.. _security-advisory-tfv-7:

Advisory TFV-7 (CVE-2018-3639)
==============================

+----------------+-------------------------------------------------------------+
| Title          | Trusted Firmware-A exposure to cache speculation            |
|                | vulnerability Variant 4                                     |
+================+=============================================================+
| CVE ID         | `CVE-2018-3639`_                                            |
+----------------+-------------------------------------------------------------+
| Date           | 21 May 2018 (Updated 7 June 2018)                           |
+----------------+-------------------------------------------------------------+
| Versions       | All, up to and including v1.5                               |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of secure world data to normal world                |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1392`_, `Pull Request #1397`_                |
+----------------+-------------------------------------------------------------+
| Credit         | Google                                                      |
+----------------+-------------------------------------------------------------+

This security advisory describes the current understanding of the Trusted
Firmware-A (TF-A) exposure to Variant 4 of the cache speculation vulnerabilities
identified by `Google Project Zero`_. To understand the background and wider
impact of these vulnerabilities on Arm systems, please refer to the `Arm
Processor Security Update`_.

At the time of writing, the TF-A project is not aware of a Variant 4 exploit
that could be used against TF-A. It is likely to be very difficult to achieve an
exploit against current standard configurations of TF-A, due to the limited
number of interfaces into the secure world that accept attacker-controlled
inputs. However, this is becoming increasingly difficult to guarantee with the
introduction of complex new firmware interfaces, for example the `Software
Delegated Exception Interface (SDEI)`_. Also, the TF-A project does not have
visibility of all vendor-supplied interfaces. Therefore, the TF-A project takes
a conservative approach by mitigating Variant 4 in hardware wherever possible
during secure world execution. The mitigation is enabled by setting an
implementation-defined control bit that prevents loads from being speculatively
re-ordered ahead of earlier stores.

For each affected CPU type, TF-A implements one of the two following mitigation
approaches in `Pull Request #1392`_ and `Pull Request #1397`_. Both approaches
have a system performance impact, which varies for each CPU type and use-case.
The mitigation code is enabled by default, but can be disabled at compile time
for platforms that are unaffected or where the risk is deemed low enough.

Arm CPUs not mentioned below are unaffected.

Static mitigation
-----------------

For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to disable
the mitigation at runtime.

This approach permanently mitigates the entire software stack and no additional
mitigation code is required in other software components.

TF-A implements this approach for the following affected CPUs:

- Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
  ``CPUACTLR_EL1`` (``S3_1_C15_C2_0``).

- Cortex-A73, by setting bit 3 of ``S3_0_C15_C0_0`` (not documented in the
  Technical Reference Manual (TRM)).

- Cortex-A75, by setting bit 35 (reserved in TRM) of ``CPUACTLR_EL1``
  (``S3_0_C15_C1_0``).

Dynamic mitigation
------------------

For affected CPUs, this approach also enables the mitigation during EL3
initialization, following every PE reset. In addition, this approach implements
``SMCCC_ARCH_WORKAROUND_2`` in the Arm architectural range to allow callers at
lower exception levels to temporarily disable the mitigation in their execution
context, where the risk is deemed low enough. This approach enables the
mitigation on entry to EL3, and restores the mitigation state of the lower
exception level on exit from EL3. For more information on this approach, see
`Firmware interfaces for mitigating cache speculation vulnerabilities`_.

This approach may be complemented by additional mitigation code in other
software components, for example code that calls ``SMCCC_ARCH_WORKAROUND_2``.
However, even without any mitigation code in other software components, this
approach will effectively permanently mitigate the entire software stack, since
the default mitigation state for firmware-managed execution contexts is enabled.

Since the expectation in this approach is that more software executes with the
mitigation disabled, this may result in better system performance than the
static approach for some systems or use-cases. However, for other systems or
use-cases, this performance saving may be outweighed by the additional overhead
of ``SMCCC_ARCH_WORKAROUND_2`` calls and TF-A exception handling.

TF-A implements this approach for the following affected CPU:

- Cortex-A76, by setting and clearing bit 16 (reserved in TRM) of
  ``CPUACTLR2_EL1`` (``S3_0_C15_C1_1``).

.. _Google Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
.. _Arm Processor Security Update: http://www.arm.com/security-update
.. _CVE-2018-3639: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
.. _Software Delegated Exception Interface (SDEI): https://developer.arm.com/documentation/den0054
.. _Firmware interfaces for mitigating cache speculation vulnerabilities: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
.. _Pull Request #1392: https://github.com/ARM-software/arm-trusted-firmware/pull/1392
.. _Pull Request #1397: https://github.com/ARM-software/arm-trusted-firmware/pull/1397