xref: /rk3399_ARM-atf/docs/security_advisories/security-advisory-tfv-6.rst (revision f27d7275e50822dab966e5bec46c5053c51735d7)
Advisory TFV-6 (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
============================================================

+----------------+-------------------------------------------------------------+
| Title          | Trusted Firmware-A exposure to speculative processor        |
|                | vulnerabilities using cache timing side-channels            |
+================+=============================================================+
| CVE ID         | `CVE-2017-5753`_ / `CVE-2017-5715`_ / `CVE-2017-5754`_  /   |
|                | `CVE-2018-3640`_ /  `CVE-2018-3639`_ / `CVE-2022-23960`_    |
+----------------+-------------------------------------------------------------+
| Date           | 03 Jan 2018 (Updated 11 Jan, 18 Jan, 26 Jan, 30 Jan,        |
|                | 07 June 2018 and 07 Aug 2025)                               |
+----------------+-------------------------------------------------------------+
| Versions       | All, up to and including v1.4                               |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of secure world data to normal world                |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1214`_, `Pull Request #1228`_,               |
|                | `Pull Request #1240`_ and `Pull Request #1405`_             |
+----------------+-------------------------------------------------------------+
| Credit         | Google / Arm                                                |
+----------------+-------------------------------------------------------------+

This security advisory describes the current understanding of the Trusted
Firmware-A exposure to the speculative processor vulnerabilities identified by
`Google Project Zero`_. To understand the background and wider impact of these
vulnerabilities on Arm systems, please refer to the `Arm Processor Security
Update`_.

Variant 1 (`CVE-2017-5753`_)
----------------------------

At the time of writing, no vulnerable patterns (bounds-checked accesses indexed
by untrusted normal world input that could be bypassed speculatively) have been
observed in upstream TF code; therefore no workarounds have been applied or are
planned.

Variant 2 (`CVE-2017-5715`_)
----------------------------

Where possible on vulnerable CPUs, Arm recommends invalidating the branch
predictor as early as possible on entry into the secure world, before any branch
instruction is executed. There are a number of implementation defined ways to
achieve this.

For Cortex-A57 and Cortex-A72 CPUs, the Pull Requests (PRs) in this advisory
invalidate the branch predictor when entering EL3 by disabling and re-enabling
the MMU.

For Cortex-A73 and Cortex-A75 CPUs, the PRs in this advisory invalidate the
branch predictor when entering EL3 by temporarily dropping into AArch32
Secure-EL1 and executing the ``BPIALL`` instruction. This workaround is
significantly more complex than the "MMU disable/enable" workaround, but the
latter is not effective at invalidating the branch predictor on
Cortex-A73/Cortex-A75.

Note that if other privileged software, for example a Rich OS kernel, implements
its own branch predictor invalidation during context switch by issuing an SMC
(so that the firmware performs the invalidation), then those workarounds depend
on the PRs in this advisory being deployed in order to be effective. If that
other privileged software is able to work around the vulnerability locally (for
example by implementing "MMU disable/enable" itself), there is no such
dependency.

65
66`Pull Request #1240`_ and `Pull Request #1405`_ optimise the earlier fixes by
67implementing a specified `CVE-2017-5715`_ workaround SMC
68(``SMCCC_ARCH_WORKAROUND_1``) for use by normal world privileged software. This
69is more efficient than calling an arbitrary SMC (for example ``PSCI_VERSION``).
70Details of ``SMCCC_ARCH_WORKAROUND_1`` can be found in the `CVE-2017-5715
71mitigation specification`_.  The specification and implementation also enable
72the normal world to discover the presence of this firmware service.
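The discovery sequence referred to above, written out as an added example in C;
this is not TF-A's code nor any kernel's. It assumes the function IDs and return
codes of the SMCCC v1.1 and CVE-2017-5715 mitigation specifications, models the
SMC conduit as a C function pointer so that the logic runs on any host, and
stands in for real EL3 firmware with constructed models. Treating a return of 1
from ``SMCCC_ARCH_FEATURES`` as "workaround not required on this PE" follows
later revisions of the specification.

```c
/*
 * Added example (not TF-A code): the SMCCC v1.1 discovery a normal world
 * kernel performs before relying on SMCCC_ARCH_WORKAROUND_1.
 *
 * Function IDs and return codes are from the Arm SMC Calling Convention and
 * the CVE-2017-5715 firmware specification:
 *   SMCCC_VERSION           0x80000000  returns (major << 16) | minor, or
 *                                       NOT_SUPPORTED from SMCCC v1.0 firmware
 *   SMCCC_ARCH_FEATURES     0x80000001  arg0 = function ID being queried
 *   SMCCC_ARCH_WORKAROUND_1 0x80008000  firmware branch predictor invalidation
 */
#include <stdint.h>
#include <stdio.h>

#define SMCCC_VERSION            0x80000000u
#define SMCCC_ARCH_FEATURES      0x80000001u
#define SMCCC_ARCH_WORKAROUND_1  0x80008000u

#define SMCCC_VERSION_1_1        0x10001
#define SMCCC_RET_SUCCESS        0
#define SMCCC_RET_NOT_REQUIRED   1    /* later spec revisions: PE unaffected */
#define SMCCC_RET_NOT_SUPPORTED  (-1)

/* The SMC (or HVC, under a hypervisor) conduit, modelled as a function pointer:
 * issue a function ID with one argument and return w0 of the result. */
typedef int32_t (*smc_conduit_t)(uint32_t fid, uint32_t arg0);

enum wa1_state {
    WA1_UNAVAILABLE = 0,  /* old firmware or no service: need a local fallback */
    WA1_NOT_REQUIRED = 1, /* firmware reports this PE is not affected */
    WA1_AVAILABLE = 2,    /* issue SMCCC_ARCH_WORKAROUND_1 on entry/switch */
};

/* Version check first: v1.0 firmware does not implement SMCCC_ARCH_FEATURES,
 * and returns NOT_SUPPORTED (-1) for SMCCC_VERSION itself, which fails the
 * "< 0x10001" test below. */
enum wa1_state probe_wa1(smc_conduit_t conduit)
{
    int32_t ver = conduit(SMCCC_VERSION, 0);
    if (ver < SMCCC_VERSION_1_1)
        return WA1_UNAVAILABLE;

    int32_t ret = conduit(SMCCC_ARCH_FEATURES, SMCCC_ARCH_WORKAROUND_1);
    if (ret == SMCCC_RET_SUCCESS)
        return WA1_AVAILABLE;
    if (ret == SMCCC_RET_NOT_REQUIRED)
        return WA1_NOT_REQUIRED;
    return WA1_UNAVAILABLE;       /* NOT_SUPPORTED or any unexpected value */
}

/* The call a kernel makes at the point the advisory describes (for example a
 * context switch), only when discovery said the service is present and needed.
 * Returns 1 if the workaround SMC was issued. */
int invalidate_bp_on_entry(enum wa1_state state, smc_conduit_t conduit)
{
    if (state != WA1_AVAILABLE)
        return 0;
    (void)conduit(SMCCC_ARCH_WORKAROUND_1, 0);   /* return value unspecified */
    return 1;
}

/* ---- constructed firmware models so the probe can run offline ---- */

/* Pre-PR firmware: SMCCC v1.0, every non-PSCI function ID is unknown. */
static int32_t fw_v1_0(uint32_t fid, uint32_t arg0)
{
    (void)fid; (void)arg0;
    return SMCCC_RET_NOT_SUPPORTED;
}

/* Firmware with the PRs, running on a vulnerable CPU. */
static int32_t fw_v1_1_vulnerable(uint32_t fid, uint32_t arg0)
{
    switch (fid) {
    case SMCCC_VERSION:           return SMCCC_VERSION_1_1;
    case SMCCC_ARCH_FEATURES:     return arg0 == SMCCC_ARCH_WORKAROUND_1
                                      ? SMCCC_RET_SUCCESS
                                      : SMCCC_RET_NOT_SUPPORTED;
    case SMCCC_ARCH_WORKAROUND_1: return 0;  /* predictor invalidated here */
    default:                      return SMCCC_RET_NOT_SUPPORTED;
    }
}

/* v1.1 firmware that reports the workaround is not required on this PE. */
static int32_t fw_v1_1_unaffected(uint32_t fid, uint32_t arg0)
{
    if (fid == SMCCC_VERSION)
        return SMCCC_VERSION_1_1;
    if (fid == SMCCC_ARCH_FEATURES && arg0 == SMCCC_ARCH_WORKAROUND_1)
        return SMCCC_RET_NOT_REQUIRED;
    return SMCCC_RET_NOT_SUPPORTED;
}

int main(void)
{
    printf("SMCCC v1.0 firmware:        %d\n", probe_wa1(fw_v1_0));
    printf("v1.1, vulnerable CPU:       %d\n", probe_wa1(fw_v1_1_vulnerable));
    printf("v1.1, workaround not needed: %d\n", probe_wa1(fw_v1_1_unaffected));
    return 0;
}
```

The ordering matters: ``SMCCC_ARCH_FEATURES`` must only be queried once
``SMCCC_VERSION`` has confirmed v1.1 or later, since v1.0 firmware is not
required to handle it. A kernel that reaches ``WA1_UNAVAILABLE`` on a vulnerable
CPU is in the dependent situation described above and needs its own local
invalidation instead.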

On Juno R1 we measured the round trip latency for both the ``PSCI_VERSION`` and
``SMCCC_ARCH_WORKAROUND_1`` SMCs on Cortex-A57, using both the "MMU
disable/enable" and "BPIALL at AArch32 Secure-EL1" workarounds described above.
This includes the time spent in test code conforming to the SMC Calling
Convention (SMCCC) from AArch64. For the ``SMCCC_ARCH_WORKAROUND_1`` cases, the
test code uses SMCCC v1.1, which reduces the number of general purpose registers
it needs to save/restore. Although the ``BPIALL`` instruction is not effective
at invalidating the branch predictor on Cortex-A57, the drop into Secure-EL1
with MMU disabled that this workaround entails effectively does invalidate the
branch predictor. Hence this is a reasonable comparison.

The results were as follows:

+------------------------------------------------------------------+-----------+
| Test                                                             | Time (ns) |
+==================================================================+===========+
| ``PSCI_VERSION`` baseline (without PRs in this advisory)         | 515       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` baseline (with PRs in this advisory)            | 527       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "MMU disable/enable"                       | 930       |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "MMU disable/enable"            | 386       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "BPIALL at AArch32 Secure-EL1"             | 1276      |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "BPIALL at AArch32 Secure-EL1"  | 770       |
+------------------------------------------------------------------+-----------+

Due to the high severity and wide applicability of this issue, the above
workarounds are enabled by default (on vulnerable CPUs only), despite some
performance and code size overhead. Platforms can choose to disable them at
compile time if they do not require them. `Pull Request #1240`_ disables the
workarounds for unaffected upstream platforms.

For vulnerable AArch32-only CPUs (for example Cortex-A8, Cortex-A9 and
Cortex-A17), the ``BPIALL`` instruction should be used as early as possible on
entry into the secure world. For Cortex-A8, also set ``ACTLR[6]`` to 1 during
early processor initialization. Note that the ``BPIALL`` instruction is not
effective at invalidating the branch predictor on Cortex-A15. For that CPU, set
``ACTLR[0]`` to 1 during early processor initialization, and invalidate the
branch predictor by executing an ``ICIALLU`` instruction.

On AArch32 EL3 systems, the monitor and secure-SVC code is typically tightly
integrated, for example as part of a Trusted OS. Therefore any Variant 2
workaround should be provided by the vendors of that software and is outside the
scope of TF. However, an example implementation in the minimal AArch32 Secure
Payload, ``SP_MIN``, is provided in `Pull Request #1228`_.

Refer to `Arm CPU Security Bulletin-Spectre/Meltdown`_ for a list of impacted
CPUs.

For more information about non-Arm CPUs, please contact the CPU vendor.

Variant 3 (`CVE-2017-5754`_)
----------------------------

This variant is only exploitable between Exception Levels within the same
translation regime, for example between EL0 and EL1. It therefore cannot be
used to access secure memory from the non-secure world, and is not applicable
to TF. However, Secure Payloads (for example, a Trusted OS) should provide
mitigations on vulnerable CPUs to protect themselves from exploited Secure-EL0
applications.

Refer to `Arm CPU Security Bulletin-Spectre/Meltdown`_ for a list of impacted
CPUs.

Variant 3a (`CVE-2018-3640`_)
-----------------------------

In general, it is not believed that software mitigations for this issue are
necessary.

Variant 4 (`CVE-2018-3639`_)
----------------------------

Refer to :ref:`security-advisory-tfv-7` for further details on this variant.

Spectre-BHB (`CVE-2022-23960`_)
-------------------------------

Refer to :ref:`security-advisory-tfv-9` for further details on this variant.


.. _Google Project Zero: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
.. _Arm Processor Security Update: http://www.arm.com/security-update
.. _CVE-2017-5753: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
.. _CVE-2017-5715: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
.. _CVE-2017-5754: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
.. _CVE-2018-3640: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640
.. _CVE-2018-3639: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
.. _CVE-2022-23960: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960
.. _Pull Request #1214: https://github.com/ARM-software/arm-trusted-firmware/pull/1214
.. _Pull Request #1228: https://github.com/ARM-software/arm-trusted-firmware/pull/1228
.. _Pull Request #1240: https://github.com/ARM-software/arm-trusted-firmware/pull/1240
.. _Pull Request #1405: https://github.com/ARM-software/arm-trusted-firmware/pull/1405
.. _CVE-2017-5715 mitigation specification: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
.. _Arm CPU Security Bulletin-Spectre/Meltdown: https://developer.arm.com/documentation/110280/latest/
