Advisory TFV-13 (CVE-2024-7881)
================================

+----------------+-----------------------------------------------------------------+
| Title          | An unprivileged context can trigger a data memory-dependent     |
|                | prefetch engine to fetch the contents of a privileged location  |
|                | and consume those contents as an address that is                |
|                | also dereferenced.                                              |
+================+=================================================================+
| CVE ID         | `CVE-2024-7881`_                                                |
+----------------+-----------------------------------------------------------------+
| Date           | Reported on 16 August 2024                                      |
+----------------+-----------------------------------------------------------------+
| Versions       | TF-A version from v2.2 to v2.12                                 |
| Affected       | LTS releases lts-v2.8.0 to lts-v2.8.28                          |
|                | LTS releases lts-v2.10.0 to lts-v2.10.12                        |
+----------------+-----------------------------------------------------------------+
| Configurations | All                                                             |
| Affected       |                                                                 |
+----------------+-----------------------------------------------------------------+
| Impact         | Potential leakage of secure world data to normal world.         |
+----------------+-----------------------------------------------------------------+
| Fix Version    | `Gerrit topic #ar/smccc_arch_wa_4`_                             |
|                | Also see mitigation guidance in the `Official Arm Advisory`_    |
+----------------+-----------------------------------------------------------------+
| Credit         | Arm                                                             |
+----------------+-----------------------------------------------------------------+

Description
-----------

An issue has been identified in some Arm-based CPUs that may allow
an unprivileged context to trigger a data memory-dependent prefetch engine
to fetch the contents of a privileged location (for which it
does not have read permission) and consume those contents as an address
that is also dereferenced.

The table below lists all the CPUs that are impacted by this vulnerability
and have a mitigation in TF-A.

+----------------------+
| Core                 |
+----------------------+
| Cortex-X3            |
+----------------------+
| Cortex-X4            |
+----------------------+
| Cortex-X925          |
+----------------------+
| Neoverse-V2          |
+----------------------+
| Neoverse-V3          |
+----------------------+
| Neoverse-V3AE        |
+----------------------+

Mitigation and Recommendations
------------------------------

Arm recommends following the mitigation steps and configuration changes
described in the official advisory. The mitigation for CVE-2024-7881 is
implemented at EL3 and addresses vulnerabilities caused by memory-dependent
speculative prefetching. The issue is avoided by setting CPUACTLR6_EL1[41]
to 1, which disables the affected prefetcher.

Arm has updated the SMC Calling Convention spec so that privileged normal world
software can identify when the issue has been mitigated in
firmware (SMCCC_ARCH_WORKAROUND_4). Refer to the `SMC Calling Convention
Specification`_ for more details.

The above workaround is enabled by default (on vulnerable CPUs only).
Platforms can choose to disable it at compile time if
they do not require it.

For further technical information, affected CPUs, and detailed guidance,
refer to the full `Official Arm Advisory`_.

.. _CVE-2024-7881: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7881
.. _Gerrit topic #ar/smccc_arch_wa_4: https://review.trustedfirmware.org/q/topic:%22ar/smccc_arch_wa_4%22
.. _SMC Calling Convention specification: https://developer.arm.com/documentation/den0028/latest
.. _Official Arm Advisory: https://developer.arm.com/documentation/110326/latest
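
The firmware discovery step described under "Mitigation and Recommendations", modelled as an added example (not TF-A code and not part of the advisory): privileged normal-world software checks whether the core is one of those listed above and then asks firmware, through SMCCC_ARCH_FEATURES, whether SMCCC_ARCH_WORKAROUND_4 is implemented. Assumptions: the function IDs, the MIDR_EL1 part numbers and the "0 means mitigated" return convention come from Arm's public specifications rather than this page and should be confirmed there; ``smc_fn`` and the two firmware models are hypothetical stand-ins so the logic runs on a host.

```c
#include <stdbool.h>
#include <stdint.h>

/* IDs from the SMC Calling Convention spec (assumed; not on this page). */
#define SMCCC_ARCH_FEATURES     0x80000001u
#define SMCCC_ARCH_WORKAROUND_4 0x80000004u
#define SMCCC_NOT_SUPPORTED     (-1)

/* MIDR_EL1 part numbers of the cores in the advisory table (assumed). */
static const uint16_t affected_parts[] = {
    0xD4E, /* Cortex-X3 */   0xD82, /* Cortex-X4 */   0xD85, /* Cortex-X925 */
    0xD4F, /* Neoverse-V2 */ 0xD84, /* Neoverse-V3 */ 0xD83, /* Neoverse-V3AE */
};
enum wa4_state { WA4_NOT_AFFECTED, WA4_MITIGATED_BY_FW, WA4_NOT_MITIGATED_BY_FW };
/* Hypothetical conduit: issues SMC(fid, arg) and returns the value in w0. */
typedef int32_t (*smc_fn)(uint32_t fid, uint32_t arg);

static bool core_is_affected(uint64_t midr)
{
    bool arm_ltd = ((midr >> 24) & 0xFF) == 0x41;      /* implementer: Arm */
    uint16_t part = (uint16_t)((midr >> 4) & 0xFFF);   /* MIDR_EL1[15:4]   */
    for (unsigned i = 0; i < sizeof(affected_parts) / sizeof(affected_parts[0]); i++)
        if (arm_ltd && part == affected_parts[i])
            return true;
    return false;
}

/* Decision a normal-world kernel or hypervisor makes once per core. */
enum wa4_state cve_2024_7881_state(uint64_t midr, smc_fn smc)
{
    if (!core_is_affected(midr))
        return WA4_NOT_AFFECTED;
    /* Assumed semantics: 0 = firmware mitigated, negative = not reported. */
    if (smc(SMCCC_ARCH_FEATURES, SMCCC_ARCH_WORKAROUND_4) == 0)
        return WA4_MITIGATED_BY_FW;
    return WA4_NOT_MITIGATED_BY_FW;
}

/* Constructed firmware models so the check runs on a host. */
int32_t fw_patched(uint32_t fid, uint32_t arg)
{
    return (fid == SMCCC_ARCH_FEATURES && arg == SMCCC_ARCH_WORKAROUND_4)
               ? 0 : SMCCC_NOT_SUPPORTED;
}
int32_t fw_unpatched(uint32_t f, uint32_t a) { (void)f; (void)a; return SMCCC_NOT_SUPPORTED; }

int main(void)
{
    return cve_2024_7881_state(0x410FD4F0u, fw_patched) == WA4_MITIGATED_BY_FW ? 0 : 1;
}
```

On real hardware the ``smc_fn`` argument would wrap the platform's SMC or HVC conduit, and the MIDR value would be read from MIDR_EL1 on each core, since big.LITTLE systems can mix affected and unaffected cores.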