arm: SMC call to flush branch predictor.

In order to avoid aliasing attacks against the branch predictor, Cortex-A57/72 require to invalidate the BTB when switching from one user context to another. Implement wrapper function to invoke SMC call for flushing branch predictorstate. Change-Id: Id828635276ffa9d585a3f52ceec1e8b048d0eba4 Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org> Signed-off-by: Prateek Sood <prsood@codeaurora.org> Signed-off-by: Rajshekar Eashwarappa <reashw@codeaurora.org>
2024-09-21 03:43:03 +00:00 · 2018-01-16 14:32:00 +05:30 · 2018-01-16 14:32:00 +05:30 · 3a49aad871
parent 32fa66493c
commit 3a49aad871
4 changed files with 81 additions and 0 deletions
--- a/arch/arm/mm/context.c
+++ b/arch/arm/mm/context.c
@ -21,6 +21,8 @@
 #include <asm/smp_plat.h>
 #include <asm/thread_notify.h>
 #include <asm/tlbflush.h>
+#include <uapi/linux/psci.h>
+#include <asm/opcodes-sec.h>

 /*
 * On ARMv6, we have the following structure in the Context ID:
@ -262,3 +264,28 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
 switch_mm_fastpath:
 	cpu_switch_mm(mm->pgd, mm);
 }
+
+static noinline int bp_hardening(u32 _function_id, u32 _arg0,
+				  u32 _arg1, u32 _arg2)
+{
+	register u32 function_id asm("r0") = _function_id;
+	register u32 arg0 asm("r1") = _arg0;
+	register u32 arg1 asm("r2") = _arg1;
+	register u32 arg2 asm("r3") = _arg2;
+
+	asm volatile(
+			__asmeq("%0", "r0")
+			__asmeq("%1", "r1")
+			__asmeq("%2", "r2")
+			__asmeq("%3", "r3")
+			__SMC(0)
+		: "+r" (function_id)
+		: "r" (arg0), "r" (arg1), "r" (arg2));
+
+	return function_id;
+}
+
+asmlinkage void apply_bp_hardening(void)
+{
+	bp_hardening(PSCI_0_2_FN_PSCI_VERSION, 0, 0, 0);
+}
--- a/arch/arm/mm/proc-v7-2level.S
+++ b/arch/arm/mm/proc-v7-2level.S
@ -36,7 +36,13 @@
 *
 *	It is assumed that:
 *	- we are not using split page tables
+ *	Branch Predictor buffer invalidation in Cortex-A57, A72
+ *	is done by making SMC call into TZ
 */
+ENTRY(cpu_ca57_switch_mm)
+#ifdef CONFIG_MMU
+	bl	apply_bp_hardening
+#endif
 ENTRY(cpu_v7_switch_mm)
 #ifdef CONFIG_MMU
 	mov	r2, #0
@ -61,6 +67,7 @@ ENTRY(cpu_v7_switch_mm)
 #endif
 	mov	pc, lr
 ENDPROC(cpu_v7_switch_mm)
+ENDPROC(cpu_ca57_switch_mm)

 /*
 *	cpu_v7_set_pte_ext(ptep, pte)
--- a/arch/arm/mm/proc-v7-3level.S
+++ b/arch/arm/mm/proc-v7-3level.S
@ -44,7 +44,15 @@
 *
 * Set the translation table base pointer to be pgd_phys (physical address of
 * the new TTB).
+ *
+ * Branch Predictor buffer invalidation in Cortex-A57, A72
+ * is done by making SMC call into TZ
+ *
 */
+ENTRY(cpu_ca57_switch_mm)
+#ifdef CONFIG_MMU
+	bl	apply_bp_hardening
+#endif
 ENTRY(cpu_v7_switch_mm)
 #ifdef CONFIG_MMU
 	mmid	r1, r1				@ get mm->context.id
@ -55,6 +63,7 @@ ENTRY(cpu_v7_switch_mm)
 #endif
 	mov	pc, lr
 ENDPROC(cpu_v7_switch_mm)
+ENDPROC(cpu_ca57_switch_mm)

 #ifdef __ARMEB__
 #define rl r3
--- a/arch/arm/mm/proc-v7.S
+++ b/arch/arm/mm/proc-v7.S
@ -182,6 +182,21 @@ ENTRY(cpu_ca9mp_do_resume)
 ENDPROC(cpu_ca9mp_do_resume)
 #endif

+ /*
+  * Cortex-A57, A72 that require an icache invalidation on switch_mm
+  */
+	globl_equ	cpu_ca57_proc_init,		cpu_v7_proc_init
+	globl_equ	cpu_ca57_proc_fin,		cpu_v7_proc_fin
+	globl_equ	cpu_ca57_reset,			cpu_v7_reset
+	globl_equ	cpu_ca57_do_idle,		cpu_v7_do_idle
+	globl_equ	cpu_ca57_dcache_clean_area,	cpu_v7_dcache_clean_area
+	globl_equ	cpu_ca57_set_pte_ext,		cpu_v7_set_pte_ext
+	globl_equ	cpu_ca57_suspend_size,		cpu_v7_suspend_size
+#ifdef CONFIG_ARM_CPU_SUSPEND
+	globl_equ	cpu_ca57_do_suspend,		cpu_v7_do_suspend
+	globl_equ	cpu_ca57_do_resume,		cpu_v7_do_resume
+#endif
+
 #ifdef CONFIG_CPU_PJ4B
 	globl_equ	cpu_pj4b_switch_mm,     cpu_v7_switch_mm
 	globl_equ	cpu_pj4b_set_pte_ext,	cpu_v7_set_pte_ext
@ -225,6 +240,8 @@ __v7_ca9mp_setup:
 __v7_ca7mp_setup:
 __v7_ca15mp_setup:
 __v7_ca53mp_setup:
+__v7_ca57mp_setup:
+__v7_ca72mp_setup:
 	mov	r10, #0
 1:
 #ifdef CONFIG_SMP
@ -440,6 +457,7 @@ __v7_setup_stack:
 	@ define struct processor (see <asm/proc-fns.h> and proc-macros.S)
 	define_processor_functions v7, dabort=v7_early_abort, pabort=v7_pabort, suspend=1
 	define_processor_functions ca9mp, dabort=v7_early_abort, pabort=v7_pabort, suspend=1
+	define_processor_functions ca57, dabort=v7_early_abort, pabort=v7_pabort, suspend=1
 #ifdef CONFIG_CPU_PJ4B
 	define_processor_functions pj4b, dabort=v7_early_abort, pabort=v7_pabort, suspend=1
 #endif
@ -554,6 +572,26 @@ __v7_ca53mp_proc_info:
 	__v7_proc __v7_ca53mp_setup
 	.size	__v7_ca53mp_proc_info, . - __v7_ca53mp_proc_info

+	/*
+	 * ARM Ltd. Cortex A57 processor.
+	 */
+	.type	__v7_ca57mp_proc_info, #object
+__v7_ca57mp_proc_info:
+	.long	0x410fd070
+	.long	0xff0ffff0
+	__v7_proc __v7_ca57mp_setup, proc_fns = ca57_processor_functions
+	.size	__v7_ca57mp_proc_info, . - __v7_ca57mp_proc_info
+
+	/*
+	 * ARM Ltd. Cortex A72 processor.
+	 */
+	.type	__v7_ca72mp_proc_info, #object
+__v7_ca72mp_proc_info:
+	.long	0x410fd080
+	.long	0xff0ffff0
+	__v7_proc __v7_ca72mp_setup, proc_fns = ca57_processor_functions
+	.size	__v7_ca72mp_proc_info, . - __v7_ca72mp_proc_info
+
 	/*
 	 * Match any ARMv7 processor core.
 	 */