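# vim: set ts=4 sw=4 sts=4 et:
###############################
# CVE-0001-0002, ARM SPEC UNPRIV LOAD, ARM64 errata 2966298/3117295, Speculative unprivileged load
#
# Entry point used by the generic dispatcher: delegates to check_cve, which
# selects the per-OS implementation below (_linux / _bsd).
check_CVE_0001_0002() {
    check_cve 'CVE-0001-0002'
}

# On affected cores, a speculatively-executed unprivileged load from a page that is mapped as
# privileged can leak the loaded value into the cache hierarchy, allowing a Spectre-style
# cache side-channel to expose privileged kernel data to userspace. Kernel workaround:
# sandwich kernel-exit sequences with an additional speculation barrier/DSB so that
# speculative unprivileged loads cannot observe privileged state
# (ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD).
# * Cortex-A510 all revs       erratum 3117295  CONFIG_ARM64_ERRATUM_3117295
# * Cortex-A520 r0p0..r0p1     erratum 2966298  CONFIG_ARM64_ERRATUM_2966298
# References:
#   arch/arm64/Kconfig                (ARM64_ERRATUM_{2966298,3117295})
#   arch/arm64/kernel/cpu_errata.c    (erratum_spec_unpriv_load_list, "ARM errata 2966298, 3117295")
#   Cortex-A510 SDEN: https://developer.arm.com/documentation/SDEN-2397239/latest
#
# Detection notes (no sysfs vulnerabilities/ entry exists for this erratum family, so the
# script has to rely on its own heuristics, in this order of preference):
#   1. kernel config       -> proves the workaround is compiled in
#   2. kernel image strings -> proves the workaround is compiled in (descriptor string present)
#   3. dmesg (live only)   -> the kernel logs the descriptor string when it enables the workaround
# Evidence 1 and 2 only show the code is present; whether it is actually enabled at boot is
# decided by the kernel from the running core's MIDR (presumably via the cpu_errata.c list
# referenced above), which is why the status line is worded "compiled in". Also note that
# dmesg may be unreadable for unprivileged users (kernel.dmesg_restrict), in which case the
# third probe silently yields no evidence; run as root for the most reliable result.
check_CVE_0001_0002_linux() {
    local cve kernel_mitigated config_found erratum erratum_desc
    cve='CVE-0001-0002'
    kernel_mitigated=''
    config_found=''
    # Literal .desc string of the workaround entry in arch/arm64/kernel/cpu_errata.c;
    # it is searched verbatim (fixed-string grep) in the kernel image and in dmesg.
    erratum_desc='ARM errata 2966298, 3117295'

    if [ "$opt_sysfs_only" != 1 ] && is_arm_kernel; then
        # 1) kernel config: collect every enabled erratum option so that the message
        #    names each CONFIG_ option in full (a combined "CONFIG_..._2966298, 3117295=y"
        #    would be misleading when both are set).
        if [ -n "$opt_config" ]; then
            for erratum in 2966298 3117295; do
                if grep -q "^CONFIG_ARM64_ERRATUM_$erratum=y" "$opt_config"; then
                    config_found="${config_found:+$config_found, }CONFIG_ARM64_ERRATUM_$erratum=y"
                fi
            done
            if [ -n "$config_found" ]; then
                kernel_mitigated="found $config_found in kernel config"
            fi
        fi

        # 2) kernel image: look for the workaround descriptor string. `strings` may be
        #    missing for the cross-arch prefix; that is a deliberate best-effort, hence 2>/dev/null.
        if [ -z "$kernel_mitigated" ] && [ -n "$g_kernel" ]; then
            if "${opt_arch_prefix}strings" "$g_kernel" 2>/dev/null | grep -qF -- "$erratum_desc"; then
                kernel_mitigated="found erratum descriptor string in kernel image"
            fi
        fi

        # 3) dmesg (live mode only): the strongest evidence, since the kernel only logs the
        #    descriptor when it actually enables the workaround on this CPU. Errors
        #    (e.g. dmesg_restrict for non-root) are ignored and simply give no evidence.
        if [ -z "$kernel_mitigated" ] && [ "$g_mode" = live ]; then
            if dmesg 2>/dev/null | grep -qF -- "$erratum_desc"; then
                kernel_mitigated="erratum workaround reported as applied in dmesg"
            fi
        fi

        pr_info_nol "* Kernel has the ARM64 Speculative-Unprivileged-Load workaround compiled in: "
        if [ -n "$kernel_mitigated" ]; then
            pstatus green YES "$kernel_mitigated"
        else
            pstatus yellow NO
        fi
    fi

    # Final verdict: CPU affectedness first, then the (possibly skipped) kernel evidence.
    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU is not affected by this erratum family"
    elif [ "$opt_sysfs_only" = 1 ]; then
        pvulnstatus "$cve" UNK "no sysfs interface exists for this erratum, own checks have been skipped (--sysfs-only)"
    elif [ -n "$kernel_mitigated" ]; then
        pvulnstatus "$cve" OK "your kernel includes the erratum workaround"
    else
        pvulnstatus "$cve" VULN "your CPU is affected by this erratum family and the kernel does not appear to include the workaround"
        explain "Run a kernel built with CONFIG_ARM64_ERRATUM_2966298=y (Cortex-A520) and/or CONFIG_ARM64_ERRATUM_3117295=y (Cortex-A510). These options are 'default y' in mainline and enabled by most distro kernels. Refer to the ARM Software Developers Errata Notice for your core for full details."
    fi
}

# BSD: only CPU affectedness is evaluated; no kernel-side detection is implemented yet,
# so an affected CPU is reported as UNK rather than VULN (we cannot tell either way).
check_CVE_0001_0002_bsd() {
    local cve
    cve='CVE-0001-0002'
    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU is not affected by this erratum family"
    else
        pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
    fi
}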