Message ID | 20180612202411.29798-1-nm@ti.com |
---|---|
Series | ARM: Provide workaround setup bits for CVE-2017-5715 (A8/A15) |

On 06/12/2018 10:24 PM, Nishanth Menon wrote:
> Hi,
>
> This is a follow on from https://marc.info/?l=u-boot&m=151691688828176&w=2 (RFC)
>
> NOTE:
> * As per ARM recommendations[2], and discussions in list[1] ARM
>   Cortex-A9/12/17 do not need additional steps in u-boot to enable the
>   OS level workarounds.
> * This itself isn't a complete solution and is based on recommendation
>   This from Arm[2] for variant 2 CVE-2017-5715 -> Kernel changes can be seen on
>   linux next (next-20180612) or on linux master (upcoming v4.18-rc1 tag).
> * I think it is necessary on older SoCs without firmware support
>   (such as older OMAPs and AM*) to have kernel support mirroring what we do in
>   u-boot to support additional cores AND/OR low power states where contexts are
>   lost (assuming ACR states aren't saved). just my 2 cents.
>
> Few of the tests (with linux next-20180612):
> AM571-IDK: https://pastebin.ubuntu.com/p/sr5X6sN3Tr/ (single core A15)
> OMAP5-uEVM: https://pastebin.ubuntu.com/p/9yDM22bJ6n/ (dual core A15)
> OMAP3-beagle-xm: https://pastebin.ubuntu.com/p/9DfDkpyxym/ (Single A8)
> AM335x-Beaglebone-black: https://pastebin.ubuntu.com/p/DczT9jPMwb/ (Single A8)
>
> Nishanth Menon (4):
>   ARM: Introduce ability to enable ACR::IBE on Cortex-A8 for
>     CVE-2017-5715
>   ARM: Introduce ability to enable invalidate of BTB with ICIALLU on
>     Cortex-A15 for CVE-2017-5715
>   ARM: mach-omap2: omap5/dra7: Enable ACTLR[0] (Enable invalidates of
>     BTB) to facilitate CVE_2017-5715 WA in OS
>   ARM: mach-omap2: omap3/am335x: Enable ACR::IBE on Cortex-A8 SoCs for
>     CVE-2017-5715
>
>  arch/arm/Kconfig            |  9 +++++++++
>  arch/arm/cpu/armv7/start.S  | 15 +++++++++++++--
>  arch/arm/mach-omap2/Kconfig |  3 +++
>  3 files changed, 25 insertions(+), 2 deletions(-)
>
> [1] https://marc.info/?t=151639906500002&r=1&w=2
> [2] https://developer.arm.com/support/security-update
> [3] https://marc.info/?t=151543790400007&r=1&w=2 and the latest in:
>     https://marc.info/?l=linux-arm-kernel&m=151689379521082&w=2
> [4]
> https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Security-Advisory-TFV-6
> https://www.op-tee.org/security-advisories/
> https://www.linaro.org/blog/meltdown-spectre/
>

Except for that minor insignificant nit about BIT() macro, entire series

Acked-by: Marek Vasut <marek.vasut@gmail.com>

On Tue, Jun 12, 2018 at 03:24:07PM -0500, Nishanth Menon wrote:
> Hi,
>
> This is a follow on from https://marc.info/?l=u-boot&m=151691688828176&w=2 (RFC)
>
> NOTE:
> * As per ARM recommendations[2], and discussions in list[1] ARM
>   Cortex-A9/12/17 do not need additional steps in u-boot to enable the
>   OS level workarounds.
> * This itself isn't a complete solution and is based on recommendation
>   This from Arm[2] for variant 2 CVE-2017-5715 -> Kernel changes can be seen on
>   linux next (next-20180612) or on linux master (upcoming v4.18-rc1 tag).
> * I think it is necessary on older SoCs without firmware support
>   (such as older OMAPs and AM*) to have kernel support mirroring what we do in
>   u-boot to support additional cores AND/OR low power states where contexts are
>   lost (assuming ACR states aren't saved). just my 2 cents.
>
> Few of the tests (with linux next-20180612):
> AM571-IDK: https://pastebin.ubuntu.com/p/sr5X6sN3Tr/ (single core A15)
> OMAP5-uEVM: https://pastebin.ubuntu.com/p/9yDM22bJ6n/ (dual core A15)
> OMAP3-beagle-xm: https://pastebin.ubuntu.com/p/9DfDkpyxym/ (Single A8)
> AM335x-Beaglebone-black: https://pastebin.ubuntu.com/p/DczT9jPMwb/ (Single A8)
>
> Nishanth Menon (4):
>   ARM: Introduce ability to enable ACR::IBE on Cortex-A8 for
>     CVE-2017-5715
>   ARM: Introduce ability to enable invalidate of BTB with ICIALLU on
>     Cortex-A15 for CVE-2017-5715
>   ARM: mach-omap2: omap5/dra7: Enable ACTLR[0] (Enable invalidates of
>     BTB) to facilitate CVE_2017-5715 WA in OS
>   ARM: mach-omap2: omap3/am335x: Enable ACR::IBE on Cortex-A8 SoCs for
>     CVE-2017-5715
>
>  arch/arm/Kconfig            |  9 +++++++++
>  arch/arm/cpu/armv7/start.S  | 15 +++++++++++++--
>  arch/arm/mach-omap2/Kconfig |  3 +++
>  3 files changed, 25 insertions(+), 2 deletions(-)
>
> [1] https://marc.info/?t=151639906500002&r=1&w=2
> [2] https://developer.arm.com/support/security-update
> [3] https://marc.info/?t=151543790400007&r=1&w=2 and the latest in:
>     https://marc.info/?l=linux-arm-kernel&m=151689379521082&w=2
> [4]
> https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Security-Advisory-TFV-6
> https://www.op-tee.org/security-advisories/
> https://www.linaro.org/blog/meltdown-spectre/

This series of changes for U-Boot, if I can briefly summarize the
feedback as I understand it, is that yes, this is correct and is a part
of what is required to work around the issues, but only covers as much
of the system as U-Boot can cover leaving other parts of the software
stack (still) in need of fixes. Yes?

If so, is there anything else that should be done before in U-Boot we
grab these changes? Would any of the knowledgeable but not usually
U-Boot folks on CC feel comfortable adding an ack/reviewed-by to the
series?

Thanks!

--
Tom