• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1/*
2 * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
3 * Copyright (c) 2020, NVIDIA Corporation. All rights reserved.
4 *
5 * SPDX-License-Identifier: BSD-3-Clause
6 */
7
8#include <arch.h>
9#include <asm_macros.S>
10#include <assert_macros.S>
11#include <context.h>
12#include <denver.h>
13#include <cpu_macros.S>
14#include <plat_macros.S>
15
16	/* -------------------------------------------------
17	 * CVE-2017-5715 mitigation
18	 *
19	 * Flush the indirect branch predictor and RSB on
20	 * entry to EL3 by issuing a newly added instruction
21	 * for Denver CPUs.
22	 *
23	 * To achieve this without performing any branch
24	 * instruction, a per-cpu vbar is installed which
25	 * executes the workaround and then branches off to
26	 * the corresponding vector entry in the main vector
27	 * table.
28	 * -------------------------------------------------
29	 */
30vector_base workaround_bpflush_runtime_exceptions
31
32	.macro	apply_workaround
33	stp	x0, x1, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X0]
34
35	/* Disable cycle counter when event counting is prohibited */
36	mrs	x1, pmcr_el0
37	orr	x0, x1, #PMCR_EL0_DP_BIT
38	msr	pmcr_el0, x0
39	isb
40
41	/* -------------------------------------------------
42	 * A new write-only system register where a write of
43	 * 1 to bit 0 will cause the indirect branch predictor
44	 * and RSB to be flushed.
45	 *
46	 * A write of 0 to bit 0 will be ignored. A write of
47	 * 1 to any other bit will cause an MCA.
48	 * -------------------------------------------------
49	 */
50	mov	x0, #1
51	msr	s3_0_c15_c0_6, x0
52	isb
53
54	ldp	x0, x1, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X0]
55	.endm
56
57	/* ---------------------------------------------------------------------
58	 * Current EL with SP_EL0 : 0x0 - 0x200
59	 * ---------------------------------------------------------------------
60	 */
61vector_entry workaround_bpflush_sync_exception_sp_el0
62	b	sync_exception_sp_el0
63end_vector_entry workaround_bpflush_sync_exception_sp_el0
64
65vector_entry workaround_bpflush_irq_sp_el0
66	b	irq_sp_el0
67end_vector_entry workaround_bpflush_irq_sp_el0
68
69vector_entry workaround_bpflush_fiq_sp_el0
70	b	fiq_sp_el0
71end_vector_entry workaround_bpflush_fiq_sp_el0
72
73vector_entry workaround_bpflush_serror_sp_el0
74	b	serror_sp_el0
75end_vector_entry workaround_bpflush_serror_sp_el0
76
77	/* ---------------------------------------------------------------------
78	 * Current EL with SP_ELx: 0x200 - 0x400
79	 * ---------------------------------------------------------------------
80	 */
81vector_entry workaround_bpflush_sync_exception_sp_elx
82	b	sync_exception_sp_elx
83end_vector_entry workaround_bpflush_sync_exception_sp_elx
84
85vector_entry workaround_bpflush_irq_sp_elx
86	b	irq_sp_elx
87end_vector_entry workaround_bpflush_irq_sp_elx
88
89vector_entry workaround_bpflush_fiq_sp_elx
90	b	fiq_sp_elx
91end_vector_entry workaround_bpflush_fiq_sp_elx
92
93vector_entry workaround_bpflush_serror_sp_elx
94	b	serror_sp_elx
95end_vector_entry workaround_bpflush_serror_sp_elx
96
97	/* ---------------------------------------------------------------------
98	 * Lower EL using AArch64 : 0x400 - 0x600
99	 * ---------------------------------------------------------------------
100	 */
101vector_entry workaround_bpflush_sync_exception_aarch64
102	apply_workaround
103	b	sync_exception_aarch64
104end_vector_entry workaround_bpflush_sync_exception_aarch64
105
106vector_entry workaround_bpflush_irq_aarch64
107	apply_workaround
108	b	irq_aarch64
109end_vector_entry workaround_bpflush_irq_aarch64
110
111vector_entry workaround_bpflush_fiq_aarch64
112	apply_workaround
113	b	fiq_aarch64
114end_vector_entry workaround_bpflush_fiq_aarch64
115
116vector_entry workaround_bpflush_serror_aarch64
117	apply_workaround
118	b	serror_aarch64
119end_vector_entry workaround_bpflush_serror_aarch64
120
121	/* ---------------------------------------------------------------------
122	 * Lower EL using AArch32 : 0x600 - 0x800
123	 * ---------------------------------------------------------------------
124	 */
125vector_entry workaround_bpflush_sync_exception_aarch32
126	apply_workaround
127	b	sync_exception_aarch32
128end_vector_entry workaround_bpflush_sync_exception_aarch32
129
130vector_entry workaround_bpflush_irq_aarch32
131	apply_workaround
132	b	irq_aarch32
133end_vector_entry workaround_bpflush_irq_aarch32
134
135vector_entry workaround_bpflush_fiq_aarch32
136	apply_workaround
137	b	fiq_aarch32
138end_vector_entry workaround_bpflush_fiq_aarch32
139
140vector_entry workaround_bpflush_serror_aarch32
141	apply_workaround
142	b	serror_aarch32
143end_vector_entry workaround_bpflush_serror_aarch32
144
145	.global	denver_disable_dco
146
147	/* ---------------------------------------------
148	 * Disable debug interfaces
149	 * ---------------------------------------------
150	 */
151func denver_disable_ext_debug
152	mov	x0, #1
153	msr	osdlr_el1, x0
154	isb
155	dsb	sy
156	ret
157endfunc denver_disable_ext_debug
158
159	/* ----------------------------------------------------
160	 * Enable dynamic code optimizer (DCO)
161	 * ----------------------------------------------------
162	 */
163func denver_enable_dco
164	/* DCO is not supported on PN5 and later */
165	mrs	x1, midr_el1
166	mov_imm	x2, DENVER_MIDR_PN4
167	cmp	x1, x2
168	b.hi	1f
169
170	mov	x18, x30
171	bl	plat_my_core_pos
172	mov	x1, #1
173	lsl	x1, x1, x0
174	msr	s3_0_c15_c0_2, x1
175	mov	x30, x18
1761:	ret
177endfunc denver_enable_dco
178
179	/* ----------------------------------------------------
180	 * Disable dynamic code optimizer (DCO)
181	 * ----------------------------------------------------
182	 */
183func denver_disable_dco
184	/* DCO is not supported on PN5 and later */
185	mrs	x1, midr_el1
186	mov_imm	x2, DENVER_MIDR_PN4
187	cmp	x1, x2
188	b.hi	2f
189
190	/* turn off background work */
191	mov	x18, x30
192	bl	plat_my_core_pos
193	mov	x1, #1
194	lsl	x1, x1, x0
195	lsl	x2, x1, #16
196	msr	s3_0_c15_c0_2, x2
197	isb
198
199	/* wait till the background work turns off */
2001:	mrs	x2, s3_0_c15_c0_2
201	lsr	x2, x2, #32
202	and	w2, w2, 0xFFFF
203	and	x2, x2, x1
204	cbnz	x2, 1b
205
206	mov	x30, x18
2072:	ret
208endfunc denver_disable_dco
209
210func check_errata_cve_2017_5715
211	mov	x0, #ERRATA_MISSING
212#if WORKAROUND_CVE_2017_5715
213	/*
214	 * Check if the CPU supports the special instruction
215	 * required to flush the indirect branch predictor and
216	 * RSB. Support for this operation can be determined by
217	 * comparing bits 19:16 of ID_AFR0_EL1 with 0b0001.
218	 */
219	mrs	x1, id_afr0_el1
220	mov	x2, #0x10000
221	and	x1, x1, x2
222	cbz	x1, 1f
223	mov	x0, #ERRATA_APPLIES
2241:
225#endif
226	ret
227endfunc check_errata_cve_2017_5715
228
229func check_errata_cve_2018_3639
230#if WORKAROUND_CVE_2018_3639
231	mov	x0, #ERRATA_APPLIES
232#else
233	mov	x0, #ERRATA_MISSING
234#endif
235	ret
236endfunc check_errata_cve_2018_3639
237
238	/* -------------------------------------------------
239	 * The CPU Ops reset function for Denver.
240	 * -------------------------------------------------
241	 */
242func denver_reset_func
243
244	mov	x19, x30
245
246#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715
247	/*
248	 * Check if the CPU supports the special instruction
249	 * required to flush the indirect branch predictor and
250	 * RSB. Support for this operation can be determined by
251	 * comparing bits 19:16 of ID_AFR0_EL1 with 0b0001.
252	 */
253	mrs	x0, id_afr0_el1
254	mov	x1, #0x10000
255	and	x0, x0, x1
256	cmp	x0, #0
257	adr	x1, workaround_bpflush_runtime_exceptions
258	mrs	x2, vbar_el3
259	csel	x0, x1, x2, ne
260	msr	vbar_el3, x0
261#endif
262
263#if WORKAROUND_CVE_2018_3639
264	/*
265	 * Denver CPUs with DENVER_MIDR_PN3 or earlier, use different
266	 * bits in the ACTLR_EL3 register to disable speculative
267	 * store buffer and memory disambiguation.
268	 */
269	mrs	x0, midr_el1
270	mov_imm	x1, DENVER_MIDR_PN4
271	cmp	x0, x1
272	mrs	x0, actlr_el3
273	mov	x1, #(DENVER_CPU_DIS_MD_EL3 | DENVER_CPU_DIS_SSB_EL3)
274	mov	x2, #(DENVER_PN4_CPU_DIS_MD_EL3 | DENVER_PN4_CPU_DIS_SSB_EL3)
275	csel	x3, x1, x2, ne
276	orr	x0, x0, x3
277	msr	actlr_el3, x0
278	isb
279	dsb	sy
280#endif
281
282	/* ----------------------------------------------------
283	 * Reset ACTLR.PMSTATE to C1 state
284	 * ----------------------------------------------------
285	 */
286	mrs	x0, actlr_el1
287	bic	x0, x0, #DENVER_CPU_PMSTATE_MASK
288	orr	x0, x0, #DENVER_CPU_PMSTATE_C1
289	msr	actlr_el1, x0
290
291	/* ----------------------------------------------------
292	 * Enable dynamic code optimizer (DCO)
293	 * ----------------------------------------------------
294	 */
295	bl	denver_enable_dco
296
297	ret	x19
298endfunc denver_reset_func
299
300	/* ----------------------------------------------------
301	 * The CPU Ops core power down function for Denver.
302	 * ----------------------------------------------------
303	 */
304func denver_core_pwr_dwn
305
306	mov	x19, x30
307
308	/* ---------------------------------------------
309	 * Force the debug interfaces to be quiescent
310	 * ---------------------------------------------
311	 */
312	bl	denver_disable_ext_debug
313
314	ret	x19
315endfunc denver_core_pwr_dwn
316
317	/* -------------------------------------------------------
318	 * The CPU Ops cluster power down function for Denver.
319	 * -------------------------------------------------------
320	 */
321func denver_cluster_pwr_dwn
322	ret
323endfunc denver_cluster_pwr_dwn
324
325#if REPORT_ERRATA
326	/*
327	 * Errata printing function for Denver. Must follow AAPCS.
328	 */
329func denver_errata_report
330	stp	x8, x30, [sp, #-16]!
331
332	bl	cpu_get_rev_var
333	mov	x8, x0
334
335	/*
336	 * Report all errata. The revision-variant information is passed to
337	 * checking functions of each errata.
338	 */
339	report_errata WORKAROUND_CVE_2017_5715, denver, cve_2017_5715
340	report_errata WORKAROUND_CVE_2018_3639, denver, cve_2018_3639
341
342	ldp	x8, x30, [sp], #16
343	ret
344endfunc denver_errata_report
345#endif
346
347	/* ---------------------------------------------
348	 * This function provides Denver specific
349	 * register information for crash reporting.
350	 * It needs to return with x6 pointing to
351	 * a list of register names in ascii and
352	 * x8 - x15 having values of registers to be
353	 * reported.
354	 * ---------------------------------------------
355	 */
356.section .rodata.denver_regs, "aS"
357denver_regs:  /* The ascii list of register names to be reported */
358	.asciz	"actlr_el1", ""
359
360func denver_cpu_reg_dump
361	adr	x6, denver_regs
362	mrs	x8, ACTLR_EL1
363	ret
364endfunc denver_cpu_reg_dump
365
366/* macro to declare cpu_ops for Denver SKUs */
367.macro	denver_cpu_ops_wa midr
368	declare_cpu_ops_wa denver, \midr, \
369		denver_reset_func, \
370		check_errata_cve_2017_5715, \
371		CPU_NO_EXTRA2_FUNC, \
372		denver_core_pwr_dwn, \
373		denver_cluster_pwr_dwn
374.endm
375
376denver_cpu_ops_wa DENVER_MIDR_PN0
377denver_cpu_ops_wa DENVER_MIDR_PN1
378denver_cpu_ops_wa DENVER_MIDR_PN2
379denver_cpu_ops_wa DENVER_MIDR_PN3
380denver_cpu_ops_wa DENVER_MIDR_PN4
381denver_cpu_ops_wa DENVER_MIDR_PN5
382denver_cpu_ops_wa DENVER_MIDR_PN6
383denver_cpu_ops_wa DENVER_MIDR_PN7
384denver_cpu_ops_wa DENVER_MIDR_PN8
385denver_cpu_ops_wa DENVER_MIDR_PN9
386