fix(security): workaround for CVE-2022-23960 for Cortex-X1
Implements the loop workaround for Cortex-X1.
Signed-off-by: Okash Khawaja <okash@google.com>
Change-Id: I5828a26c1ec3cfb718246ea5c3b099dabc0fb3d7
diff --git a/lib/cpus/aarch64/cortex_x1.S b/lib/cpus/aarch64/cortex_x1.S
index c8bc190..9a7f666 100644
--- a/lib/cpus/aarch64/cortex_x1.S
+++ b/lib/cpus/aarch64/cortex_x1.S
@@ -7,6 +7,7 @@
#include <asm_macros.S>
#include <cortex_x1.h>
#include <cpu_macros.S>
+#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0
@@ -18,6 +19,10 @@
#error "Cortex-X1 supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif
+#if WORKAROUND_CVE_2022_23960
+ wa_cve_2022_23960_bhb_vector_table CORTEX_X1_BHB_LOOP_COUNT, cortex_x1
+#endif /* WORKAROUND_CVE_2022_23960 */
+
/* --------------------------------------------------
* Errata Workaround for X1 Erratum 1821534.
* This applies to revision r0p0 and r1p0 of X1.
@@ -101,6 +106,15 @@
b cpu_rev_var_ls
endfunc check_errata_1827429
+func check_errata_cve_2022_23960
+#if WORKAROUND_CVE_2022_23960
+ mov x0, #ERRATA_APPLIES
+#else
+ mov x0, #ERRATA_MISSING
+#endif
+ ret
+endfunc check_errata_cve_2022_23960
+
/* -------------------------------------------------
* The CPU Ops reset function for Cortex-X1.
* Shall clobber: x0-x19
@@ -126,6 +140,15 @@
bl errata_x1_1827429_wa
#endif
+#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
+ /*
+ * The Cortex-X1 generic vectors are overridden to apply errata
+ * mitigation on exception entry from lower ELs.
+ */
+ adr x0, wa_cve_vbar_cortex_x1
+ msr vbar_el3, x0
+#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
+
isb
ret x19
endfunc cortex_x1_reset_func
@@ -163,6 +186,7 @@
report_errata ERRATA_X1_1821534, cortex_x1, 1821534
report_errata ERRATA_X1_1688305, cortex_x1, 1688305
report_errata ERRATA_X1_1827429, cortex_x1, 1827429
+ report_errata WORKAROUND_CVE_2022_23960, cortex_x1, cve_2022_23960
ldp x8, x30, [sp], #16
ret