
[xen staging-4.19] xen/arm: Mitigate TLBI errata on various Arm CPUs



commit a9c8547cc8d8522a83adfaa87d35d97e2b15f237
Author:     Michal Orzel <michal.orzel@xxxxxxx>
AuthorDate: Fri May 22 09:35:58 2026 +0200
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Thu Jun 4 21:47:50 2026 +0100

    xen/arm: Mitigate TLBI errata on various Arm CPUs
    
    A number of CPUs developed by Arm suffer from errata whereby a broadcast
    TLBI + DSB sequence may complete before the global observation of writes
    which are translated by an affected TLB entry. This can lead to memory
    corruption and potential privilege escalation.
    
    These errata ONLY affect the completion of memory accesses which have
    been translated by an invalidated TLB entry, and these errata DO NOT
    affect the actual invalidation of TLB entries. TLB entries are removed
    correctly.
    
    To mitigate this issue, Arm recommends that software follows each
    TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that
    all memory write effects affected by the first TLBI have been globally
    observed.
    
    The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the
    issue. Enable this workaround for affected CPUs.
    
    This is XSA-493 / CVE-2025-10263.
    
    Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
    Reviewed-by: Julien Grall <julien@xxxxxxx>
    (cherry picked from commit 161e8f61b5b0f2c205072c7bc699bfc37653999f)
---
 xen/arch/arm/Kconfig     | 21 ++++++++++++
 xen/arch/arm/cpuerrata.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+)

diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
index 21d03d9f44..12aa8580c8 100644
--- a/xen/arch/arm/Kconfig
+++ b/xen/arch/arm/Kconfig
@@ -436,6 +436,27 @@ config ARM64_ERRATUM_1508412
 
          If unsure, say Y.
 
+config ARM64_ERRATUM_CVE_2025_10263
+       bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses 
might not be guaranteed by completion of a TLBI"
+       default y
+       depends on ARM_64
+       select ARM64_WORKAROUND_REPEAT_TLBI
+       help
+         This option adds a workaround for CVE-2025-10263.
+
+         A broadcast TLBI on another PE may complete before affected memory
+         accesses are globally observed. This may permit bypass of Stage 1
+         translation, Stage-2 translation, or GPT protection.
+
+         The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for 
all
+         the broadcast TLB flush operations. A single additional TLBI and DSB 
are
+         sufficient regardless of how many TLBIs are completed by the DSB.
+
+         Note that software workarounds are required at all execution levels 
for
+         affected parts to fully mitigate this issue.
+
+         If unsure, say Y.
+
 endmenu
 
 config ARM64_HARDEN_BRANCH_PREDICTOR
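Review bot: The help text of `ARM64_ERRATUM_CVE_2025_10263` identifies the issue only by its CVE number, while the commit message also tracks it as XSA-493. Naming both makes the option easier to match against the Xen advisory when auditing a `.config`, for example `This option adds a workaround for CVE-2025-10263 (XSA-493).` as the first help line. The last help paragraph says workarounds are required at all execution levels, so it may be worth adding one sentence that this option only changes the hypervisor's own broadcast TLB flushes and that guest kernels and firmware need their own fixes. That reading is inferred from the help text, not from code visible in this hunk.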
diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c
index 2b7101ea25..1fb0cf599f 100644
--- a/xen/arch/arm/cpuerrata.c
+++ b/xen/arch/arm/cpuerrata.c
@@ -535,6 +535,92 @@ static const struct arm_cpu_capabilities arm_errata[] = {
         MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT),
     },
 #endif
+#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_C1_ULTRA),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM),
+    },
+#endif
 #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR
     {
         .capability = ARM_HARDEN_BRANCH_PREDICTOR,
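Review bot: None of the 21 entries added under `CONFIG_ARM64_ERRATUM_CVE_2025_10263` sets `.desc`. If the capability-enabling code only logs entries that carry a description (that code is outside this hunk, so please confirm), the boot log will not show that the CVE-2025-10263 mitigation was turned on for a given core. Adding `.desc = "ARM erratum CVE-2025-10263",` to each entry would let operators verify coverage from the console log. The block also adds `MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1)` directly after an entry that already matches `MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT)`, so a one-line comment above the `#ifdef` stating that the overlap is intentional and that the list follows the affected-CPU list for XSA-493 / CVE-2025-10263 would help whoever extends it. The `arm_errata[]` array starts and ends outside the hunk.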
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.19



 

