xref: /rk3399_ARM-atf/docs/security_advisories/security-advisory-tfv-13.rst (revision e9db137a7f5fa48a6034bcd9054e7656f73b6ed4)
Advisory TFV-13 (CVE-2024-7881)
================================

+----------------+-----------------------------------------------------------------+
| Title          | An unprivileged context can trigger a data memory-dependent     |
|                | prefetch engine to fetch the contents of a privileged location  |
|                | and consume those contents as an address that is                |
|                | also dereferenced.                                              |
|                |                                                                 |
+================+=================================================================+
| CVE ID         | `CVE-2024-7881`_                                                |
+----------------+-----------------------------------------------------------------+
| Date           | Reported on 16 August 2024                                      |
+----------------+-----------------------------------------------------------------+
| Versions       | TF-A version from v2.2 to v2.12                                 |
| Affected       | LTS releases lts-v2.8.0 to lts-v2.8.28                          |
|                | LTS releases lts-v2.10.0 to lts-v2.10.12                        |
+----------------+-----------------------------------------------------------------+
| Configurations | All                                                             |
| Affected       |                                                                 |
+----------------+-----------------------------------------------------------------+
| Impact         | Potential leakage of secure world data to normal world.         |
+----------------+-----------------------------------------------------------------+
| Fix Version    | `Gerrit topic #ar/smccc_arch_wa_4`_                             |
|                | Also see mitigation guidance in the `Official Arm Advisory`_    |
+----------------+-----------------------------------------------------------------+
| Credit         | Arm                                                             |
+----------------+-----------------------------------------------------------------+

Description
-----------

An issue has been identified in some Arm-based CPUs that may allow
an unprivileged context to trigger a data memory-dependent prefetch engine
to fetch the contents of a privileged location (for which it
does not have read permission) and consume those contents as an address
that is also dereferenced.

The following table identifies all affected CPUs and revisions
for which a mitigation is provided in TF-A.

+----------------+--------------------------+------------------+
| CPU            | Affected Versions        | Fix Status       |
+================+==========================+==================+
| cortex-x3      | r0p0, r1p0, r1p1, r1p2   | open             |
+----------------+--------------------------+------------------+
| cortex-x4      | r0p0, r0p1, r0p2         | fixed in r0p3    |
+----------------+--------------------------+------------------+
| cortex-x925    | r0p0, r0p1               | fixed in r0p2    |
+----------------+--------------------------+------------------+
| neoverse-v2    | r0p0, r0p1, r0p2         | open             |
+----------------+--------------------------+------------------+
| neoverse-v3    | r0p0, r0p1               | fixed in r0p2    |
+----------------+--------------------------+------------------+
| neoverse-v3ae  | r0p0, r0p1               | fixed in r0p2    |
+----------------+--------------------------+------------------+
| c1-premium     | r0p0                     | fixed in r1p0    |
+----------------+--------------------------+------------------+
| c1-pro         | r0p0, r1p0               | fixed in r1p1    |
+----------------+--------------------------+------------------+
| c1-ultra       | r0p0                     | fixed in r1p0    |
+----------------+--------------------------+------------------+


Mitigation and Recommendations
------------------------------

Arm recommends following the mitigation steps and configuration changes
described in the official advisory. The mitigation for CVE-2024-7881 is
implemented at EL3 and addresses vulnerabilities caused by memory-dependent
speculative prefetching. This issue can be avoided by disabling the
affected prefetcher. For most cores, this is done by
setting CPUACTLR6_EL1[41] = 1. For C1-Pro, the affected prefetcher is
instead disabled by setting IMP_CPUECTLR_EL1[49] = 1.

Arm has updated the SMC Calling Convention spec so that privileged normal world
software can identify when the issue has been mitigated in
firmware (SMCCC_ARCH_WORKAROUND_4). Refer to the `SMC Calling Convention
Specification`_ for more details.
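
The mitigation decision described in the two paragraphs above, as an added worked example in C that is not TF-A's own code: it encodes the CPU table from this advisory, selects the register bit the text names (CPUACTLR6_EL1[41], or IMP_CPUECTLR_EL1[49] for C1-Pro), and models what an EL3 SMCCC_ARCH_FEATURES query for SMCCC_ARCH_WORKAROUND_4 should report. The SMCCC function IDs are taken from the SMC Calling Convention specification rather than from this page; the function names, the ``WA_CVE_2024_7881_ENABLED`` compile-time switch and the return-value modelling (0 when the core is affected and EL3 has applied the bit, NOT_SUPPORTED otherwise) are this example's own assumptions, and register values are simulated host-side instead of being read from system registers.

```c
/* Added example, not TF-A code: host-side model of the CVE-2024-7881
 * mitigation decision. CPU names and revisions are taken as strings so the
 * advisory's table can be used verbatim; a real EL3 handler would identify
 * the core from MIDR_EL1 and write the register during CPU reset handling. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical switch standing in for the advisory's "platforms can disable
 * the workaround at compile time" option (assumed name, not TF-A's). */
#ifndef WA_CVE_2024_7881_ENABLED
#define WA_CVE_2024_7881_ENABLED 1
#endif

/* Implementation-defined register that carries the prefetcher disable bit. */
enum wa_reg { WA_REG_CPUACTLR6_EL1, WA_REG_CPUECTLR_EL1 };

/* One row of the advisory's CPU table; revisions is the exact rXpY list. */
struct affected_cpu {
    const char *name;
    const char *revisions;      /* comma-separated, e.g. "r0p0,r1p0" */
    enum wa_reg reg;
    unsigned bit;
};

static const struct affected_cpu affected_cpus[] = {
    { "cortex-x3",    "r0p0,r1p0,r1p1,r1p2", WA_REG_CPUACTLR6_EL1, 41 },
    { "cortex-x4",    "r0p0,r0p1,r0p2",      WA_REG_CPUACTLR6_EL1, 41 },
    { "cortex-x925",  "r0p0,r0p1",           WA_REG_CPUACTLR6_EL1, 41 },
    { "neoverse-v2",  "r0p0,r0p1,r0p2",      WA_REG_CPUACTLR6_EL1, 41 },
    { "neoverse-v3",  "r0p0,r0p1",           WA_REG_CPUACTLR6_EL1, 41 },
    { "neoverse-v3ae", "r0p0,r0p1",          WA_REG_CPUACTLR6_EL1, 41 },
    { "c1-premium",   "r0p0",                WA_REG_CPUACTLR6_EL1, 41 },
    { "c1-pro",       "r0p0,r1p0",           WA_REG_CPUECTLR_EL1,  49 },
    { "c1-ultra",     "r0p0",                WA_REG_CPUACTLR6_EL1, 41 },
};

/* Function IDs from the SMC Calling Convention (DEN0028), not from the advisory. */
#define SMCCC_ARCH_FEATURES         0x80000001u
#define SMCCC_ARCH_WORKAROUND_4     0x80000004u
#define SMC_ARCH_CALL_NOT_SUPPORTED (-1)

/* True when "rXpY" appears as a whole token in the comma-separated list. */
static int revision_listed(const char *list, const char *rev)
{
    size_t n = strlen(rev);
    const char *p = list;
    while (p != NULL) {
        if (strncmp(p, rev, n) == 0 && (p[n] == '\0' || p[n] == ','))
            return 1;
        p = strchr(p, ',');
        if (p != NULL)
            p++;
    }
    return 0;
}

/* Returns the table row if this CPU revision needs the workaround, else NULL. */
const struct affected_cpu *wa_cve_2024_7881_lookup(const char *cpu, const char *rev)
{
    for (size_t i = 0; i < sizeof affected_cpus / sizeof affected_cpus[0]; i++) {
        if (strcmp(affected_cpus[i].name, cpu) == 0 &&
            revision_listed(affected_cpus[i].revisions, rev))
            return &affected_cpus[i];
    }
    return NULL;
}

/* Model of the reset-time step: set the prefetcher disable bit in the
 * register value the row names. Returns the value EL3 would write back. */
uint64_t wa_cve_2024_7881_apply(const struct affected_cpu *c, uint64_t reg_value)
{
    return reg_value | (1ULL << c->bit);
}

/* Model of the EL3 answer to SMCCC_ARCH_FEATURES(SMCCC_ARCH_WORKAROUND_4):
 * 0 when the core is affected and the workaround is built in, otherwise
 * NOT_SUPPORTED (also when the workaround was compiled out). */
int32_t smccc_arch_features_wa4(const char *cpu, const char *rev)
{
    if (!WA_CVE_2024_7881_ENABLED)
        return SMC_ARCH_CALL_NOT_SUPPORTED;
    return wa_cve_2024_7881_lookup(cpu, rev) != NULL ? 0 : SMC_ARCH_CALL_NOT_SUPPORTED;
}

int main(void)
{
    const char *cpu = "c1-pro", *rev = "r1p0";   /* constructed sample core */
    const struct affected_cpu *c = wa_cve_2024_7881_lookup(cpu, rev);
    if (c == NULL) {
        printf("%s %s: not affected, SMCCC_ARCH_WORKAROUND_4 -> %d\n",
               cpu, rev, (int)smccc_arch_features_wa4(cpu, rev));
        return 0;
    }
    printf("%s %s: set %s[%u], new value 0x%016llx, SMCCC_ARCH_WORKAROUND_4 -> %d\n",
           cpu, rev, c->reg == WA_REG_CPUECTLR_EL1 ? "IMP_CPUECTLR_EL1" : "CPUACTLR6_EL1",
           c->bit, (unsigned long long)wa_cve_2024_7881_apply(c, 0),
           (int)smccc_arch_features_wa4(cpu, rev));
    return 0;
}
```

Exact revision matching is used so that a fixed revision such as cortex-x4 r0p3 is reported as unaffected and receives neither the register write nor a 0 from the feature query; a platform that compiles the workaround out gets NOT_SUPPORTED for every core, which is what normal-world software should treat as "not mitigated by firmware".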

The above workaround is enabled by default (on vulnerable CPUs only).
Platforms can choose to disable it at compile time if
they do not require it.

For further technical information, affected CPUs, and detailed guidance,
refer to the full `Official Arm Advisory`_.

.. _CVE-2024-7881: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7881
.. _Gerrit topic #ar/smccc_arch_wa_4: https://review.trustedfirmware.org/q/topic:%22ar/smccc_arch_wa_4%22
.. _SMC Calling Convention Specification: https://developer.arm.com/documentation/den0028/latest
.. _Official Arm Advisory: https://developer.arm.com/documentation/110326/latest
