+----------------+-------------------------------------------------------------+
| Title          | Arm Trusted Firmware exposure to speculative processor      |
|                | vulnerabilities using cache timing side-channels            |
+================+=============================================================+
| CVE ID         | `CVE-2017-5753`_ / `CVE-2017-5715`_ / `CVE-2017-5754`_      |
+----------------+-------------------------------------------------------------+
| Date           | 03 Jan 2018 (Updated 11 Jan, 18 Jan, 26 Jan, 30 Jan and 07  |
|                | June 2018)                                                  |
+----------------+-------------------------------------------------------------+
| Versions       | All, up to and including v1.4                               |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of secure world data to normal world                |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1214`_, `Pull Request #1228`_,               |
|                | `Pull Request #1240`_ and `Pull Request #1405`_             |
+----------------+-------------------------------------------------------------+
| Credit         | Google / Arm                                                |
+----------------+-------------------------------------------------------------+

This security advisory describes the current understanding of the Arm Trusted
Firmware (TF) exposure to the speculative processor vulnerabilities identified
by `Google Project Zero`_. To understand the background and wider impact of
these vulnerabilities on Arm systems, please refer to the `Arm Processor
Security Update`_.

Variant 1 (`CVE-2017-5753`_)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At the time of writing, no vulnerable patterns have been observed in upstream TF
code, therefore no workarounds have been applied or are planned.

Variant 2 (`CVE-2017-5715`_)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Where possible on vulnerable CPUs, Arm recommends invalidating the branch
predictor as early as possible on entry into the secure world, before any branch
instruction is executed. There are a number of implementation-defined ways to
achieve this.

For Cortex-A57 and Cortex-A72 CPUs, the Pull Requests (PRs) in this advisory
invalidate the branch predictor when entering EL3 by disabling and re-enabling
the MMU.

For Cortex-A73 and Cortex-A75 CPUs, the PRs in this advisory invalidate the
branch predictor when entering EL3 by temporarily dropping into AArch32
Secure-EL1 and executing the ``BPIALL`` instruction. This workaround is
significantly more complex than the "MMU disable/enable" workaround. The latter
is not effective at invalidating the branch predictor on Cortex-A73/Cortex-A75.

Note that if other privileged software, for example a Rich OS kernel, implements
its own branch predictor invalidation during context switch by issuing an SMC
(to execute firmware branch predictor invalidation), then there is a dependency
on the PRs in this advisory being deployed in order for those workarounds to
work. If that other privileged software is able to work around the vulnerability
locally (for example by implementing "MMU disable/enable" itself), there is no
such dependency.

`Pull Request #1240`_ and `Pull Request #1405`_ optimise the earlier fixes by
implementing a specified `CVE-2017-5715`_ workaround SMC
(``SMCCC_ARCH_WORKAROUND_1``) for use by normal world privileged software. This
is more efficient than calling an arbitrary SMC (for example ``PSCI_VERSION``).
Details of ``SMCCC_ARCH_WORKAROUND_1`` can be found in the `CVE-2017-5715
mitigation specification`_. The specification and implementation also enable
the normal world to discover the presence of this firmware service.

On Juno R1 we measured the round trip latency for both the ``PSCI_VERSION`` and
``SMCCC_ARCH_WORKAROUND_1`` SMCs on Cortex-A57, using both the "MMU
disable/enable" and "BPIALL at AArch32 Secure-EL1" workarounds described above.
This includes the time spent in test code conforming to the SMC Calling
Convention (SMCCC) from AArch64. For the ``SMCCC_ARCH_WORKAROUND_1`` cases, the
test code uses SMCCC v1.1, which reduces the number of general purpose registers
it needs to save/restore. Although the ``BPIALL`` instruction is not effective
at invalidating the branch predictor on Cortex-A57, the drop into Secure-EL1
with MMU disabled that this workaround entails effectively does invalidate the
branch predictor. Hence this is a reasonable comparison.

The results were as follows:

+------------------------------------------------------------------+-----------+
| Test                                                             | Time (ns) |
+==================================================================+===========+
| ``PSCI_VERSION`` baseline (without PRs in this advisory)         | 515       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` baseline (with PRs in this advisory)            | 527       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "MMU disable/enable"                       | 930       |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "MMU disable/enable"            | 386       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "BPIALL at AArch32 Secure-EL1"             | 1276      |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "BPIALL at AArch32 Secure-EL1"  | 770       |
+------------------------------------------------------------------+-----------+

Due to the high severity and wide applicability of this issue, the above
workarounds are enabled by default (on vulnerable CPUs only), despite some
performance and code size overhead. Platforms can choose to disable them at
compile time if they do not require them. `Pull Request #1240`_ disables the
workarounds for unaffected upstream platforms.

For vulnerable AArch32-only CPUs (for example Cortex-A8, Cortex-A9 and
Cortex-A17), the ``BPIALL`` instruction should be used as early as possible on
entry into the secure world. For Cortex-A8, also set ``ACTLR[6]`` to 1 during
early processor initialization. Note that the ``BPIALL`` instruction is not
effective at invalidating the branch predictor on Cortex-A15. For that CPU, set
``ACTLR[0]`` to 1 during early processor initialization, and invalidate the
branch predictor by performing an ``ICIALLU`` instruction.

On AArch32 EL3 systems, the monitor and secure-SVC code is typically tightly
integrated, for example as part of a Trusted OS. Therefore any Variant 2
workaround should be provided by vendors of that software and is outside the
scope of TF. However, an example implementation in the minimal AArch32 Secure
Payload, ``SP_MIN``, is provided in `Pull Request #1228`_.

Other Arm CPUs are not vulnerable to this or other variants. This includes
Cortex-A76, Cortex-A53, Cortex-A55, Cortex-A32, Cortex-A7 and Cortex-A5.

For more information about non-Arm CPUs, please contact the CPU vendor.

Variant 3 (`CVE-2017-5754`_)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This variant is only exploitable between Exception Levels within the same
translation regime, for example between EL0 and EL1, therefore this variant
cannot be used to access secure memory from the non-secure world, and is not
applicable for TF. However, Secure Payloads (for example, Trusted OS) should
provide mitigations on vulnerable CPUs to protect themselves from exploited
Secure-EL0 applications.

The only Arm CPU vulnerable to this variant is Cortex-A75.

.. _Google Project Zero: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
.. _Arm Processor Security Update: http://www.arm.com/security-update
.. _CVE-2017-5753: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
.. _CVE-2017-5715: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
.. _CVE-2017-5754: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
.. _Pull Request #1214: https://github.com/ARM-software/arm-trusted-firmware/pull/1214
.. _Pull Request #1228: https://github.com/ARM-software/arm-trusted-firmware/pull/1228
.. _Pull Request #1240: https://github.com/ARM-software/arm-trusted-firmware/pull/1240
.. _Pull Request #1405: https://github.com/ARM-software/arm-trusted-firmware/pull/1405
.. _CVE-2017-5715 mitigation specification: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
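
The Variant 2 section states that the normal world can discover the presence of ``SMCCC_ARCH_WORKAROUND_1``. The following is an added example, not code from the advisory or from TF: a normal-world probe that checks PSCI, then SMCCC, then ``SMCCC_ARCH_FEATURES``, run here against two constructed mock firmware images. The function IDs and the return value 1 ("not required") come from the Arm PSCI and SMCCC specifications rather than from this page; ``smc_fn``, ``probe_workaround_1``, ``fw_legacy`` and ``fw_patched`` are hypothetical names.

```c
#include <stdint.h>

/* Function IDs as defined in the Arm PSCI and SMCCC specifications. */
#define PSCI_VERSION            0x84000000u
#define PSCI_FEATURES           0x8400000Au
#define SMCCC_VERSION           0x80000000u
#define SMCCC_ARCH_FEATURES     0x80000001u
#define SMCCC_ARCH_WORKAROUND_1 0x80008000u

/* Hypothetical conduit type: on hardware this issues an SMC with w0 = fid,
 * w1 = arg and returns w0. Here it lets the probe run against a mock. */
typedef int32_t (*smc_fn)(uint32_t fid, uint32_t arg);

enum bp_fw { BP_FW_WORKAROUND_1, BP_FW_NOT_REQUIRED, BP_FW_UNDISCOVERABLE };

/* Each step guards the next: firmware that predates a call answers the
 * unknown function ID with a negative value, so stop probing there. */
enum bp_fw probe_workaround_1(smc_fn smc)
{
    if (smc(PSCI_VERSION, 0) < 0x10000 ||         /* need PSCI >= 1.0 */
        smc(PSCI_FEATURES, SMCCC_VERSION) < 0 ||  /* SMCCC_VERSION absent */
        smc(SMCCC_VERSION, 0) < 0x10001)          /* need SMCCC >= 1.1 */
        return BP_FW_UNDISCOVERABLE;
    switch (smc(SMCCC_ARCH_FEATURES, SMCCC_ARCH_WORKAROUND_1)) {
    case 0:  return BP_FW_WORKAROUND_1;   /* service implemented */
    case 1:  return BP_FW_NOT_REQUIRED;   /* firmware reports PE unaffected */
    default: return BP_FW_UNDISCOVERABLE; /* negative: not supported */
    }
}

/* Constructed mock firmware: PSCI 0.2 only, every other ID unknown. */
int32_t fw_legacy(uint32_t fid, uint32_t arg)
{
    (void)arg;
    return fid == PSCI_VERSION ? 0x00002 : -1;
}

/* Constructed mock firmware: PSCI 1.0, SMCCC 1.1, workaround service. */
int32_t fw_patched(uint32_t fid, uint32_t arg)
{
    switch (fid) {
    case PSCI_VERSION:        return 0x10000;
    case PSCI_FEATURES:       return arg == SMCCC_VERSION ? 0 : -1;
    case SMCCC_VERSION:       return 0x10001;
    case SMCCC_ARCH_FEATURES: return arg == SMCCC_ARCH_WORKAROUND_1 ? 0 : -1;
    default:                  return -1;
    }
}
```

A caller that gets ``BP_FW_UNDISCOVERABLE`` is in the position the advisory describes for other privileged software: it either works around the issue locally or depends on the firmware fixes being deployed without being able to confirm them.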