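# vim: set ts=4 sw=4 sts=4 et:
###############################
# CVE-0001-0001, ARM SPEC AT, ARM64 errata 1165522/1319367/1319537/1530923, Speculative AT TLB corruption

# Entry point for this check: hands the CVE identifier to the generic check_cve dispatcher.
check_CVE_0001_0001() {
    check_cve 'CVE-0001-0001'
}

# On affected cores, a speculative address translation (AT) instruction issued from the hypervisor
# using an out-of-context translation regime may poison the TLB, causing a subsequent guest-context
# request to see an incorrect translation. Relevant mainly to KVM hosts. Kernel workaround:
# invalidate TLB state across world-switch for affected cores (ARM64_WORKAROUND_SPECULATIVE_AT).
#   * Cortex-A76 r0p0..r2p0  erratum 1165522  CONFIG_ARM64_ERRATUM_1165522
#   * Cortex-A72 all revs    erratum 1319367  CONFIG_ARM64_ERRATUM_1319367
#   * Cortex-A57 all revs    erratum 1319537  CONFIG_ARM64_ERRATUM_1319367 (same kconfig)
#   * Cortex-A55 r0p0..r2p0  erratum 1530923  CONFIG_ARM64_ERRATUM_1530923
# References:
#   arch/arm64/Kconfig (ARM64_ERRATUM_{1165522,1319367,1530923})
#   arch/arm64/kernel/cpu_errata.c (erratum_speculative_at_list, "ARM errata 1165522, 1319367, or 1530923")
#   Cortex-A55 SDEN: https://developer.arm.com/documentation/SDEN-1301074/latest
#
# Linux check. Looks for evidence of the workaround in the kernel config, then in the
# kernel image, then (live mode only) in dmesg, and reports the verdict via pvulnstatus.
# Globals read: opt_sysfs_only, opt_config, opt_arch_prefix, g_kernel, g_mode
check_CVE_0001_0001_linux() {
    # erratum is declared local so the loop variable does not leak into the caller's scope
    local cve kernel_mitigated config_found erratum
    cve='CVE-0001-0001'
    kernel_mitigated=''
    config_found=''

    if [ "$opt_sysfs_only" != 1 ] && is_arm_kernel; then
        # kconfig: any of the three erratum config options implies the workaround is compiled in
        # NOTE(review): this does not check that the option found is the one matching the
        # running core (see the table above). A kernel built with only one of the options
        # would be reported as mitigated on a core covered by a different option, which
        # could give a false OK. Confirm against cpu_errata.c before relying on it.
        if [ -n "$opt_config" ]; then
            for erratum in 1165522 1319367 1530923; do
                if grep -q "^CONFIG_ARM64_ERRATUM_$erratum=y" "$opt_config"; then
                    # collect full option names so the message stays accurate when several match
                    config_found="${config_found:+$config_found, }CONFIG_ARM64_ERRATUM_$erratum=y"
                fi
            done
            if [ -n "$config_found" ]; then
                kernel_mitigated="found $config_found in kernel config"
            fi
        fi

        # kernel image: look for the descriptor string the kernel prints at boot
        # (same caveat as above: the string is shared by all three errata)
        if [ -z "$kernel_mitigated" ] && [ -n "$g_kernel" ]; then
            if "${opt_arch_prefix}strings" "$g_kernel" 2>/dev/null | grep -qF 'ARM errata 1165522, 1319367'; then
                kernel_mitigated="found erratum descriptor string in kernel image"
            fi
        fi

        # live mode: dmesg prints the workaround once at boot
        # The line can be missing if the ring buffer has wrapped or dmesg is not readable
        # (stderr is discarded here), so absence only means "no evidence found".
        if [ -z "$kernel_mitigated" ] && [ "$g_mode" = live ]; then
            if dmesg 2>/dev/null | grep -qF 'ARM errata 1165522, 1319367'; then
                kernel_mitigated="erratum workaround reported as applied in dmesg"
            fi
        fi

        pr_info_nol "* Kernel has the ARM64 Speculative-AT workaround compiled in: "
        if [ -n "$kernel_mitigated" ]; then
            pstatus green YES "$kernel_mitigated"
        else
            pstatus yellow NO
        fi
    fi

    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU is not affected by this erratum family"
    elif [ "$opt_sysfs_only" = 1 ]; then
        pvulnstatus "$cve" UNK "no sysfs interface exists for this erratum, own checks have been skipped (--sysfs-only)"
    elif [ -n "$kernel_mitigated" ]; then
        pvulnstatus "$cve" OK "your kernel includes the erratum workaround"
    else
        # also reached on an affected CPU when is_arm_kernel is false, since no check ran
        pvulnstatus "$cve" VULN "your CPU is affected by this erratum family and the kernel does not appear to include the workaround"
        explain "Run a kernel built with CONFIG_ARM64_ERRATUM_1165522=y, CONFIG_ARM64_ERRATUM_1319367=y, and/or CONFIG_ARM64_ERRATUM_1530923=y (matching your CPU core). These options are 'default y' in mainline and enabled by most distro kernels. Refer to the ARM Software Developers Errata Notice for your core for full details."
    fi
}

# BSD check. No mitigation detection is implemented: an unaffected CPU is reported as OK,
# an affected one as UNK.
check_CVE_0001_0001_bsd() {
    local cve
    cve='CVE-0001-0001'
    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU is not affected by this erratum family"
    else
        pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
    fi
}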