armstub8: Add PSCI monitor support for BCM2711 #121

hanzyd commented Mar 2, 2021

This monitor is used to work around a few issues in the
Cortex-A72 CPU used in BCM2711:

  • CVE-2017-5715 aka Spectre-v2. Invalidate the Branch Target
    Buffer (BTB) on entry to EL3 by disabling and enabling the MMU.
  • CVE-2018-3639 aka Spectre-v4. Set or clean bit 55
    (Disable load pass store) of CPUACTLR_EL1, when requested
    by SMCCC_ARCH_WORKAROUND_2.
  • Prevent speculative execution past ERET.
  • Implement workaround for AT speculative behaviour

This work is based on Oleksandr RPi3 psci-monitor [1] and
Arm Trusted Firmware [2].

Mitigations are implemented according to "ARM DEN 0070A" [3].

CVE workarounds could be controlled via Linux command line
options [4]: nospectre_v2 and ssbd=

Validation was done using Ghostbusters [5] and Google's Safeside
project [6].

Supported functions include:
PSCI_VERSION
PSCI_CPU_OFF
PSCI_CPU_ON
PSCI_AFFINITY_INFO
PSCI_MIGRATE_INFO_TYPE
PSCI_MIGRATE_INFO_UP_CPU
PSCI_SYSTEM_OFF
PSCI_SYSTEM_RESET
PSCI_FEATURES
SMCCC_VERSION
SMCCC_ARCH_WORKAROUND_1
SMCCC_ARCH_WORKAROUND_2

As a side effect of this, Linux kexec is now working.

Performance degradation was evaluated using Phoronix hackbench
and it is around 6% in combined case, I would say.

"Hackbench - Count: 4 - Type: Process"

00 = spectre_v2: Vulnerable, spec_store_bypass: Vulnerable
01 = spectre_v2: Mitigated, spec_store_bypass: Vulnerable
02 = spectre_v2: Vulnerable, spec_store_bypass: Mitigated
03 = spectre_v2: Mitigated, spec_store_bypass: Mitigated
04 = no PSCI monitor at all
05 = no PSCI monitor at all

     Run-1   | Run-2   | Run-3, seconds
----------------------------------------
00 | 100.689 | 100.215 | 100.749
01 | 103.386 | 104.627 | 104.387
02 | 104.519 | 105.383 | 104.611
03 | 107.084 | 106.081 | 107.269
04 | 101.301 | 101.894 | 102.564
05 | 100.302 | 101.85  | 99.912

Details could be found here [7].

[1] https://github.com/gonzoua/rpi3-psci-monitor
[2] https://github.com/Arm-Software/arm-trusted-firmware
[3] "Firmware interfaces for mitigating cache speculation vulnerabilities"
[4] https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
[5] https://github.com/Sultanic/Ghostbusters.git
[6] https://github.com/google/safeside.git
[7] https://openbenchmarking.org/result/2103024-HA-PSCIMON0014,2103020-HA-PSCIMON0130,2103027-HA-PSCIMON0242,2103028-HA-PSCIMON0310,2103021-HA-PSCIMON0401,2103021-HA-PSCIMON0524

Signed-off-by: Ivan T. Ivanov [email protected]
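
A host-runnable C model of the SMCCC_ARCH_WORKAROUND_1/2 handling described in the PR description above; it is an added example, not code from this pull request. The `cpu_model` struct, `smc_entry` and the `SMC_HANDLED` marker are hypothetical names, a plain variable stands in for CPUACTLR_EL1, and the function IDs are the ones assigned by the Arm SMCCC documents.

```c
#include <stdint.h>
#include <stdio.h>

/* Function IDs as assigned by the Arm SMCCC / DEN 0070A documents. */
#define SMCCC_ARCH_WORKAROUND_1 0x80008000u
#define SMCCC_ARCH_WORKAROUND_2 0x80007FFFu
#define SMC_HANDLED        0      /* model-only marker, not an ABI value */
#define SMC_NOT_SUPPORTED  (-1)   /* SMCCC NOT_SUPPORTED */

/* Bit 55 of CPUACTLR_EL1 on Cortex-A72: "Disable load pass store". */
#define DIS_LOAD_PASS_STORE (UINT64_C(1) << 55)

/* Hypothetical host-side stand-in for one core's state. */
struct cpu_model {
    uint64_t cpuactlr_el1;       /* replaces the real system register */
    unsigned btb_invalidations;  /* counts modelled entries to EL3 */
};

/* Model of the monitor's SMC entry: fid is w0, arg1 is w1. */
static int smc_entry(struct cpu_model *cpu, uint32_t fid, uint32_t arg1)
{
    /* Spectre-v2: the BTB is invalidated on every entry to EL3, so
     * WORKAROUND_1 itself has nothing left to do (assumption of this model). */
    cpu->btb_invalidations++;

    switch (fid) {
    case SMCCC_ARCH_WORKAROUND_1:
        return SMC_HANDLED;
    case SMCCC_ARCH_WORKAROUND_2:
        /* Read-modify-write: only bit 55 may change. */
        if (arg1)
            cpu->cpuactlr_el1 |= DIS_LOAD_PASS_STORE;   /* mitigation on */
        else
            cpu->cpuactlr_el1 &= ~DIS_LOAD_PASS_STORE;  /* mitigation off */
        return SMC_HANDLED;
    default:
        return SMC_NOT_SUPPORTED;
    }
}

int main(void)
{
    /* 0x1234 is a constructed register value, not a real reset value. */
    struct cpu_model cpu = { .cpuactlr_el1 = 0x1234, .btb_invalidations = 0 };
    smc_entry(&cpu, SMCCC_ARCH_WORKAROUND_2, 1);
    printf("ssbd on : 0x%016llx\n", (unsigned long long)cpu.cpuactlr_el1);
    smc_entry(&cpu, SMCCC_ARCH_WORKAROUND_2, 0);
    printf("ssbd off: 0x%016llx\n", (unsigned long long)cpu.cpuactlr_el1);
    return 0;
}
```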

pelwell (Contributor) commented Mar 2, 2021

Why do you think this should be the standard ARMv8 stub, given that it is so easy for distributions to provide their own?

And are you the author? Your GitHub userid does not make this obvious.

hanzyd (Author) commented Mar 2, 2021

Well, there are distributions that are using this stub, like openSUSE.
In some sense it is easier to add simple mitigations here than to use
big/fat TF-A. I think there will be others that could benefit from this.

This work is heavily based on TF-A and RPi3 monitor, as stated in commit
message, but, yes, I am the author of this.
