diff options
| author | Dimitris Papastamos <dimitris.papastamos@arm.com> | 2017-12-18 13:46:21 +0000 |
|---|---|---|
| committer | Kostya Porotchkin <kostap@marvell.com> | 2018-04-16 14:06:06 +0300 |
| commit | 1186130161bc536f99f1429801ea6efa2aff6aa0 (patch) | |
| tree | 3b7dd1a6e880cd319ab2a26033c081b98b2d59fd /lib/cpus/aarch64/cortex_a73.S | |
| parent | 56b415ddf910476b91ce8675f91c4c87b0536e8e (diff) | |
Workaround for CVE-2017-5715 on Cortex A73 and A75
Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
temporarily dropping into AArch32 Secure-EL1 and executing the
`BPIALL` instruction.
This is achieved by using 3 vector tables. There is the runtime
vector table which is used to handle exceptions and 2 additional
tables which are required to implement this workaround. The
additional tables are `vbar0` and `vbar1`.
The sequence of events for handling a single exception is
as follows:
1) Install vector table `vbar0` which saves the CPU context on entry
to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
with the MMU disabled and I$ enabled. This is the default vector table.
2) Before doing an ERET into Secure-EL1, switch vbar to point to
another vector table `vbar1`. This is required to restore EL3 state
when returning from the workaround, before proceeding with normal EL3
exception handling.
3) While in Secure-EL1, the `BPIALL` instruction is executed and an
SMC call back to EL3 is performed.
4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
restored. The vbar is switched to point to `vbar0` in preparation to
handle further exceptions. Finally a branch to the runtime vector
table entry is taken to complete the handling of the original
exception.
This workaround is enabled by default on the affected CPUs.
NOTE
====
There are 4 different stubs in Secure-EL1. Each stub corresponds to
an exception type such as Sync/IRQ/FIQ/SError. Each stub will move a
different value in `R0` before doing an SMC call back into EL3.
Without this piece of information it would not be possible to know
what the original exception type was as we cannot use `ESR_EL3` to
distinguish between IRQs and FIQs.
Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Reviewed-on: http://vgitil04.il.marvell.com:8080/53232
Tested-by: iSoC Platform CI <ykjenk@marvell.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
Diffstat (limited to 'lib/cpus/aarch64/cortex_a73.S')
| -rw-r--r-- | lib/cpus/aarch64/cortex_a73.S | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/cpus/aarch64/cortex_a73.S b/lib/cpus/aarch64/cortex_a73.S index 34414c2b..11680a09 100644 --- a/lib/cpus/aarch64/cortex_a73.S +++ b/lib/cpus/aarch64/cortex_a73.S @@ -36,6 +36,11 @@ func cortex_a73_disable_smp endfunc cortex_a73_disable_smp func cortex_a73_reset_func +#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715 + adr x0, workaround_bpiall_vbar0_runtime_exceptions + msr vbar_el3, x0 +#endif + /* --------------------------------------------- * Enable the SMP bit. * Clobbers : x0 |