+----------------+-------------------------------------------------------------+
| Title          | Not saving x0 to x3 registers can leak information from one |
|                | Normal World SMC client to another                          |
+================+=============================================================+
| CVE ID         | `CVE-2018-19440`_                                           |
+----------------+-------------------------------------------------------------+
| Date           | 27 Nov 2018                                                 |
+----------------+-------------------------------------------------------------+
| Versions       | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | Multiple normal world SMC clients calling into AArch64 BL31 |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of SMC return values from one normal world SMC      |
|                | client to another                                           |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1710`_                                       |
+----------------+-------------------------------------------------------------+
| Credit         | Secmation                                                   |
+----------------+-------------------------------------------------------------+

When taking an exception to EL3, BL31 saves the CPU context. The aim is to
restore it before returning into the lower exception level software that called
into the firmware.
However, for an SMC exception, the general purpose registers
``x0`` to ``x3`` are not part of the CPU context saved on the stack.

As per the `SMC Calling Convention`_, up to 4 values may be returned to the
caller in registers ``x0`` to ``x3``. In TF-A, these return values are written
into the CPU context, typically using one of the ``SMC_RETx()`` macros provided
in the ``include/lib/aarch64/smccc_helpers.h`` header file.

Before returning to the caller, the ``restore_gp_registers()`` function is
called. It restores the values of all general purpose registers taken from the
CPU context stored on the stack. This includes registers ``x0`` to ``x3``, as
can be seen in the ``lib/el3_runtime/aarch64/context.S`` file at line 339
(referring to the version of the code as of `commit c385955`_):

.. code:: asm

    /*
     * This function restores all general purpose registers except x30 from the
     * CPU context. x30 register must be explicitly restored by the caller.
     */
    func restore_gp_registers
        ldp x0, x1, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X0]
        ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]

In the case of an SMC handler that does not use all 4 return values, the
remaining ones are left unchanged in the CPU context. As a result,
``restore_gp_registers()`` restores the stale values saved by a previous SMC
request (or asynchronous exception to EL3) that used these return values.

In the presence of multiple normal world SMC clients, this behaviour might leak
some of the return values from one client to another. For example, if a victim
client first sends an SMC that returns 4 values, a malicious client may then
send a second SMC expecting no return values (for example, a
``SDEI_EVENT_COMPLETE`` SMC) to get the 4 return values of the victim client.

In general, the responsibility for mitigating threats due to the presence of
multiple normal world SMC clients lies with EL2 software. When present, EL2
software must trap SMC calls from EL1 software to ensure secure behaviour.

For this reason, TF-A does not save ``x0`` to ``x3`` in the CPU context on an
SMC synchronous exception. It has behaved this way since the first version.

We can confirm that at least upstream KVM-based systems mitigate this threat,
and are therefore unaffected by this issue. Other EL2 software should be audited
to assess the impact of this threat.

EL2 software might find mitigating this threat somewhat onerous, because for all
SMCs it would need to be aware of which return registers contain valid data, so
it can sanitise any unused return registers. On the other hand, mitigating this
in EL3 is relatively easy and cheap. Therefore, TF-A will now ensure that no
information is leaked through registers ``x0`` to ``x3``, by preserving the
register state over the call.
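The following C model is an added illustration, not TF-A code: it simulates a per-CPU context whose ``x0`` to ``x3`` slots persist between SMC calls, as BL31's does, and shows how a handler that sets no return values hands a second client the stale results of the first, and how saving the caller's ``x0`` to ``x3`` on SMC entry (the register-preserving behaviour described above) removes the leak. The structure and function names are stand-ins for the real context layout and ``SMC_RETx()`` macros, and the return values are constructed samples.

```c
/* Added model, not TF-A code: a per-CPU context whose x0-x3 slots persist
 * between SMC calls, used to show the stale-value leak and its mitigation. */
#include <stdint.h>
#include <string.h>

#define NUM_RET_REGS 4        /* x0-x3, the SMCCC return registers */

typedef struct { uint64_t gpregs[NUM_RET_REGS]; } cpu_ctx_t;   /* saved context */
typedef struct { uint64_t x[NUM_RET_REGS]; } client_regs_t;    /* a client's x0-x3 */

/* Stand-in for SMC_RET4(): the handler writes all four results into the context. */
static void smc_ret4(cpu_ctx_t *ctx, uint64_t v0, uint64_t v1, uint64_t v2, uint64_t v3)
{
    ctx->gpregs[0] = v0; ctx->gpregs[1] = v1;
    ctx->gpregs[2] = v2; ctx->gpregs[3] = v3;
}

/* Mirrors restore_gp_registers(): x0-x3 are reloaded from whatever the context holds. */
static void restore_gp_registers(const cpu_ctx_t *ctx, client_regs_t *regs)
{
    memcpy(regs->x, ctx->gpregs, sizeof regs->x);
}

/* One SMC round trip. With save_on_entry == 0 (pre-fix) the caller's x0-x3 are
 * never written to the context; with 1 they are saved on entry, so a handler
 * that returns no values hands the caller's own registers back unchanged. */
static void do_smc(cpu_ctx_t *ctx, client_regs_t *regs, int returns_values, int save_on_entry)
{
    if (save_on_entry)
        memcpy(ctx->gpregs, regs->x, sizeof ctx->gpregs);
    if (returns_values)
        smc_ret4(ctx, 0x11, 0x22, 0x33, 0x44);   /* constructed sample results */
    /* else: a handler such as SDEI_EVENT_COMPLETE leaves the context untouched */
    restore_gp_registers(ctx, regs);
}

/* Returns 1 if a second client, issuing an SMC with no return values, receives
 * the four results produced for the first client; 0 otherwise. */
int second_client_sees_first_results(int save_on_entry)
{
    cpu_ctx_t ctx = {{0}};
    client_regs_t first = {{0}}, second = {{0xAA, 0xAA, 0xAA, 0xAA}};

    do_smc(&ctx, &first, 1, save_on_entry);
    do_smc(&ctx, &second, 0, save_on_entry);
    return second.x[0] == 0x11 && second.x[1] == 0x22 &&
           second.x[2] == 0x33 && second.x[3] == 0x44;
}
```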

Note that AArch32 TF-A is not affected by this issue. The SMC handling code in
``SP_MIN`` already saves all general purpose registers, including ``r0`` to
``r3``, as can be seen in the ``include/lib/aarch32/smccc_macros.S`` file at
line 19 (referring to the version of the code as of `commit c385955`_):

.. code:: asm

    /*
     * Macro to save the General purpose registers (r0 - r12), the banked
     * spsr, lr, sp registers and the `scr` register to the SMC context on entry
     * due to an SMC call. The `lr` of the current mode (monitor) is expected to be
     * already saved. The `sp` must point to the `smc_ctx_t` to save to.
     * Additionally, also save the 'pmcr' register as this is updated whilst
     * executing in the secure world.
     */
    .macro smccc_save_gp_mode_regs
        /* Save r0 - r12 in the SMC context */
        stm sp, {r0-r12}

.. _CVE-2018-19440: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19440
.. _commit c385955: https://github.com/ARM-software/arm-trusted-firmware/commit/c385955
.. _SMC Calling Convention: http://arminfo.emea.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf
.. _Pull Request #1710: https://github.com/ARM-software/arm-trusted-firmware/pull/1710