[PATCH] arm64: errata: Remove AES hwcap for COMPAT tasks on A57 and A72

Ard Biesheuvel ardb at kernel.org
Thu Jan 27 04:39:00 PST 2022


On Thu, 27 Jan 2022 at 13:29, James Morse <james.morse at arm.com> wrote:
>
> Cortex-A57 and Cortex-A72 have an erratum where an interrupt that
> occurs between a pair of AES instructions in aarch32 mode may corrupt
> the ELR. The task will subsequently produce the wrong AES result.
>
> The AES instructions are part of the cryptographic extensions, which are
> optional. User-space software will detect the support for these
> instructions from the hwcaps. If the platform doesn't support these
> instructions a software implementation should be used.
>
> Remove the hwcap bits on affected parts to indicate user-space should
> not use the AES instructions.
>
> CC: Ard Biesheuvel <ardb at kernel.org>
> CC: Suzuki K Poulose <suzuki.poulose at arm.com>
> CC: <stable at vger.kernel.org>
> Signed-off-by: James Morse <james.morse at arm.com>

For this patch,

Acked-by: Ard Biesheuvel <ardb at kernel.org>

but I will note that
- depending on the C library used, OpenSSL may use SIGILL trapping to
decide whether these instructions are implemented or not, and
- the 32-bit kernel should ideally adopt the same approach.

Fortunately, the only A72 that is known to be widely deployed with
32-bit kernels and/or user space is the Raspberry Pi 4, which does not
implement the crypto extensions.


> ---
> SDEN:
> A57: https://developer.arm.com/documentation/epm049219/2300 1742098
> A72: https://developer.arm.com/documentation/epm012079/11   1655431
> ---
>  Documentation/arm64/silicon-errata.rst |  4 ++++
>  arch/arm64/Kconfig                     | 16 ++++++++++++++++
>  arch/arm64/include/asm/cpufeature.h    |  1 +
>  arch/arm64/kernel/cpu_errata.c         | 17 +++++++++++++++++
>  arch/arm64/kernel/cpufeature.c         | 23 +++++++++++++++++++++++
>  arch/arm64/tools/cpucaps               |  1 +
>  6 files changed, 62 insertions(+)
>
> diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
> index 5342e895fb60..0f255ab8c3e2 100644
> --- a/Documentation/arm64/silicon-errata.rst
> +++ b/Documentation/arm64/silicon-errata.rst
> @@ -76,10 +76,14 @@ stable kernels.
>  +----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A57      | #1319537        | ARM64_ERRATUM_1319367       |
>  +----------------+-----------------+-----------------+-----------------------------+
> +| ARM            | Cortex-A57      | #1742098        | ARM64_ERRATUM_1742098       |
> ++----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A72      | #853709         | N/A                         |
>  +----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A72      | #1319367        | ARM64_ERRATUM_1319367       |
>  +----------------+-----------------+-----------------+-----------------------------+
> +| ARM            | Cortex-A72      | #1655431        | ARM64_ERRATUM_1742098       |
> ++----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A73      | #858921         | ARM64_ERRATUM_858921        |
>  +----------------+-----------------+-----------------+-----------------------------+
>  | ARM            | Cortex-A76      | #1188873,1418040| ARM64_ERRATUM_1418040       |
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 6978140edfa4..0daf4fff0eaf 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -488,6 +488,22 @@ config ARM64_ERRATUM_834220
>
>           If unsure, say Y.
>
> +config ARM64_ERRATUM_1742098
> +       bool "Cortex-A57/A72: 1742098: ELR recorded incorrectly on interrupt taken between cryptographic instructions in a sequence"
> +       depends on COMPAT
> +       default y
> +       help
> +         This option removes the AES hwcap for aarch32 user-space to
> +         workaround erratum 1742098 on Cortex-A57 and Cortex-A72.
> +
> +         Affected parts may corrupt the AES state if an interrupt is
> +         taken between a pair of AES instructions. These instructions
> +         are only present if the cryptography extensions are present.
> +         All software should have a fallback implementation for CPUs
> +         that don't implement the cryptography extensions.
> +
> +         If unsure, say Y.
> +
>  config ARM64_ERRATUM_845719
>         bool "Cortex-A53: 845719: a load might read incorrect data"
>         depends on COMPAT
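Review bot: The help text for ARM64_ERRATUM_1742098 describes the fault as corrupting "the AES state", while the option title and the commit message both describe an incorrectly recorded ELR that leads to a wrong AES result. Someone deciding whether to enable the workaround reads the help text, so it should describe the same failure, for example `Affected parts may record the wrong ELR if an interrupt is taken between a pair of AES instructions in aarch32 mode, causing the task to produce the wrong AES result.` The verb in "to workaround erratum 1742098" would also read better as `to work around`.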
> diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
> index ef6be92b1921..355313d46c14 100644
> --- a/arch/arm64/include/asm/cpufeature.h
> +++ b/arch/arm64/include/asm/cpufeature.h
> @@ -857,6 +857,7 @@ extern struct arm64_ftr_override id_aa64isar1_override;
>
>  u32 get_kvm_ipa_limit(void);
>  void dump_cpu_features(void);
> +void arm64_remove_aes_compat_hwcap(const struct arm64_cpu_capabilities *cap);
>
>  #endif /* __ASSEMBLY__ */
>
> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
> index 9e1c1aef9ebd..b06fb054e055 100644
> --- a/arch/arm64/kernel/cpu_errata.c
> +++ b/arch/arm64/kernel/cpu_errata.c
> @@ -376,6 +376,14 @@ static struct midr_range trbe_write_out_of_range_cpus[] = {
>  };
>  #endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */
>
> +#ifdef CONFIG_ARM64_ERRATUM_1742098
> +static struct midr_range broken_aarch32_aes[] = {
> +       MIDR_RANGE(MIDR_CORTEX_A57, 0, 1, 0xf, 0xf),
> +       MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
> +       {},
> +};
> +#endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */
> +
>  const struct arm64_cpu_capabilities arm64_errata[] = {
>  #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE
>         {
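Review bot: The `#endif` closing the new `broken_aarch32_aes[]` block still carries the comment copied from the block above it, `/* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */`; it should read `#endif /* CONFIG_ARM64_ERRATUM_1742098 */` to match the `#ifdef` that opens it. A mislabelled guard in the errata table makes it easy to place a later entry under the wrong option. This MIDR list defines which parts get the workaround, so a short comment above it naming the two errata from the documentation table (1742098 for Cortex-A57, 1655431 for Cortex-A72) would let a reader check the ranges against the SDEN.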
> @@ -597,6 +605,15 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
>                 .type = ARM64_CPUCAP_WEAK_LOCAL_CPU_FEATURE,
>                 CAP_MIDR_RANGE_LIST(trbe_write_out_of_range_cpus),
>         },
> +#endif
> +#ifdef CONFIG_ARM64_ERRATUM_1742098
> +       {
> +               .desc = "ARM erratum 1742098",
> +               .capability = ARM64_WORKAROUND_1742098,
> +               CAP_MIDR_RANGE_LIST(broken_aarch32_aes),
> +               .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
> +               .cpu_enable = arm64_remove_aes_compat_hwcap,
> +       },
>  #endif
>         {
>         }
> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index a46ab3b1c4d5..06605e267ab0 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c
> @@ -1900,6 +1900,29 @@ static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap)
>  }
>  #endif /* CONFIG_ARM64_MTE */
>
> +#ifdef CONFIG_ARM64_ERRATUM_1742098
> +/*
> + * compat_elf_hwcap{,2} are built from the sanitised id registers after the
> + * enable calls have run.  See the order of the setup_system_capabilities()
> + * and setup_elf_hwcaps() calls in setup_cpu_features(). Removing the AES
> + * field prevents the AES hwcap from being advertised.
> + */
> +void arm64_remove_aes_compat_hwcap(const struct arm64_cpu_capabilities *cap)
> +{
> +       struct arm64_ftr_reg *aa32isar5 = get_arm64_ftr_reg(SYS_ID_ISAR5_EL1);
> +       u64 aes_mask = GENMASK_ULL(ID_ISAR5_AES_SHIFT + 3, ID_ISAR5_AES_SHIFT);
> +
> +       /*
> +        * On affected platforms this call is made via stop_machine() on all
> +        * online CPUs. Only clear the register from the boot CPU.
> +        */
> +       if (smp_processor_id())
> +               return;
> +
> +       aa32isar5->sys_val &= ~aes_mask;
> +}
> +#endif /* CONFIG_ARM64_ERRATUM_1742098 */
> +
>  #ifdef CONFIG_KVM
>  static bool is_kvm_protected_mode(const struct arm64_cpu_capabilities *entry, int __unused)
>  {
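Review bot: `arm64_remove_aes_compat_hwcap()` clears all four bits of the ID_ISAR5 AES field, which hides every compat hwcap derived from that field rather than AES alone. As far as I can tell the compat PMULL hwcap is keyed off a higher value of the same field, so it would stop being advertised too, which neither the commit message nor the block comment mentions; please confirm. If that is intended, the comment should say so, e.g. `Removing the AES field also removes the PMULL hwcap, which is reported through the same field.`; if not, masking only the AES bit out of `compat_elf_hwcap2` once the hwcaps have been built would be narrower. The result of `get_arm64_ftr_reg()` is also dereferenced without a check; a brief comment stating why the lookup cannot fail here would help.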
> diff --git a/arch/arm64/tools/cpucaps b/arch/arm64/tools/cpucaps
> index 870c39537dd0..6a3a5c116668 100644
> --- a/arch/arm64/tools/cpucaps
> +++ b/arch/arm64/tools/cpucaps
> @@ -55,6 +55,7 @@ WORKAROUND_1418040
>  WORKAROUND_1463225
>  WORKAROUND_1508412
>  WORKAROUND_1542419
> +WORKAROUND_1742098
>  WORKAROUND_TRBE_OVERWRITE_FILL_MODE
>  WORKAROUND_TSB_FLUSH_FAILURE
>  WORKAROUND_TRBE_WRITE_OUT_OF_RANGE
> --
> 2.30.2
>


