Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / c52ebdcefc3769a82cf3877e160477335716149a^! / . / bl31 / bl31.mk
commitc52ebdcefc3769a82cf3877e160477335716149a[log] [tgz]
authorDimitris Papastamos <dimitris.papastamos@arm.com>Mon Dec 18 13:46:21 2017 +0000
committerDimitris Papastamos <dimitris.papastamos@arm.com>Thu Jan 11 10:26:15 2018 +0000
tree134af9ccff89ab1d2ddac0624d80bb1c18349646
parent446f7f10ff7e60e0cad42c06a0c922bb5f22994f [diff] [blame]
Workaround for CVE-2017-5715 on Cortex A73 and A75

Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
temporarily dropping into AArch32 Secure-EL1 and executing the
`BPIALL` instruction.

This is achieved by using 3 vector tables.  There is the runtime
vector table which is used to handle exceptions and 2 additional
tables which are required to implement this workaround.  The
additional tables are `vbar0` and `vbar1`.

The sequence of events for handling a single exception is
as follows:

1) Install vector table `vbar0` which saves the CPU context on entry
   to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
   with the MMU disabled and I$ enabled.  This is the default vector table.

2) Before doing an ERET into Secure-EL1, switch vbar to point to
   another vector table `vbar1`.  This is required to restore EL3 state
   when returning from the workaround, before proceeding with normal EL3
   exception handling.

3) While in Secure-EL1, the `BPIALL` instruction is executed and an
   SMC call back to EL3 is performed.

4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
   restored.  The vbar is switched to point to `vbar0` in preparation to
   handle further exceptions.  Finally a branch to the runtime vector
   table entry is taken to complete the handling of the original
   exception.

This workaround is enabled by default on the affected CPUs.

NOTE
====

There are 4 different stubs in Secure-EL1.  Each stub corresponds to
an exception type such as Sync/IRQ/FIQ/SError.  Each stub will move a
different value in `R0` before doing an SMC call back into EL3.
Without this piece of information it would not be possible to know
what the original exception type was as we cannot use `ESR_EL3` to
distinguish between IRQs and FIQs.

Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

diff --git a/bl31/bl31.mk b/bl31/bl31.mk
index 0732e05..8ff8f89 100644
--- a/bl31/bl31.mk
+++ b/bl31/bl31.mk

@@ -59,7 +59,8 @@
 endif
 
 ifeq (${WORKAROUND_CVE_2017_5715},1)
-BL31_SOURCES		+=	lib/cpus/aarch64/workaround_cve_2017_5715_mmu.S
+BL31_SOURCES		+=	lib/cpus/aarch64/workaround_cve_2017_5715_mmu.S		\
+				lib/cpus/aarch64/workaround_cve_2017_5715_bpiall.S
 endif
 
 BL31_LINKERFILE		:=	bl31/bl31.ld.S