author Dimitris Papastamos <dimitris.papastamos@arm.com> 2017-12-18 13:46:21 +0000
committer Kostya Porotchkin <kostap@marvell.com> 2018-04-16 14:06:06 +0300
commit 1186130161bc536f99f1429801ea6efa2aff6aa0
tree 3b7dd1a6e880cd319ab2a26033c081b98b2d59fd /lib/cpus/aarch64/cortex_a75.S
parent 56b415ddf910476b91ce8675f91c4c87b0536e8e
Workaround for CVE-2017-5715 on Cortex A73 and A75

Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
temporarily dropping into AArch32 Secure-EL1 and executing the
`BPIALL` instruction.

This is achieved by using 3 vector tables. There is the runtime
vector table which is used to handle exceptions and 2 additional
tables which are required to implement this workaround. The
additional tables are `vbar0` and `vbar1`.

The sequence of events for handling a single exception is
as follows:

1) Install vector table `vbar0` which saves the CPU context on entry
   to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
   with the MMU disabled and I$ enabled. This is the default vector table.

2) Before doing an ERET into Secure-EL1, switch vbar to point to
   another vector table `vbar1`. This is required to restore EL3 state
   when returning from the workaround, before proceeding with normal EL3
   exception handling.

3) While in Secure-EL1, the `BPIALL` instruction is executed and an
   SMC call back to EL3 is performed.

4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
   restored. The vbar is switched to point to `vbar0` in preparation to
   handle further exceptions. Finally a branch to the runtime vector
   table entry is taken to complete the handling of the original
   exception.

This workaround is enabled by default on the affected CPUs.

NOTE
====

There are 4 different stubs in Secure-EL1. Each stub corresponds to
an exception type such as Sync/IRQ/FIQ/SError. Each stub will move a
different value in `R0` before doing an SMC call back into EL3.
Without this piece of information it would not be possible to know
what the original exception type was as we cannot use `ESR_EL3` to
distinguish between IRQs and FIQs.

Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Reviewed-on: http://vgitil04.il.marvell.com:8080/53232
Tested-by: iSoC Platform CI <ykjenk@marvell.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>

Diffstat (limited to 'lib/cpus/aarch64/cortex_a75.S')
-rw-r--r-- lib/cpus/aarch64/cortex_a75.S 10
1 files changed, 0 insertions, 10 deletions
diff --git a/lib/cpus/aarch64/cortex_a75.S b/lib/cpus/aarch64/cortex_a75.S
index 3825ae47..de1cfda4 100644
--- a/lib/cpus/aarch64/cortex_a75.S
+++ b/lib/cpus/aarch64/cortex_a75.S
@@ -111,18 +111,8 @@ endfunc cortex_a75_amu_write_cpuamcntenclr_el0
func cortex_a75_reset_func
#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715
- mrs x0, id_aa64pfr0_el1
- ubfx x0, x0, #ID_AA64PFR0_CSV2_SHIFT, #ID_AA64PFR0_CSV2_LENGTH
- /*
- * If the field equals to 1 then branch targets trained in one
- * context cannot affect speculative execution in a different context.
- */
- cmp x0, #1
- beq 1f
-
adr x0, workaround_bpiall_vbar0_runtime_exceptions
msr vbar_el3, x0
-1:
#endif
#if ENABLE_AMU
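
Review bot: the removal of the `id_aa64pfr0_el1` CSV2 test at the top of `cortex_a75_reset_func` makes the `msr vbar_el3, x0` install of `workaround_bpiall_vbar0_runtime_exceptions` unconditional, so parts that report CSV2 == 1 now take the workaround path as well, and the commit message does not mention this. Per the deleted comment, CSV2 == 1 means branch targets trained in one context cannot affect speculative execution in a different context, so on those parts every exception entry to EL3 would pay for the detour through AArch32 Secure-EL1 and `BPIALL` described in the commit message with nothing to gain. Either keep the `cmp x0, #1` / `beq 1f` skip, or state in the commit message why the check is dropped in this tree.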