From d148e0b79ab2c7f2d5ac82b8ae9b5f918367dfb3 Mon Sep 17 00:00:00 2001
From: Michal Orzel <michal.orzel@amd.com>
Date: Fri, 22 May 2026 09:35:58 +0200
Subject: xen/arm: Mitigate TLBI errata on various Arm CPUs

A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI + DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry. This can lead to memory
corruption and potential privilege escalation.

These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.

To mitigate this issue, Arm recommends that software follows each
TLBI+DSB sequence with an additional TLBI+DSB, which will ensure that
all memory write effects affected by the first TLBI have been globally
observed.

The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate the
issue. Enable this workaround for affected CPUs.

This is XSA-493 / CVE-2025-10263.

Signed-off-by: Michal Orzel <michal.orzel@amd.com>
Reviewed-by: Julien Grall <julien@xen.org>

diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
index 21d03d9f4424..12aa8580c820 100644
--- a/xen/arch/arm/Kconfig
+++ b/xen/arch/arm/Kconfig
@@ -436,6 +436,27 @@ config ARM64_ERRATUM_1508412
 
 	  If unsure, say Y.
 
+config ARM64_ERRATUM_CVE_2025_10263
+	bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
+	default y
+	depends on ARM_64
+	select ARM64_WORKAROUND_REPEAT_TLBI
+	help
+	  This option adds a workaround for CVE-2025-10263.
+
+	  A broadcast TLBI on another PE may complete before affected memory
+	  accesses are globally observed. This may permit bypass of Stage 1
+	  translation, Stage-2 translation, or GPT protection.
+
+	  The workaround repeats the TLBI VALE2IS, XZR + DSB ISH operation for all
+	  the broadcast TLB flush operations. A single additional TLBI and DSB are
+	  sufficient regardless of how many TLBIs are completed by the DSB.
+
+	  Note that software workarounds are required at all execution levels for
+	  affected parts to fully mitigate this issue.
+
+	  If unsure, say Y.
+
 endmenu
 
 config ARM64_HARDEN_BRANCH_PREDICTOR
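Review bot: The help text names one exact sequence, `TLBI VALE2IS, XZR + DSB ISH`, but the code behind ARM64_WORKAROUND_REPEAT_TLBI is not part of this patch, so the wording should be checked against what the workaround actually emits. If it differs, a generic form is safer, e.g. `The workaround issues one additional TLBI + DSB after each broadcast TLB flush sequence.` The closing paragraph is the part operators most need and could state its scope directly: `Enabling this option only covers TLB maintenance performed by Xen; guest kernels and firmware on affected parts need their own mitigation.` Minor: "Stage 1" and "Stage-2" are hyphenated inconsistently within the same sentence.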
diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c
index 2b7101ea2524..1fb0cf599fb0 100644
--- a/xen/arch/arm/cpuerrata.c
+++ b/xen/arch/arm/cpuerrata.c
@@ -535,6 +535,92 @@ static const struct arm_cpu_capabilities arm_errata[] = {
         MIDR_RANGE(MIDR_NEOVERSE_N1, 0, 3 << MIDR_VARIANT_SHIFT),
     },
 #endif
+#ifdef CONFIG_ARM64_ERRATUM_CVE_2025_10263
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_C1_ULTRA),
+    },
+    {
+        .capability = ARM64_WORKAROUND_REPEAT_TLBI,
+        MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM),
+    },
+#endif
 #ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR
     {
         .capability = ARM_HARDEN_BRANCH_PREDICTOR,
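Review bot: None of the 21 new entries sets a description string, so the boot log may not show that the CVE-2025-10263 mitigation was applied on a matching core; this assumes `struct arm_cpu_capabilities` prints its `.desc` when a capability is first enabled, as other entries in this table appear to rely on. Adding e.g. `.desc = "ARM erratum CVE-2025-10263",` to each entry would let operators confirm from the console log that the workaround is active. A one-line comment above the `#ifdef`, such as `/* All revisions of the cores Arm lists as affected by CVE-2025-10263 (XSA-493) */`, would also help whoever extends the list later. The `MIDR_*` constants used here (for example `MIDR_CORTEX_X925`, `MIDR_C1_ULTRA`) are not defined by this patch, so they presumably come from a prerequisite change; `arm_errata[]` itself starts and ends outside the hunk.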
