Advisory TFV-13 (CVE-2024-7881)
================================

+----------------+-----------------------------------------------------------------+
| Title          | An unprivileged context can trigger a data memory-dependent     |
|                | prefetch engine to fetch the contents of a privileged location  |
|                | and consume those contents as an address that is                |
|                | also dereferenced.                                              |
|                |                                                                 |
+================+=================================================================+
| CVE ID         | `CVE-2024-7881`_                                                |
+----------------+-----------------------------------------------------------------+
| Date           | Reported on 16 August 2024                                      |
+----------------+-----------------------------------------------------------------+
| Versions       | TF-A version from v2.2 to v2.12                                 |
| Affected       | LTS releases lts-v2.8.0 to lts-v2.8.28                          |
|                | LTS releases lts-v2.10.0 to lts-v2.10.12                        |
+----------------+-----------------------------------------------------------------+
| Configurations | All                                                             |
| Affected       |                                                                 |
+----------------+-----------------------------------------------------------------+
| Impact         | Potential leakage of secure world data to normal world.         |
+----------------+-----------------------------------------------------------------+
| Fix Version    | `Gerrit topic #ar/smccc_arch_wa_4`_                             |
|                | Also see mitigation guidance in the `Official Arm Advisory`_    |
+----------------+-----------------------------------------------------------------+
| Credit         | Arm                                                             |
+----------------+-----------------------------------------------------------------+

Description
-----------

An issue has been identified in some Arm-based CPUs that may allow
an unprivileged context to trigger a data memory-dependent prefetch engine
to fetch the contents of a privileged location (for which it
does not have read permission) and consume those contents as an address
that is also dereferenced.

The table below lists the CPUs that are impacted by this vulnerability and
have a mitigation in TF-A.

+----------------------+
| Core                 |
+----------------------+
| Cortex-X3            |
+----------------------+
| Cortex-X4            |
+----------------------+
| Cortex-X925          |
+----------------------+
| Neoverse-V2          |
+----------------------+
| Neoverse-V3          |
+----------------------+
| Neoverse-V3AE        |
+----------------------+

Mitigation and Recommendations
------------------------------

Arm recommends following the mitigation steps and configuration changes
described in the official advisory. The mitigation for CVE-2024-7881 is
implemented at EL3 and addresses vulnerabilities caused by memory-dependent
speculative prefetching. The issue is avoided by setting CPUACTLR6_EL1[41]
to 1, which disables the affected prefetcher.

Arm has updated the SMC Calling Convention spec so that privileged normal world
software can identify when the issue has been mitigated in
firmware (SMCCC_ARCH_WORKAROUND_4). Refer to the `SMC Calling Convention
specification`_ for more details.

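The discovery step described above, as an added example (not TF-A or Arm
code): privileged normal world software probes SMCCC_VERSION and then
SMCCC_ARCH_FEATURES for SMCCC_ARCH_WORKAROUND_4. The ``smc_fn`` conduit, the
``wa4_*`` names and the three firmware models are hypothetical, and reading a
return value of 0 as "mitigation reported" is this example's assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Function IDs in the SMCCC Arm Architecture service range. */
#define SMCCC_VERSION           0x80000000u
#define SMCCC_ARCH_FEATURES     0x80000001u
#define SMCCC_ARCH_WORKAROUND_4 0x80000004u
#define SMC_NOT_SUPPORTED       (-1)

/* Hypothetical conduit: issues one fast SMC and returns w0. On hardware this
 * wraps the SMC instruction; here it is a parameter so the logic can run
 * against constructed firmware models. */
typedef int32_t (*smc_fn)(uint32_t fid, uint32_t arg);

enum wa4_state { WA4_MITIGATED, WA4_NOT_REPORTED, WA4_NO_DISCOVERY };

/* Ask firmware whether it reports the CVE-2024-7881 mitigation. */
enum wa4_state wa4_query(smc_fn smc)
{
    /* SMCCC_ARCH_FEATURES exists from SMCCC v1.1 (0x10001); older firmware
     * answers SMCCC_VERSION with NOT_SUPPORTED, so it is not probed further. */
    if (smc(SMCCC_VERSION, 0) < 0x10001)
        return WA4_NO_DISCOVERY;
    /* Assumption: 0 = workaround reported; any other value = not reported. */
    return smc(SMCCC_ARCH_FEATURES, SMCCC_ARCH_WORKAROUND_4) == 0
               ? WA4_MITIGATED : WA4_NOT_REPORTED;
}

/* Constructed firmware models (version numbers are sample values). */
int32_t fw_patched(uint32_t fid, uint32_t arg)
{
    if (fid == SMCCC_VERSION) return 0x10005;
    if (fid == SMCCC_ARCH_FEATURES && arg == SMCCC_ARCH_WORKAROUND_4) return 0;
    return SMC_NOT_SUPPORTED;
}
int32_t fw_unpatched(uint32_t fid, uint32_t arg)
{
    (void)arg;
    return fid == SMCCC_VERSION ? 0x10002 : SMC_NOT_SUPPORTED;
}
int32_t fw_legacy(uint32_t fid, uint32_t arg)
{
    (void)fid; (void)arg;
    return SMC_NOT_SUPPORTED;   /* pre-v1.1: no SMCCC_VERSION call at all */
}

int main(void)
{
    printf("patched=%d unpatched=%d legacy=%d\n", wa4_query(fw_patched),
           wa4_query(fw_unpatched), wa4_query(fw_legacy));
    return 0;
}
```

A result other than ``WA4_MITIGATED`` only says that firmware did not report
the workaround; whether the core is one of those listed in the table above is
a separate check.
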
The above workaround is enabled by default (on vulnerable CPUs only).
Platforms can choose to disable it at compile time if
they do not require it.

For further technical information, affected CPUs, and detailed guidance,
refer to the full `Official Arm Advisory`_.

.. _CVE-2024-7881: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7881
.. _Gerrit topic #ar/smccc_arch_wa_4: https://review.trustedfirmware.org/q/topic:%22ar/smccc_arch_wa_4%22
.. _SMC Calling Convention specification: https://developer.arm.com/documentation/den0028/latest
.. _Official Arm Advisory: https://developer.arm.com/documentation/110326/latest