Advisory TFV-12 (CVE-2024-5660)
================================

+----------------+--------------------------------------------------------------+
| Title          | When Hardware Page Aggregation (HPA) is enabled memory       |
|                | accesses may be translated incorrectly.                      |
+================+==============================================================+
| CVE ID         | `CVE-2024-5660`_                                             |
+----------------+--------------------------------------------------------------+
| Date           | Reported on 26 Jan 2024                                      |
+----------------+--------------------------------------------------------------+
| Versions       | TF-A version from v2.2 to v2.12                              |
| Affected       | LTS releases lts-v2.8.0 to lts-v2.8.26                       |
|                | LTS releases lts-v2.10.0 to lts-v2.10.10                     |
+----------------+--------------------------------------------------------------+
| Configurations | Arm CPUs with Hardware Page Aggregation (HPA) running in     |
| Affected       | environments where a modified, untrusted guest OS may        |
|                | operate, especially with specific hypervisors.               |
+----------------+--------------------------------------------------------------+
| Impact         | Potential for a compromised guest OS to attack the host via  |
|                | HPA mechanism, resulting in possible information disclosure. |
+----------------+--------------------------------------------------------------+
| Fix Version    | `Gerrit-Patches`_                                            |
+----------------+--------------------------------------------------------------+
| Credit         | Arm                                                          |
+----------------+--------------------------------------------------------------+

Description
-----------

A vulnerability has been identified in certain Arm CPUs implementing the
Hardware Page Aggregation (HPA) feature. In environments utilizing virtualization,
a specially crafted or compromised guest operating system could exploit this
vulnerability to affect the host system. This could potentially lead to information
disclosure depending on the deployment scenario and hypervisor configuration.

The table below lists the CPUs for which TF-A mitigates this vulnerability.

+---------------+
| **Core**      |
+---------------+
| Cortex-A77    |
+---------------+
| Cortex-A78    |
+---------------+
| Cortex-A78C   |
+---------------+
| Cortex-A78AE  |
+---------------+
| Cortex-A710   |
+---------------+
| Cortex-X1     |
+---------------+
| Cortex-X2     |
+---------------+
| Cortex-X3     |
+---------------+
| Cortex-X4     |
+---------------+
| Cortex-X925   |
+---------------+
| Neoverse-V1   |
+---------------+
| Neoverse-V2   |
+---------------+
| Neoverse-V3   |
+---------------+
| Neoverse-N2   |
+---------------+

Mitigation and Recommendations
------------------------------

Arm recommends following the mitigation steps and configuration changes described in the
official advisory. The issue is avoided by setting CPUECTLR_EL1[46] to 1, which
disables hardware page aggregation.

Users should refer to the latest firmware updates as provided by vendors
and ensure that HPA-related security mitigations are enabled where applicable.

For further technical information, affected CPUs, and detailed guidance, refer to the
full `Official Arm Advisory`_.

.. _CVE-2024-5660: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5660
.. _Gerrit-Patches: https://review.trustedfirmware.org/q/topic:%22sm/fix_erratum%22
.. _Official Arm Advisory: https://developer.arm.com/documentation/110324/latest
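
The following triage helper is an added example, not part of the TF-A advisory or code base. It classifies an inventory record against the affected release ranges, the core table and the CPUECTLR_EL1[46] mitigation bit given above; the record layout, the result labels and the optional raw register readout (for instance from a debugger or a firmware log) are assumptions.

```python
import re

# Cores from the advisory's table (those TF-A carries the mitigation for).
LISTED_CORES = {
    "Cortex-A77", "Cortex-A78", "Cortex-A78C", "Cortex-A78AE", "Cortex-A710",
    "Cortex-X1", "Cortex-X2", "Cortex-X3", "Cortex-X4", "Cortex-X925",
    "Neoverse-V1", "Neoverse-V2", "Neoverse-V3", "Neoverse-N2",
}
HPA_DISABLE = 1 << 46  # CPUECTLR_EL1[46] = 1 disables hardware page aggregation

# Affected ranges from the advisory: mainline compared on (major, minor),
# LTS on (major, minor, patch).
MAINLINE_RANGE = ((2, 2), (2, 12))
LTS_RANGES = [((2, 8, 0), (2, 8, 26)), ((2, 10, 0), (2, 10, 10))]

TAG_RE = re.compile(r"(lts-)?v(\d+)\.(\d+)(?:\.(\d+))?")


def version_affected(tag):
    """True if a TF-A release tag falls in a range the advisory lists."""
    m = TAG_RE.fullmatch(tag.strip())
    if not m:
        raise ValueError(f"unrecognised TF-A tag: {tag!r}")
    major, minor, patch = int(m[2]), int(m[3]), int(m[4] or 0)
    if m[1]:  # LTS tag
        return any(lo <= (major, minor, patch) <= hi for lo, hi in LTS_RANGES)
    lo, hi = MAINLINE_RANGE
    return lo <= (major, minor) <= hi


def assess(core, tag, cpuectlr_el1=None):
    """Classify one record; cpuectlr_el1 is an optional raw register readout."""
    if core not in LISTED_CORES:
        return "core-not-in-table"
    if cpuectlr_el1 is not None:  # direct evidence beats version inference
        return "hpa-disabled" if cpuectlr_el1 & HPA_DISABLE else "hpa-enabled"
    return "firmware-in-affected-range" if version_affected(tag) else "firmware-outside-range"


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE = [
    ("Neoverse-V2", "lts-v2.10.10", None),
    ("Neoverse-V2", "lts-v2.10.11", None),
    ("Cortex-A78", "v2.9.0", 1 << 46),
    ("Cortex-A55", "v2.6", None),
]

if __name__ == "__main__":
    for core, tag, reg in SAMPLE:
        print(f"{core:12} {tag:13} -> {assess(core, tag, reg)}")
```

A tag inside an affected range is a prompt to check the vendor's firmware for the fix rather than proof of exposure, and ``firmware-outside-range`` only means the tag is not in a range this advisory lists.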