xref: /rk3399_ARM-atf/docs/security_advisories/security-advisory-tfv-13.rst (revision e0ac8507f46b0ea89da969123e8099ceab82a8a7) 
1Advisory TFV-13 (CVE-2024-7881)
2================================
3
4+----------------+-----------------------------------------------------------------+
5| Title          | An unprivileged context can trigger a data memory-dependent     |
6|                | prefetch engine to fetch the contents of a privileged location  |
7|                | and consume those contents as an address that is                |
8|                | also dereferenced.                                              |
9|                |                                                                 |
10+================+=================================================================+
11| CVE ID         | `CVE-2024-7881`_                                                |
12+----------------+-----------------------------------------------------------------+
13| Date           | Reported on 16 August 2024                                      |
14+----------------+-----------------------------------------------------------------+
15| Versions       | TF-A version from v2.2 to v2.12                                 |
16| Affected       | LTS releases lts-v2.8.0 to lts-v2.8.28                          |
17|                | LTS releases lts-v2.10.0 to lts-v2.10.12                        |
18+----------------+-----------------------------------------------------------------+
19| Configurations | All                                                             |
20| Affected       |                                                                 |
21+----------------+-----------------------------------------------------------------+
22| Impact         | Potential leakage of secure world data to normal world.         |
23+----------------+-----------------------------------------------------------------+
24| Fix Version    | `Gerrit topic #ar/smccc_arch_wa_4`_                             |
25|                | Also see mitigation guidance in the `Official Arm Advisory`_    |
26+----------------+-----------------------------------------------------------------+
27| Credit         | Arm                                                             |
28+----------------+-----------------------------------------------------------------+
29
30Description
31-----------
32
33An issue has been identified in some Arm-based CPUs that may allow
34an unprivileged context to trigger a data memory-dependent prefetch engine
35to fetch the contents of a privileged location (for which it
36does not have read permission) and consume those contents as an address
37that is also dereferenced.
38
39The following table identifies all affected CPUs and revisions
40for which a mitigation is provided in TF-A.
41
42+----------------+--------------------+------------------+
43| CPU            | affected versions  | Fix status       |
44+----------------+--------------------+------------------+
45| cortex-x3      | all revisions      | open             |
46+----------------+--------------------+------------------+
47| cortex-x4      | all revisions      | open             |
48+----------------+--------------------+------------------+
49| cortex-x925    | all revisions      | open             |
50+----------------+--------------------+------------------+
51| neoverse-v2    | all revisions      | open             |
52+----------------+--------------------+------------------+
53| neoverse-v3    | all revisions      | open             |
54+----------------+--------------------+------------------+
55| neoverse-v3ae  | all revisions      | open             |
56+----------------+--------------------+------------------+
57| c1-premium     | r0p0               | fixed in r1p0    |
58+----------------+--------------------+------------------+
59| c1-pro         | r0p0, r1p0         | fixed in r1p1    |
60+----------------+--------------------+------------------+
61| c1-ultra       | r0p0               | fixed in r1p0    |
62+----------------+--------------------+------------------+
63
64Mitigation and Recommendations
65------------------------------
66
67Arm recommends following the mitigation steps and configuration changes
68described in the official advisory. The mitigation for CVE-2024-7881 is
69implemented at EL3 and addresses vulnerabilities caused by memory-dependant
70speculative prefetching. This issue can be avoided by disabling the
71affected prefetcher. For most cores, this is done by
72setting CPUACTLR6_EL1[41] = 1. For C1-Pro, the affected prefetcher is
73instead disabled by setting IMP_CPUECTLR_EL1[49] = 1.
74
75Arm has updated the SMC Calling Convention spec so that privileged normal world
76software can identify when the issue has been mitigated in
77firmware (SMCCC_ARCH_WORKAROUND_4). Refer to the `SMC Calling Convention
78Specification`_ for more details.
79
80The above workaround is enabled by default (on vulnerable CPUs only).
81Platforms can choose to disable them at compile time if
82they do not require them.
83
84For further technical information, affected CPUs, and detailed guidance,
85refer to the full `Official Arm Advisory`_.
86
87.. _CVE-2024-7881: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7881
88.. _Gerrit topic #ar/smccc_arch_wa_4: https://review.trustedfirmware.org/q/topic:%22ar/smccc_arch_wa_4%22
89.. _SMC Calling Convention specification: https://developer.arm.com/documentation/den0028/latest
90.. _Official Arm Advisory: https://developer.arm.com/documentation/110326/latest
91