[U-Boot] U-Boot, cache speculation side channel attacks and ARM

Michael Nazzareno Trimarchi michael at amarulasolutions.com
Sat Jan 20 09:47:39 UTC 2018


Hi Nishanth

On Sat, Jan 20, 2018 at 12:10 AM, Nishanth Menon <nm at ti.com> wrote:
> On 01/19/2018 04:21 PM, Mark Kettenis wrote:
>>>
>>> Date: Fri, 19 Jan 2018 16:56:14 -0500
>>> From: Tom Rini <trini at konsulko.com>
>>>
>>> Hey all,
>>>
>>> So, now that things have quieted down a little bit in this area, I've
>>> been wondering about something.  Over on the U-Boot side of things, are
>>> there changes we need to make in order to support the kernel side of the
>>> various mitigations properly?  I know that for example currently
>>> https://developer.arm.com/support/security-update talks about ATF
>>> patches, in the context of AArch64 however.  But on the other hand for
>>> variant 2, there's nothing listed on the Linux side for 32bit ARM, but
>>> there is for non-Linux OSes.
>>>
>>> And, in the event I'm also missing something else entirely that we need
>>> to do here, is there something that we need to be doing?  Or is it still
>>> too early at this point in time to know?
>>
>>
>> I think that for AArch32, the following bit advice is relevant:
>>
>>    For Cortex-A15, set ACTLR[0]==1 from early initialization of the
>>    processor, and invalidate the branch predictor by performing an
>>    ICIALLU instruction.
>>
>> For now OpenBSD assumes that "the firmware" sets ACTLR[0] since this
>> register may be read-only in non-secure mode.  And unless I missed
>> something Linux makes the same assumption.
>>
>> If U-Boot provides the PSCI implementation it should probably flush
>> the BTB on affected 32-bit processors and should defenitely flush on
>> 64-bit processors.
>
>
> Seeing the traffic in kernel, I think I understand these two I know of at
> least?
>
> A8/9/12/17:
> "So without IBE set, as the comments above say, the flush won't do
> anything."

Regarding IBE set, is this can be set later on boot stage after MLO?

Michael

> https://marc.info/?l=linux-arm-kernel&m=151566145121435&w=2
>
> A15: ACTLR
> https://marc.info/?l=linux-arm-kernel&m=151562519425981&w=2
>
> Am I misunderstanding the list we need to do in u-boot?
>
> --
> Regards,
> Nishanth Menon
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot



-- 
| Michael Nazzareno Trimarchi                     Amarula Solutions BV |
| COO  -  Founder                                      Cruquiuskade 47 |
| +31(0)851119172                                 Amsterdam 1018 AM NL |
|                  [`as] http://www.amarulasolutions.com               |


More information about the U-Boot mailing list