From patchwork Tue Jun 12 20:24:07 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nishanth Menon X-Patchwork-Id: 138380 Delivered-To: patch@linaro.org Received: by 2002:a2e:970d:0:0:0:0:0 with SMTP id r13-v6csp5814978lji; Tue, 12 Jun 2018 13:26:33 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKXm29dsVpo/m2Oxyps8KrZlUOyHPzh8aLVknCnsKq8oO+wHUyntwNVrRtxHlGvjm1OaCbg X-Received: by 2002:adf:b86b:: with SMTP id u40-v6mr1776421wrf.162.1528835193416; Tue, 12 Jun 2018 13:26:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528835193; cv=none; d=google.com; s=arc-20160816; b=Zf5GL4moV/TJ9nXqgXMN9SPDs5YOr4f0WwwGVht9l3C9f1w0bNgCM9tltZMMYewzhx uBXuOTlSnNqtFaV6JgG6dt7K0Zt66d9+HaqjSk5G4DZKe3Ix0gzqqv48P4xMzNrDYRx+ 4qWFboWbC6OHMZFZn4RaIGIbNamLNsDrndZ2lAisAUocKemo5FVJoS9iPGlitWcJ085u Y3Q9lx2JADTupFlEFW1SguGdT7LJbJ1NEC8wNxRdnaChzyyZ1jeQXfYRAiEfNFarYpKF RLb5pg3jQLwveAYQNr7p6TfVRYpaMV/GCSJO4QzuK0+hbWfDUyw7UoDqAtYsPlFyllUe bX3w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :cc:mime-version:message-id:date:to:from:dkim-signature :arc-authentication-results; bh=NrvpFlHUi8vbPy1NzOf94wO7COWB0qoLdeps4r2aLz4=; b=SI8onu2yiKWH9dFB7ozEHRX3UiJCzuDNu62Rcib3zFE7Qq4+a7gUrr9iIGmfJaWkhr lTwuhfoLmqjrTk88n/ANFmIJJdEAzz7RyMobtBGiH+F5ygVBN5vDEMSYoetS+bgPK24T SVWMCDN6Hx0MFlQ9wVlKJ1gj3j7OjlyglGOvGQGkvloQVCVbGJxAQuUmJ3CpDASXAmgv uKVm3DJ01ZPoc3ldFSbeq7VDrbUA/Mj6Hv2/2i5ymZxN+biw52muKbLfCAKuukkG/8kW pvmL+gCAWrITVVryYInFLzLRB6ygM1slTRzJyE3POmvQXJqicsIQqOiy/2TQumINwhtW uS0g== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@ti.com header.s=ti-com-17Q1 header.b=IKP5wjDB; spf=pass (google.com: best guess record for domain of u-boot-bounces@lists.denx.de designates 81.169.180.215 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=QUARANTINE sp=NONE dis=QUARANTINE) header.from=ti.com Return-Path: Received: from lists.denx.de (dione.denx.de. [81.169.180.215]) by mx.google.com with ESMTP id m2-v6si1069023edi.372.2018.06.12.13.26.33; Tue, 12 Jun 2018 13:26:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of u-boot-bounces@lists.denx.de designates 81.169.180.215 as permitted sender) client-ip=81.169.180.215; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@ti.com header.s=ti-com-17Q1 header.b=IKP5wjDB; spf=pass (google.com: best guess record for domain of u-boot-bounces@lists.denx.de designates 81.169.180.215 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=QUARANTINE sp=NONE dis=QUARANTINE) header.from=ti.com Received: by lists.denx.de (Postfix, from userid 105) id DAD07C21C6A; Tue, 12 Jun 2018 20:25:59 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=KHOP_BIG_TO_CC, T_DKIM_INVALID autolearn=unavailable autolearn_force=no version=3.4.0 Received: from lists.denx.de (localhost [IPv6:::1]) by lists.denx.de (Postfix) with ESMTP id ABAA4C21D56; Tue, 12 Jun 2018 20:25:06 +0000 (UTC) Received: by lists.denx.de (Postfix, from userid 105) id 76A4EC21D8A; Tue, 12 Jun 2018 20:24:46 +0000 (UTC) Received: from lelnx193.ext.ti.com (lelnx193.ext.ti.com [198.47.27.77]) by lists.denx.de (Postfix) with ESMTPS id 84FB3C21E08 for ; Tue, 12 Jun 2018 20:24:42 +0000 (UTC) Received: from dlelxv90.itg.ti.com ([172.17.2.17]) by lelnx193.ext.ti.com (8.15.1/8.15.1) with ESMTP id w5CKOD9T011409; Tue, 12 Jun 2018 15:24:13 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com; s=ti-com-17Q1; t=1528835053; bh=WcE0hc4LAf0RLF7boiA+Fjl6dE9ojIp/4HTi1oAQOuc=; h=From:To:CC:Subject:Date; b=IKP5wjDBo2ITmT1SI5bAYqPHzncbfTk9Sqa6hZvCpRj5gxX2dwPJ+4rBVOw/9Q0AX z4TPMJZe+eLjWQhjpxv+v+gybUO40rohWIU85mljCQj+l6BGxYd0YaybTFusLg8ULP 3F5Pi9polWmdCqFSuJIXMYBzMmGQGIlXMotLqySU= Received: from DLEE105.ent.ti.com (dlee105.ent.ti.com [157.170.170.35]) by dlelxv90.itg.ti.com (8.14.3/8.13.8) with ESMTP id w5CKODIG011471; Tue, 12 Jun 2018 15:24:13 -0500 Received: from DLEE111.ent.ti.com (157.170.170.22) by DLEE105.ent.ti.com (157.170.170.35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Tue, 12 Jun 2018 15:24:12 -0500 Received: from dlep33.itg.ti.com (157.170.170.75) by DLEE111.ent.ti.com (157.170.170.22) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1466.3 via Frontend Transport; Tue, 12 Jun 2018 15:24:12 -0500 Received: from localhost (ileax41-snat.itg.ti.com [10.172.224.153]) by dlep33.itg.ti.com (8.14.3/8.13.8) with ESMTP id w5CKOCtS004390; Tue, 12 Jun 2018 15:24:12 -0500 From: Nishanth Menon To: Tom Rini , Russell King , Marc Zyngier , Catalin Marinas , Will Deacon , Tony Lindgren Date: Tue, 12 Jun 2018 15:24:07 -0500 Message-ID: <20180612202411.29798-1-nm@ti.com> X-Mailer: git-send-email 2.15.1 MIME-Version: 1.0 X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180 Cc: Ard Biesheuvel , Andre Przywara , U-Boot-Denx , Robin Murphy , linux-arm-kernel@lists.infradead.org Subject: [U-Boot] [PATCH 0/4] ARM: Provide workaround setup bits for CVE-2017-5715 (A8/A15) X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" Hi, This is a follow on from https://marc.info/?l=u-boot&m=151691688828176&w=2 (RFC) NOTE: * As per ARM recommendations[2], and discussions in list[1] ARM Cortex-A9/12/17 do not need additional steps in u-boot to enable the OS level workarounds. * This itself is'nt a complete solution and is based on recommendation This from Arm[2] for variant 2 CVE-2017-5715 -> Kernel changes can be seen on linux next (next-20180612) or on linux master (upcoming v4.18-rc1 tag). * I think it is necessary on older SoCs without firmware support (such as older OMAPs and AM*) to have kernel support mirroring what we do in u-boot to support additional cores AND/OR low power states where contexts are lost (assuming ACR states are'nt saved). just my 2 cents. Few of the tests (with linux next-20180612): AM571-IDK: https://pastebin.ubuntu.com/p/sr5X6sN3Tr/ (single core A15) OMAP5-uEVM: https://pastebin.ubuntu.com/p/9yDM22bJ6n/ (dual core A15) OMAP3-beagle-xm: https://pastebin.ubuntu.com/p/9DfDkpyxym/ (Single A8) AM335x-Beaglebone-black: https://pastebin.ubuntu.com/p/DczT9jPMwb/ (Single A8) Nishanth Menon (4): ARM: Introduce ability to enable ACR::IBE on Cortex-A8 for CVE-2017-5715 ARM: Introduce ability to enable invalidate of BTB with ICIALLU on Cortex-A15 for CVE-2017-5715 ARM: mach-omap2: omap5/dra7: Enable ACTLR[0] (Enable invalidates of BTB) to facilitate CVE_2017-5715 WA in OS ARM: mach-omap2: omap3/am335x: Enable ACR::IBE on Cortex-A8 SoCs for CVE-2017-5715 arch/arm/Kconfig | 9 +++++++++ arch/arm/cpu/armv7/start.S | 15 +++++++++++++-- arch/arm/mach-omap2/Kconfig | 3 +++ 3 files changed, 25 insertions(+), 2 deletions(-) [1] https://marc.info/?t=151639906500002&r=1&w=2 [2] https://developer.arm.com/support/security-update [3] https://marc.info/?t=151543790400007&r=1&w=2 and the latest in: https://marc.info/?l=linux-arm-kernel&m=151689379521082&w=2 [4] https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Security-Advisory-TFV-6 https://www.op-tee.org/security-advisories/ https://www.linaro.org/blog/meltdown-spectre/ Acked-by: Marek Vasut