|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen master] xen/arm: Add Cortex-A77 erratum 1508412 handling
commit bd3ddaf6ee7fa312bd077305819105f84a34008d
Author: Luca Fancellu <luca.fancellu@xxxxxxx>
AuthorDate: Mon Jul 17 13:25:46 2023 +0100
Commit: Julien Grall <jgrall@xxxxxxxxxx>
CommitDate: Tue Aug 8 08:50:17 2023 +0100
xen/arm: Add Cortex-A77 erratum 1508412 handling
Cortex-A77 cores (r0p0, r1p0) could deadlock on a sequence of a
store-exclusive or read of PAR_EL1 and a load with device or non-cacheable
memory attributes.
A workaround is available, but it depends on a firmware counterpart.
The proposed workaround from the errata document is to modify the software
running at EL1 and above to include a DMB SY before and after accessing
PAR_EL1.
In conjunction to the above, the firmware needs to use a specific write
sequence to several IMPLEMENTATION DEFINED registers to have the hardware
insert a DMB SY after all load-exclusive and store-exclusive instructions.
Apply the workaround to Xen where PAR_EL1 is read, implementing an helper
function to do that.
Since Xen can be interrupted by irqs in any moment, add a barrier on
entry/exit when we are running on the affected cores.
A guest without the workaround can deadlock the system, so warn the users
of Xen with the above type of cores to use only trusted guests, by
printing a message on Xen startup.
This is XSA-436 / CVE-2023-34320.
Signed-off-by: Luca Fancellu <luca.fancellu@xxxxxxx>
Reviewed-by: Bertrand Marquis <bertrand.marquis@xxxxxxx>
Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
---
SUPPORT.md | 2 ++
docs/misc/arm/silicon-errata.txt | 1 +
xen/arch/arm/Kconfig | 21 +++++++++++++++++++++
xen/arch/arm/arm64/entry.S | 19 +++++++++++++++++++
xen/arch/arm/cpuerrata.c | 16 ++++++++++++----
xen/arch/arm/domain.c | 2 +-
xen/arch/arm/include/asm/arm64/page.h | 12 ++++++------
xen/arch/arm/include/asm/cpufeature.h | 3 ++-
xen/arch/arm/include/asm/sysregs.h | 24 ++++++++++++++++++++++++
9 files changed, 88 insertions(+), 12 deletions(-)
diff --git a/SUPPORT.md b/SUPPORT.md
index 35a6249e03..1c9f0b7d8c 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -39,8 +39,10 @@ supported in this document.
Status: Supported
Status, Cortex A57 r0p0-r1p1: Supported, not security supported
+ Status, Cortex A77 r0p0-r1p0: Supported, not security supported
For the Cortex A57 r0p0 - r1p1, see Errata 832075.
+For the Cortex A77 r0p0 - r1p0, see Errata 1508412.
## Host hardware support
diff --git a/docs/misc/arm/silicon-errata.txt b/docs/misc/arm/silicon-errata.txt
index a7abcc1ba1..fffca09656 100644
--- a/docs/misc/arm/silicon-errata.txt
+++ b/docs/misc/arm/silicon-errata.txt
@@ -58,4 +58,5 @@ stable hypervisors.
| ARM | Cortex-A76 | #1286807 | ARM64_ERRATUM_1286807
|
| ARM | Neoverse-N1 | #1165522 | N/A
|
| ARM | Neoverse-N1 | #1286807 | ARM64_ERRATUM_1286807
|
+| ARM | Cortex-A77 | #1508412 | ARM64_ERRATUM_1508412
|
| ARM | MMU-500 | #842869 | N/A
|
diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
index fd57a82dd2..57bd1d01d7 100644
--- a/xen/arch/arm/Kconfig
+++ b/xen/arch/arm/Kconfig
@@ -355,6 +355,27 @@ config ARM64_ERRATUM_1286807
If unsure, say Y.
+config ARM64_ERRATUM_1508412
+ bool "Cortex-A77: 1508412: possible deadlock on sequence of NC/Device
load and store exclusive or PAR read"
+ default y
+ depends on ARM_64
+ help
+ This option adds a workaround for Arm Cortex-A77 erratum 1508412.
+
+ Affected Cortex-A77 cores (r0p0, r1p0) could deadlock on a sequence
+ of a store-exclusive or read of PAR_EL1 and a load with device or
+ non-cacheable memory attributes. The workaround depends on a firmware
+ counterpart.
+
+ Xen guests must also have the workaround implemented or they can
+ deadlock the system.
+
+ Work around the issue by inserting DMB SY barriers around PAR_EL1
+ register reads and warning Xen users. The DMB barrier is sufficient
+ to prevent a speculative PAR_EL1 read.
+
+ If unsure, say Y.
+
endmenu
config ARM64_HARDEN_BRANCH_PREDICTOR
diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S
index 523c6d23d9..f963c923bb 100644
--- a/xen/arch/arm/arm64/entry.S
+++ b/xen/arch/arm/arm64/entry.S
@@ -134,6 +134,16 @@
* position on the stack before.
*/
.macro entry, hyp, compat, save_x0_x1=1
+
+ /*
+ * Ensure any PAR_EL1 reads complete, in case we were interrupted
+ * between the PAR_EL1 read and the memory barrier for the erratum
+ * 1508412 workaround.
+ */
+ alternative_if ARM64_WORKAROUND_1508412
+ dmb sy
+ alternative_else_nop_endif
+
sub sp, sp, #(UREGS_SPSR_el1 - UREGS_LR) /* CPSR, PC, SP, LR */
.if \hyp == 0 /* Guest mode */
@@ -503,6 +513,15 @@ return_from_trap:
ldr lr, [sp], #(UREGS_SPSR_el1 - UREGS_LR) /* CPSR, PC, SP, LR */
+ /*
+ * Ensure any device/NC reads complete, in case we were interrupted
+ * between the memory barrier for the erratum 1508412 workaround and
+ * any PAR_EL1 read.
+ */
+ alternative_if ARM64_WORKAROUND_1508412
+ dmb sy
+ alternative_else_nop_endif
+
eret
sb
diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c
index d0658aedb6..fcf32892a7 100644
--- a/xen/arch/arm/cpuerrata.c
+++ b/xen/arch/arm/cpuerrata.c
@@ -669,6 +669,14 @@ static const struct arm_cpu_capabilities arm_errata[] = {
.capability = ARM64_WORKAROUND_AT_SPECULATE,
MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
},
+#ifdef CONFIG_ARM64_ERRATUM_1508412
+ {
+ /* Cortex-A77 r0p0 - r1p0 */
+ .desc = "ARM erratum 1508412 (hypervisor portion)",
+ .capability = ARM64_WORKAROUND_1508412,
+ MIDR_RANGE(MIDR_CORTEX_A77, 0, 1),
+ },
+#endif
{
/* Cortex-A55 (All versions as erratum is open in SDEN v14) */
.desc = "ARM erratum 1530923",
@@ -687,11 +695,11 @@ void __init enable_errata_workarounds(void)
{
enable_cpu_capabilities(arm_errata);
-#ifdef CONFIG_ARM64_ERRATUM_832075
- if ( cpus_have_cap(ARM64_WORKAROUND_DEVICE_LOAD_ACQUIRE) )
+#if defined(CONFIG_ARM64_ERRATUM_832075) ||
defined(CONFIG_ARM64_ERRATUM_1508412)
+ if ( cpus_have_cap(ARM64_WORKAROUND_DEVICE_LOAD_ACQUIRE) ||
+ cpus_have_cap(ARM64_WORKAROUND_1508412) )
{
- printk_once("**** This CPU is affected by the errata 832075.
****\n"
- "**** Guests without CPU erratum workarounds can deadlock
the system! ****\n"
+ printk_once("**** Guests without CPU erratum workarounds can deadlock
the system! ****\n"
"**** Only trusted guests should be used.
****\n");
/* Taint the machine has being insecure */
diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index 3ae86ca620..6113ca785c 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -131,7 +131,7 @@ static void ctxt_switch_from(struct vcpu *p)
p->arch.ttbr1 = READ_SYSREG64(TTBR1_EL1);
if ( is_32bit_domain(p->domain) )
p->arch.dacr = READ_SYSREG(DACR32_EL2);
- p->arch.par = READ_SYSREG64(PAR_EL1);
+ p->arch.par = read_sysreg_par();
#if defined(CONFIG_ARM_32)
p->arch.mair0 = READ_CP32(MAIR0);
p->arch.mair1 = READ_CP32(MAIR1);
diff --git a/xen/arch/arm/include/asm/arm64/page.h
b/xen/arch/arm/include/asm/arm64/page.h
index 4f58c0382a..e944985ee0 100644
--- a/xen/arch/arm/include/asm/arm64/page.h
+++ b/xen/arch/arm/include/asm/arm64/page.h
@@ -37,11 +37,11 @@ static inline void invalidate_icache_local(void)
/* Ask the MMU to translate a VA for us */
static inline uint64_t __va_to_par(vaddr_t va)
{
- uint64_t par, tmp = READ_SYSREG64(PAR_EL1);
+ uint64_t par, tmp = read_sysreg_par();
asm volatile ("at s1e2r, %0;" : : "r" (va));
isb();
- par = READ_SYSREG64(PAR_EL1);
+ par = read_sysreg_par();
WRITE_SYSREG64(tmp, PAR_EL1);
return par;
}
@@ -49,28 +49,28 @@ static inline uint64_t __va_to_par(vaddr_t va)
/* Ask the MMU to translate a Guest VA for us */
static inline uint64_t gva_to_ma_par(vaddr_t va, unsigned int flags)
{
- uint64_t par, tmp = READ_SYSREG64(PAR_EL1);
+ uint64_t par, tmp = read_sysreg_par();
if ( (flags & GV2M_WRITE) == GV2M_WRITE )
asm volatile ("at s12e1w, %0;" : : "r" (va));
else
asm volatile ("at s12e1r, %0;" : : "r" (va));
isb();
- par = READ_SYSREG64(PAR_EL1);
+ par = read_sysreg_par();
WRITE_SYSREG64(tmp, PAR_EL1);
return par;
}
static inline uint64_t gva_to_ipa_par(vaddr_t va, unsigned int flags)
{
- uint64_t par, tmp = READ_SYSREG64(PAR_EL1);
+ uint64_t par, tmp = read_sysreg_par();
if ( (flags & GV2M_WRITE) == GV2M_WRITE )
asm volatile ("at s1e1w, %0;" : : "r" (va));
else
asm volatile ("at s1e1r, %0;" : : "r" (va));
isb();
- par = READ_SYSREG64(PAR_EL1);
+ par = read_sysreg_par();
WRITE_SYSREG64(tmp, PAR_EL1);
return par;
}
diff --git a/xen/arch/arm/include/asm/cpufeature.h
b/xen/arch/arm/include/asm/cpufeature.h
index 894f278a4a..8011076b8c 100644
--- a/xen/arch/arm/include/asm/cpufeature.h
+++ b/xen/arch/arm/include/asm/cpufeature.h
@@ -75,8 +75,9 @@
#define ARM_WORKAROUND_BHB_LOOP_32 14
#define ARM_WORKAROUND_BHB_SMCC_3 15
#define ARM_HAS_SB 16
+#define ARM64_WORKAROUND_1508412 17
-#define ARM_NCAPS 17
+#define ARM_NCAPS 18
#ifndef __ASSEMBLY__
diff --git a/xen/arch/arm/include/asm/sysregs.h
b/xen/arch/arm/include/asm/sysregs.h
index 5c5c51bbcd..61e30c9e51 100644
--- a/xen/arch/arm/include/asm/sysregs.h
+++ b/xen/arch/arm/include/asm/sysregs.h
@@ -9,6 +9,30 @@
# error "unknown ARM variant"
#endif
+#ifndef __ASSEMBLY__
+
+#include <asm/alternative.h>
+
+static inline register_t read_sysreg_par(void)
+{
+ register_t par_el1;
+
+ /*
+ * On Cortex-A77 r0p0 and r1p0, read access to PAR_EL1 shall include a
+ * DMB SY before and after accessing it, as part of the workaround for the
+ * errata 1508412.
+ */
+ asm volatile(ALTERNATIVE("nop", "dmb sy", ARM64_WORKAROUND_1508412,
+ CONFIG_ARM64_ERRATUM_1508412));
+ par_el1 = READ_SYSREG64(PAR_EL1);
+ asm volatile(ALTERNATIVE("nop", "dmb sy", ARM64_WORKAROUND_1508412,
+ CONFIG_ARM64_ERRATUM_1508412));
+
+ return par_el1;
+}
+
+#endif /* !__ASSEMBLY__ */
+
#endif /* __ASM_ARM_SYSREGS_H */
/*
* Local variables:
--
generated by git-patchbot for /home/xen/git/xen.git#master
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |