123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 |
- Advisory TFV-6 (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
- ============================================================
- +----------------+-------------------------------------------------------------+
- | Title | Trusted Firmware-A exposure to speculative processor |
- | | vulnerabilities using cache timing side-channels |
- +================+=============================================================+
- | CVE ID | `CVE-2017-5753`_ / `CVE-2017-5715`_ / `CVE-2017-5754`_ |
- +----------------+-------------------------------------------------------------+
- | Date | 03 Jan 2018 (Updated 11 Jan, 18 Jan, 26 Jan, 30 Jan and 07 |
- | | June 2018) |
- +----------------+-------------------------------------------------------------+
- | Versions | All, up to and including v1.4 |
- | Affected | |
- +----------------+-------------------------------------------------------------+
- | Configurations | All |
- | Affected | |
- +----------------+-------------------------------------------------------------+
- | Impact | Leakage of secure world data to normal world |
- +----------------+-------------------------------------------------------------+
- | Fix Version | `Pull Request #1214`_, `Pull Request #1228`_, |
- | | `Pull Request #1240`_ and `Pull Request #1405`_ |
- +----------------+-------------------------------------------------------------+
- | Credit | Google / Arm |
- +----------------+-------------------------------------------------------------+
- This security advisory describes the current understanding of the Trusted
- Firmware-A exposure to the speculative processor vulnerabilities identified by
- `Google Project Zero`_. To understand the background and wider impact of these
- vulnerabilities on Arm systems, please refer to the `Arm Processor Security
- Update`_.
- Variant 1 (`CVE-2017-5753`_)
- ----------------------------
- At the time of writing, no vulnerable patterns have been observed in upstream TF
- code, therefore no workarounds have been applied or are planned.
- Variant 2 (`CVE-2017-5715`_)
- ----------------------------
- Where possible on vulnerable CPUs, Arm recommends invalidating the branch
- predictor as early as possible on entry into the secure world, before any branch
- instruction is executed. There are a number of implementation defined ways to
- achieve this.
- For Cortex-A57 and Cortex-A72 CPUs, the Pull Requests (PRs) in this advisory
- invalidate the branch predictor when entering EL3 by disabling and re-enabling
- the MMU.
- For Cortex-A73 and Cortex-A75 CPUs, the PRs in this advisory invalidate the
- branch predictor when entering EL3 by temporarily dropping into AArch32
- Secure-EL1 and executing the ``BPIALL`` instruction. This workaround is
- significantly more complex than the "MMU disable/enable" workaround. The latter
- is not effective at invalidating the branch predictor on Cortex-A73/Cortex-A75.
- Note that if other privileged software, for example a Rich OS kernel, implements
- its own branch predictor invalidation during context switch by issuing an SMC
- (to execute firmware branch predictor invalidation), then there is a dependency
- on the PRs in this advisory being deployed in order for those workarounds to
- work. If that other privileged software is able to workaround the vulnerability
- locally (for example by implementing "MMU disable/enable" itself), there is no
- such dependency.
- `Pull Request #1240`_ and `Pull Request #1405`_ optimise the earlier fixes by
- implementing a specified `CVE-2017-5715`_ workaround SMC
- (``SMCCC_ARCH_WORKAROUND_1``) for use by normal world privileged software. This
- is more efficient than calling an arbitrary SMC (for example ``PSCI_VERSION``).
- Details of ``SMCCC_ARCH_WORKAROUND_1`` can be found in the `CVE-2017-5715
- mitigation specification`_. The specification and implementation also enable
- the normal world to discover the presence of this firmware service.
- On Juno R1 we measured the round trip latency for both the ``PSCI_VERSION`` and
- ``SMCCC_ARCH_WORKAROUND_1`` SMCs on Cortex-A57, using both the "MMU
- disable/enable" and "BPIALL at AArch32 Secure-EL1" workarounds described above.
- This includes the time spent in test code conforming to the SMC Calling
- Convention (SMCCC) from AArch64. For the ``SMCCC_ARCH_WORKAROUND_1`` cases, the
- test code uses SMCCC v1.1, which reduces the number of general purpose registers
- it needs to save/restore. Although the ``BPIALL`` instruction is not effective
- at invalidating the branch predictor on Cortex-A57, the drop into Secure-EL1
- with MMU disabled that this workaround entails effectively does invalidate the
- branch predictor. Hence this is a reasonable comparison.
- The results were as follows:
- +------------------------------------------------------------------+-----------+
- | Test | Time (ns) |
- +==================================================================+===========+
- | ``PSCI_VERSION`` baseline (without PRs in this advisory) | 515 |
- +------------------------------------------------------------------+-----------+
- | ``PSCI_VERSION`` baseline (with PRs in this advisory) | 527 |
- +------------------------------------------------------------------+-----------+
- | ``PSCI_VERSION`` with "MMU disable/enable" | 930 |
- +------------------------------------------------------------------+-----------+
- | ``SMCCC_ARCH_WORKAROUND_1`` with "MMU disable/enable" | 386 |
- +------------------------------------------------------------------+-----------+
- | ``PSCI_VERSION`` with "BPIALL at AArch32 Secure-EL1" | 1276 |
- +------------------------------------------------------------------+-----------+
- | ``SMCCC_ARCH_WORKAROUND_1`` with "BPIALL at AArch32 Secure-EL1" | 770 |
- +------------------------------------------------------------------+-----------+
- Due to the high severity and wide applicability of this issue, the above
- workarounds are enabled by default (on vulnerable CPUs only), despite some
- performance and code size overhead. Platforms can choose to disable them at
- compile time if they do not require them. `Pull Request #1240`_ disables the
- workarounds for unaffected upstream platforms.
- For vulnerable AArch32-only CPUs (for example Cortex-A8, Cortex-A9 and
- Cortex-A17), the ``BPIALL`` instruction should be used as early as possible on
- entry into the secure world. For Cortex-A8, also set ``ACTLR[6]`` to 1 during
- early processor initialization. Note that the ``BPIALL`` instruction is not
- effective at invalidating the branch predictor on Cortex-A15. For that CPU, set
- ``ACTLR[0]`` to 1 during early processor initialization, and invalidate the
- branch predictor by performing an ``ICIALLU`` instruction.
- On AArch32 EL3 systems, the monitor and secure-SVC code is typically tightly
- integrated, for example as part of a Trusted OS. Therefore any Variant 2
- workaround should be provided by vendors of that software and is outside the
- scope of TF. However, an example implementation in the minimal AArch32 Secure
- Payload, ``SP_MIN`` is provided in `Pull Request #1228`_.
- Other Arm CPUs are not vulnerable to this or other variants. This includes
- Cortex-A76, Cortex-A53, Cortex-A55, Cortex-A32, Cortex-A7 and Cortex-A5.
- For more information about non-Arm CPUs, please contact the CPU vendor.
- Variant 3 (`CVE-2017-5754`_)
- ----------------------------
- This variant is only exploitable between Exception Levels within the same
- translation regime, for example between EL0 and EL1, therefore this variant
- cannot be used to access secure memory from the non-secure world, and is not
- applicable for TF. However, Secure Payloads (for example, Trusted OS) should
- provide mitigations on vulnerable CPUs to protect themselves from exploited
- Secure-EL0 applications.
- The only Arm CPU vulnerable to this variant is Cortex-A75.
- .. _Google Project Zero: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
- .. _Arm Processor Security Update: http://www.arm.com/security-update
- .. _CVE-2017-5753: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
- .. _CVE-2017-5715: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
- .. _CVE-2017-5754: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
- .. _Pull Request #1214: https://github.com/ARM-software/arm-trusted-firmware/pull/1214
- .. _Pull Request #1228: https://github.com/ARM-software/arm-trusted-firmware/pull/1228
- .. _Pull Request #1240: https://github.com/ARM-software/arm-trusted-firmware/pull/1240
- .. _Pull Request #1405: https://github.com/ARM-software/arm-trusted-firmware/pull/1405
- .. _CVE-2017-5715 mitigation specification: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
|