feat: add ARM64 silicon errata checks (issue #357)

Add detection for three speculation/security-relevant ARM64 errata families that are tracked by vendor erratum IDs rather than CVEs: Speculative AT TLB corruption (1165522/1319367/1319537/1530923), speculative unprivileged load (2966298/3117295), and MSR SSBS not self-synchronizing (3194386 and siblings). Reserves a new CVE-0001-NNNN placeholder range for vendor errata and adds a --errata <number> selector alongside --variant/--cve. CPU affection is determined per-core from (implementer, part, variant, revision) tuples read from /proc/cpuinfo, matching the kernel's MIDR ranges (including Kryo4xx Silver for erratum 1530923). Kernel mitigation detection uses the erratum-specific CONFIG_ARM64_ERRATUM_NNNN symbols, kernel image descriptor strings, and dmesg output (no sysfs for these)
2026-06-06 14:43:04 +02:00 · 2026-04-21 08:31:00 +02:00
parent 03b1787d69
commit 8a302b56e6
8 changed files with 380 additions and 7 deletions
@@ -0,0 +1,75 @@
+# vim: set ts=4 sw=4 sts=4 et:
+###############################
+# CVE-0001-0002, ARM SPEC UNPRIV LOAD, ARM64 errata 2966298/3117295, Speculative unprivileged load
+
+check_CVE_0001_0002() {
+    check_cve 'CVE-0001-0002'
+}
+
+# On affected cores, a speculatively-executed unprivileged load from a page that is mapped as
+# privileged can leak the loaded value into the cache hierarchy, allowing a Spectre-style
+# cache side-channel to expose privileged kernel data to userspace. Kernel workaround:
+# sandwich kernel-exit sequences with an additional speculation barrier/DSB so that
+# speculative unprivileged loads cannot observe privileged state
+# (ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD).
+#   * Cortex-A510 all revs    erratum 3117295   CONFIG_ARM64_ERRATUM_3117295
+#   * Cortex-A520 r0p0..r0p1  erratum 2966298   CONFIG_ARM64_ERRATUM_2966298
+# References:
+#   arch/arm64/Kconfig (ARM64_ERRATUM_{2966298,3117295})
+#   arch/arm64/kernel/cpu_errata.c (erratum_spec_unpriv_load_list, "ARM errata 2966298, 3117295")
+#   Cortex-A510 SDEN: https://developer.arm.com/documentation/SDEN-2397239/latest
+check_CVE_0001_0002_linux() {
+    local cve kernel_mitigated config_found erratum
+    cve='CVE-0001-0002'
+    kernel_mitigated=''
+    config_found=''
+
+    if [ "$opt_sysfs_only" != 1 ] && is_arm_kernel; then
+        if [ -n "$opt_config" ]; then
+            for erratum in 2966298 3117295; do
+                if grep -q "^CONFIG_ARM64_ERRATUM_$erratum=y" "$opt_config"; then
+                    config_found="${config_found:+$config_found, }$erratum"
+                fi
+            done
+            [ -n "$config_found" ] && kernel_mitigated="found CONFIG_ARM64_ERRATUM_$config_found=y in kernel config"
+        fi
+        if [ -z "$kernel_mitigated" ] && [ -n "$g_kernel" ]; then
+            if "${opt_arch_prefix}strings" "$g_kernel" 2>/dev/null | grep -qE 'ARM errata 2966298, 3117295'; then
+                kernel_mitigated="found erratum descriptor string in kernel image"
+            fi
+        fi
+        if [ -z "$kernel_mitigated" ] && [ "$g_mode" = live ]; then
+            if dmesg 2>/dev/null | grep -qE 'ARM errata 2966298, 3117295'; then
+                kernel_mitigated="erratum workaround reported as applied in dmesg"
+            fi
+        fi
+
+        pr_info_nol "* Kernel has the ARM64 Speculative-Unprivileged-Load workaround compiled in: "
+        if [ -n "$kernel_mitigated" ]; then
+            pstatus green YES "$kernel_mitigated"
+        else
+            pstatus yellow NO
+        fi
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        pvulnstatus "$cve" OK "your CPU is not affected by this erratum family"
+    elif [ "$opt_sysfs_only" = 1 ]; then
+        pvulnstatus "$cve" UNK "no sysfs interface exists for this erratum, own checks have been skipped (--sysfs-only)"
+    elif [ -n "$kernel_mitigated" ]; then
+        pvulnstatus "$cve" OK "your kernel includes the erratum workaround"
+    else
+        pvulnstatus "$cve" VULN "your CPU is affected by this erratum family and the kernel does not appear to include the workaround"
+        explain "Run a kernel built with CONFIG_ARM64_ERRATUM_2966298=y (Cortex-A520) and/or CONFIG_ARM64_ERRATUM_3117295=y (Cortex-A510). These options are 'default y' in mainline and enabled by most distro kernels. Refer to the ARM Software Developers Errata Notice for your core for full details."
+    fi
+}
+
+check_CVE_0001_0002_bsd() {
+    local cve
+    cve='CVE-0001-0002'
+    if ! is_cpu_affected "$cve"; then
+        pvulnstatus "$cve" OK "your CPU is not affected by this erratum family"
+    else
+        pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+    fi
+}