Advisory TFV-6 (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
============================================================

+----------------+-------------------------------------------------------------+
| Title          | Trusted Firmware-A exposure to speculative processor        |
|                | vulnerabilities using cache timing side-channels            |
+================+=============================================================+
| CVE ID         | `CVE-2017-5753`_ / `CVE-2017-5715`_ / `CVE-2017-5754`_      |
+----------------+-------------------------------------------------------------+
| Date           | 03 Jan 2018 (Updated 11 Jan, 18 Jan, 26 Jan, 30 Jan and 07  |
|                | June 2018)                                                  |
+----------------+-------------------------------------------------------------+
| Versions       | All, up to and including v1.4                               |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of secure world data to normal world                |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1214`_, `Pull Request #1228`_,               |
|                | `Pull Request #1240`_ and `Pull Request #1405`_             |
+----------------+-------------------------------------------------------------+
| Credit         | Google / Arm                                                |
+----------------+-------------------------------------------------------------+

This security advisory describes the current understanding of the Trusted
Firmware-A exposure to the speculative processor vulnerabilities identified by
`Google Project Zero`_. To understand the background and wider impact of these
vulnerabilities on Arm systems, please refer to the `Arm Processor Security
Update`_.

Variant 1 (`CVE-2017-5753`_)
----------------------------

At the time of writing, no vulnerable patterns have been observed in upstream TF
code, therefore no workarounds have been applied or are planned.

Variant 2 (`CVE-2017-5715`_)
----------------------------

Where possible on vulnerable CPUs, Arm recommends invalidating the branch
predictor as early as possible on entry into the secure world, before any branch
instruction is executed. There are a number of implementation defined ways to
achieve this.

For Cortex-A57 and Cortex-A72 CPUs, the Pull Requests (PRs) in this advisory
invalidate the branch predictor when entering EL3 by disabling and re-enabling
the MMU.

For Cortex-A73 and Cortex-A75 CPUs, the PRs in this advisory invalidate the
branch predictor when entering EL3 by temporarily dropping into AArch32
Secure-EL1 and executing the ``BPIALL`` instruction. This workaround is
significantly more complex than the "MMU disable/enable" workaround. The latter
is not effective at invalidating the branch predictor on Cortex-A73/Cortex-A75.

Note that if other privileged software, for example a Rich OS kernel, implements
its own branch predictor invalidation during context switch by issuing an SMC
(to execute firmware branch predictor invalidation), then there is a dependency
on the PRs in this advisory being deployed in order for those workarounds to
work. If that other privileged software is able to work around the vulnerability
locally (for example by implementing "MMU disable/enable" itself), there is no
such dependency.

`Pull Request #1240`_ and `Pull Request #1405`_ optimise the earlier fixes by
implementing a specified `CVE-2017-5715`_ workaround SMC
(``SMCCC_ARCH_WORKAROUND_1``) for use by normal world privileged software. This
is more efficient than calling an arbitrary SMC (for example ``PSCI_VERSION``).
Details of ``SMCCC_ARCH_WORKAROUND_1`` can be found in the `CVE-2017-5715
mitigation specification`_. The specification and implementation also enable
the normal world to discover the presence of this firmware service.

On Juno R1 we measured the round trip latency for both the ``PSCI_VERSION`` and
``SMCCC_ARCH_WORKAROUND_1`` SMCs on Cortex-A57, using both the "MMU
disable/enable" and "BPIALL at AArch32 Secure-EL1" workarounds described above.
This includes the time spent in test code conforming to the SMC Calling
Convention (SMCCC) from AArch64.
For the ``SMCCC_ARCH_WORKAROUND_1`` cases, the
test code uses SMCCC v1.1, which reduces the number of general purpose registers
it needs to save/restore. Although the ``BPIALL`` instruction is not effective
at invalidating the branch predictor on Cortex-A57, the drop into Secure-EL1
with MMU disabled that this workaround entails effectively does invalidate the
branch predictor. Hence this is a reasonable comparison.

The results were as follows:

+------------------------------------------------------------------+-----------+
| Test                                                             | Time (ns) |
+==================================================================+===========+
| ``PSCI_VERSION`` baseline (without PRs in this advisory)         | 515       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` baseline (with PRs in this advisory)            | 527       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "MMU disable/enable"                       | 930       |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "MMU disable/enable"            | 386       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "BPIALL at AArch32 Secure-EL1"             | 1276      |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "BPIALL at AArch32 Secure-EL1"  | 770       |
+------------------------------------------------------------------+-----------+

Due to the high severity and wide applicability of this issue, the above
workarounds are enabled by default (on vulnerable CPUs only), despite some
performance and code size overhead. Platforms can choose to disable them at
compile time if they do not require them. `Pull Request #1240`_ disables the
workarounds for unaffected upstream platforms.

For vulnerable AArch32-only CPUs (for example Cortex-A8, Cortex-A9 and
Cortex-A17), the ``BPIALL`` instruction should be used as early as possible on
entry into the secure world. For Cortex-A8, also set ``ACTLR[6]`` to 1 during
early processor initialization. Note that the ``BPIALL`` instruction is not
effective at invalidating the branch predictor on Cortex-A15. For that CPU, set
``ACTLR[0]`` to 1 during early processor initialization, and invalidate the
branch predictor by performing an ``ICIALLU`` instruction.

On AArch32 EL3 systems, the monitor and secure-SVC code is typically tightly
integrated, for example as part of a Trusted OS. Therefore any Variant 2
workaround should be provided by vendors of that software and is outside the
scope of TF. However, an example implementation in the minimal AArch32 Secure
Payload, ``SP_MIN``, is provided in `Pull Request #1228`_.

Other Arm CPUs are not vulnerable to this or other variants. This includes
Cortex-A76, Cortex-A53, Cortex-A55, Cortex-A32, Cortex-A7 and Cortex-A5.
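
The discovery of ``SMCCC_ARCH_WORKAROUND_1`` mentioned earlier in this section, shown from the normal-world side as an added example (not TF-A code and not part of the original advisory). The function IDs are those published in the Arm PSCI and SMCCC specifications; the ``smc_fn`` conduit type, ``discover_bp_method`` and the two firmware stand-ins are hypothetical names, and the stand-ins return constructed values.

```c
#include <stdint.h>

/* Function IDs published in the Arm PSCI and SMCCC specifications. */
#define PSCI_VERSION            0x84000000u
#define PSCI_FEATURES           0x8400000Au
#define SMCCC_VERSION           0x80000000u
#define SMCCC_ARCH_FEATURES     0x80000001u
#define SMCCC_ARCH_WORKAROUND_1 0x80008000u

/* Hypothetical conduit type: issue one SMC32 call, return w0. */
typedef int32_t (*smc_fn)(uint32_t fid, uint32_t arg1);

enum bp_method { BP_NO_FW_SERVICE, BP_ARCH_WORKAROUND_1 };

/* Versions pack major in bits [30:16] and minor in [15:0]; errors are < 0. */
enum bp_method discover_bp_method(smc_fn smc)
{
    if (smc(PSCI_VERSION, 0) < 0x00010000)        /* PSCI_FEATURES needs 1.0 */
        return BP_NO_FW_SERVICE;
    if (smc(PSCI_FEATURES, SMCCC_VERSION) < 0)    /* SMCCC v1.0 firmware */
        return BP_NO_FW_SERVICE;
    if (smc(SMCCC_VERSION, 0) < 0x00010001)       /* ARCH_FEATURES needs v1.1 */
        return BP_NO_FW_SERVICE;
    if (smc(SMCCC_ARCH_FEATURES, SMCCC_ARCH_WORKAROUND_1) < 0)
        return BP_NO_FW_SERVICE;                  /* service not offered */
    return BP_ARCH_WORKAROUND_1;
}

/* Constructed firmware stand-ins so the logic runs without a real EL3. */
int32_t fw_patched(uint32_t fid, uint32_t arg1)
{
    switch (fid) {
    case PSCI_VERSION:        return 0x00010001;
    case PSCI_FEATURES:       return arg1 == SMCCC_VERSION ? 0 : -1;
    case SMCCC_VERSION:       return 0x00010001;
    case SMCCC_ARCH_FEATURES: return arg1 == SMCCC_ARCH_WORKAROUND_1 ? 0 : -1;
    default:                  return -1;
    }
}

int32_t fw_unpatched(uint32_t fid, uint32_t arg1)
{
    (void)arg1;
    return fid == PSCI_VERSION ? 0x00010000 : -1; /* PSCI 1.0, nothing newer */
}
```

A ``BP_NO_FW_SERVICE`` result leaves the caller with the other options in this advisory: an arbitrary SMC into firmware carrying the earlier PRs, or a local workaround.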

For more information about non-Arm CPUs, please contact the CPU vendor.

Variant 3 (`CVE-2017-5754`_)
----------------------------

This variant is only exploitable between Exception Levels within the same
translation regime, for example between EL0 and EL1. Therefore, this variant
cannot be used to access secure memory from the non-secure world, and is not
applicable for TF. However, Secure Payloads (for example, Trusted OS) should
provide mitigations on vulnerable CPUs to protect themselves from exploited
Secure-EL0 applications.

The only Arm CPU vulnerable to this variant is Cortex-A75.

.. _Google Project Zero: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
.. _Arm Processor Security Update: http://www.arm.com/security-update
.. _CVE-2017-5753: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
.. _CVE-2017-5715: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
.. _CVE-2017-5754: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
.. _Pull Request #1214: https://github.com/ARM-software/arm-trusted-firmware/pull/1214
.. _Pull Request #1228: https://github.com/ARM-software/arm-trusted-firmware/pull/1228
.. _Pull Request #1240: https://github.com/ARM-software/arm-trusted-firmware/pull/1240
.. _Pull Request #1405: https://github.com/ARM-software/arm-trusted-firmware/pull/1405
.. _CVE-2017-5715 mitigation specification: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification