[PATCH v2 1/2] arm64: errata: Remove AES hwcap for COMPAT tasks

Will Deacon will at kernel.org
Thu Apr 14 03:03:43 PDT 2022


On Wed, Apr 13, 2022 at 06:05:44PM +0100, James Morse wrote:
> Cortex-A57 and Cortex-A72 have an erratum where an interrupt that
> occurs between a pair of AES instructions in aarch32 mode may corrupt
> the ELR. The task will subsequently produce the wrong AES result.
> 
> The AES instructions are part of the cryptographic extensions, which are
> optional. User-space software will detect the support for these
> instructions from the hwcaps. If the platform doesn't support these
> instructions a software implementation should be used.
> 
> Remove the hwcap bits on affected parts to indicate user-space should
> not use the AES instructions.
> 
> Signed-off-by: James Morse <james.morse at arm.com>
> ---
>  Documentation/arm64/silicon-errata.rst |  4 ++++
>  arch/arm64/Kconfig                     | 16 ++++++++++++++++
>  arch/arm64/kernel/cpu_errata.c         | 16 ++++++++++++++++
>  arch/arm64/kernel/cpufeature.c         | 11 ++++++++++-
>  arch/arm64/tools/cpucaps               |  1 +
>  5 files changed, 47 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
> index 466cb9e89047..053dc12696b5 100644
> --- a/Documentation/arm64/silicon-errata.rst
> +++ b/Documentation/arm64/silicon-errata.rst
> @@ -82,10 +82,14 @@ stable kernels.
>  +----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A57      | #1319537        | ARM64_ERRATUM_1319367       |
>  +----------------+-----------------+-----------------+-----------------------------+
> +| ARM            | Cortex-A57      | #1742098        | ARM64_ERRATUM_1742098       |
> ++----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A72      | #853709         | N/A                         |
>  +----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A72      | #1319367        | ARM64_ERRATUM_1319367       |
>  +----------------+-----------------+-----------------+-----------------------------+
> +| ARM            | Cortex-A72      | #1655431        | ARM64_ERRATUM_1742098       |
> ++----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A73      | #858921         | ARM64_ERRATUM_858921        |
>  +----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A76      | #1188873,1418040| ARM64_ERRATUM_1418040       |
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 57c4c995965f..df19e60c4c46 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -491,6 +491,22 @@ config ARM64_ERRATUM_834220
>  
>  	  If unsure, say Y.
>  
> +config ARM64_ERRATUM_1742098
> +	bool "Cortex-A57/A72: 1742098: ELR recorded incorrectly on interrupt taken between cryptographic instructions in a sequence"
> +	depends on COMPAT
> +	default y
> +	help
> +	  This option removes the AES hwcap for aarch32 user-space to
> +	  workaround erratum 1742098 on Cortex-A57 and Cortex-A72.
> +
> +	  Affected parts may corrupt the AES state if an interrupt is
> +	  taken between a pair of AES instructions. These instructions
> +	  are only present if the cryptography extensions are present.
> +	  All software should have a fallback implementation for CPUs
> +	  that don't implement the cryptography extensions.
> +
> +	  If unsure, say Y.
> +
>  config ARM64_ERRATUM_845719
>  	bool "Cortex-A53: 845719: a load might read incorrect data"
>  	depends on COMPAT
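Review bot: The help text of the new ARM64_ERRATUM_1742098 entry does not say that the workaround is advisory. The visible change only clears a hwcap bit, so the AES instructions presumably remain executable by aarch32 tasks, and software that uses them without consulting the hwcaps would still silently compute wrong AES results. I would add a sentence such as `Software that uses the AES instructions without checking the hwcaps is not protected by this option.` The help text also says the "AES state" is corrupted, while the commit message says the ELR is corrupted and the AES result is wrong; the two descriptions should agree.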
> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
> index 4c9b5b4b7a0b..8f85dac4cd79 100644
> --- a/arch/arm64/kernel/cpu_errata.c
> +++ b/arch/arm64/kernel/cpu_errata.c
> @@ -393,6 +393,14 @@ static struct midr_range trbe_write_out_of_range_cpus[] = {
>  };
>  #endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */
>  
> +#ifdef CONFIG_ARM64_ERRATUM_1742098
> +static struct midr_range broken_aarch32_aes[] = {
> +	MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
> +	MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
> +	{},
> +};
> +#endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */

Comment here is wrong ^^^

> +
>  const struct arm64_cpu_capabilities arm64_errata[] = {
>  #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE
>  	{
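Review bot: `broken_aarch32_aes` is declared as a writable `static struct midr_range` array although nothing in the visible hunks modifies it. Declaring it `static const struct midr_range broken_aarch32_aes[] = {` would place the CPU match table in read-only data. This assumes the list pointer set by `CAP_MIDR_RANGE_LIST` is const-qualified, which is not visible here and should be confirmed. The neighbouring `trbe_write_out_of_range_cpus` shown in the hunk header has the same non-const form, so the declaration may simply be following local style.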
> @@ -655,6 +663,14 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
>  		/* Cortex-A510 r0p0 - r0p1 */
>  		ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A510, 0, 0, 1)
>  	},
> +#endif
> +#ifdef CONFIG_ARM64_ERRATUM_1742098
> +	{
> +		.desc = "ARM erratum 1742098",
> +		.capability = ARM64_WORKAROUND_1742098,
> +		CAP_MIDR_RANGE_LIST(broken_aarch32_aes),
> +		.type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
> +	},
>  #endif
>  	{
>  	}
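Review bot: The `.desc` string in the new arm64_errata entry names only erratum 1742098, but the documentation hunk of this patch lists the Cortex-A72 erratum as #1655431 under the same config option. Someone matching the reported description against the Cortex-A72 errata notice would not find that number; `.desc = "ARM erratum 1742098 or 1655431",` would cover both parts. The arm64_errata array starts and ends outside this hunk.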
> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index d72c4b4d389c..3faf16f1c040 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c
> @@ -1922,6 +1922,12 @@ static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap)
>  }
>  #endif /* CONFIG_ARM64_MTE */
>  
> +static void elf_hwcap_fixup(void)
> +{
> +	if (cpus_have_const_cap(ARM64_WORKAROUND_1742098))
> +		compat_elf_hwcap2 &= ~COMPAT_HWCAP2_AES;
> +}

How does this deal with big/little if we late online an affected CPU?  It
would probably be easier if we treated these CPUs as not having the 32-bit
AES instructions at all (rather than removing the hwcap later), then the
early cap check would prevent late onlining.

Will


