Use implicit error sync barriers to isolate SError exceptions
SError exceptions are asynchronous and can happen at an exception level or VM
other than the one responsible for it. Armv8.2 mandates RAS support, which
adds the option of having implicit error synchronization barriers on entry or
exit from EL2.
Error Synchronization Barriers allow the efficient isolation of errors and are
lighter weight than other barriers, because they do not necessarily order
accesses or flush the pipeline (see Arm Cortex-A76 Core Technical Reference
Manual).
Before this change, a malicious VM could potentially trigger an SError that would
cause Hafnium either to panic or to abort another VM.
Bug: 147342742
Bug: 140916188
Change-Id: Ie74d58b1de476789fe0876655f28b38098b1c766
diff --git a/src/arch/aarch64/hypervisor/handler.c b/src/arch/aarch64/hypervisor/handler.c
index 231bbe4..44fa3ae 100644
--- a/src/arch/aarch64/hypervisor/handler.c
+++ b/src/arch/aarch64/hypervisor/handler.c
@@ -185,7 +185,7 @@
(void)elr;
(void)spsr;
- panic("IRQ from current");
+ panic("IRQ from current exception level.");
}
noreturn void fiq_current_exception_noreturn(uintreg_t elr, uintreg_t spsr)
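Review bot: the new panic strings in this hunk and the two below now end with a trailing period ("IRQ from current exception level."); if the other panic() messages in the tree do not end with a period, drop it here for consistency, or update them all in the same change rather than leaving two styles.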
@@ -193,7 +193,7 @@
(void)elr;
(void)spsr;
- panic("FIQ from current");
+ panic("FIQ from current exception level.");
}
noreturn void serr_current_exception_noreturn(uintreg_t elr, uintreg_t spsr)
@@ -201,7 +201,7 @@
(void)elr;
(void)spsr;
- panic("SERR from current");
+ panic("SError from current exception level.");
}
noreturn void sync_current_exception_noreturn(uintreg_t elr, uintreg_t spsr)
@@ -625,10 +625,15 @@
return irq_lower();
}
-struct vcpu *serr_lower(void)
+noreturn struct vcpu *serr_lower(void)
{
- dlog("SERR from lower\n");
- return api_abort(current());
+ /*
+ * SError exceptions should be isolated and handled by the responsible
+ * VM/exception level. Getting here indicates a bug, that isolation is
+ * not working, or a processor that does not support ARMv8.2-IESB, in
+ * which case Hafnium routes SError exceptions to EL2 (here).
+ */
+ panic("SError from a lower exception level.");
}
/**
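Review bot: the comment in this hunk says that on a processor without ARMv8.2-IESB, SError exceptions are still routed to EL2 and land here, so replacing `return api_abort(current());` with `panic("SError from a lower exception level.");` turns a VM-triggered SError from aborting the offending VM into a whole-hypervisor panic on that hardware, which looks like a regression for exactly the malicious-VM case the commit message describes. Consider keeping the abort path when IESB is unavailable (or gating the panic on a feature check), and since nothing in this diff shows the implicit barriers being enabled, point to where that happens from the comment if it lives outside handler.c. Also, `noreturn struct vcpu *serr_lower(void)` is legal C but reads oddly; if the pointer return type is kept only so the signature still matches its callers, say so in the comment and make sure the declaration in the header carries the same `noreturn`.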