arm: Invalidate icache on prefetch abort outside of user mapping on Cortex-A15
Marc Zyngier [Thu, 1 Feb 2018 11:07:37 +0000 (11:07 +0000)]
** Not yet queued for inclusion in mainline **

In order to prevent aliasing attacks on the branch predictor,
invalidate the icache on Cortex-A15, which has the side effect
of invalidating the BTB. This requires ACTLR[0] to be set to 1
(secure operation).

Change-Id: I4bb8e3ec05853d739bebd8fb3c61657e252808c0
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698400
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

arch/arm/include/asm/cp15.h
arch/arm/mm/fault.c

index 43eddec..d820fc5 100644 (file)
@@ -66,6 +66,7 @@
 
 
 #define BPIALL                         __ACCESS_CP15(c7, 0, c5, 6)
+#define ICIALLU                                __ACCESS_CP15(c7, 0, c5, 0)
 
 extern unsigned long cr_no_alignment;  /* defined in entry-armv.S */
 extern unsigned long cr_alignment;     /* defined in entry-armv.S */
index f18f940..e8f4282 100644 (file)
@@ -26,6 +26,7 @@
 #include <asm/system_misc.h>
 #include <asm/system_info.h>
 #include <asm/tlbflush.h>
+#include <asm/cputype.h>
 
 #include "fault.h"
 
@@ -401,6 +402,9 @@ do_pabt_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
 #ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
        if (addr > TASK_SIZE) {
                switch (read_cpuid_part_number()) {
+               case ARM_CPU_PART_CORTEX_A15:
+                       write_sysreg(0, ICIALLU);
+                       break;
                }
        }
 #endif
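Review bot: The new `case ARM_CPU_PART_CORTEX_A15:` depends on ACTLR[0] having been set from the secure side, as the commit message states, but nothing in this hunk checks or documents that dependency. If firmware left the bit clear, `write_sysreg(0, ICIALLU)` would presumably invalidate only the icache and leave the BTB untouched, so the hardening would be silently absent. At minimum, put a comment above the write, e.g. `/* ICIALLU invalidates the BTB only if secure firmware set ACTLR[0] */`, and consider a one-time boot warning when the bit reads as clear. Separately, the surrounding `if (addr > TASK_SIZE)` skips an abort at exactly TASK_SIZE; confirm whether `>=` was intended, since that address is also outside the user mapping. The body of do_pabt_page_fault starts and ends outside this hunk, so any handling elsewhere in the function is not visible here.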