+----------------+-------------------------------------------------------------+
| Title          | Not initializing or saving/restoring ``PMCR_EL0`` can leak  |
|                | secure world timing information                             |
+================+=============================================================+
| CVE ID         | `CVE-2017-15031`_                                           |
+----------------+-------------------------------------------------------------+
| Date           | 02 Oct 2017                                                 |
+----------------+-------------------------------------------------------------+
| Versions       | All, up to and including v1.4                               |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of sensitive secure world timing information        |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1127`_ (merged on 18 October 2017)           |
+----------------+-------------------------------------------------------------+
| Credit         | Arm                                                         |
+----------------+-------------------------------------------------------------+

The ``PMCR_EL0`` (Performance Monitors Control Register) provides details of the
Performance Monitors implementation, including the number of counters
implemented, and configures and controls the counters. If the ``PMCR_EL0.DP``
bit is set to zero, the cycle counter (when enabled) counts during secure world
execution, even when prohibited by the debug signals.

Since Arm TF does not save and restore ``PMCR_EL0`` when switching between the
normal and secure worlds, normal world code can set ``PMCR_EL0.DP`` to zero to
cause leakage of secure world timing information. This register should be added
to the list of saved/restored registers.

Furthermore, ``PMCR_EL0.DP`` has an architecturally ``UNKNOWN`` reset value.
Since Arm TF does not initialize this register, it's possible that on at least
some implementations, ``PMCR_EL0.DP`` is set to zero by default. This and other
bits with an architecturally UNKNOWN reset value should be initialized to
sensible default values in the secure context.

The same issue exists for the equivalent AArch32 register, ``PMCR``, except that
here ``PMCR_EL0.DP`` architecturally resets to zero.

.. _CVE-2017-15031: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15031
.. _Pull Request #1127: https://github.com/ARM-software/arm-trusted-firmware/pull/1127
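
The two recommendations above (save/restore ``PMCR_EL0`` per world, and initialize ``DP`` in the secure context) can be seen side by side in the following host-side model. It is an added example, not code from Arm TF or from Pull Request #1127: the register is a plain variable instead of an ``mrs``/``msr`` access, and ``cpu_model``, ``init_secure_context``, ``world_switch`` and ``secure_timing_exposed`` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* PMCR_EL0.DP (bit 5): when 1, the cycle counter is disabled while
 * event counting is prohibited, e.g. during secure world execution. */
#define PMCR_DP_BIT (UINT64_C(1) << 5)

enum world { SECURE = 0, NON_SECURE = 1 };

struct cpu_model {                /* hypothetical layout, for illustration */
    uint64_t pmcr_el0;            /* stands in for the live system register */
    uint64_t saved_pmcr[2];       /* one saved copy per world */
    bool     save_restore;        /* false = behaviour the advisory describes */
};

/* Secure context init: never rely on the UNKNOWN reset value of DP. */
void init_secure_context(struct cpu_model *cpu, uint64_t reset_val)
{
    cpu->saved_pmcr[SECURE]     = reset_val | PMCR_DP_BIT;
    cpu->saved_pmcr[NON_SECURE] = reset_val;
    cpu->pmcr_el0               = cpu->saved_pmcr[SECURE];
}

/* World switch: save the outgoing world's value, restore the incoming one. */
void world_switch(struct cpu_model *cpu, enum world from, enum world to)
{
    if (!cpu->save_restore)
        return;                   /* value simply carries across the switch */
    cpu->saved_pmcr[from] = cpu->pmcr_el0;
    cpu->pmcr_el0         = cpu->saved_pmcr[to];
}

/* True if the secure world ends up running with DP == 0 after the
 * normal world has cleared the bit in its own context. */
bool secure_timing_exposed(bool save_restore, uint64_t reset_val)
{
    struct cpu_model cpu = { .pmcr_el0 = reset_val, .save_restore = save_restore };
    if (save_restore)
        init_secure_context(&cpu, reset_val);
    world_switch(&cpu, SECURE, NON_SECURE);
    cpu.pmcr_el0 &= ~PMCR_DP_BIT;             /* normal world clears DP */
    world_switch(&cpu, NON_SECURE, SECURE);
    return (cpu.pmcr_el0 & PMCR_DP_BIT) == 0;
}

int main(void)
{
    printf("no save/restore: exposed=%d\n", secure_timing_exposed(false, PMCR_DP_BIT));
    printf("save/restore + init: exposed=%d\n", secure_timing_exposed(true, 0));
    return 0;
}
```

The second argument is the constructed reset value of the register; passing ``0`` with save/restore enabled shows that the secure context no longer depends on how ``DP`` comes out of reset.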