xref: /rk3399_ARM-atf/docs/security_advisories/security-advisory-tfv-6.rst (revision 40d553cfde38d4f68449c62967cd1ce0d6478750) 
1+----------------+-------------------------------------------------------------+
2| Title          | Arm Trusted Firmware exposure to speculative processor      |
3|                | vulnerabilities using cache timing side-channels            |
4+================+=============================================================+
5| CVE ID         | `CVE-2017-5753`_ / `CVE-2017-5715`_ / `CVE-2017-5754`_      |
6+----------------+-------------------------------------------------------------+
7| Date           | 03 Jan 2018 (Updated 11 Jan, 18 Jan, 26 Jan, 30 Jan and 07  |
8|                | June 2018)                                                  |
9+----------------+-------------------------------------------------------------+
10| Versions       | All, up to and including v1.4                               |
11| Affected       |                                                             |
12+----------------+-------------------------------------------------------------+
13| Configurations | All                                                         |
14| Affected       |                                                             |
15+----------------+-------------------------------------------------------------+
16| Impact         | Leakage of secure world data to normal world                |
17+----------------+-------------------------------------------------------------+
18| Fix Version    | `Pull Request #1214`_, `Pull Request #1228`_,               |
19|                | `Pull Request #1240`_ and `Pull Request #1405`_             |
20+----------------+-------------------------------------------------------------+
21| Credit         | Google / Arm                                                |
22+----------------+-------------------------------------------------------------+
23
24This security advisory describes the current understanding of the Arm Trusted
25Firmware (TF) exposure to the speculative processor vulnerabilities identified
26by `Google Project Zero`_.  To understand the background and wider impact of
27these vulnerabilities on Arm systems, please refer to the `Arm Processor
28Security Update`_.
29
30Variant 1 (`CVE-2017-5753`_)
31~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32
33At the time of writing, no vulnerable patterns have been observed in upstream TF
34code, therefore no workarounds have been applied or are planned.
35
36Variant 2 (`CVE-2017-5715`_)
37~~~~~~~~~~~~~~~~~~~~~~~~~~~~
38
39Where possible on vulnerable CPUs, Arm recommends invalidating the branch
40predictor as early as possible on entry into the secure world, before any branch
41instruction is executed. There are a number of implementation defined ways to
42achieve this.
43
44For Cortex-A57 and Cortex-A72 CPUs, the Pull Requests (PRs) in this advisory
45invalidate the branch predictor when entering EL3 by disabling and re-enabling
46the MMU.
47
48For Cortex-A73 and Cortex-A75 CPUs, the PRs in this advisory invalidate the
49branch predictor when entering EL3 by temporarily dropping into AArch32
50Secure-EL1 and executing the ``BPIALL`` instruction. This workaround is
51signifiantly more complex than the "MMU disable/enable" workaround. The latter
52is not effective at invalidating the branch predictor on Cortex-A73/Cortex-A75.
53
54Note that if other privileged software, for example a Rich OS kernel, implements
55its own branch predictor invalidation during context switch by issuing an SMC
56(to execute firmware branch predictor invalidation), then there is a dependency
57on the PRs in this advisory being deployed in order for those workarounds to
58work. If that other privileged software is able to workaround the vulnerability
59locally (for example by implementing "MMU disable/enable" itself), there is no
60such dependency.
61
62`Pull Request #1240`_ and `Pull Request #1405`_ optimise the earlier fixes by
63implementing a specified `CVE-2017-5715`_ workaround SMC
64(``SMCCC_ARCH_WORKAROUND_1``) for use by normal world privileged software. This
65is more efficient than calling an arbitrary SMC (for example ``PSCI_VERSION``).
66Details of ``SMCCC_ARCH_WORKAROUND_1`` can be found in the `CVE-2017-5715
67mitigation specification`_.  The specification and implementation also enable
68the normal world to discover the presence of this firmware service.
69
70On Juno R1 we measured the round trip latency for both the ``PSCI_VERSION`` and
71``SMCCC_ARCH_WORKAROUND_1`` SMCs on Cortex-A57, using both the "MMU
72disable/enable" and "BPIALL at AArch32 Secure-EL1" workarounds described above.
73This includes the time spent in test code conforming to the SMC Calling
74Convention (SMCCC) from AArch64. For the ``SMCCC_ARCH_WORKAROUND_1`` cases, the
75test code uses SMCCC v1.1, which reduces the number of general purpose registers
76it needs to save/restore. Although the ``BPIALL`` instruction is not effective
77at invalidating the branch predictor on Cortex-A57, the drop into Secure-EL1
78with MMU disabled that this workaround entails effectively does invalidate the
79branch predictor. Hence this is a reasonable comparison.
80
81The results were as follows:
82
83+------------------------------------------------------------------+-----------+
84| Test                                                             | Time (ns) |
85+==================================================================+===========+
86| ``PSCI_VERSION`` baseline (without PRs in this advisory)         | 515       |
87+------------------------------------------------------------------+-----------+
88| ``PSCI_VERSION`` baseline (with PRs in this advisory)            | 527       |
89+------------------------------------------------------------------+-----------+
90| ``PSCI_VERSION`` with "MMU disable/enable"                       | 930       |
91+------------------------------------------------------------------+-----------+
92| ``SMCCC_ARCH_WORKAROUND_1`` with "MMU disable/enable"            | 386       |
93+------------------------------------------------------------------+-----------+
94| ``PSCI_VERSION`` with "BPIALL at AArch32 Secure-EL1"             | 1276      |
95+------------------------------------------------------------------+-----------+
96| ``SMCCC_ARCH_WORKAROUND_1`` with "BPIALL at AArch32 Secure-EL1"  | 770       |
97+------------------------------------------------------------------+-----------+
98
99Due to the high severity and wide applicability of this issue, the above
100workarounds are enabled by default (on vulnerable CPUs only), despite some
101performance and code size overhead. Platforms can choose to disable them at
102compile time if they do not require them. `Pull Request #1240`_ disables the
103workarounds for unaffected upstream platforms.
104
105For vulnerable AArch32-only CPUs (for example Cortex-A8, Cortex-A9 and
106Cortex-A17), the ``BPIALL`` instruction should be used as early as possible on
107entry into the secure world. For Cortex-A8, also set ``ACTLR[6]`` to 1 during
108early processor initialization. Note that the ``BPIALL`` instruction is not
109effective at invalidating the branch predictor on Cortex-A15. For that CPU, set
110``ACTLR[0]`` to 1 during early processor initialization, and invalidate the
111branch predictor by performing an ``ICIALLU`` instruction.
112
113On AArch32 EL3 systems, the monitor and secure-SVC code is typically tightly
114integrated, for example as part of a Trusted OS. Therefore any Variant 2
115workaround should be provided by vendors of that software and is outside the
116scope of TF. However, an example implementation in the minimal AArch32 Secure
117Payload, ``SP_MIN`` is provided in `Pull Request #1228`_.
118
119Other Arm CPUs are not vulnerable to this or other variants. This includes
120Cortex-A76, Cortex-A53, Cortex-A55, Cortex-A32, Cortex-A7 and Cortex-A5.
121
122For more information about non-Arm CPUs, please contact the CPU vendor.
123
124Variant 3 (`CVE-2017-5754`_)
125~~~~~~~~~~~~~~~~~~~~~~~~~~~~
126
127This variant is only exploitable between Exception Levels within the same
128translation regime, for example between EL0 and EL1, therefore this variant
129cannot be used to access secure memory from the non-secure world, and is not
130applicable for TF. However, Secure Payloads (for example, Trusted OS) should
131provide mitigations on vulnerable CPUs to protect themselves from exploited
132Secure-EL0 applications.
133
134The only Arm CPU vulnerable to this variant is Cortex-A75.
135
136.. _Google Project Zero: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
137.. _Arm Processor Security Update: http://www.arm.com/security-update
138.. _CVE-2017-5753: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
139.. _CVE-2017-5715: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
140.. _CVE-2017-5754: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
141.. _Pull Request #1214: https://github.com/ARM-software/arm-trusted-firmware/pull/1214
142.. _Pull Request #1228: https://github.com/ARM-software/arm-trusted-firmware/pull/1228
143.. _Pull Request #1240: https://github.com/ARM-software/arm-trusted-firmware/pull/1240
144.. _Pull Request #1405: https://github.com/ARM-software/arm-trusted-firmware/pull/1405
145.. _CVE-2017-5715 mitigation specification: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
146