Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package arm-trusted-firmware for 
openSUSE:Factory checked in at 2022-03-18 16:42:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/arm-trusted-firmware (Old)
 and      /work/SRC/openSUSE:Factory/.arm-trusted-firmware.new.25692 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "arm-trusted-firmware"

Fri Mar 18 16:42:25 2022 rev:12 rq:962635 version:2.6

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/arm-trusted-firmware/arm-trusted-firmware.changes    
    2022-02-17 00:31:45.405420619 +0100
+++ 
/work/SRC/openSUSE:Factory/.arm-trusted-firmware.new.25692/arm-trusted-firmware.changes
     2022-03-18 16:42:43.897206898 +0100
@@ -1,0 +2,17 @@
+Fri Mar 18 09:48:05 UTC 2022 - Ivan Ivanov <ivan.iva...@suse.com>
+
+- Backport fallowing patches mitigating CVE-2022-23960 [1] and [2].
+
+  0001-docs-security-security-advisory-for-CVE-2022-23960.patch
+  0002-fix-security-workaround-for-CVE-2022-23960.patch
+  0003-refactor-el3-runtime-change-Cortex-A76-implementatio.patch
+  0004-fix-security-loop-workaround-for-CVE-2022-23960-for-.patch
+  0005-fix-security-workaround-for-CVE-2022-23960-for-Corte.patch
+  0006-fix-security-SMCCC_ARCH_WORKAROUND_3-mitigations-for.patch
+
+  Fixes bsc#1196657
+
+  [1] 
https://trustedfirmware-a.readthedocs.io/en/latest/security_advisories/security-advisory-tfv-9.html
+  [2] https://review.trustedfirmware.org/q/topic:"spectre_bhb";
+
+-------------------------------------------------------------------

New:
----
  0001-docs-security-security-advisory-for-CVE-2022-23960.patch
  0002-fix-security-workaround-for-CVE-2022-23960.patch
  0003-refactor-el3-runtime-change-Cortex-A76-implementatio.patch
  0004-fix-security-loop-workaround-for-CVE-2022-23960-for-.patch
  0005-fix-security-workaround-for-CVE-2022-23960-for-Corte.patch
  0006-fix-security-SMCCC_ARCH_WORKAROUND_3-mitigations-for.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ arm-trusted-firmware.spec ++++++
--- /var/tmp/diff_new_pack.oiXWjw/_old  2022-03-18 16:42:44.553207367 +0100
+++ /var/tmp/diff_new_pack.oiXWjw/_new  2022-03-18 16:42:44.557207370 +0100
@@ -65,6 +65,12 @@
 Source2:        A3700-utils-marvell-%{a3700_utils_ver}.tar.gz
 Source3:        binaries-marvell-%{mv_bin_ver}.tar.gz
 Patch1:         atf-allow-non-git-dir.patch
+Patch2:         0001-docs-security-security-advisory-for-CVE-2022-23960.patch
+Patch3:         0002-fix-security-workaround-for-CVE-2022-23960.patch
+Patch4:         0003-refactor-el3-runtime-change-Cortex-A76-implementatio.patch
+Patch5:         0004-fix-security-loop-workaround-for-CVE-2022-23960-for-.patch
+Patch6:         0005-fix-security-workaround-for-CVE-2022-23960-for-Corte.patch
+Patch7:         0006-fix-security-SMCCC_ARCH_WORKAROUND_3-mitigations-for.patch
 Patch150:       A3700_utils-drop-git.patch
 BuildRequires:  fdupes
 %if "%{platform}" != ""
@@ -164,7 +170,6 @@
 %if "%{platform}" == "poplar"
 %package devel
 Summary:        ARM Trusted Firmware -- %{platform} development files
-License:        BSD-3-Clause
 Group:          System/Boot
 Requires:       %{name} = %{version}
 
@@ -224,6 +229,12 @@
 popd
 %endif
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 
 %build
 export BUILD_MESSAGE_TIMESTAMP="\"$(date -d "$(head -n 2 
%{_sourcedir}/arm-trusted-firmware.changes | tail -n 1 | cut -d- -f1 )" -u 
"+%%H:%%M:%%S, %%b %%e %%Y")\""

++++++ 0001-docs-security-security-advisory-for-CVE-2022-23960.patch ++++++
>From 40d8e25ddb0d242db6aaf954cf211ff4bd210ad3 Mon Sep 17 00:00:00 2001
From: Bipin Ravi <bipin.r...@arm.com>
Date: Fri, 25 Feb 2022 19:12:10 -0600
Subject: [PATCH 1/6] docs(security): security advisory for CVE-2022-23960

Signed-off-by: Bipin Ravi <bipin.r...@arm.com>
Change-Id: I17b0847ff71e4a291bf7ba41fd71fe08c400b5e8
---
 docs/security_advisories/index.rst            |   1 +
 .../security-advisory-tfv-9.rst               | 104 ++++++++++++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 docs/security_advisories/security-advisory-tfv-9.rst

diff --git a/docs/security_advisories/index.rst 
b/docs/security_advisories/index.rst
index ce2c843e5..887b06a55 100644
--- a/docs/security_advisories/index.rst
+++ b/docs/security_advisories/index.rst
@@ -14,3 +14,4 @@ Security Advisories
    security-advisory-tfv-6.rst
    security-advisory-tfv-7.rst
    security-advisory-tfv-8.rst
+   security-advisory-tfv-9.rst
diff --git a/docs/security_advisories/security-advisory-tfv-9.rst 
b/docs/security_advisories/security-advisory-tfv-9.rst
new file mode 100644
index 000000000..74b85dcd9
--- /dev/null
+++ b/docs/security_advisories/security-advisory-tfv-9.rst
@@ -0,0 +1,104 @@
+Advisory TFV-9 (CVE-2022-23960)
+============================================================
+
++----------------+-------------------------------------------------------------+
+| Title          | Trusted Firmware-A exposure to speculative processor        
|
+|                | vulnerabilities with branch prediction target reuse         
|
++================+=============================================================+
+| CVE ID         | `CVE-2022-23960`_                                           
|
++----------------+-------------------------------------------------------------+
+| Date           | 08 Mar 2022                                                 
|
++----------------+-------------------------------------------------------------+
+| Versions       | All, up to and including v2.6                               
|
+| Affected       |                                                             
|
++----------------+-------------------------------------------------------------+
+| Configurations | All                                                         
|
+| Affected       |                                                             
|
++----------------+-------------------------------------------------------------+
+| Impact         | Potential leakage of secure world data to normal world      
|
+|                | if an attacker is able to find a TF-A exfiltration 
primitive|
+|                | that can be predicted as a valid branch target, and somehow 
|
+|                | induce misprediction onto that primitive. There are         
|
+|                | currently no known exploits.                                
|
++----------------+-------------------------------------------------------------+
+| Fix Version    | `Gerrit topic #spectre_bhb`_                                
|
++----------------+-------------------------------------------------------------+
+| Credit         | Systems and Network Security Group at Vrije Universiteit    
|
+|                | Amsterdam for CVE-2022-23960, Arm for patches               
|
++----------------+-------------------------------------------------------------+
+
+This security advisory describes the current understanding of the Trusted
+Firmware-A exposure to the new speculative processor vulnerability.
+To understand the background and wider impact of these vulnerabilities on Arm
+systems, please refer to the `Arm Processor Security Update`_. The whitepaper
+referred to below describes the Spectre attack and mitigation in more detail
+including implementation specific mitigation details for all impacted Arm CPUs.
+
+
+`CVE-2022-23960`_
+-----------------
+
+Where possible on vulnerable CPUs that implement FEAT_CSV2, Arm recommends
+inserting a loop workaround with implementation specific number of iterations
+that will discard the branch history on exception entry to a higher exception
+level for the given CPU. This is done as early as possible on entry into EL3,
+before any branch instruction is executed. This is sufficient to mitigate
+Spectre-BHB on behalf of all secure world code, assuming that no secure world
+code is under attacker control.
+
+The below table lists the CPUs that mitigate against this vulnerability in
+TF-A using the loop workaround(all cores that implement FEAT_CSV2 except the
+revisions of Cortex-A73 and Cortex-A75 that implements FEAT_CSV2).
+
++----------------------+
+| Core                 |
++----------------------+
+| Cortex-A72(from r1p0)|
++----------------------+
+| Cortex-A76           |
++----------------------+
+| Cortex-A77           |
++----------------------+
+| Cortex-A78           |
++----------------------+
+| Cortex-X2            |
++----------------------+
+| Cortex-A710          |
++----------------------+
+| Neoverse-N1          |
++----------------------+
+| Neoverse-N2          |
++----------------------+
+| Neoverse-V1          |
++----------------------+
+
+For all other cores impacted by Spectre-BHB, some of which that do not 
implement
+FEAT_CSV2 and some that do e.g. Cortex-A73, the recommended mitigation is to
+flush all branch predictions via an implementation specific route.
+
+In case local workaround is not feasible, the Rich OS can invoke the SMC
+(``SMCCC_ARCH_WORKAROUND_3``) to apply the workaround. Refer to `SMCCC Calling
+Convention specification`_ for more details.
+
+`Gerrit topic #spectre_bhb`_ This patchset implements the Spectre-BHB loop
+workaround for CPUs mentioned in the above table. It also mitigates against
+this vulnerability for Cortex-A72 CPU versions that support the CSV2 feature
+(from r1p0). The patch stack also includes an implementation for a specified
+`CVE-2022-23960`_ workaround SMC(``SMCCC_ARCH_WORKAROUND_3``) for use by normal
+world privileged software. Details of ``SMCCC_ARCH_WORKAROUND_3`` can be found
+in the `SMCCC Calling Convention specification`_. The specification and
+implementation also enables the normal world to discover the presence of this
+firmware service. This patch also implements ``SMCCC_ARCH_WORKAROUND_3`` for
+Cortex-A57, Coxtex-A72, Cortex-A73 and Cortex-A75 using the existing 
workaround.
+for CVE-2017-5715.
+
+The above workaround is enabled by default (on vulnerable CPUs only). Platforms
+can choose to disable them at compile time if they do not require them.
+
+For more information about non-Arm CPUs, please contact the CPU vendor.
+
+.. _Arm Processor Security Update: http://www.arm.com/security-update
+.. _CVE-2022-23960: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960
+.. _Gerrit topic #spectre_bhb: 
https://review.trustedfirmware.org/q/topic:"spectre_bhb"+(status:open%20OR%20status:merged)
+.. _CVE-2022-23960 mitigation specification: 
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+.. _SMCCC Calling Convention specification: 
https://developer.arm.com/documentation/den0028/latest
-- 
2.26.2


++++++ 0002-fix-security-workaround-for-CVE-2022-23960.patch ++++++
++++ 945 lines (skipped)

++++++ 0003-refactor-el3-runtime-change-Cortex-A76-implementatio.patch ++++++
>From be320fca4586aafd2eb985b5d58c16a00908239a Mon Sep 17 00:00:00 2001
From: Bipin Ravi <bipin.r...@arm.com>
Date: Wed, 2 Feb 2022 23:03:28 -0600
Subject: [PATCH 3/6] refactor(el3-runtime): change Cortex-A76 implementation
 of CVE-2018-3639

Refactored the prior implementation of the workaround for CVE-2018-3639
to use a branch-and-link instruction, saving vector space so that the
workaround for CVE-2022-23960 can be included.

Signed-off-by: Bipin Ravi <bipin.r...@arm.com>
Change-Id: Ib3fe949583160429b5de8f0a4a8e623eb91d87d4
---
 lib/cpus/aarch64/cortex_a76.S | 126 +++++++++++++++++++++-------------
 1 file changed, 78 insertions(+), 48 deletions(-)

diff --git a/lib/cpus/aarch64/cortex_a76.S b/lib/cpus/aarch64/cortex_a76.S
index 4f7f4bb9a..7bcdafd12 100644
--- a/lib/cpus/aarch64/cortex_a76.S
+++ b/lib/cpus/aarch64/cortex_a76.S
@@ -35,59 +35,17 @@
         *
         * The macro saves x2-x3 to the context. In the fast path
         * x0-x3 registers do not need to be restored as the calling
-        * context will have saved them.
+        * context will have saved them. The macro also saves
+        * x29-x30 to the context in the sync_exception path.
         */
        .macro apply_cve_2018_3639_wa _is_sync_exception _esr_el3_val
        stp     x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
-
        .if \_is_sync_exception
-               /*
-                * Ensure SMC is coming from A64/A32 state on #0
-                * with W0 = SMCCC_ARCH_WORKAROUND_2
-                *
-                * This sequence evaluates as:
-                *    (W0==SMCCC_ARCH_WORKAROUND_2) ? (ESR_EL3==SMC#0) : (NE)
-                * allowing use of a single branch operation
-                */
-               orr     w2, wzr, #SMCCC_ARCH_WORKAROUND_2
-               cmp     x0, x2
-               mrs     x3, esr_el3
-               mov_imm w2, \_esr_el3_val
-               ccmp    w2, w3, #0, eq
-               /*
-                * Static predictor will predict a fall-through, optimizing
-                * the `SMCCC_ARCH_WORKAROUND_2` fast path.
-                */
-               bne     1f
-
-               /*
-                * The sequence below implements the `SMCCC_ARCH_WORKAROUND_2`
-                * fast path.
-                */
-               cmp     x1, xzr /* enable/disable check */
-
-               /*
-                * When the calling context wants mitigation disabled,
-                * we program the mitigation disable function in the
-                * CPU context, which gets invoked on subsequent exits from
-                * EL3 via the `el3_exit` function. Otherwise NULL is
-                * programmed in the CPU context, which results in caller's
-                * inheriting the EL3 mitigation state (enabled) on subsequent
-                * `el3_exit`.
-                */
-               mov     x0, xzr
-               adr     x1, cortex_a76_disable_wa_cve_2018_3639
-               csel    x1, x1, x0, eq
-               str     x1, [sp, #CTX_CVE_2018_3639_OFFSET + 
CTX_CVE_2018_3639_DISABLE]
-
-               mrs     x2, CORTEX_A76_CPUACTLR2_EL1
-               orr     x1, x2, 
#CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE
-               bic     x3, x2, 
#CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE
-               csel    x3, x3, x1, eq
-               msr     CORTEX_A76_CPUACTLR2_EL1, x3
-               exception_return /* exception_return contains ISB */
+       stp     x29, x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X29]
+       mov_imm w2, \_esr_el3_val
+       bl      apply_cve_2018_3639_sync_wa
+       ldp     x29, x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X29]
        .endif
-1:
        /*
         * Always enable v4 mitigation during EL3 execution. This is not
         * required for the fast path above because it does not perform any
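Review bot: The retained comment after `.endif` still says the v4 mitigation is "not required for the fast path above", but this refactor moves the fast path out of the macro into `apply_cve_2018_3639_sync_wa`. Reword it to name that function. The call site would also benefit from a one-line comment such as `/* bl clobbers x30; w2 = expected ESR_EL3; does not return on the SMCCC_ARCH_WORKAROUND_2 fast path */`, because the updated header says only that x29-x30 are saved, not why. The macro body continues past the end of this hunk.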
@@ -195,6 +153,78 @@ vector_entry cortex_a76_serror_aarch32
        apply_cve_2018_3639_wa _is_sync_exception=0 
_esr_el3_val=ESR_EL3_A32_SMC0
        b       serror_aarch32
 end_vector_entry cortex_a76_serror_aarch32
+
+       /*
+        * -----------------------------------------------------------------
+        * This function applies the mitigation for CVE-2018-3639
+        * specifically for sync exceptions. It implements a fast path
+        * where `SMCCC_ARCH_WORKAROUND_2` SMC calls from a lower EL
+        * running in AArch64 will go through the fast and return early.
+        *
+        * In the fast path x0-x3 registers do not need to be restored as the
+        * calling context will have saved them.
+        *
+        * Caller must pass value of esr_el3 to compare via x2.
+        * Save and restore these registers outside of this function from the
+        * context before jumping to the main runtime vector table entry.
+        *
+        * Shall clobber: x0-x3, x30
+        * -----------------------------------------------------------------
+        */
+func apply_cve_2018_3639_sync_wa
+       /*
+        * Ensure SMC is coming from A64/A32 state on #0
+        * with W0 = SMCCC_ARCH_WORKAROUND_2
+        *
+        * This sequence evaluates as:
+        *    (W0==SMCCC_ARCH_WORKAROUND_2) ? (ESR_EL3==SMC#0) : (NE)
+        * allowing use of a single branch operation
+        * X2 populated outside this function with the SMC FID.
+        */
+       orr     w3, wzr, #SMCCC_ARCH_WORKAROUND_2
+       cmp     x0, x3
+       mrs     x3, esr_el3
+
+       ccmp    w2, w3, #0, eq
+       /*
+        * Static predictor will predict a fall-through, optimizing
+        * the `SMCCC_ARCH_WORKAROUND_2` fast path.
+        */
+       bne     1f
+
+       /*
+       * The sequence below implements the `SMCCC_ARCH_WORKAROUND_2`
+       * fast path.
+       */
+       cmp     x1, xzr /* enable/disable check */
+
+       /*
+        * When the calling context wants mitigation disabled,
+        * we program the mitigation disable function in the
+        * CPU context, which gets invoked on subsequent exits from
+        * EL3 via the `el3_exit` function. Otherwise NULL is
+        * programmed in the CPU context, which results in caller's
+        * inheriting the EL3 mitigation state (enabled) on subsequent
+        * `el3_exit`.
+        */
+       mov     x0, xzr
+       adr     x1, cortex_a76_disable_wa_cve_2018_3639
+       csel    x1, x1, x0, eq
+       str     x1, [sp, #CTX_CVE_2018_3639_OFFSET + CTX_CVE_2018_3639_DISABLE]
+
+       mrs     x2, CORTEX_A76_CPUACTLR2_EL1
+       orr     x1, x2, #CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE
+       bic     x3, x2, #CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE
+       csel    x3, x3, x1, eq
+       msr     CORTEX_A76_CPUACTLR2_EL1, x3
+       ldp     x29, x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X29]
+       /*
+       * `SMCCC_ARCH_WORKAROUND_2`fast path return to lower EL.
+       */
+       exception_return /* exception_return contains ISB */
+1:
+       ret
+endfunc apply_cve_2018_3639_sync_wa
 #endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
 
        /* --------------------------------------------------
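Review bot: The inline comment `X2 populated outside this function with the SMC FID` in `apply_cve_2018_3639_sync_wa` contradicts the function header ("Caller must pass value of esr_el3 to compare via x2") and the caller, which loads `\_esr_el3_val` into w2; the SMC function ID is what gets compared from x0. Suggest `* W2 is populated by the caller with the expected ESR_EL3 value.` The header also reads "will go through the fast and return early" (missing "path"). It could state that the fast path restores x29/x30 from the context and leaves through `exception_return`, so only the non-matching case reaches `ret`.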
-- 
2.26.2


++++++ 0004-fix-security-loop-workaround-for-CVE-2022-23960-for-.patch ++++++
>From 424d4857cf422051d54accb1bdf702bbf463cffa Mon Sep 17 00:00:00 2001
From: Bipin Ravi <bipin.r...@arm.com>
Date: Tue, 8 Feb 2022 19:32:38 -0600
Subject: [PATCH 4/6] fix(security): loop workaround for CVE-2022-23960 for
 Cortex-A76

Signed-off-by: Bipin Ravi <bipin.r...@arm.com>
Change-Id: I8d433b39a5c0f9e1cef978df8a2986d7a35d3745
---
 include/lib/cpus/aarch64/cortex_a76.h | 29 ++++----
 lib/cpus/aarch64/cortex_a76.S         | 99 ++++++++++++++++++++++++++-
 2 files changed, 112 insertions(+), 16 deletions(-)

diff --git a/include/lib/cpus/aarch64/cortex_a76.h 
b/include/lib/cpus/aarch64/cortex_a76.h
index a61825f1b..74fb6e974 100644
--- a/include/lib/cpus/aarch64/cortex_a76.h
+++ b/include/lib/cpus/aarch64/cortex_a76.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -10,38 +10,41 @@
 #include <lib/utils_def.h>
 
 /* Cortex-A76 MIDR for revision 0 */
-#define CORTEX_A76_MIDR                U(0x410fd0b0)
+#define CORTEX_A76_MIDR                                                
U(0x410fd0b0)
+
+/* Cortex-A76 loop count for CVE-2022-23960 mitigation */
+#define CORTEX_A76_BHB_LOOP_COUNT                              U(24)
 
 
/*******************************************************************************
  * CPU Extended Control register specific definitions.
  
******************************************************************************/
-#define CORTEX_A76_CPUPWRCTLR_EL1      S3_0_C15_C2_7
-#define CORTEX_A76_CPUECTLR_EL1                S3_0_C15_C1_4
+#define CORTEX_A76_CPUPWRCTLR_EL1                              S3_0_C15_C2_7
+#define CORTEX_A76_CPUECTLR_EL1                                        
S3_0_C15_C1_4
 
-#define CORTEX_A76_CPUECTLR_EL1_WS_THR_L2      (ULL(3) << 24)
-#define CORTEX_A76_CPUECTLR_EL1_BIT_51         (ULL(1) << 51)
+#define CORTEX_A76_CPUECTLR_EL1_WS_THR_L2                      (ULL(3) << 24)
+#define CORTEX_A76_CPUECTLR_EL1_BIT_51                         (ULL(1) << 51)
 
 
/*******************************************************************************
  * CPU Auxiliary Control register specific definitions.
  
******************************************************************************/
-#define CORTEX_A76_CPUACTLR_EL1                S3_0_C15_C1_0
+#define CORTEX_A76_CPUACTLR_EL1                                        
S3_0_C15_C1_0
 
 #define CORTEX_A76_CPUACTLR_EL1_DISABLE_STATIC_PREDICTION      (ULL(1) << 6)
 
-#define CORTEX_A76_CPUACTLR_EL1_BIT_13 (ULL(1) << 13)
+#define CORTEX_A76_CPUACTLR_EL1_BIT_13                         (ULL(1) << 13)
 
-#define CORTEX_A76_CPUACTLR2_EL1       S3_0_C15_C1_1
+#define CORTEX_A76_CPUACTLR2_EL1                               S3_0_C15_C1_1
 
-#define CORTEX_A76_CPUACTLR2_EL1_BIT_2 (ULL(1) << 2)
+#define CORTEX_A76_CPUACTLR2_EL1_BIT_2                         (ULL(1) << 2)
 
 #define CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE       (ULL(1) << 16)
 
-#define CORTEX_A76_CPUACTLR3_EL1       S3_0_C15_C1_2
+#define CORTEX_A76_CPUACTLR3_EL1                               S3_0_C15_C1_2
 
-#define CORTEX_A76_CPUACTLR3_EL1_BIT_10        (ULL(1) << 10)
+#define CORTEX_A76_CPUACTLR3_EL1_BIT_10                                (ULL(1) 
<< 10)
 
 
 /* Definitions of register field mask in CORTEX_A76_CPUPWRCTLR_EL1 */
-#define CORTEX_A76_CORE_PWRDN_EN_MASK  U(0x1)
+#define CORTEX_A76_CORE_PWRDN_EN_MASK                          U(0x1)
 
 #endif /* CORTEX_A76_H */
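Review bot: `CORTEX_A76_BHB_LOOP_COUNT` is introduced as a bare `U(24)` with nothing saying where the per-core iteration count comes from, and it is the only functional line in a hunk that otherwise just re-aligns existing defines. A count that is too small would presumably leave part of the branch history in place without any visible failure, so the comment should point at its source, e.g. `/* Cortex-A76 loop count for CVE-2022-23960 mitigation; see security advisory TFV-9 and the Arm specification it links */`. The same applies to `CORTEX_A72_BHB_LOOP_COUNT` in the Cortex-A72 header later in this series. Keeping the whitespace re-alignment out of a security backport would also make the change easier to audit.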
diff --git a/lib/cpus/aarch64/cortex_a76.S b/lib/cpus/aarch64/cortex_a76.S
index 7bcdafd12..114d0f529 100644
--- a/lib/cpus/aarch64/cortex_a76.S
+++ b/lib/cpus/aarch64/cortex_a76.S
@@ -7,11 +7,11 @@
 #include <arch.h>
 #include <asm_macros.S>
 #include <common/bl_common.h>
-#include <context.h>
 #include <cortex_a76.h>
 #include <cpu_macros.S>
 #include <plat_macros.S>
 #include <services/arm_arch_svc.h>
+#include "wa_cve_2022_23960_bhb.S"
 
 /* Hardware handled coherency */
 #if HW_ASSISTED_COHERENCY == 0
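Review bot: This hunk drops `#include <context.h>` while the file still uses `CTX_GPREGS_OFFSET`, `CTX_GPREG_X2`, `CTX_GPREG_X29` and `CTX_CVE_2018_3639_OFFSET` in `apply_cve_2018_3639_wa` and `apply_cve_2018_3639_sync_wa`. Those definitions presumably now arrive through the newly included `wa_cve_2022_23960_bhb.S`, whose contents are in a patch skipped on this page, so the dependency is hidden. Keeping the direct `#include <context.h>` next to the new include would let the file keep building if that helper's own includes change.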
@@ -63,8 +63,10 @@
         */
        ldp     x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
        .endm
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
 
-vector_base cortex_a76_wa_cve_2018_3639_a76_vbar
+#if DYNAMIC_WORKAROUND_CVE_2018_3639 || WORKAROUND_CVE_2022_23960
+vector_base cortex_a76_wa_cve_vbar
 
        /* ---------------------------------------------------------------------
         * Current EL with SP_EL0 : 0x0 - 0x200
@@ -111,22 +113,54 @@ end_vector_entry cortex_a76_serror_sp_elx
         * ---------------------------------------------------------------------
         */
 vector_entry cortex_a76_sync_exception_aarch64
+
+#if WORKAROUND_CVE_2022_23960
+       apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
        apply_cve_2018_3639_wa _is_sync_exception=1 
_esr_el3_val=ESR_EL3_A64_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
        b       sync_exception_aarch64
 end_vector_entry cortex_a76_sync_exception_aarch64
 
 vector_entry cortex_a76_irq_aarch64
+
+#if WORKAROUND_CVE_2022_23960
+       apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
        apply_cve_2018_3639_wa _is_sync_exception=0 
_esr_el3_val=ESR_EL3_A64_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
        b       irq_aarch64
 end_vector_entry cortex_a76_irq_aarch64
 
 vector_entry cortex_a76_fiq_aarch64
+
+#if WORKAROUND_CVE_2022_23960
+       apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
        apply_cve_2018_3639_wa _is_sync_exception=0 
_esr_el3_val=ESR_EL3_A64_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
        b       fiq_aarch64
 end_vector_entry cortex_a76_fiq_aarch64
 
 vector_entry cortex_a76_serror_aarch64
+
+#if WORKAROUND_CVE_2022_23960
+       apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
        apply_cve_2018_3639_wa _is_sync_exception=0 
_esr_el3_val=ESR_EL3_A64_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
        b       serror_aarch64
 end_vector_entry cortex_a76_serror_aarch64
 
@@ -135,25 +169,59 @@ end_vector_entry cortex_a76_serror_aarch64
         * ---------------------------------------------------------------------
         */
 vector_entry cortex_a76_sync_exception_aarch32
+
+#if WORKAROUND_CVE_2022_23960
+       apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
        apply_cve_2018_3639_wa _is_sync_exception=1 
_esr_el3_val=ESR_EL3_A32_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
        b       sync_exception_aarch32
 end_vector_entry cortex_a76_sync_exception_aarch32
 
 vector_entry cortex_a76_irq_aarch32
+
+#if WORKAROUND_CVE_2022_23960
+       apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
        apply_cve_2018_3639_wa _is_sync_exception=0 
_esr_el3_val=ESR_EL3_A32_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
        b       irq_aarch32
 end_vector_entry cortex_a76_irq_aarch32
 
 vector_entry cortex_a76_fiq_aarch32
+
+#if WORKAROUND_CVE_2022_23960
+       apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
        apply_cve_2018_3639_wa _is_sync_exception=0 
_esr_el3_val=ESR_EL3_A32_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
        b       fiq_aarch32
 end_vector_entry cortex_a76_fiq_aarch32
 
 vector_entry cortex_a76_serror_aarch32
+
+#if WORKAROUND_CVE_2022_23960
+       apply_cve_2022_23960_bhb_wa CORTEX_A76_BHB_LOOP_COUNT
+#endif /* WORKAROUND_CVE_2022_23960 */
+
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
        apply_cve_2018_3639_wa _is_sync_exception=0 
_esr_el3_val=ESR_EL3_A32_SMC0
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639*/
+
        b       serror_aarch32
 end_vector_entry cortex_a76_serror_aarch32
+#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 || WORKAROUND_CVE_2022_23960 */
 
+#if DYNAMIC_WORKAROUND_CVE_2018_3639
        /*
         * -----------------------------------------------------------------
         * This function applies the mitigation for CVE-2018-3639
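Review bot: Nothing in these vector entries records that `apply_cve_2022_23960_bhb_wa` has to stay first. The advisory added in patch 1 says the loop runs on entry into EL3 before any branch instruction is executed, and `apply_cve_2018_3639_wa` now contains a `bl` in its sync path, so swapping the two `#if` blocks would silently break that ordering. A short comment on the first entry would protect it, e.g. `/* BHB loop must precede any branch, including the bl in apply_cve_2018_3639_wa */`; this applies equally to the AArch64 entries in the preceding hunk. Each entry now carries two macro expansions, so confirm that every entry still fits its vector slot with both build flags enabled.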
@@ -549,6 +617,15 @@ func check_errata_1165522
 #endif
 endfunc check_errata_1165522
 
+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+       mov     x0, #ERRATA_APPLIES
+#else
+       mov     x0, #ERRATA_MISSING
+#endif /* WORKAROUND_CVE_2022_23960 */
+       ret
+endfunc check_errata_cve_2022_23960
+
        /* -------------------------------------------------
         * The CPU Ops reset function for Cortex-A76.
         * Shall clobber: x0-x19
@@ -620,16 +697,31 @@ func cortex_a76_reset_func
         * The Cortex-A76 generic vectors are overwritten to use the vectors
         * defined above. This is required in order to apply mitigation
         * against CVE-2018-3639 on exception entry from lower ELs.
+        * If the below vector table is used, skip overriding it again for
+        *  CVE_2022_23960 as both use the same vbar.
         */
-       adr     x0, cortex_a76_wa_cve_2018_3639_a76_vbar
+       adr     x0, cortex_a76_wa_cve_vbar
        msr     vbar_el3, x0
        isb
+       b       2f
 #endif /* IMAGE_BL31 */
 
 1:
 #endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */
 #endif /* WORKAROUND_CVE_2018_3639 */
 
+#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
+       /*
+        * The Cortex-A76 generic vectors are overridden to apply errata
+        * mitigation on exception entry from lower ELs. This will be bypassed
+        * if DYNAMIC_WORKAROUND_CVE_2018_3639 has overridden the vectors.
+        */
+       adr     x0, cortex_a76_wa_cve_vbar
+       msr     vbar_el3, x0
+       isb
+#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
+2:
+
 #if ERRATA_DSU_798953
        bl      errata_dsu_798953_wa
 #endif
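Review bot: With both `DYNAMIC_WORKAROUND_CVE_2018_3639` and `WORKAROUND_CVE_2022_23960` set, a branch to `1:` no longer leaves the generic vectors in place. Whatever condition jumps to `1:` (outside this hunk) skips the CVE-2018-3639 vector install, but execution then falls into the new block, which installs the same `cortex_a76_wa_cve_vbar`. Its entries still expand `apply_cve_2018_3639_wa` whenever `DYNAMIC_WORKAROUND_CVE_2018_3639` is compiled in. If the skip exists because the dynamic workaround is not wanted on that core, the shared table would reintroduce it. Please confirm this is intended and record it in the new comment, e.g. `* Note: the shared table also runs the CVE-2018-3639 entry code when that option is built in.` `cortex_a76_reset_func` starts and ends outside the hunk.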
@@ -686,6 +778,7 @@ func cortex_a76_errata_report
        report_errata WORKAROUND_CVE_2018_3639, cortex_a76, cve_2018_3639
        report_errata ERRATA_DSU_798953, cortex_a76, dsu_798953
        report_errata ERRATA_DSU_936184, cortex_a76, dsu_936184
+       report_errata WORKAROUND_CVE_2022_23960, cortex_a76, cve_2022_23960
 
        ldp     x8, x30, [sp], #16
        ret
-- 
2.26.2


++++++ 0005-fix-security-workaround-for-CVE-2022-23960-for-Corte.patch ++++++
>From 6d23d523a55f10394e96802ab9d7c981d3b4bc9f Mon Sep 17 00:00:00 2001
From: Bipin Ravi <bipin.r...@arm.com>
Date: Tue, 15 Feb 2022 23:24:51 -0600
Subject: [PATCH 5/6] fix(security): workaround for CVE-2022-23960 for
 Cortex-A57, Cortex-A72

Implements mitigation for Cortex-A72 CPU versions that support
the CSV2 feature(from r1p0). It also applies the mitigation for
Cortex-A57 CPU.

Signed-off-by: Bipin Ravi <bipin.r...@arm.com>
Change-Id: I7cfcf06537710f144f6e849992612033ddd79d33
---
 include/lib/cpus/aarch64/cortex_a72.h |  5 +++-
 lib/cpus/aarch64/cortex_a57.S         | 17 ++++++++++++-
 lib/cpus/aarch64/cortex_a72.S         | 36 ++++++++++++++++++++++++---
 3 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/include/lib/cpus/aarch64/cortex_a72.h 
b/include/lib/cpus/aarch64/cortex_a72.h
index 28b440e19..17776458b 100644
--- a/include/lib/cpus/aarch64/cortex_a72.h
+++ b/include/lib/cpus/aarch64/cortex_a72.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -12,6 +12,9 @@
 /* Cortex-A72 midr for revision 0 */
 #define CORTEX_A72_MIDR                                U(0x410FD080)
 
+/* Cortex-A72 loop count for CVE-2022-23960 mitigation */
+#define CORTEX_A72_BHB_LOOP_COUNT                      U(8)
+
 
/*******************************************************************************
  * CPU Extended Control register specific definitions.
  
******************************************************************************/
diff --git a/lib/cpus/aarch64/cortex_a57.S b/lib/cpus/aarch64/cortex_a57.S
index 8ef0f922a..4120f119e 100644
--- a/lib/cpus/aarch64/cortex_a57.S
+++ b/lib/cpus/aarch64/cortex_a57.S
@@ -470,7 +470,12 @@ func cortex_a57_reset_func
        bl      errata_a57_859972_wa
 #endif
 
-#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715
+#if IMAGE_BL31 && ( WORKAROUND_CVE_2017_5715 || WORKAROUND_CVE_2022_23960 )
+       /* ---------------------------------------------------------------
+        * Override vector table & enable existing workaround if either of
+        * the build flags are enabled
+        * ---------------------------------------------------------------
+        */
        adr     x0, wa_cve_2017_5715_mmu_vbar
        msr     vbar_el3, x0
        /* isb will be performed before returning from this function */
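Review bot: The widened guard installs `wa_cve_2017_5715_mmu_vbar` when only `WORKAROUND_CVE_2022_23960` is set, but nothing visible here shows that this vector table is still built when `WORKAROUND_CVE_2017_5715` is 0. If its definition remains conditional on the older flag, that configuration would either fail to link or install a table without the expected mitigation code; this may be handled in the patches skipped on this page. The Cortex-A72 reset hunk later in this patch references the same symbol under the same condition. The new comment could also say why the older table is reused, e.g. `* The CVE-2017-5715 vectors are reused as the CVE-2022-23960 mitigation on Cortex-A57 (see advisory TFV-9)`. `cortex_a57_reset_func` continues outside the hunk.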
@@ -506,6 +511,15 @@ func cortex_a57_reset_func
        ret     x19
 endfunc cortex_a57_reset_func
 
+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+       mov     x0, #ERRATA_APPLIES
+#else
+       mov     x0, #ERRATA_MISSING
+#endif
+       ret
+endfunc check_errata_cve_2022_23960
+
        /* ----------------------------------------------------
         * The CPU Ops core power down function for Cortex-A57.
         * ----------------------------------------------------
@@ -630,6 +644,7 @@ func cortex_a57_errata_report
        report_errata ERRATA_A57_1319537, cortex_a57, 1319537
        report_errata WORKAROUND_CVE_2017_5715, cortex_a57, cve_2017_5715
        report_errata WORKAROUND_CVE_2018_3639, cortex_a57, cve_2018_3639
+       report_errata WORKAROUND_CVE_2022_23960, cortex_a57, cve_2022_23960
 
        ldp     x8, x30, [sp], #16
        ret
diff --git a/lib/cpus/aarch64/cortex_a72.S b/lib/cpus/aarch64/cortex_a72.S
index aff6072a0..3dc44805e 100644
--- a/lib/cpus/aarch64/cortex_a72.S
+++ b/lib/cpus/aarch64/cortex_a72.S
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -9,6 +9,11 @@
 #include <cortex_a72.h>
 #include <cpu_macros.S>
 #include <plat_macros.S>
+#include "wa_cve_2022_23960_bhb_vector.S"
+
+#if WORKAROUND_CVE_2022_23960
+       wa_cve_2022_23960_bhb_vector_table CORTEX_A72_BHB_LOOP_COUNT, cortex_a72
+#endif /* WORKAROUND_CVE_2022_23960 */
 
        /* ---------------------------------------------
         * Disable L1 data cache and unified L2 cache
@@ -133,6 +138,15 @@ func check_errata_1319367
        ret
 endfunc check_errata_1319367
 
+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+       mov     x0, #ERRATA_APPLIES
+#else
+       mov     x0, #ERRATA_MISSING
+#endif
+       ret
+endfunc check_errata_cve_2022_23960
+
        /* -------------------------------------------------
         * The CPU Ops reset function for Cortex-A72.
         * -------------------------------------------------
@@ -147,13 +161,28 @@ func cortex_a72_reset_func
        bl      errata_a72_859971_wa
 #endif
 
-#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715
+#if IMAGE_BL31 && (WORKAROUND_CVE_2017_5715 || WORKAROUND_CVE_2022_23960)
        cpu_check_csv2  x0, 1f
        adr     x0, wa_cve_2017_5715_mmu_vbar
        msr     vbar_el3, x0
        /* isb will be performed before returning from this function */
+
+       /* Skip CVE_2022_23960 mitigation if cve_2017_5715 mitigation applied */
+       b       2f
 1:
-#endif
+#if WORKAROUND_CVE_2022_23960
+       /*
+        * The Cortex-A72 generic vectors are overridden to apply the
+         * mitigation on exception entry from lower ELs for revisions >= r1p0
+        * which has CSV2 implemented.
+        */
+       adr     x0, wa_cve_vbar_cortex_a72
+       msr     vbar_el3, x0
+
+       /* isb will be performed before returning from this function */
+#endif /* WORKAROUND_CVE_2022_23960 */
+2:
+#endif /* IMAGE_BL31 &&  (WORKAROUND_CVE_2017_5715 || 
WORKAROUND_CVE_2022_23960) */
 
 #if WORKAROUND_CVE_2018_3639
        mrs     x0, CORTEX_A72_CPUACTLR_EL1
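Review bot: The comment on `b 2f`, `Skip CVE_2022_23960 mitigation if cve_2017_5715 mitigation applied`, reads as if CVE-2022-23960 is left unmitigated on that path. From the commit message and the advisory, the fall-through path appears to be the revisions without CSV2, where the CVE-2017-5715 vectors serve as the mitigation. Suggest `/* No CSV2: the CVE-2017-5715 vectors also cover CVE-2022-23960, so skip the loop-workaround table */`. The comment block above `adr x0, wa_cve_vbar_cortex_a72` also has one line indented with spaces where its neighbours use a tab. `cortex_a72_reset_func` starts and ends outside the hunk.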
@@ -299,6 +328,7 @@ func cortex_a72_errata_report
        report_errata ERRATA_A72_1319367, cortex_a72, 1319367
        report_errata WORKAROUND_CVE_2017_5715, cortex_a72, cve_2017_5715
        report_errata WORKAROUND_CVE_2018_3639, cortex_a72, cve_2018_3639
+       report_errata WORKAROUND_CVE_2022_23960, cortex_a72, cve_2022_23960
 
        ldp     x8, x30, [sp], #16
        ret
-- 
2.26.2


++++++ 0006-fix-security-SMCCC_ARCH_WORKAROUND_3-mitigations-for.patch ++++++
++++ 619 lines (skipped)
