+----------------+-------------------------------------------------------------+
| Title          | Trusted Firmware-A exposure to cache speculation            |
|                | vulnerability Variant 4                                     |
+================+=============================================================+
| CVE ID         | `CVE-2018-3639`_                                            |
+----------------+-------------------------------------------------------------+
| Date           | 21 May 2018 (Updated 7 June 2018)                           |
+----------------+-------------------------------------------------------------+
| Versions       | All, up to and including v1.5                               |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of secure world data to normal world                |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1392`_, `Pull Request #1397`_                |
+----------------+-------------------------------------------------------------+
| Credit         | Google                                                      |
+----------------+-------------------------------------------------------------+

This security advisory describes the current understanding of the Trusted
Firmware-A (TF-A) exposure to Variant 4 of the cache speculation vulnerabilities
identified by `Google Project Zero`_. To understand the background and wider
impact of these vulnerabilities on Arm systems, please refer to the `Arm
Processor Security Update`_.

At the time of writing, the TF-A project is not aware of a Variant 4 exploit
that could be used against TF-A. It is likely to be very difficult to achieve an
exploit against current standard configurations of TF-A, due to the limited
interfaces into the secure world with attacker-controlled inputs. However, this
is becoming increasingly difficult to guarantee with the introduction of complex
new firmware interfaces, for example the `Software Delegated Exception Interface
(SDEI)`_. Also, the TF-A project does not have visibility of all
vendor-supplied interfaces. Therefore, the TF-A project takes a conservative
approach by mitigating Variant 4 in hardware wherever possible during secure
world execution. The mitigation is enabled by setting an implementation defined
control bit to prevent the re-ordering of stores and loads.

For each affected CPU type, TF-A implements one of the two following mitigation
approaches in `Pull Request #1392`_ and `Pull Request #1397`_. Both approaches
have a system performance impact, which varies for each CPU type and use-case.
The mitigation code is enabled by default, but can be disabled at compile time
for platforms that are unaffected or where the risk is deemed low enough.

Arm CPUs not mentioned below are unaffected.


Static mitigation
~~~~~~~~~~~~~~~~~

For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to disable
the mitigation at runtime.

This approach permanently mitigates the entire software stack and no additional
mitigation code is required in other software components.

TF-A implements this approach for the following affected CPUs:

- Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
  ``CPUACTLR_EL1`` (``S3_1_C15_C2_0``).

- Cortex-A73, by setting bit 3 of ``S3_0_C15_C0_0`` (not documented in the
  Technical Reference Manual (TRM)).

- Cortex-A75, by setting bit 35 (reserved in TRM) of ``CPUACTLR_EL1``
  (``S3_0_C15_C1_0``).

Dynamic mitigation
~~~~~~~~~~~~~~~~~~

For affected CPUs, this approach also enables the mitigation during EL3
initialization, following every PE reset. In addition, this approach implements
``SMCCC_ARCH_WORKAROUND_2`` in the Arm architectural range to allow callers at
lower exception levels to temporarily disable the mitigation in their execution
context, where the risk is deemed low enough. This approach enables mitigation
on entry to EL3, and restores the mitigation state of the lower exception level
on exit from EL3. For more information on this approach, see `Firmware
interfaces for mitigating cache speculation vulnerabilities`_.

This approach may be complemented by additional mitigation code in other
software components, for example code that calls ``SMCCC_ARCH_WORKAROUND_2``.
However, even without any mitigation code in other software components, this
approach will effectively permanently mitigate the entire software stack, since
the default mitigation state for firmware-managed execution contexts is enabled.

Since the expectation in this approach is that more software executes with the
mitigation disabled, this may result in better system performance than the
static approach for some systems or use-cases. However, for other systems or
use-cases, this performance saving may be outweighed by the additional overhead
of ``SMCCC_ARCH_WORKAROUND_2`` calls and TF-A exception handling.

TF-A implements this approach for the following affected CPU:

- Cortex-A76, by setting and clearing bit 16 (reserved in TRM) of
  ``CPUACTLR2_EL1`` (``S3_0_C15_C1_1``).

.. _Google Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
.. _Arm Processor Security Update: http://www.arm.com/security-update
.. _CVE-2018-3639: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
.. _Software Delegated Exception Interface (SDEI): http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf
.. _Firmware interfaces for mitigating cache speculation vulnerabilities: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
.. _Pull Request #1392: https://github.com/ARM-software/arm-trusted-firmware/pull/1392
.. _Pull Request #1397: https://github.com/ARM-software/arm-trusted-firmware/pull/1397
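
The dynamic mitigation described above for Cortex-A76, as a host-side C model added here for illustration (it is not TF-A code): it shows that the mitigation is always on inside EL3 while the caller's requested state is restored on exit. A plain variable stands in for ``CPUACTLR2_EL1``, and the ``lower_el_ctx`` structure, the function names and the argument encoding of the call are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Cortex-A76 control bit from the advisory: bit 16 of CPUACTLR2_EL1. */
#define A76_MITIGATION_BIT (UINT64_C(1) << 16)
/* Stand-in for the system register; firmware would use MRS/MSR at EL3. */
static uint64_t cpuactlr2_el1;
/* Hypothetical per-context record of what the lower EL requested. */
struct lower_el_ctx { bool mitigation_disabled; };

static bool mitigation_active(void)
{
    return (cpuactlr2_el1 & A76_MITIGATION_BIT) != 0;
}

static void set_mitigation(bool on)
{
    cpuactlr2_el1 = on ? (cpuactlr2_el1 | A76_MITIGATION_BIT)
                       : (cpuactlr2_el1 & ~A76_MITIGATION_BIT);
}

/* EL3 initialization after PE reset: bit set, context defaults to enabled. */
static void el3_init(struct lower_el_ctx *ctx)
{
    ctx->mitigation_disabled = false;
    set_mitigation(true);
}

/* One SMC round trip. Assumed: WORKAROUND_2 arg 0 disables, nonzero enables. */
static void smc(struct lower_el_ctx *ctx, bool is_wa2, uint32_t arg,
                bool *in_el3, bool *after_return)
{
    set_mitigation(true);                      /* entry to EL3: always on */
    *in_el3 = mitigation_active();
    if (is_wa2)
        ctx->mitigation_disabled = (arg == 0);
    set_mitigation(!ctx->mitigation_disabled); /* exit: restore caller state */
    *after_return = mitigation_active();
}

int main(void)
{
    struct lower_el_ctx ctx;
    bool in_el3, after;
    el3_init(&ctx);
    smc(&ctx, true, 0, &in_el3, &after);       /* caller opts out */
    printf("in EL3: %d, after return: %d\n", in_el3, after);
    return 0;
}
```

A caller that never issues the call keeps the default enabled state, which is why the advisory describes this approach as effectively mitigating the whole stack without changes elsewhere.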