != ""
@@ -164,7 +170,6 @@
%if "%{platform}" == "poplar"
%package devel
Summary: ARM Trusted Firmware -- %{platform} development files
-License: BSD-3-Clause
Group: System/Boot
Requires: %{name} = %{version}
@@ -224,6 +229,12 @@
popd
%endif
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
%build
export BUILD_MESSAGE_TIMESTAMP="\"$(date -d "$(head -n 2
%{_sourcedir}/arm-trusted-firmware.changes | tail -n 1 | cut -d- -f1 )" -u
"+%%H:%%M:%%S, %%b %%e %%Y")\""
++++++ 0001-docs-security-security-advisory-for-CVE-2022-23960.patch ++++++
>From 40d8e25ddb0d242db6aaf954cf211ff4bd210ad3 Mon Sep 17 00:00:00 2001
From: Bipin Ravi <[email protected]>
Date: Fri, 25 Feb 2022 19:12:10 -0600
Subject: [PATCH 1/6] docs(security): security advisory for CVE-2022-23960
Signed-off-by: Bipin Ravi <[email protected]>
Change-Id: I17b0847ff71e4a291bf7ba41fd71fe08c400b5e8
---
docs/security_advisories/index.rst | 1 +
.../security-advisory-tfv-9.rst | 104 ++++++++++++++++++
2 files changed, 105 insertions(+)
create mode 100644 docs/security_advisories/security-advisory-tfv-9.rst
diff --git a/docs/security_advisories/index.rst
b/docs/security_advisories/index.rst
index ce2c843e5..887b06a55 100644
--- a/docs/security_advisories/index.rst
+++ b/docs/security_advisories/index.rst
@@ -14,3 +14,4 @@ Security Advisories
security-advisory-tfv-6.rst
security-advisory-tfv-7.rst
security-advisory-tfv-8.rst
+ security-advisory-tfv-9.rst
diff --git a/docs/security_advisories/security-advisory-tfv-9.rst
b/docs/security_advisories/security-advisory-tfv-9.rst
new file mode 100644
index 000000000..74b85dcd9
--- /dev/null
+++ b/docs/security_advisories/security-advisory-tfv-9.rst
@@ -0,0 +1,104 @@
+Advisory TFV-9 (CVE-2022-23960)
+============================================================
+
++----------------+-------------------------------------------------------------+
+| Title | Trusted Firmware-A exposure to speculative processor
|
+| | vulnerabilities with branch prediction target reuse
|
++================+=============================================================+
+| CVE ID | `CVE-2022-23960`_
|
++----------------+-------------------------------------------------------------+
+| Date | 08 Mar 2022
|
++----------------+-------------------------------------------------------------+
+| Versions | All, up to and including v2.6
|
+| Affected |
|
++----------------+-------------------------------------------------------------+
+| Configurations | All
|
+| Affected |
|
++----------------+-------------------------------------------------------------+
+| Impact | Potential leakage of secure world data to normal world
|
+| | if an attacker is able to find a TF-A exfiltration
primitive|
+| | that can be predicted as a valid branch target, and somehow
|
+| | induce misprediction onto that primitive. There are
|
+| | currently no known exploits.
|
++----------------+-------------------------------------------------------------+
+| Fix Version | `Gerrit topic #spectre_bhb`_
|
++----------------+-------------------------------------------------------------+
+| Credit | Systems and Network Security Group at Vrije Universiteit
|
+| | Amsterdam for CVE-2022-23960, Arm for patches
|
++----------------+-------------------------------------------------------------+
+
+This security advisory describes the current understanding of the Trusted
+Firmware-A exposure to the new speculative processor vulnerability.
+To understand the background and wider impact of these vulnerabilities on Arm
+systems, please refer to the `Arm Processor Security Update`_. The whitepaper
+referred to below describes the Spectre attack and mitigation in more detail
+including implementation specific mitigation details for all impacted Arm CPUs.
+
+
+`CVE-2022-23960`_
+-----------------
+
+Where possible on vulnerable CPUs that implement FEAT_CSV2, Arm recommends
+inserting a loop workaround with implementation specific number of iterations
+that will discard the branch history on exception entry to a higher exception
+level for the given CPU. This is done as early as possible on entry into EL3,
+before any branch instruction is executed. This is sufficient to mitigate
+Spectre-BHB on behalf of all secure world code, assuming that no secure world
+code is under attacker control.
+
+The below table lists the CPUs that mitigate against this vulnerability in
+TF-A using the loop workaround(all cores that implement FEAT_CSV2 except the
+revisions of Cortex-A73 and Cortex-A75 that implements FEAT_CSV2).
+
++----------------------+
+| Core |
++----------------------+
+| Cortex-A72(from r1p0)|
++----------------------+
+| Cortex-A76 |
++----------------------+
+| Cortex-A77 |
++----------------------+
+| Cortex-A78 |
++----------------------+
+| Cortex-X2 |
++----------------------+
+| Cortex-A710 |
++----------------------+
+| Neoverse-N1 |
++----------------------+
+| Neoverse-N2 |
++----------------------+
+| Neoverse-V1 |
++----------------------+
+
+For all other cores impacted by Spectre-BHB, some of which that do not
implement
+FEAT_CSV2 and some that do e.g. Cortex-A73, the recommended mitigation is to
+flush all branch predictions via an implementation specific route.
+
+In case local workaround is not feasible, the Rich OS can invoke the SMC
+(``SMCCC_ARCH_WORKAROUND_3``) to apply the workaround. Refer to `SMCCC Calling
+Convention specification`_ for more details.
+
+`Gerrit topic #spectre_bhb`_ This patchset implements the Spectre-BHB loop
+workaround for CPUs mentioned in the above table. It also mitigates against
+this vulnerability for Cortex-A72 CPU versions that support the CSV2 feature
+(from r1p0). The patch stack also includes an implementation for a specified
+`CVE-2022-23960`_ workaround SMC(``SMCCC_ARCH_WORKAROUND_3``) for use by normal
+world privileged software. Details of ``SMCCC_ARCH_WORKAROUND_3`` can be found
+in the `SMCCC Calling Convention specification`_. The specification and
+implementation also enables the normal world to discover the presence of this
+firmware service. This patch also implements ``SMCCC_ARCH_WORKAROUND_3`` for
+Cortex-A57, Coxtex-A72, Cortex-A73 and Cortex-A75 using the existing
workaround.
+for CVE-2017-5715.
+
+The above workaround is enabled by default (on vulnerable CPUs only). Platforms
+can choose to disable them at compile time if they do not require them.
+
+For more information about non-Arm CPUs, please contact the CPU vendor.
+
+.. _Arm Processor Security Update: http://www.arm.com/security-update
+.. _CVE-2022-23960:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960
+.. _Gerrit topic #spectre_bhb:
https://review.trustedfirmware.org/q/topic:"spectre_bhb"+(status:open%20OR%20status:merged)
+.. _CVE-2022-23960 mitigation specification:
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+.. _SMCCC Calling Convention specification:
https://developer.arm.com/documentation/den0028/latest
--
2.26.2
++++++ 0002-fix-security-workaround-for-CVE-2022-23960.patch ++++++
++++ 945 lines (skipped)
++++++ 0003-refactor-el3-runtime-change-Cortex-A76-implementatio.patch ++++++
>From be320fca4586aafd2eb985b5d58c16a00908239a Mon Sep 17 00:00:00 2001
From: Bipin Ravi <[email protected]>
Date: Wed, 2 Feb 2022 23:03:28 -0600
Subject: [PATCH 3/6] refactor(el3-runtime): change Cortex-A76 implementation
of CVE-2018-3639
Re-factored the prior implementation of workaround for CVE-2018-3639
using branch and link instruction to save vector space to include the
workaround for CVE-2022-23960.
Signed-off-by: Bipin Ravi <[email protected]>
Change-Id: Ib3fe949583160429b5de8f0a4a8e623eb91d87d4
---
lib/cpus/aarch64/cortex_a76.S | 126 +++++++++++++++++++++-------------
1 file changed, 78 insertions(+), 48 deletions(-)
diff --git a/lib/cpus/aarch64/cortex_a76.S b/lib/cpus/aarch64/cortex_a76.S
index 4f7f4bb9a..7bcdafd12 100644
--- a/lib/cpus/aarch64/cortex_a76.S
+++ b/lib/cpus/aarch64/cortex_a76.S
@@ -35,59 +35,17 @@
*
* The macro saves x2-x3 to the context. In the fast path
* x0-x3 registers do not need to be restored as the calling
- * context will have saved them.
+ * context will have saved them. The macro also saves
+ * x29-x30 to the context in the sync_exception path.
*/
.macro apply_cve_2018_3639_wa _is_sync_exception _esr_el3_val
stp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
-
.if \_is_sync_exception
- /*
- * Ensure SMC is coming from A64/A32 state on #0
- * with W0 = SMCCC_ARCH_WORKAROUND_2
- *
- * This sequence evaluates as:
- * (W0==SMCCC_ARCH_WORKAROUND_2) ? (ESR_EL3==SMC#0) : (NE)
- * allowing use of a single branch operation
- */
- orr w2, wzr, #SMCCC_ARCH_WORKAROUND_2
- cmp x0, x2
- mrs x3, esr_el3
- mov_imm w2, \_esr_el3_val
- ccmp w2, w3, #0, eq
- /*
- * Static predictor will predict a fall-through, optimizing
- * the `SMCCC_ARCH_WORKAROUND_2` fast path.
- */
- bne 1f
-
- /*
- * The sequence below implements the `SMCCC_ARCH_WORKAROUND_2`
- * fast path.
- */
- cmp x1, xzr /* enable/disable check */
-
- /*
- * When the calling context wants mitigation disabled,
- * we program the mitigation disable function in the
- * CPU context, which gets invoked on subsequent exits from
- * EL3 via the `el3_exit` function. Otherwise NULL is
- * programmed in the CPU context, which results in caller's
- * inheriting the EL3 mitigation state (enabled) on subsequent
- * `el3_exit`.
- */
- mov x0, xzr
- adr x1, cortex_a76_disable_wa_cve_2018_3639
- csel x1, x1, x0, eq
- str x1, [sp, #CTX_CVE_2018_3639_OFFSET +
CTX_CVE_2018_3639_DISABLE]
-
- mrs x2, CORTEX_A76_CPUACTLR2_EL1
- orr x1, x2,
#CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE
- bic x3, x2,
#CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE
- csel x3, x3, x1, eq
- msr CORTEX_A76_CPUACTLR2_EL1, x3
- exception_return /* exception_return contains ISB */
+ stp x29, x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X29]
+ mov_imm w2, \_esr_el3_val
+ bl apply_cve_2018_3639_sync_wa
+ ldp x29, x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X29]
.endif
-1:
/*
* Always enable v4 mitigation during EL3 execution. This is not
* required for the fast path above because it does not perform any
@@ -195,6 +153,78 @@ vector_entry cortex_a76_serror_aarch32
apply_cve_2018_3639_wa _is_sync_exception=0
_esr_el3_val=ESR_EL3_A32_SMC0
b serror_aarch32
end_vector_entry cortex_a76_serror_aarch32
+
+ /*
+ * -----------------------------------------------------------------
+ * This function applies the mitigation for CVE-2018-3639
+ * specifically for sync exceptions. It implements a fast path
+ * where `SMCCC_ARCH_WORKAROUND_2` SMC calls from a lower EL
+ * running in AArch64 will go through the fast and return early.
+ *
+ * In the fast path x0-x3 registers do not need to be restored as the
+ * calling context will have saved them.
+ *
+ * Caller must pass value of esr_el3 to compare via x2.
+ * Save and restore these registers outside of this function from the
+ * context before jumping to the main runtime vector table entry.
+ *
+ * Shall clobber: x0-x3, x30
+ * -----------------------------------------------------------------
+ */
+func apply_cve_2018_3639_sync_wa
+ /*
+ * Ensure SMC is coming from A64/A32 state on #0
+ * with W0 = SMCCC_ARCH_WORKAROUND_2
+ *
+ * This sequence evaluates as:
+ * (W0==SMCCC_ARCH_WORKAROUND_2) ? (ESR_EL3==SMC#0) : (NE)
+ * allowing use of a single branch operation
+ * X2 populated outside this function with the SMC FID.
+ */
+ orr w3, wzr, #SMCCC_ARCH_WORKAROUND_2
+ cmp x0, x3
+ mrs x3, esr_el3
+
+ ccmp w2, w3, #0, eq
+ /*
+ * Static predictor will predict a fall-through, optimizing
+ * the `SMCCC_ARCH_WORKAROUND_2` fast path.
+ */
+ bne 1f
+
+ /*
+ * The sequence below implements the `SMCCC_ARCH_WORKAROUND_2`
+ * fast path.
+ */
+ cmp x1, xzr /* enable/disable check */
+
+ /*
+ * When the calling context wants mitigation disabled,
+ * we program the mitigation disable function in the
+ * CPU context, which gets invoked on subsequent exits from
+ * EL3 via the `el3_exit` function. Otherwise NULL is
+ * programmed in the CPU context, which results in caller's
+ * inheriting the EL3 mitigation state (enabled) on subsequent
+ * `el3_exit`.
+ */
+ mov x0, xzr
+ adr x1, cortex_a76_disable_wa_cve_2018_3639
+ csel x1, x1, x0, eq
+ str x1, [sp, #CTX_CVE_2018_3639_OFFSET + CTX_CVE_2018_3639_DISABLE]
+
+ mrs x2, CORTEX_A76_CPUACTLR2_EL1
+ orr x1, x2, #CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE
+ bic x3, x2, #CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE
+ csel x3, x3, x1, eq
+ msr CORTEX_A76_CPUACTLR2_EL1, x3
+ ldp x29, x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X29]
+ /*
+ * `SMCCC_ARCH_WORKAROUND_2`fast path return to lower EL.
+ */
+ exception_return /* exception_return contains ISB */
+1:
+ ret
+endfunc apply_cve_2018_3639_sync_wa
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
/* --------------------------------------------------
--
2.26.2
++++++ 0004-fix-security-loop-workaround-for-CVE-2022-23960-for-.patch ++++++
>From 424d4857cf422051d54accb1bdf702bbf463cffa Mon Sep 17 00:00:00 2001
From: Bipin Ravi <[email protected]>
Date: Tue, 8 Feb 2022 19:32:38 -0600
Subject: [PATCH 4/6] fix(security): loop workaround for CVE-2022-23960 for
Cortex-A76
Signed-off-by: Bipin Ravi <[email protected]>
Change-Id: I8d433b39a5c0f9e1cef978df8a2986d7a35d3745
---
include/lib/cpus/aarch64/cortex_a76.h | 29 ++++----
lib/cpus/aarch64/cortex_a76.S | 99 ++++++++++++++++++++++++++-
2 files changed, 112 insertions(+), 16 deletions(-)
diff --git a/include/lib/cpus/aarch64/cortex_a76.h
b/include/lib/cpus/aarch64/cortex_a76.h
index a61825f1b..74fb6e974 100644
--- a/include/lib/cpus/aarch64/cortex_a76.h
+++ b/include/lib/cpus/aarch64/cortex_a76.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -10,38 +10,41 @@
#include <lib/utils_def.h>
/* Cortex-A76 MIDR for revision 0 */
-#define CORTEX_A76_MIDR U(0x410fd0b0)
+#define CORTEX_A76_MIDR
U(0x410fd0b0)
+
+/* Cortex-A76 loop count for CVE-2022-23960 mitigation */
+#define CORTEX_A76_BHB_LOOP_COUNT U(24)
/*******************************************************************************
* CPU Extended Control register specific definitions.
******************************************************************************/
-#define CORTEX_A76_CPUPWRCTLR_EL1 S3_0_C15_C2_7
-#define CORTEX_A76_CPUECTLR_EL1 S3_0_C15_C1_4
+#define CORTEX_A76_CPUPWRCTLR_EL1 S3_0_C15_C2_7
+#define CORTEX_A76_CPUECTLR_EL1
S3_0_C15_C1_4
-#define CORTEX_A76_CPUECTLR_EL1_WS_THR_L2 (ULL(3) << 24)
-#define CORTEX_A76_CPUECTLR_EL1_BIT_51 (ULL(1) << 51)
+#define CORTEX_A76_CPUECTLR_EL1_WS_THR_L2 (ULL(3) << 24)
+#define CORTEX_A76_CPUECTLR_EL1_BIT_51 (ULL(1) << 51)
/*******************************************************************************
* CPU Auxiliary Control register specific definitions.
******************************************************************************/
-#define CORTEX_A76_CPUACTLR_EL1 S3_0_C15_C1_0
+#define CORTEX_A76_CPUACTLR_EL1
S3_0_C15_C1_0
#define CORTEX_A76_CPUACTLR_EL1_DISABLE_STATIC_PREDICTION (ULL(1) << 6)
-#define CORTEX_A76_CPUACTLR_EL1_BIT_13 (ULL(1) << 13)
+#define CORTEX_A76_CPUACTLR_EL1_BIT_13 (ULL(1) << 13)
-#define CORTEX_A76_CPUACTLR2_EL1 S3_0_C15_C1_1
+#define CORTEX_A76_CPUACTLR2_EL1 S3_0_C15_C1_1
-#define CORTEX_A76_CPUACTLR2_EL1_BIT_2 (ULL(1) << 2)
+#define CORTEX_A76_CPUACTLR2_EL1_BIT_2 (ULL(1) << 2)
#define CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE (ULL(1) << 16)
-#define CORTEX_A76_CPUACTLR3_EL1 S3_0_C15_C1_2
+#define CORTEX_A76_CPUACTLR3_EL1 S3_0_C15_C1_2
-#define CORTEX_A76_CPUACTLR3_EL1_BIT_10 (ULL(1) << 10)
+#define CORTEX_A76_CPUACTLR3_EL1_BIT_10 (ULL(1)
<< 10)
/* Definitions of register field mask in CORTEX_A76_CPUPWRCTLR_EL1 */
-#define CORTEX_A76_CORE_PWRDN_EN_MASK U(0x1)
+#define CORTEX_A76_CORE_PWRDN_EN_MASK U(0x1)
#endif /* CORTEX_A76_H */
diff --git a/lib/cpus/aarch64/cortex_a76.S b/lib/cpus/aarch64/cortex_a76.S
index 7bcdafd12..114d0f529 100644
--- a/lib/cpus/aarch64/cortex_a76.S
+++ b/lib/cpus/aarch64/cortex_a76.S
@@ -7,11 +7,11 @@
#include <arch.h>
#include <asm_macros.S>
#include <common/bl_common.h>
-#include <context.h>
#include <cortex_a76.h>
#include <cpu_macros.S>
#include <plat_macros.S>
#include <services/arm_arch_svc.h>
+#include "wa_cve_2022_23960_bhb.S"
/* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0
@@ -63,8 +63,10 @@
*/
ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
.endm
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
-vector_base cortex_a76_wa_cve_2018_3639_a76_vbar
+#if DYNAMIC_WORKAROUND_CVE_2018_3639 || WORKAROUND_CVE_2022_23960
+vector_base cortex_a76_wa_cve_vbar
/* ---------------------------------------------------------------------
* Current EL with SP_EL0 : 0x0 - 0x200
@@ -111,22 +113,54 @@ end_vector_entry cortex_a76_serror_sp_elx
* ---------------------------------------------------------------------
*/
vector_entry cortex_a76_sync_exception_aarch64
+
+#if WORKAROUND_CVE_2022_23960
+ apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=1
_esr_el3_val=ESR_EL3_A64_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
b sync_exception_aarch64
end_vector_entry cortex_a76_sync_exception_aarch64
vector_entry cortex_a76_irq_aarch64
+
+#if WORKAROUND_CVE_2022_23960
+ apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0
_esr_el3_val=ESR_EL3_A64_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
b irq_aarch64
end_vector_entry cortex_a76_irq_aarch64
vector_entry cortex_a76_fiq_aarch64
+
+#if WORKAROUND_CVE_2022_23960
+ apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0
_esr_el3_val=ESR_EL3_A64_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
b fiq_aarch64
end_vector_entry cortex_a76_fiq_aarch64
vector_entry cortex_a76_serror_aarch64
+
+#if WORKAROUND_CVE_2022_23960
+ apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0
_esr_el3_val=ESR_EL3_A64_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
b serror_aarch64
end_vector_entry cortex_a76_serror_aarch64
@@ -135,25 +169,59 @@ end_vector_entry cortex_a76_serror_aarch64
* ---------------------------------------------------------------------
*/
vector_entry cortex_a76_sync_exception_aarch32
+
+#if WORKAROUND_CVE_2022_23960
+ apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=1
_esr_el3_val=ESR_EL3_A32_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
b sync_exception_aarch32
end_vector_entry cortex_a76_sync_exception_aarch32
vector_entry cortex_a76_irq_aarch32
+
+#if WORKAROUND_CVE_2022_23960
+ apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0
_esr_el3_val=ESR_EL3_A32_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
b irq_aarch32
end_vector_entry cortex_a76_irq_aarch32
vector_entry cortex_a76_fiq_aarch32
+
+#if WORKAROUND_CVE_2022_23960
+ apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0
_esr_el3_val=ESR_EL3_A32_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
b fiq_aarch32
end_vector_entry cortex_a76_fiq_aarch32
vector_entry cortex_a76_serror_aarch32
+
+#if WORKAROUND_CVE_2022_23960
+ apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
apply_cve_2018_3639_wa _is_sync_exception=0
_esr_el3_val=ESR_EL3_A32_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
b serror_aarch32
end_vector_entry cortex_a76_serror_aarch32
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 || WORKAROUND_CVE_2022_23960 */
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
/*
* -----------------------------------------------------------------
* This function applies the mitigation for CVE-2018-3639
@@ -549,6 +617,15 @@ func check_errata_1165522
#endif
endfunc check_errata_1165522
+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+ mov x0, #ERRATA_APPLIES
+#else
+ mov x0, #ERRATA_MISSING
+#endif /* WORKAROUND_CVE_2022_23960 */
+ ret
+endfunc check_errata_cve_2022_23960
+
/* -------------------------------------------------
* The CPU Ops reset function for Cortex-A76.
* Shall clobber: x0-x19
@@ -620,16 +697,31 @@ func cortex_a76_reset_func
* The Cortex-A76 generic vectors are overwritten to use the vectors
* defined above. This is required in order to apply mitigation
* against CVE-2018-3639 on exception entry from lower ELs.
+ * If the below vector table is used, skip overriding it again for
+ * CVE_2022_23960 as both use the same vbar.
*/
- adr x0, cortex_a76_wa_cve_2018_3639_a76_vbar
+ adr x0, cortex_a76_wa_cve_vbar
msr vbar_el3, x0
isb
+ b 2f
#endif /* IMAGE_BL31 */
1:
#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
#endif /* WORKAROUND_CVE_2018_3639 */
+#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
+ /*
+ * The Cortex-A76 generic vectors are overridden to apply errata
+ * mitigation on exception entry from lower ELs. This will be bypassed
+ * if DYNAMIC_WORKAROUND_CVE_2018_3639 has overridden the vectors.
+ */
+ adr x0, cortex_a76_wa_cve_vbar
+ msr vbar_el3, x0
+ isb
+#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
+2:
+
#if ERRATA_DSU_798953
bl errata_dsu_798953_wa
#endif
@@ -686,6 +778,7 @@ func cortex_a76_errata_report
report_errata WORKAROUND_CVE_2018_3639, cortex_a76, cve_2018_3639
report_errata ERRATA_DSU_798953, cortex_a76, dsu_798953
report_errata ERRATA_DSU_936184, cortex_a76, dsu_936184
+ report_errata WORKAROUND_CVE_2022_23960, cortex_a76, cve_2022_23960
ldp x8, x30, [sp], #16
ret
--
2.26.2
++++++ 0005-fix-security-workaround-for-CVE-2022-23960-for-Corte.patch ++++++
>From 6d23d523a55f10394e96802ab9d7c981d3b4bc9f Mon Sep 17 00:00:00 2001
From: Bipin Ravi <[email protected]>
Date: Tue, 15 Feb 2022 23:24:51 -0600
Subject: [PATCH 5/6] fix(security): workaround for CVE-2022-23960 for
Cortex-A57, Cortex-A72
Implements mitigation for Cortex-A72 CPU versions that support
the CSV2 feature(from r1p0). It also applies the mitigation for
Cortex-A57 CPU.
Signed-off-by: Bipin Ravi <[email protected]>
Change-Id: I7cfcf06537710f144f6e849992612033ddd79d33
---
include/lib/cpus/aarch64/cortex_a72.h | 5 +++-
lib/cpus/aarch64/cortex_a57.S | 17 ++++++++++++-
lib/cpus/aarch64/cortex_a72.S | 36 ++++++++++++++++++++++++---
3 files changed, 53 insertions(+), 5 deletions(-)
diff --git a/include/lib/cpus/aarch64/cortex_a72.h
b/include/lib/cpus/aarch64/cortex_a72.h
index 28b440e19..17776458b 100644
--- a/include/lib/cpus/aarch64/cortex_a72.h
+++ b/include/lib/cpus/aarch64/cortex_a72.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -12,6 +12,9 @@
/* Cortex-A72 midr for revision 0 */
#define CORTEX_A72_MIDR U(0x410FD080)
+/* Cortex-A72 loop count for CVE-2022-23960 mitigation */
+#define CORTEX_A72_BHB_LOOP_COUNT U(8)
+
/*******************************************************************************
* CPU Extended Control register specific definitions.
******************************************************************************/
diff --git a/lib/cpus/aarch64/cortex_a57.S b/lib/cpus/aarch64/cortex_a57.S
index 8ef0f922a..4120f119e 100644
--- a/lib/cpus/aarch64/cortex_a57.S
+++ b/lib/cpus/aarch64/cortex_a57.S
@@ -470,7 +470,12 @@ func cortex_a57_reset_func
bl errata_a57_859972_wa
#endif
-#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715
+#if IMAGE_BL31 && ( WORKAROUND_CVE_2017_5715 || WORKAROUND_CVE_2022_23960 )
+ /* ---------------------------------------------------------------
+ * Override vector table & enable existing workaround if either of
+ * the build flags are enabled
+ * ---------------------------------------------------------------
+ */
adr x0, wa_cve_2017_5715_mmu_vbar
msr vbar_el3, x0
/* isb will be performed before returning from this function */
@@ -506,6 +511,15 @@ func cortex_a57_reset_func
ret x19
endfunc cortex_a57_reset_func
+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+ mov x0, #ERRATA_APPLIES
+#else
+ mov x0, #ERRATA_MISSING
+#endif
+ ret
+endfunc check_errata_cve_2022_23960
+
/* ----------------------------------------------------
* The CPU Ops core power down function for Cortex-A57.
* ----------------------------------------------------
@@ -630,6 +644,7 @@ func cortex_a57_errata_report
report_errata ERRATA_A57_1319537, cortex_a57, 1319537
report_errata WORKAROUND_CVE_2017_5715, cortex_a57, cve_2017_5715
report_errata WORKAROUND_CVE_2018_3639, cortex_a57, cve_2018_3639
+ report_errata WORKAROUND_CVE_2022_23960, cortex_a57, cve_2022_23960
ldp x8, x30, [sp], #16
ret
diff --git a/lib/cpus/aarch64/cortex_a72.S b/lib/cpus/aarch64/cortex_a72.S
index aff6072a0..3dc44805e 100644
--- a/lib/cpus/aarch64/cortex_a72.S
+++ b/lib/cpus/aarch64/cortex_a72.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -9,6 +9,11 @@
#include <cortex_a72.h>
#include <cpu_macros.S>
#include <plat_macros.S>
+#include "wa_cve_2022_23960_bhb_vector.S"
+
+#if WORKAROUND_CVE_2022_23960
+ wa_cve_2022_23960_bhb_vector_table CORTEX_A72_BHB_LOOP_COUNT, cortex_a72
+#endif /* WORKAROUND_CVE_2022_23960 */
/* ---------------------------------------------
* Disable L1 data cache and unified L2 cache
@@ -133,6 +138,15 @@ func check_errata_1319367
ret
endfunc check_errata_1319367
+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+ mov x0, #ERRATA_APPLIES
+#else
+ mov x0, #ERRATA_MISSING
+#endif
+ ret
+endfunc check_errata_cve_2022_23960
+
/* -------------------------------------------------
* The CPU Ops reset function for Cortex-A72.
* -------------------------------------------------
@@ -147,13 +161,28 @@ func cortex_a72_reset_func
bl errata_a72_859971_wa
#endif
-#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715
+#if IMAGE_BL31 && (WORKAROUND_CVE_2017_5715 || WORKAROUND_CVE_2022_23960)
cpu_check_csv2 x0, 1f
adr x0, wa_cve_2017_5715_mmu_vbar
msr vbar_el3, x0
/* isb will be performed before returning from this function */
+
+ /* Skip CVE_2022_23960 mitigation if cve_2017_5715 mitigation applied */
+ b 2f
1:
-#endif
+#if WORKAROUND_CVE_2022_23960
+ /*
+ * The Cortex-A72 generic vectors are overridden to apply the
+ * mitigation on exception entry from lower ELs for revisions >= r1p0
+ * which has CSV2 implemented.
+ */
+ adr x0, wa_cve_vbar_cortex_a72
+ msr vbar_el3, x0
+
+ /* isb will be performed before returning from this function */
+#endif /* WORKAROUND_CVE_2022_23960 */
+2:
+#endif /* IMAGE_BL31 && (WORKAROUND_CVE_2017_5715 ||
WORKAROUND_CVE_2022_23960) */
#if WORKAROUND_CVE_2018_3639
mrs x0, CORTEX_A72_CPUACTLR_EL1
@@ -299,6 +328,7 @@ func cortex_a72_errata_report
report_errata ERRATA_A72_1319367, cortex_a72, 1319367
report_errata WORKAROUND_CVE_2017_5715, cortex_a72, cve_2017_5715
report_errata WORKAROUND_CVE_2018_3639, cortex_a72, cve_2018_3639
+ report_errata WORKAROUND_CVE_2022_23960, cortex_a72, cve_2022_23960
ldp x8, x30, [sp], #16
ret
--
2.26.2
++++++ 0006-fix-security-SMCCC_ARCH_WORKAROUND_3-mitigations-for.patch ++++++
++++ 619 lines (skipped)
